National Cyber Threat Assessment 2025-2026: Key Insights

Executive Summary

Canada is confronting an increasingly complex and aggressive cyber threat landscape, characterized by a growing array of state and non-state actors targeting national security and critical infrastructure. State adversaries are evolving beyond traditional espionage, pre-positioning within critical networks for potential future disruptive attacks and combining cyber operations with online information campaigns to intimidate and influence public opinion.

The People's Republic of China (PRC) represents the most sophisticated and active state-sponsored cyber threat to Canada, engaging in extensive espionage, intellectual property theft, and transnational repression. Russia's cyber program aims to confront and destabilize Canada and its allies, while Iran is expanding its coercive and disruptive cyber operations beyond the Middle East.

Concurrently, cybercrime remains a pervasive and disruptive force, sustained by a resilient and interconnected Cybercrime-as-a-Service (CaaS) ecosystem. This model lowers the barrier to entry for malicious actors and fuels the growth of threats. Ransomware has emerged as the most impactful cybercrime threat, particularly against Canada's critical infrastructure, with actors escalating their extortion tactics to maximize profits. Ransomware incidents and associated payments reached record highs in 2023, a trend expected to continue as threat actors refine their capabilities and exploit digital supply chains.

Overview of the Threat Assessment

This briefing synthesizes the key findings of the National Cyber Threat Assessment 2025-2026 (NCTA 2025-2026), published by the Canadian Centre for Cyber Security (Cyber Centre), part of the Communications Security Establishment (CSE). The assessment, based on classified and unclassified information available as of September 20, 2024, concludes that Canada has entered a "new era of cyber vulnerability" where cyber incidents have cascading and disruptive effects on the daily lives of Canadians.

The report's analysis uses estimative language to convey the probability of its judgements, based on a rigorous assessment methodology.

Estimative language and the probability each term conveys:

  • Almost certain: 95% - 100% chance
  • Very likely / Very probable: 80% - 95% chance
  • Likely / Probable: 60% - 80% chance
  • Roughly even chance: 40% - 60% chance
  • Unlikely / Improbable: 20% - 40% chance
  • Very unlikely / Very improbable: 5% - 20% chance
  • Almost no chance: 0% - 5% chance

--------------------------------------------------------------------------------

1. State-Sponsored Cyber Threats

State adversaries are leveraging a complex and expanding cyber ecosystem to conduct operations that extend beyond espionage to include disruptive attacks and influence campaigns. The cyber programs of the PRC, Russia, and Iran are identified as the greatest strategic threats to Canada.

The State Cyber Ecosystem

State cyber programs operate through a multifaceted ecosystem composed of core and wider elements:

  • Core Ecosystem:
    • Intelligence and Military Organizations: Directly affiliated actors conducting cyberspace operations.
    • Front Companies: State-controlled entities that provide cover for cyber threat actors.
  • Wider Ecosystem:
    • Cyber Contractors: Private companies performing project-based cyber activities (e.g., I-Soon in the PRC).
    • Freelance Cyber Operators: Individuals or small teams working for the state opportunistically.
    • Supporting Entities: Affiliated research institutions, commercial surveillance vendors, and exploit brokers that provide technology, talent, and tools.

People’s Republic of China (PRC)

The PRC's cyber program is assessed as the most sophisticated and active state cyber threat to Canada, characterized by its global scale, advanced tradecraft, and ambitious objectives.

  • Strategic Objectives: The PRC conducts cyber operations to serve high-level political and commercial goals, including espionage, intellectual property (IP) theft, malign influence, and transnational repression.
  • Targeting of Government: PRC actors persistently target all levels of government in Canada—federal, provincial, territorial, municipal, and Indigenous.
    • Over the past four years, at least 20 networks associated with Government of Canada agencies have been compromised by PRC actors.
    • Canadian officials, particularly those critical of the Chinese Communist Party (CCP) like members of the Inter-Parliamentary Alliance on China (IPAC), have been targeted in reconnaissance operations.
  • Transnational Repression: The PRC uses cyber capabilities to monitor, harass, and silence activists, journalists, and diaspora communities in Canada, particularly groups it labels the "Five Poisons" (Falun Gong practitioners, Uyghurs, Tibetans, Taiwanese independence supporters, and pro-democracy activists).
  • Economic Espionage: Canada's innovation ecosystem, private sector, and academia are long-standing targets. PRC actors have very likely stolen commercially sensitive data to support China's economic and military development in strategic technology sectors such as quantum computing, 6G networks, and advanced aviation.
  • Pre-positioning in Critical Infrastructure: In a significant strategic shift, PRC actors (tracked as Volt Typhoon) are almost certainly pre-positioning within U.S. critical infrastructure for potential disruptive attacks during a conflict. Due to the integrated nature of North American critical infrastructure (e.g., power grids, pipelines), this activity poses a direct risk to Canada.

Russian Federation

Russia's cyber program is a key component of its strategy to confront and destabilize Canada and its allies.

  • Strategic Objectives: Russia combines cyber espionage and network attacks with disinformation to promote its global status, erode trust in democratic institutions, and weaken its opponents.
  • Espionage against Canada: Canada is assessed as very likely a valuable espionage target due to its NATO membership, support for Ukraine, and Arctic presence. Russian actors target government, military, and critical infrastructure networks, often through supply chain compromises (e.g., SolarWinds) and attacks on cloud services (e.g., the Microsoft corporate email breach).
  • Pro-Russia Non-State (PRNS) Actors: Russia leverages a network of hacktivists and cybercriminals who conduct disruptive activities against Canada, likely with links to Russian intelligence services.
    • These groups have conducted DDoS campaigns against Canadian government and private sector websites, timed to coincide with events like the Ukrainian Prime Minister's visit.
    • PRNS actors have also attempted to compromise and disrupt operational technology (OT) systems in North American critical infrastructure, such as water facilities.

Islamic Republic of Iran

Iran employs an aggressive cyber program to coerce, harass, and repress its opponents, with an increasing willingness to conduct disruptive attacks beyond the Middle East.

  • Coercive Operations: Iranian state-sponsored actors conduct multi-stage disruptive operations—including denial of service attacks, data wiping, and data leaks—to intimidate opponents and influence foreign policy. These actions are often amplified by hacktivist personas and social media channels to maintain deniability.
  • Transnational Repression and Espionage: Iran is highly sophisticated in using social engineering to target individuals in Canada considered threats to the regime, including activists, journalists, and members of the Iranian diaspora. These campaigns often build trust through impersonation before delivering malware to harvest credentials.

Other State Actors of Note

  • Democratic People’s Republic of Korea (DPRK): The DPRK's cyber program has a dual purpose of revenue generation and intelligence collection. Its state-sponsored actors engage directly in cybercrime, including ransomware and cryptocurrency theft, to fund the regime. This presents a persistent and well-resourced cybercrime threat to Canadian individuals and organizations.
  • Republic of India: India is building a modernized cyber program to advance its national security interests. It likely leverages commercial cyber vendors and conducts cyber espionage against Government of Canada networks, with the level of activity very likely driven by the state of official bilateral relations.

--------------------------------------------------------------------------------

2. Cybercrime Threats

Cybercrime, primarily motivated by financial gain, remains the threat most likely to affect Canadians. Its persistence is fueled by the growth of a sophisticated and resilient online ecosystem.

The Cybercrime-as-a-Service (CaaS) Ecosystem

The CaaS business model has professionalized cybercrime, making it more accessible and scalable.

  • Function: Specialized actors sell or lease ready-to-use malicious tools, data, and services to other cybercriminals through online marketplaces (e.g., the disrupted Genesis Market), forums, and encrypted chat platforms.
  • Offerings: Services include Ransomware-as-a-Service (RaaS), Malware-as-a-Service, Phishing-as-a-Service (PaaS), and Access-as-a-Service.
  • Impact: CaaS has lowered the technical barrier to entry, enabling a larger number of less-sophisticated actors to conduct attacks and increasing the overall volume and resilience of cybercrime.

Fraud and Scams

Fraud and scams are almost certainly the most common forms of cybercrime impacting Canadians, with significant financial consequences.

  • Reported Losses from Fraud in Canada (CAD):
    • 2021: $383 million
    • 2022: $530 million
    • 2023: $567 million
  • Key Methods: Phishing and spear phishing are among the most reported types of fraud. The threat is growing with the proliferation of PaaS kits and AI-powered chatbots that can craft highly convincing fraudulent messages.

The Ransomware Threat

Ransomware is one of the most disruptive forms of cybercrime facing Canada, with attacks increasing in scope, frequency, and complexity. It is assessed as the top cybercrime threat facing Canada's critical infrastructure.

  • Growing Scale: 2023 was a record-breaking year for ransomware globally, with an estimated 74% rise in incidents and $1 billion USD in total ransom payments.
    • The average ransom paid in Canada in 2023 was $1.130 million CAD, an increase of nearly 150% in two years.
    • Ransomware incidents known to the Cyber Centre have shown a 26% average year-over-year growth since 2021.
  • Top Ransomware Groups (2023): LockBit, ALPHV, CL0P, PLAY, and Black Basta. Most operate on a RaaS model, where core developers lease ransomware to affiliates.
  • Targeting Critical Infrastructure: Ransomware actors are increasingly engaging in "big game hunting"—targeting large organizations and critical infrastructure entities perceived as more willing to pay to avoid operational disruptions.
    • Recent Canadian Incidents: Suncor Energy, SickKids hospital, five Southern Ontario hospitals, London Drugs, the Government of Nova Scotia, and the City of Hamilton have all been impacted by major cyber incidents, including ransomware.
    • The healthcare sector has seen a significant rise in attacks, with incidents nearly doubling worldwide since 2022.

Ransomware Incidents by Sector (Canada, 2022-2023)

The following shows the percentage increase in Canadian ransomware incidents from 2022 to 2023, as observed by the Cyber Centre:

  • Information technology: 159%
  • Finance: 157%
  • Construction: 133%
  • Transportation: 122%
  • Professional services: 112%
  • Retail: 90%
  • Healthcare: 75%
  • Energy: 67%

  • Resilience and Evasion: Despite major international law enforcement disruptions against groups like Hive, ALPHV, and LockBit, the ransomware ecosystem remains resilient. Actors often rebrand and resume operations, supported by the flexible and decentralized CaaS model.

--------------------------------------------------------------------------------

The NCTA 2025-2026 identifies five key trends that will shape Canada's cyber threat landscape in the coming years:

  1. Artificial Intelligence (AI): AI technologies are amplifying cyberspace threats.
  2. Evolving Tradecraft: Cyber threat actors are continually evolving their techniques to evade detection.
  3. Geopolitically Inspired Non-State Actors: These groups are creating unpredictability in the threat environment.
  4. Vendor Concentration: A reliance on a small number of key technology vendors is increasing systemic cyber vulnerability.
  5. Dual-Use Commercial Services: Commercially available digital services are increasingly caught in the digital crossfire of geopolitical conflicts.
