top of page
Search

EMERGING THREAT REPORT: A DOMINANCE OF CYBERATTACKS ON CRITICAL INFASTRUCTURE; GLOBAL DISTRIBUTION OF ARMED ASSAULTS; AND THE MILITARY/JUNTA ATTACKS WITHIN THE TRANSITIONAL NATIONS

  • Senior Editor
  • 1 hour ago
  • 7 min read

(The DTAR Emerging Threat Report is to help Threat, Security, Intelligence, and Investigative Professionals [TSIIPs] with threat awareness and prevention.)[1]


Nirmal Jose, Isobel Allen, Andrew Britland, Jeffrey Glibowski, Ignacio Valdés Fuentes, WATCH/GSOC Team

Jackie Heier, Meghan Terry, Gabe Halupka, Jen Radlinsky, Editors; Jennifer Loy, Chief Editor

November 13-26, 2025


ree

*Events that affect multiple critical infrastructure sectors are counted within each sector


Emerging Threat #1: From November 13 to 26, there were 201 attacks, of which 31.8 percent were directed against critical infrastructure. The three critical infrastructure sectors most affected were law enforcement and safety, government facilities, and transportation systems. Cyberattacks were the most common form of attack affecting critical infrastructure; out of 79 attacks, 22 cases involved cyber or technology. Of the attacks that impacted the law enforcement sector, only 5.9 percent were cyberattacks, which is lower than in other sectors with a similar number of attacks. Government facilities were affected by cyberattacks at a rate and volume of over three times that of law enforcement during the time frame, at 19.1 percent. The education sector was impacted 14 times, but 21.4 percent of the attacks on the education sector were cyberattacks, nearly quadrupling the cyberattack rate of law enforcement. Cyberattacks will very likely increase incidents affecting critical infrastructure because they allow perpetrators to operate remotely with minimal physical risk and use increasingly accessible technology such as AI. Unknown perpetrators carried out 45.5 percent of cyberattacks that impacted critical infrastructure, while another 40.9 percent were carried out by hacker groups that prioritize remaining anonymous. The lack of ideological association likely indicates the intent of cyberattackers to conduct targeted, covert attacks with plausible deniability, rather than acts of terrorism. Hackers will very likely become motivated by economic gain, using cyberattacks for profit. Nation-state hackers will very likely use their loyalty to serve their government’s needs as a key driver.


Critical Infrastructure Sectors impacted by Cyber Events → 29

  • Information Technology Sector → 10

  • Government Facilities Sector → 4

  • Transportation Systems Sector → 3

  • Educational Sector → 3

  • Communications Sector → 2

  • Financial Services Sector → 2

  • Defense Industrial Base Sector → 1

  • Healthcare and Public Health Sector → 1

  • Commercial Facilities Sector → 1

  • Law Enforcement and Safety Sector → 1

  • Emergency Services Sector → 1


Conclusion: Cyberattacks against the education sector will likely increase, as attackers can easily exploit its cybersecurity vulnerabilities. These attacks will very likely affect digital service disruptions on major critical infrastructures. The Information Technology Sector will very likely remain a primary target as its systems are highly interconnected, meaning disrupting one network will likely impact other dependent services. The Law Enforcement Sector is unlikely to face more cyberattacks because it recognizes the threat and funds a high standard of cybersecurity in response.


How can TSIIPs use this data?

This data can be used to increase security measures to prevent the continuation of cyberattacks targeting critical infrastructure. TSIIPs should increase special cybersecurity teams to avoid the potential leak of sensitive information. Implementing intrusion detection systems and enhancing the security of supervisory control and data acquisition systems (SCADA) can help detect abnormal activity before an attack occurs. TSIIPs should initiate educational programs on new methods and technologies for cyber threats to understand the rapidly evolving cybersecurity landscape. TSIIPs should remember that, as cyberattacks are unknown and hackers are very likely to remain anonymous, prosecuting attackers can be challenging. Although some cyberattacks will be due to an insider threat. TSIIPs should prioritize their cyber hygiene while encouraging teams to track the attacks and threats by enforcing multi-factor authentication and regularly updating software. Tools such as user-behavior analytics, access monitoring, and intrusion detection systems should be used.


ree

Emerging Threat #2: From November 13 to 26, 155 kinetic attacks occurred. The top three attack methods were armed assaults (in combination with other attack forms) with 53 attacks, bombings/explosions with 45, and other unspecified methods with 30 events. Those tactics were also used in combination with other methods, such as human rights violations and kidnapping. The data shows that 24.5 percent of those armed assaults occurred in Nigeria, followed by the Democratic Republic of Congo at 15.1 percent and Palestine at 13.2 percent. These high rates are concentrated in nations facing governance, security, and societal challenges, which very likely limit the effectiveness of law enforcement and arms control measures. In these countries, limitations in state capacity and weak institutional coordination likely contribute to an elevated frequency of violent attacks. Nigeria and the Democratic Republic of Congo will very likely experience the majority of armed assaults due to the crisis, lack of security, and humanitarian situation. Armed assaults in this region were likely impacted by significant Islamist extremist influence and presence without a strong leading government. Europe is unlikely to experience a comparable number of armed attacks due to the stability and security systems of some nations. Gang and cartel influences in North and South America will likely lead to a steady number of armed assaults. Asia will likely see few armed assaults, especially in far-eastern nations such as Japan or Taiwan. Even when the Middle East showed a reduction in armed assault attacks, it is almost certain that this will change in the short term due to the ongoing conflict in Israel, the West Bank, and Syria.


Total armed assaults → 55

  • Nigeria → 13

  • Democratic Republic of Congo → 8

  • Palestine → 7

  • Colombia → 5

  • USA → 3

  • Mexico → 2

  • Open water → 2

  • Greece → 1

  • Australia → 1

  • Iran → 1

  • India → 1

  • Peru → 1

  • Ecuador → 1

  • Pakistan → 1

  • Russia → 1

  • Gaza Strip → 1

  • Guinea-Bissau → 1

  • Cambodia → 1

  • Bangladesh → 1

  • Zimbabwe → 1

  • Ukraine → 1


Conclusion: Trends in armed assault data indicate Nigeria and the Democratic Republic of Congo will very likely consistently experience high numbers of armed assaults. Africa will likely account for the majority of armed assaults. Europe has recorded the fewest armed assaults; it will almost certainly continue this trend. There is a roughly even chance that seasonal factors, such as December festivities, could temporarily elevate risk. In North America, the United States will likely account for a large volume of armed assaults, driven by mass shootings. Armed assault in Mexico will likely be due to cartel-related violence. South America will likely experience lower but notable levels of armed assault, likely linked to narco-terrorist groups and guerrilla dissidents. Across Asia, armed assault will remain concentrated in countries with ongoing instability, such as Myanmar. In the Middle East, security issues and complex political environments, particularly in Israel, the West Bank, and Syria, will likely make armed assault persistent.


How can TSIIPs use this data?

TSIIPs can use this data to guide risk management, helping prioritize security resources for high-risk locations, such as the Democratic Republic of Congo, Nigeria, and Colombia. A well-rounded approach should integrate strong physical security, effective communication, skilled security teams, and cultural sensitivity. For TSIIPs providing close protection to clients in these regions, this data can serve as a practical starting point for developing strategies and operational protocols that are responsive to intelligence and changing conditions. TSIIPs should use this data to focus counterterrorism efforts on Islamist extremist groups that are responsible for the most armed assaults. This includes improving regional cooperation through joint training, border patrols, and intelligence sharing. At the strategic level, TSIIPs can use this data to mitigate arms proliferation by reevaluating baseline assessments and creating appropriate Weapons and Arms Management (WAM) programs or by implementing a practical WAM framework that sets out measures in key functional areas involving transfers, stockpile management, record-keeping, and the handling and disposal of illicit arms and ammunition.


ree

Emerging Threat #3: From November 13 to 26, 68 attacks occurred across the transitional nations: 44 in Syria, 11 in Myanmar, and 13 in Sudan. Junta/Military control was the most common perpetrator type at 41 percent, followed by Islamist extremism at 16 percent. Across all non-transitional nations, Islamist extremists accounted for only 2.7 percent of total attacks, whereas in Syria, they were responsible for 25 percent, a rate nine times higher than the global average. The imbalance and power vacuum in Syria will very likely enable competing threat actors to operate without much oversight, likely increasing the potential for escalating violence and territorial disputes. In Myanmar and Sudan, the most active perpetrators are military groups in governance, such as the junta in Myanmar, with 11 attacks. Myanmar and Sudan will very likely remain under military regimes that use force against dissidents and insurgents, which will likely leave civilians exposed to harm. More than 80 percent of incidents involving transitional nations did not target critical infrastructure, but likely targeted people directly. The remaining events that targeted critical infrastructure impacted the Defense Industrial Sector and the Food and Agriculture Sector. These attacks likely reflect attempts by armed groups to control supply chains and food resources, imperative for consolidating influence.


Total Ideological attacks → 68

Islamist → 11

Junta/Military Control → 28

N/A → 17

Unknown → 11

Separatists → 1


Conclusion: Syria will very likely remain a nation of Islamist attacks due to the multiple Islamist extremist groups operating, such as ISIS and Hayat Tahrir al-Sham (HTS). Syria’s lack of state structure will unlikely be conducive to suppressing perpetrators, bringing more harm to the public as an active target. A shift to a democratic solution in  Myanmar and Sudan will almost certainly lead to fewer events caused by junta/military control since the command will likely lose its institutional power. It is almost certain that attacks and threats in Sudan and Myanmar will target the civilian population as a mechanism of military control. These actors very likely maintain control via the targeting of journalists and through internet blackouts to suppress the spread of information.


How can TSIIPs use this data?

This data can be used to track the drivers of violence in high-risk countries, thereby improving forecasting accuracy. The data may also be used as a precursor to conducting further research and analysis into the disconnect between States and the local populations, as well as their degree of vulnerability towards being recruited by terrorist groups that seek to exploit their discontent with the ruling military juntas. TSIIPs can use tools like Armed Conflict Location & Event Data (ACLED) to project spikes in violence and civilians being targeted, allowing them to map out hotspots and geolocate zones where human rights abuses occurred. TSIIPs can treat Syria and Myanmar as distinct risk environments requiring tailored counterterrorism strategies due to their fragmentation and escalating sectarian conflict. The data above will help guide policy that is informed by context in Syria and Myanmar, enabling a holistic approach to reducing conflict and protecting vulnerable minorities such as the Alawites, Kurds, and Druze in Syria and the Rohingya in Myanmar.


[1] All data comes from The Counterterrorism Group (CTG)'s The Daily Threat Activity Reports from November 13-26, 2025.

 
 

Reports

Careers

Privacy Policy 

Services

Terms & Conditions 

  • Linkedin
  • Instagram
  • Twitter
  • Facebook

Interested in joining us? Learn more

 

© The Counterterrorism Group (CTG) - 2026 - This website and all of its contents are copyrighted by The Counterterrorism Group, Inc. 2026. Any use, reproduction or duplication of the contents of this website without the express written permission of The Counterterrorism Group (CTG) is strictly prohibited.

bottom of page