News You can USE!



GLOBAL THREAT & INCIDENT BRIEF

SENIOR INTELLIGENCE ANALYST REPORT: 2026-01-21

BLUF (Bottom Line Up Front)

The primary vector of immediate risk remains escalating cyber operations targeting critical infrastructure (CI) and global supply chain logistics, driven by sophisticated hacktivist groups increasingly aligned with nation-state objectives. Ransomware attacks have intensified, setting new records in volume and scope, primarily targeting US entities. Geopolitically, the risk of kinetic conflict remains high, with geoeconomic confrontation identified as the top global crisis risk for 2026, alongside heightened concerns over maritime vulnerability in key chokepoints and digital risks posed by state-linked technologies embedded in port operations. Organizations must immediately focus resources on OT/ICS defenses and mitigating AI-related data exposure risks.


💻 Cyber

Incident: Ransomware and AI-Enhanced Exploitation Surge

  • Date: Ongoing (Report covers 2025 activity with current implications)
  • Location: Global, with the United States experiencing 55% of all reported ransomware attacks in 2025.
  • Key Actors: New and established Ransomware-as-a-Service (RaaS) groups (Devman, Sinobi, Warlock, Gunra, Cl0p, Qilin, Lockbit, Crypto24); threat actors leveraging Generative AI (Gen AI).
  • Key Facts:
    • Ransomware attacks increased 52% in 2025 compared to 2024, totaling 6,604 incidents.
    • Gen AI adoption is unintentionally leaking sensitive corporate information, providing new opportunities for criminals to exploit critical data.
    • Adversaries are exploiting AI systems via prompt injection, memory poisoning, and poisoned supply chains to turn enterprise AI workflows into attack vectors.
    • The IT, Technology, Transportation & Logistics, Government & Law Enforcement, and Energy & Utilities sectors are among the most heavily targeted.

Security & Recommendations:

Geolocation Context: US entities face disproportionate financial and operational risk due to high digitization and perceived high payoff. Secondary targets include Canada, Germany, the UK, Italy, and France.

  • Implement robust monitoring and governance policies specifically for Gen AI adoption to prevent unintentional sensitive data leakage.
  • Focus defensive efforts on identifying and segmenting IT/OT interfaces, as ransomware groups are expanding their reach into critical infrastructure sectors.
  • Urgently review patch management for years-old, unpatched vulnerabilities which remain a primary exploitation method.

🏗️ Critical Infrastructure

Incident: Hacktivist Escalation Against ICS/OT Systems

  • Date: Ongoing (Report coverage December 2024–December 2025)
  • Location: Global, notably targeting web-based SCADA and HMI interfaces.
  • Key Actors: Z-Pentest (most active), Dark Engine (Infrastructure Destruction Squad), Sector 16, Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid.
  • Key Facts:
    • Hacktivists are moving beyond traditional DDoS attacks to directly target Industrial Control Systems (ICS) and Operational Technology (OT).
    • Targeted systems include electric vehicle charging (33.3%), fueling and industrial systems (18.2%), fleet management, telematics, and train control systems (15.2% each).
    • Critical flaws in Dover Fueling Solutions’ ProGauge MagLink, Kaleris Navis N4, and Radiometrics VizAir pose severe risks due to their internet-facing exposure.

Security & Recommendations:

Geolocation Context: Threats exist globally wherever exposed HMIs and web-based SCADA interfaces are present. Exploitation risks compromising passenger safety and disrupting logistics chains, including rail and port operations.

  • Immediately inventory and audit all internet-facing HMI and SCADA interfaces, ensuring strict least-privilege access and multi-factor authentication.
  • Bridge the existing OT cybersecurity culture gap by integrating IT and OT teams and focusing on threat preparedness (only 14% of organizations feel fully prepared).
  • Consult the UK NCSC’s advisories regarding reinforcing Denial of Service (DoS) defenses amidst pro-Russia hacktivist surges.

🌐 Geopolitical

Incident: Geoeconomic Confrontation Tops Global Risk Index

  • Date: January 14, 2026 (WEF Global Risks Report 2026 publication)
  • Location: Global economic and trade systems (e.g., US-China rivalry, Ukraine escalation, Middle East).
  • Key Actors: Major global powers (US, China, Russia, Iran).
  • Key Facts:
    • Geoeconomic confrontation emerges as the top global risk for 2026, climbing eight positions in the two-year outlook.
    • State-based armed conflict ranks second for 2026.
    • Conflict and political volatility are driving increased air travel restrictions (Middle East airspace closures in 2025 due to Iran/Israel conflict) and supply chain issues (Russia-Ukraine war affecting agricultural goods).
    • 68% of surveyed respondents anticipate a “multipolar or fragmented order” over the next decade.

Security & Recommendations:

Geolocation Context: While conflict zones (Ukraine, Middle East, Taiwan Strait) present immediate risk, the economic fallout is global, demanding vigilance over supply chain resiliency and market volatility.

  • Model and stress-test supply chains against potential kinetic conflicts (e.g., confrontation over Taiwan, Iran’s conflict with Israel/US) which could severely impact global trade.
  • Integrate geopolitical forecasts into cybersecurity strategy, recognizing that geopolitical tensions increase the risk of cyber warfare and espionage (gray-zone action).

🚢 Maritime Events

Incident: Foreign Adversarial Technological Influence on Port Infrastructure

  • Date: U.S. Maritime Advisory 2024-011 (continues to be a primary focus of US government risk advisories)
  • Location: Worldwide ports and maritime logistics nodes.
  • Key Actors: People’s Republic of China (PRC), specifically state-controlled entities Nuctech Company, Ltd., Shanghai Zhenhua Heavy Industries Company Limited (ZPMC), and the LOGINK platform developer.
  • Key Facts:
    • Foreign companies manufacture, install, and maintain port equipment (scanners, cranes, logistics software) that introduces critical vulnerabilities to maritime IT/OT systems.
    • The PRC-developed LOGINK platform, used by at least 24 global ports, aggregates massive amounts of sensitive business and foreign government data, including vessel and cargo details.
    • ZPMC ship-to-shore cranes, which hold the largest global market share, may be controlled and serviced remotely, leaving them vulnerable to exploitation and potential disruption.

Security & Recommendations:

Geolocation Context: Ports utilizing LOGINK, Nuctech scanners, or ZPMC cranes are high-risk nodes for foreign intelligence collection and potential disruption, affecting critical logistics worldwide.

  • Conduct immediate risk assessments of all port equipment, focusing on devices from foreign adversarial entities, and ensure remote access capabilities are secured or disabled unless strictly necessary.
  • Establish stringent procurement policies that mandate vetting of all hardware and software components integrated into critical port infrastructure and OT environments.
  • Review and adhere to U.S. Maritime Advisory System alerts, particularly those addressing Foreign Adversarial Technological, Physical, and Cyber Influence.

Incident: Red Sea and Gulf of Guinea Threat Escalation

  • Date: Mid-2025 to Present
  • Location: Red Sea, Suez Canal, and Gulf of Guinea.
  • Key Actors: Houthi forces (Red Sea), Complex criminal networks linked to piracy and terrorism (Gulf of Guinea).
  • Key Facts:
    • Houthi attacks on commercial vessels in the Red Sea have led to casualties and forced ships to re-route, resulting in high maritime trade costs and reduced Suez Canal transit.
    • Piracy and armed robbery incidents in the Gulf of Guinea increased by 47.5% in early 2025 compared to the previous year.
    • Technological advancements, including the use of AI by cybercriminals, are introducing complexity to traditional maritime security threats.

Security & Recommendations:

Geolocation Context: The Red Sea route continues to pose a high kinetic and economic risk due to geopolitical conflict. The Gulf of Guinea represents a critical security gap for traditional piracy and criminal network exploitation.

  • Enforce heightened security protocols and mandatory threat reporting when transiting the Red Sea and Gulf of Guinea (GoG).
  • Ensure shipboard systems adhere to international guidelines on cyber security onboard ships, as digital systems are increasingly vulnerable to attack (e.g., AIS/GPS disruption and ransomware).