Information Operations

The Foundation for Defense of Democracies published an analysis of the 2026 Annual Threat Assessment released by ODNI in March, grading the assessment's treatment of the "Axis of Aggressors" — China, Russia, Iran, and North Korea — as strategically sound but faulting it for hedging on specific ongoing adversarial cyber operations and likely Taiwan crisis scenarios.

ISPI published a policy brief warning that Russia and China have formalized an information operations alliance that is "institutionalized, resourced, and operationally integrated across cyber, space, and AI domains," posing a direct threat to the integrity of Europe's 2026 electoral cycle, including upcoming votes in France. The brief also flagged an AI-generated foreign information manipulation and interference (FIMI) campaign on TikTok targeting Hungary's April elections.


Cyber Operations

Microsoft published a report on AI-enabled device code phishing campaigns that mark a significant escalation from the Storm-2372 activity observed in 2025. The campaigns use generative AI to craft role-specific phishing lures (RFPs, invoices, manufacturing workflows) and automation platforms like Railway.com to deploy thousands of short-lived polling nodes, achieving a 54% click-through rate versus 12% for traditional phishing. Microsoft also seized 330 domains tied to the Tycoon2FA phishing kit, which has been linked to approximately 100,000 compromised organizations.

The European Commission confirmed a data breach of its Europa.eu platform after the ShinyHunters extortion gang leaked over 90 GB of stolen files. The breach originated on March 19 when attackers acquired an API key for the Commission's AWS account via an earlier compromise of the open-source security tool Trivy. CERT-EU attributed the initial intrusion to the cybercrime group TeamPCP. Data from at least 29 other EU entities may also be affected.


Foreign Influence & Intelligence Competition

Chinese private technology firms — some with PLA certifications — are marketing AI-processed military intelligence on U.S. force deployments in the Iran conflict. One firm, Jing'an Technology, has claimed to track U.S. B-2A stealth bombers during strikes on Iranian targets using open-source data and AI analysis. Separately, Iranian forces are reportedly using AI-enhanced satellite imagery from Chinese firm MizarVision to refine targeting of U.S. installations, compressing the kill chain from hours to minutes. The House Select Committee on China called the activity "turning AI into a battlefield surveillance tool against America."

Asia Times reported that analysts view the Iran conflict as a proxy laboratory for China to collect battlefield data on U.S. and Israeli weapons systems, radar signatures, and operational networks — providing strategic benefit without direct military intervention.

Russia continues to provide Iran with satellite intelligence on U.S. troop movements via its Kanopus-V satellite (re-designated "Khayyam" upon transfer to Iranian operational use), enabling precision targeting that Tehran could not achieve alone.


Espionage & Surveillance

Congress faces an April 20 deadline to reauthorize Section 702 of the Foreign Intelligence Surveillance Act. The White House is pushing for a clean 18-month extension without new warrant requirements, while Senators Lee, Durbin, and Wyden have introduced competing reform bills. No reauthorization legislation has been introduced yet, and the provision will sunset on April 20 if Congress does not act.

Google Threat Intelligence Group reported that state-aligned cyber actors are intensifying espionage operations against the global defense industrial base, with China-nexus groups identified as the most active threat in terms of sustained volume against defense and aerospace targets.

Iranian intelligence forces announced they seized 45 U.S. and Israeli-built spying devices and communication equipment during operations in the northwestern province of West Azerbaijan, claiming to have dismantled a spy network operating in the border region.