A Defender's Guide to the Current War Footing: Russia-China-Iran Cyber Operations Against Five Eyes Nations
- Patrick Duggan
- Mar 27
Updated: Apr 25
March 27, 2026 — DugganUSA
This is not a threat brief. This is a field guide for defenders operating in a formally aligned adversary environment that didn't exist six months ago. The alliances are signed. The operations are running. The commit timestamps prove it.
The Formal Alignments
In January 2026, Russia, China, and Iran signed a Comprehensive Strategic Pact that formalized what intelligence agencies had been warning about for years. Per Small Wars Journal's analysis, this pact created a trilateral intelligence-sharing hub — Russian surveillance capabilities, Chinese cyber infrastructure, and Iranian operational units now function within a single data loop.
This is not three countries happening to attack the same targets. This is coordinated targeting with shared intelligence, shared infrastructure, and shared objectives.
The Pact Structure
Against Whom?
The Five Eyes nations and their extended alliance networks are the explicit targets:
| Alliance | Members | Primary Adversary Targeting | Evidence |
|---|---|---|---|
| Five Eyes | US, UK, Canada, Australia, New Zealand | All three pact members | Volt Typhoon in US CI, Sandworm targeting UK/AU, Handala targeting US defense |
| Nine Eyes | Five Eyes + Denmark, France, Netherlands, Norway | Russia (espionage), China (economic), Iran (retaliation) | 44.8% threat ratio in our Cloudflare data — highest of any alliance bloc |
| Fourteen Eyes | Nine Eyes + Germany, Belgium, Italy, Spain, Sweden | China (industrial espionage), Russia (destabilization) | Finland 2026 security overview flags both RU and CN targeting government infrastructure |
| SIGINT Partners | Israel, Japan, South Korea, Singapore | Iran (direct conflict), China (regional), North Korea (aligned with pact) | Israel in active military conflict with Iran; Japan/SK targeted by Chinese APTs |
Our Own Data Confirms It
From our Cloudflare traffic analysis (7-day window, March 20-27, 2026):
| Alliance | Requests | Threats | Threat Ratio | What This Means |
|---|---|---|---|---|
| Nine Eyes | 19,174 | 8,591 | 44.8% | Almost half the traffic from Nine Eyes expansion countries is hostile |
| Five Eyes | 370,493 | 2,475 | 0.7% | High volume, low threat ratio — mostly legitimate consumers |
| SIGINT Partners | 6,642 | 783 | 11.8% | Israel, Japan, Singapore — mixed legitimate + probing |
| Adversary States | 4,495 | 576 | 12.8% | China + Russia direct — lower volume but targeted |
| Fourteen Eyes | 6,744 | 94 | 1.4% | Germany, Italy, Belgium, Spain — mostly clean |
| Gulf States | 118 | 0 | 0.0% | Minimal engagement |
The Nine Eyes threat ratio at 44.8% is the number that should concern defenders. France alone generated 13,562 requests this week — and our enrichment shows a significant portion originating from defense-adjacent networks (FBW Networks SAS, Vélizy-Villacoublay — the town where French Air and Space Force headquarters is located).
The Operational Picture: March 2026
Timeline of Escalation
Attack Attribution Map
| Date | Target | Actor | Pact Member | Method | Verified |
|---|---|---|---|---|---|
| Feb 28 | 110 organizations, 16 countries | Electronic Operations Room | Iran | 149 DDoS in 9 hours | Yes |
| Late Feb | US healthcare institution | Pay2Key | Iran | Ransomware via stolen admin creds | Yes |
| Mar 11 | Stryker (200K devices) | Handala / Void Manticore | Iran (MOIS) | Intune MDM wipe | Confirmed by DOJ |
| Mar 13 | Intuitive Surgical | Unknown (phishing) | Unattributed | Credential theft → admin network | Yes |
| Mar 20 | FBI seizes 4 Handala domains | US Government | — | Domain seizure | Yes |
| Mar 20 | Handala stands up 3 new domains | Handala | Iran (MOIS) | Infrastructure rotation | Yes — we mapped it |
| Mar 24 | Second US medical institution | Pay2Key | Iran | Ransomware, no exfil, no ransom | Yes |
| Mar 25 | Tamir Pardo (ex-Mossad chief) | Handala | Iran (MOIS) | 14GB data dump | Unverified |
| Mar 25 | Lockheed Martin (28 engineers) | Handala | Iran (MOIS) | Passport doxxing + death threats | Partial — passports match LinkedIn |
| Mar 27 | FBI (Director Kash Patel) | Handala | Iran (MOIS) | Photos published | Unverified |
| Ongoing | US critical infrastructure | Volt Typhoon | China | Pre-positioned since 2023 | Confirmed by NSA/CISA |
| Ongoing | Western CI, edge devices | Sandworm / APT44 | Russia | Wipers, VPN exploitation | Confirmed |
| Ongoing | Water, energy, agriculture | CARR, NoName057, Z-Pentest | Russia | VNC exploitation, OT targeting | CISA advisory active |
| Mar 20+ | Iran war cyber front | Russian-linked groups | Russia | Appeared alongside Iranian ops | Reported by Nextgov |
The Three-Layer Attack Model
China provides the foundation. Volt Typhoon has been inside US critical infrastructure since at least 2023. Salt Typhoon penetrated telecom networks. They don't attack loudly — they map, position, and wait. The 117 Chinese IPs that scanned our infrastructure in 2 hours on March 26 weren't attacking. They were cataloging.
Russia provides the doctrine and disruption. Sandworm wrote the playbook — the 2015 Ukrainian power grid attack, NotPetya, the wiper campaigns. Pro-Russia hacktivists target water systems and energy infrastructure. And now Russian-linked groups have appeared on Iran's cyber front, providing direct support.
Iran provides the offensive tempo. Handala is the visible tip — loud, aggressive, escalating every few days. Pay2Key runs the quieter ransomware operations against healthcare. The Electronic Operations Room coordinates dozens of hacktivist groups across 16 countries.
DOGE as Attack Surface Multiplier
The domestic policy environment has compounded the threat:
| Action | Cyber Impact |
|---|---|
| DOGE access to Treasury, OPM, SSA systems | Uncleared personnel traversing federal networks = free reconnaissance for any pre-positioned adversary |
| CISA workforce reductions | Fewer people writing advisories, coordinating response, maintaining KEV catalog |
| FBI leadership instability | Kash Patel's adversarial relationship with the institution he runs degrades operational trust |
| Federal IT security workforce departures | Institutional knowledge walking out the door doesn't come back |
| Reduced interagency coordination | The trilateral pact coordinates better than the agencies defending against it |
Handala claiming an FBI breach — whether true or not — is a propaganda victory enabled by a target that softened itself.
The Infrastructure Rotation Problem
When the FBI seized Handala's domains on March 20, the community response was measurable through GitHub commit timestamps:
Community Detection Timeline
| Time After Seizure | Who Acted | What They Did |
|---|---|---|
| ~12 hours | contrxl/APT-Research | Created entire repo, tracked new domain + Telegram |
| ~15 hours | fastfire/deepdarkCTI | Added Handala to conflict tracker |
| ~36 hours | almuftaris/security-notes | Published Handala-Hack.md |
| 5 days | barkandbite/iranian-apt-detection | Suricata v0.6.2 with 318 rules, 16 groups |
| 6 days | DugganUSA | Full DNS pivot — found IPs, ASNs, mail infra nobody else published |
| 7 days | Still zero repos have | 82.38.63.237, AS214036, SPF mail IPs, Telegram C2 bot URL |
What Handala Did in Those 12 Hours
Key finding: Handala pre-staged replacement infrastructure. The .ps domain had SPF records configured for operational email — you don't do that reactively in 12 hours. They knew the seizure was coming and had contingency infrastructure ready to activate.
The diversification tells the story:
handala-hack.ps → Namecheap (US hosting, legitimate registrar)
handala-team.to → DDOS-Guard (Russian DDoS protection — alliance signal)
handala-alert.to → Ultahost/AS214036 (runs 6 Tor middle relays — bulletproof)
Three hosting providers. Three jurisdictions. Three different resilience strategies. One Namecheap account tying the registrations together.
The Medical Device Vertical: A Case Study in Targeting
We scored 8 medical device companies on Pi Day (March 14). The results predicted what happened next:
Pi Day Scorecard vs. Actual Outcomes
| Company | Subdomains | IOCs in Feed | Pi Day Assessment | Outcome by Mar 27 |
|---|---|---|---|---|
| Stryker | 1,014 | 233 | Handala exposure, high risk | HIT Mar 11 — 200K devices wiped |
| Intuitive Surgical | 13 | 0 | Clean in 13 seconds | HIT Mar 13 — phishing breach |
| Baxter | 470 | 2,620 | DoseIQ/Claria patient infra exposed | Not yet — highest IOC count in vertical |
| Datavant | — | 0 | n8n CVE active | Not yet |
| Medtronic | — | 43 | Surgical robotics | Not yet |
| + 3 others | Various | Various | Scored and documented | Not yet |
Two of eight hit within 16 days of our assessment. The data was screaming before both attacks.
Why medical devices? Iran chose healthcare deliberately. The Stryker attack was explicitly claimed as retaliation for a US airstrike on an Iranian school. Healthcare is critical infrastructure that generates maximum public impact with minimum military response. Two different Iranian groups (Handala and Pay2Key) targeted the same vertical in the same three-week window. That's strategic coordination, not coincidence.
What Defenders Should Do Right Now
Immediate Actions (This Week)
Patch Cisco FMC (CVE-2026-20131). CVSS 10.0. Unauthenticated RCE as root. Exploited by Interlock ransomware since January 26 — a full month before disclosure. If you run FMC and haven't patched, assume compromise.
Audit your MDM. Stryker was wiped through Microsoft Intune. Handala compromised one admin account and pushed a factory reset to 200,000 devices across 79 countries. Check Intune, AirWatch, JAMF — MFA on every admin account. Alert on mass device actions. Test whether a single compromised admin can wipe your fleet.
Monitor these ASNs:
| ASN | Provider | Why |
|---|---|---|
| AS214036 | Ultahost | Handala post-seizure hosting, runs Tor relays |
| AS57724 | DDOS-Guard LTD (Russia) | Handala operational infrastructure |
| AS47583 | Hostinger | Handala C2 per maltrail |
| PONYNET | Cloudzy | Known bulletproof hosting for Iranian operations |
Deploy Handala IOCs. Our STIX feed has 148 indicators including post-seizure infrastructure that no other feed has published. Free at analytics.dugganusa.com/stix.
Check for Volt Typhoon indicators. If China is pre-positioned in your infrastructure, the current conflict environment gives them reason to activate. CISA's Volt Typhoon advisory is your starting point.
Review federal system access. If your organization interfaces with Treasury, OPM, SSA, or any system DOGE has accessed, assume your access patterns have been observed by adversaries who were already inside.
Detection Priorities
| What To Detect | Why | How |
|---|---|---|
| Telegram API calls from internal hosts | Handala uses Telegram as C2 | Monitor for api.telegram.org in outbound HTTP, especially with bot token patterns |
| Mass MDM actions | Stryker attack vector | Alert on bulk device wipe/reset commands from any single admin |
| Device code OAuth flows | Active M365 phishing campaign | Query Azure AD for device code flow authentications you don't recognize |
| Webshell uploads to Magento | PolyShell hit 56.7% of stores | Check for unauthorized files in Magento upload directories |
| VNC connections to OT systems | Russian hacktivist targeting | CARR and Z-Pentest are scanning for open VNC on water/energy/agriculture systems |
| DNS queries to .ps TLD | Handala post-seizure domain | Low false positive rate — how many legitimate .ps domains does your org use? |
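One way to implement the Telegram, .ps DNS and mass-MDM rows of this table, and the "test whether a single compromised admin can wipe your fleet" check from the MDM audit step above, as an added example that is not part of the original post. The proxy and DNS log line shapes, the MDM event tuple shape, the 25-actions-in-10-minutes threshold and every sample record are assumptions constructed here, not real telemetry.

```python
"""Added detection sketches; log shapes, thresholds and sample records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Telegram Bot API URL shape: api.telegram.org/bot<numeric id>:<35-char secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]{35}/")

def telegram_hits(proxy_lines):
    """Map source host -> 'bot-token' or 'host-only' for outbound Telegram API use."""
    hits = {}
    for line in proxy_lines:              # assumed shape: "<src> <method> <url>"
        src, _method, url = line.split(" ", 2)
        if TELEGRAM_BOT_RE.search(url):
            hits[src] = "bot-token"       # strongest signal: a bot token in the path
        elif "api.telegram.org" in url:
            hits.setdefault(src, "host-only")
    return hits

def ps_tld_queries(dns_lines, allowlist=frozenset()):
    """Return (src, qname) for lookups under .ps that are not explicitly allowlisted."""
    flagged = []
    for line in dns_lines:                # assumed shape: "<src> <qname>"
        src, qname = line.split()
        name = qname.rstrip(".").lower()
        if name.endswith(".ps") and name not in allowlist:
            flagged.append((src, name))
    return flagged

def bulk_mdm_actions(events, threshold=25, window=timedelta(minutes=10)):
    """{admin: peak count} for admins issuing >= threshold wipe/retire actions in any window."""
    per_admin = defaultdict(list)
    for ts, admin, action in events:      # assumed shape: (datetime, admin, action)
        if action in {"wipe", "retire", "factoryReset"}:
            per_admin[admin].append(ts)
    flagged = {}
    for admin, times in per_admin.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):    # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[admin] = max(flagged.get(admin, 0), hi - lo + 1)
    return flagged

FAKE_TOKEN = "bot1000000:" + "A" * 35    # constructed sample input below, not real telemetry
PROXY = [f"10.0.4.17 POST https://api.telegram.org/{FAKE_TOKEN}/sendDocument",
         "10.0.4.22 GET https://api.telegram.org/", "10.0.4.30 GET https://example.com/"]
DNS = ["10.0.4.17 handala-hack.ps.", "10.0.4.31 portal.example.ps.", "10.0.4.9 login.microsoftonline.com."]
T0 = datetime(2026, 3, 11, 2, 0)
MDM = [(T0 + timedelta(seconds=5 * i), "svc-intune-admin", "wipe") for i in range(40)]
```

The MDM threshold is the tunable that matters: set it just above the largest legitimate batch your helpdesk ever issues, and route anything above it to a page, not a ticket.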
Strategic Posture
This is not a normal threat environment. The formal trilateral pact means:
Intelligence is shared. What Iran learns from the Lockheed breach, China and Russia receive. What China mapped inside US telecom networks, Iran can use for targeting.
Infrastructure is shared. Handala hosts on Russian DDOS-Guard. Russian hacktivists appear on Iran's cyber front. Chinese scanning provides reconnaissance that benefits all three.
Timing is coordinated. 149 DDoS attacks in 9 hours on Day 1 of the conflict. Two different Iranian groups hitting healthcare in the same three-week window. Chinese scanning surges coinciding with Iranian escalation. This is not coincidence.
The Five Eyes nations are the explicit targets. The domestic security apparatus is weakened. The adversary alliance is formalized and operating at tempo.
Defend accordingly.
Sources
Patrick Duggan is the founder of DugganUSA LLC. He applied to build AI platforms for Lockheed Martin. They're considering other candidates. Iran accepted theirs. The STIX feed is free at analytics.dugganusa.com/stix. PreCog has been red for 48 hours. Defend accordingly.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.