CRINK attacks: which nation state hackers will be the biggest threat in 2026?
The past year has seen a number of attacks performed by China, Russia, Iran and North Korea (CRINK)
Throughout 2025 nation state adversaries have carried out a large number of notable attacks, with incidents attributed to China, Russia, Iran and North Korea – also known as CRINK. In August, UK and US officials publicly linked three technology companies based in China with a global malicious cyber campaign targeting critical networks.
Russia is engaged in rampaging cyber attacks in Ukraine and abroad, hitting critical sectors such as energy as part of its geopolitical aims. Iran is becoming a more formidable adversary, while North Korean IT workers have been infiltrating an increasing number of firms in the US and Europe.
Going into 2026, the landscape is shifting slightly, so which of the CRINK attackers is the biggest threat to businesses?
China in the lead
Experts concur that China is a leading threat to UK and US businesses, but it might not pose the most pressing risk.
China represents the most “persistent, long-term threat” to western firms, says Philip Ingram, MBE, a former colonel in British military intelligence. This is due to its “focus on harvesting as much data as it can, stealing IP and proprietary data via stealthy, long-dwell operations”, he says.
China-nexus operations aiming to influence its future ability to understand and manipulate western thinking “consistently surpasses the volume of other nations”, according to Ingram.
He paints a scary picture of Chinese adversarial activity: “They are on a massive data harvesting mission, storing anything and everything they can find, in order to create a lake of data they can analyse when quantum computing challenges are overcome.”
However, this is a more long-term risk. Russia presents the highest immediate threat of “catastrophic operational disruption for critical national infrastructure (CNI)”, Ingram adds.
At the same time, he warns, Iran-backed groups are growing more sophisticated, leveraging AI in social engineering and focusing on targets in the Middle East, Israel and the US and UK to support regional political objectives.
A relative threat
The threat posed by nation state adversaries is relative, based on the country and industry a firm operates in. “If you are in Ukraine and Eastern Europe, the biggest risk is Russia,” according to Ian Thornton-Trump, CISO at Inversion6.
“For US critical infrastructure, the biggest risk is China; if you’re an Iranian dissident, it’s the Iranian intelligence services and their surveillance capabilities; and if you have anything to do with Bitcoin it’s North Korea.”
While all firms can be a target of nation state attacks, a few sectors are at a more obvious risk. Organizations targeted by Chinese nation state activity include those within CNI such as energy and utilities, either directly, or indirectly via the supply chain, says Darrel Lang, cyber threat intelligence analyst at Bridewell. “This serves the national objectives set by the Chinese Communist Party (CCP) to develop and assert domestic economic and technological dominance, where pre-positioned backdoor accesses are the primary objective. Theft of intellectual property is now secondary.”
On top of CNI and the supply chain, nation states are also targeting the AI ecosystem, says Ingram. Semiconductor manufacturers, AI model developers, and companies with large, proprietary training datasets are at risk from nation states and China-backed adversaries in particular, he warns.
This is likely to continue into 2026, with China continuing its successful “Typhoon” campaigns seeking to embarrass western governments and “take as much intellectual property as possible”, says Thornton-Trump.
At the moment, the Iranian regime is “confined to the home front” to focus on dissidents, Thornton-Trump says. Yet he thinks it’s probable the nation “will execute some large cyber-attacks” to “keep Hamas, Hezbollah and the Houthis in awe of the Regime”.
North Korea is still largely focused on money, specifically cryptocurrencies, says Thornton-Trump. He thinks 2026 will reveal the extent to which the IT supply chain has been compromised at a global level by the North Korean IT workers scheme – which famously impacted security firm KnowBe4 in 2024.
“Some researchers believe it’s been in place as early as 2014 and the amount of intellectual property stolen from IT companies could be extraordinary.”
Types of CRINK attacks
While nation state adversaries often focus on specific targets, there is no single tactic, technique and procedure (TTP) to look out for going into 2026, says Lang. “Chinese nation-state groups have demonstrated the capability to secure initial access via numerous methods, often tailored on the basis of prior reconnaissance activity,” he says.
However, key attack vectors that must be considered are supply chain compromise, SEO poisoning and exploits of public facing applications, Lang suggests. “These techniques enable low-noise approaches to a target network and a minimalist footprint from which they can conduct long-term actions on objectives.”
Often, the means of nation states gaining access are simple and well-trodden. Most recently, social engineering, in particular vishing, has been making a comeback, says Andy Swift, cybersecurity assurance technical director, Six Degrees. “Complexities of remote work and supply chains in the modern workplace have created space for this type of attack to thrive and a number of organizations are finding themselves without guidance or policy.”
The most important thing to understand is that nation state actors “generally don’t perform random attacks and will have specific objectives”, says Thornton-Trump. “It could be anything from compromising endpoints to building a botnet for distributed denial of service (DDoS) attacks – or a specific goal for espionage purposes. It all comes down to detecting the attack, containing it, and pushing the threat actor out of the network.”
How to prepare for CRINK in 2026
While China seems to be shifting its tactics and ramping up, experts say 2026 could see much of the same from all nation states, with adversaries increasingly using technology such as AI to supercharge attacks. AI will help to increase speed, scale and believability, as well as supporting traditional human intelligence type operations, says Ingram.
With this in mind, Ingram advises getting the basics right, shoring up identity and access management and employing a zero trust mindset.
Thornton-Trump emphasizes the benefits of a threat intelligence program, alongside optimum detection capabilities. “If it’s likely you will need to go toe-to-toe with nation state adversaries, you have to gear-up – be able to detect initial compromise and quickly act,” he says. “The critical piece here is to have a very high signal-to-noise ratio to detect even subtle activity that could be an indication of compromise.”
Extermination, a term used for removing the various footholds adversaries may have in the network, is another step to take, adds Thornton-Trump.
“You need a well-resourced and trained threat hunting team with expertise in reverse engineering. CRINK is likely to possess never-seen-before malware capabilities so expect to discover things that are rare and unique. Facing off against nation state actors is probably the toughest job in cyber and bringing in outside help, such as law enforcement and even intelligence agencies, may need to be part of the response playbook.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.
