Why It Matters

A newly updated Congressional Research Service report cataloguing major cyberattacks from 2012 to 2025 offers Congress its most comprehensive public accounting yet of foreign adversaries targeting U.S. networks, and the picture it paints is not reassuring.

The report, authored by CRS cybersecurity specialist Chris Jaikaran and updated May 18, 2026, documents dozens of nation-state and criminal cyberattacks against U.S. government agencies, critical infrastructure, financial institutions, and private companies.

It arrives at a moment when the Trump administration has reduced staff at the Cybersecurity and Infrastructure Security Agency and moved to roll back Biden-era cyber regulations, creating a direct tension between the threat landscape the report describes and the policy direction currently underway.

The central tension in this report is straightforward: the U.S. government has spent more than a decade identifying, attributing, and publicly disclosing foreign cyberattacks, building an institutional infrastructure to do so. The question Congress now faces is whether that infrastructure is being preserved or dismantled precisely when the threats are most acute.

The report's cyber threat history spans four adversary nations, two categories of attackers, and attacks ranging from the theft of nearly 150 million Americans' personal data in the Equifax hack to the pre-positioning of malware inside U.S. water and energy systems. These are not hypothetical risks. They are documented, attributed, and in several cases, the subject of federal indictments.

For a Congress weighing deterrence strategy, defense appropriations, and oversight of the executive branch's cybersecurity posture, this report is a baseline. The cyberattack case studies it assembles from primary government sources (including court findings, grand jury indictments, and official agency statements) represent the authoritative public record of what foreign actors have done to American networks.

The Big Picture

The report draws on the intelligence community's 2026 Annual Threat Assessment to identify four primary nation-state adversaries: China, Russia, North Korea, and Iran. Each pursues distinct objectives.

China's operations are the most expansive in scope. The report documents the Volt Typhoon campaign, in which state-sponsored actors compromised U.S. critical infrastructure, not to steal data, but to establish persistent access that could be activated to cause disruption if ordered. Separately, the Salt Typhoon campaign saw Chinese actors compromise major U.S. telecommunications companies to steal customer communications. Earlier, the 2017 Equifax hack, which stole the personal information of nearly 150 million Americans, was attributed to China's People's Liberation Army.

Russia's operations span espionage, election interference, and infrastructure disruption. The SolarWinds supply chain attack, attributed to Russia's Foreign Intelligence Service, compromised government and private-sector networks by inserting malicious code into widely used software management tools. Russia's GRU targeted the 2016 election, hacking political campaigns and state election infrastructure. As recently as May 2025, the same GRU unit was publicly attributed with targeting Western logistics companies supporting Ukraine aid delivery.

North Korea's cyber operations are primarily financial. The report documents how APT-38, operating under North Korea's Reconnaissance General Bureau, destroyed Sony Pictures' computers, compromised the SWIFT international banking network, deployed the WannaCry ransomware, and targeted cryptocurrency companies to steal funds for state programs. In a separate operation, North Korean actors deceived U.S. technology companies into hiring remote workers who were actually state operatives generating revenue for Pyongyang.

Iran's operations have targeted election infrastructure, critical systems, and defense-related intellectual property. In 2020, two Iranian nationals were charged with hacking state election websites, accessing voter information on more than 100,000 citizens, and sending disinformation to politicians and media. Iranian actors linked to the Islamic Revolutionary Guard Corps targeted U.S. water and wastewater industrial control systems in 2022. The IRGC-affiliated Mabna Institute ran a years-long campaign stealing academic data and research from U.S. universities and government agencies.

Criminal Actors Add a Second Layer of Risk

Beyond nation-states, the report's cybersecurity incidents timeline includes a substantial catalogue of foreign criminal operations. The Phobos ransomware gang victimized more than 1,000 organizations and stole over $16 million. The Qakbot botnet, operated from Russia, ran from 2008 to 2025, with its creator selling access to other criminal groups who then deployed ransomware. The REvil group conducted a supply chain attack against an IT management company, distributing ransomware to that company's clients simultaneously.

The report notes that while criminal actors are generally less resourced than nation-states, their attacks are often highly effective. Many nation-states also direct criminal proxies to conduct operations, blurring the line between the two categories.

Attribution: The Prerequisite for Everything Else

A significant portion of the report addresses how attribution works and why it matters. The CRS lays out a spectrum of source authority, from court convictions at the highest end to social media claims at the lowest. The report relies exclusively on primary government sources: indictments, court findings, and official agency statements.

Attribution is described as difficult but achievable. Investigators analyze the tradecraft used in an attack, the malware deployed, the infrastructure employed, and the intent suggested by target selection. They then assign confidence levels. Moderate confidence means the evidence is clear and convincing, but alternatives remain possible. Low confidence means evidence points to a particular actor, but significant information gaps exist.

Adversaries actively work to frustrate attribution by obfuscating their activity, removing traces from networks, and using new infrastructure for each campaign.

Political Stakes

For the Administration

The report's documentation of Volt Typhoon and Salt Typhoon as ongoing Chinese operations inside U.S. networks creates a direct policy challenge. The administration is simultaneously pursuing trade negotiations with China while the intelligence community is reporting that Chinese actors are pre-positioned inside American critical infrastructure. The report also notes that the Department of Defense is now operating under a "Department of War" secondary designation per Executive Order 14347, signed September 5, 2025, a labeling change the report flags in its methodology section.

The administration's reductions at CISA are particularly relevant here. The report's entire methodology depends on CISA's capacity to issue public advisories attributing attacks. If that capacity erodes, the public record of cyberattacks erodes with it.

For Congress

The report was produced at Congress's direction, and its implications for congressional action are substantial. The Computer Fraud and Abuse Act and the Economic Espionage Act are the primary statutes under which cyberattack perpetrators are prosecuted, and the report's catalogue of indictments reflects their use. But the report also implicitly raises questions about whether existing law and institutional capacity are keeping pace with the threat.

Members on both sides of the aisle have raised concerns about the frequency and impact of cyber incidents, and this report gives them a documented, sourced baseline for those concerns. The notable data breaches and infrastructure intrusions catalogued here span multiple administrations and congressional sessions, making this a bipartisan oversight issue.

For the Public

The attacks documented in this report are not abstract. The Equifax hack exposed the personal data of nearly 150 million Americans. Iranian actors accessed voter information and sent threatening messages to voters ahead of the 2020 election. North Korean ransomware hit U.S. hospitals. Russian actors compromised the software tools used by federal agencies. The report makes clear that the consequences of these attacks fall on ordinary Americans, not just on government systems.

The Bottom Line

Two things stand out from this report. First, the four adversaries identified by the intelligence community have been conducting sustained, escalating operations against U.S. networks for more than a decade, and the tactics are growing more sophisticated. Pre-positioning malware in critical infrastructure for potential future use, as Volt Typhoon reportedly did, represents a qualitative escalation beyond data theft.

Second, the government's ability to detect, attribute, and disclose these attacks depends on the institutional infrastructure that has been built up over that same decade. The agencies cited throughout this report (CISA, the FBI, the DOJ, the ODNI) are the machinery that makes attribution possible. Decisions about their funding, staffing, and regulatory authority are not administrative housekeeping. They are, according to the record this report assembles, decisions about whether the United States can continue to see what is being done to its networks and say so publicly.
