Findings from the Canadian Cyber Centre's National Cyber Threat Assessment 2025-2026

Cybercrime remains a constant challenge, ransomware still threatens critical infrastructure, and state-sponsored cyber activity continues to impact Canadian interests. The Canadian Centre for Cyber Security (AKA Cyber Centre) National Cyber Threat Assessment 2025–2026, released in October 2024, builds on previous reports from 2018, 2020, and 2023–2024. It offers an updated view of the current cyber threat environment, along with projections of what Canadians should expect through to 2026.

Let’s dive into what the report says about today’s cyber threats—what’s stayed the same, what’s changing, and how individuals, businesses, and government institutions in Canada can better prepare for what’s ahead.

Key Judgements From the Report

Breaking Down Adversarial Operational Structure

The report provides an overview of the operational structure of APT cyber adversaries. The structure is a hybrid public-private ecosystem made up of government entities, such as military and intelligence services, and decoy front companies. These front companies act as cover, masking the true state-funded origin of cyber attacks while allowing governments to distance themselves from direct attribution. The wider ecosystem involves both private offensive cybersecurity contractors and freelancers who specialize in cyber attack activities.

A graphic that describes the state cyber program ecosystem. (Source: Canadian Cyber Centre's National Cyber Threat Assessment 2025-2026)

  • Core ecosystem: The core of the state cyber ecosystem is composed of government-aligned entities with direct operational roles. These include military units and civilian intelligence organizations responsible for executing cyberspace operations. It also includes front companies that are state-controlled but designed to appear independent, helping to obscure attribution and give cover to government cyber actors during offensive campaigns.

  • Wider ecosystem: Beyond the core, a broader ecosystem of loosely affiliated or contracted entities supports state cyber efforts. This includes private cyber contractors hired for specific offensive projects, freelance operators who occasionally assist state objectives, research institutions that develop offensive technologies, and commercial surveillance vendors who supply spyware and zero-day exploits. Exploit brokers also play a role by trading in vulnerabilities, often serving both state and non-state clients. Together, these entities extend a state’s reach and capability without direct state affiliation.

Unique Threats from Canada's Biggest Cyber Adversaries

The report outlines the cyber strategies of five major nation-state adversaries that pose a direct or indirect threat to Canada. These countries operate state-sponsored programs with varying objectives—ranging from espionage and influence to financial gain and strategic disruption. Understanding the unique approaches of each adversary helps clarify the motivations and tactics behind the cyber activities targeting Canadian interests.

  • People’s Republic of China (PRC): The PRC poses the most sophisticated and persistent cyber threat to Canada, targeting all levels of government, private industry, and diaspora groups. Its cyber operations support political, economic, and military objectives, including espionage, IP theft, and transnational repression. PRC actors have compromised at least 20 Canadian government networks and targeted politicians critical of the CCP. China’s cyber activity intensifies during diplomatic tensions and includes pre-positioning for potential disruptive operations in North American critical infrastructure.

  • Russian Federation (Russia): Russia uses cyber operations as part of a hybrid strategy combining espionage, influence campaigns, and destructive attacks to destabilize Canada and its allies. It targets Canadian government, military, and private sector networks, and uses criminal proxies to obscure attribution. Russian actors have executed major global intrusions, including SolarWinds and Microsoft email breaches, and conducted psychological operations like the Kyivstar attack. Pro-Russia non-state actors frequently launch DDoS attacks against Canadian targets to influence public perception and foreign policy.

  • Islamic Republic of Iran (Iran): Iran employs cyber tools to repress opposition, intimidate foreign governments, and conduct disruptive operations abroad. Though Canada is not a primary target, Iranian actors are likely present in domestic networks and may escalate if tensions rise. Iran uses social engineering and fake personas to target activists, diaspora members, and public officials for espionage and harassment. The regime combines technical attacks with disinformation to exert coercive influence while maintaining plausible deniability.

  • Democratic People’s Republic of Korea (DPRK): North Korea’s cyber program is focused on financial gain to fund its regime, with ransomware and cryptocurrency theft as key tools. While not a strategic threat to Canada, it presents a persistent cybercrime risk across many sectors. DPRK cyber actors operate under state protection, blending espionage and cybercrime. Their operations are adaptable, well-funded, and aligned with broader political and military priorities.

  • Republic of India (India): India is building a modern cyber capability focused on national security objectives like espionage, counterterrorism, and influence. It likely relies on commercial vendors to enhance its cyber operations. Indian state-sponsored actors have reportedly targeted Canadian government networks for intelligence purposes. Tensions in bilateral relations are expected to continue driving India’s cyber threat activity toward Canada.

Conclusion

According to the Cyber Centre's National Cyber Threat Assessment 2025–2026, Canada continues to face a growing and complex cyber threat environment shaped by hostile nation-states and increasingly sophisticated criminal networks. As cyber capabilities expand globally, the lines between government operations and private actors are becoming more blurred. Proactive cybersecurity measures and cross-sector collaboration will be critical in defending against both persistent threats and emerging risks through 2026.
