Homeland Security Brief - January 2026
This brief highlights significant threats to US homeland security posed by China, Russia, Iran, and North Korea observed between December 2025 and January 2026.
Summary:
Observed Threats - Current activity that poses direct risk to US homeland security
A Chinese national was charged with unlawfully recording aircraft, facilities and security measures at Whiteman Air Force Base in Missouri.
Cisco Talos assesses that the Chinese state-affiliated hacking group UAT-8837 conducted a prolonged campaign of intrusions into US critical infrastructure networks in 2025.
The Kimsuky Group, a hacking group affiliated with the North Korean state, conducted a months-long spearphishing campaign targeting think tanks, universities, and government organizations with emails carrying QR codes that lead to credential-harvesting pages.
Horizon Threats - International activity that may pose future risk to US homeland security
The intelligence services of two NATO nations have assessed that Russia is building a new “zone-effect” weapon to target Starlink and other US space infrastructure.
OBSERVED THREATS
Current activity that poses direct risk to US homeland security
1. CHINESE NATIONAL CHARGED WITH UNLAWFUL SURVEILLANCE OF B-2 BOMBER BASE
On January 7, the US Attorney's Office for the Western District of Missouri announced charges against Chinese national Qilin Wu for conducting unlawful surveillance of Whiteman Air Force Base in Missouri, home of the US B-2 Spirit bomber fleet.

According to the criminal complaint, Wu took photographs and videos of the base’s B-2s as well as their facilities and base security measures.
“The complaint alleges that on December 2, 2025, the Whiteman Air Force Base Office of Special Investigations (AFOSI) investigated a report of a suspicious minivan bearing a Massachusetts license plate near the perimeter of the military installation. Air Force patrolmen were dispatched to the area to investigate, and encountered Wu, who stated that he was there to observe the B-2 Spirit aircraft. The patrolmen informed Wu that he was not permitted to take photographs or make video recordings of the military installation.
“The following day, according to the complaint, AFOSI was notified that the same minivan was again identified at a perimeter fence of Whiteman Air Force Base. AFOSI agents went to the area to investigate and again made contact with Wu. Wu admitted to taking videos of the B-2 Spirit aircraft and numerous photographs of Whiteman’s perimeter fencing, a gate, and military equipment. Wu showed investigators his phone, including images of Whiteman Air Force Base and military equipment that Wu had recorded. In total, investigators observed 18 images and videos that Wu admitted he had taken of the installation and of military equipment. Wu also admitted to having photographed another U.S. Air Force base and its military aircraft as well.”
Additional Information:
The B-2s at Whiteman Air Force Base make up a critical component of the US nuclear triad, and were used in the June strikes on Iran’s nuclear facilities. As a result, activities on the base are of significant interest to foreign intelligence services. Concerns about Chinese surveillance of Whiteman Air Force Base have been building for some time. On November 13, 2025, Congressman Mark Alford (MO-04) asked the Treasury Department to investigate the 2017 purchase of a trailer park adjacent to the base by a Chinese shell company with alleged ties to Chinese intelligence.
This latest event is part of a long-running pattern of security incidents near US military bases involving Chinese nationals. A September 2023 Wall Street Journal report found that Chinese nationals had been involved in at least 100 separate cases of illegal intrusion onto, or surveillance of, US military bases and other sensitive government facilities in recent years.
2. CHINESE HACKING GROUP UAT-8837 TARGETING US CRITICAL INFRASTRUCTURE
On January 15, Cisco’s Talos threat intelligence group reported that it had observed a Chinese state-affiliated hacking group, tracked as UAT-8837, conducting multiple intrusions into critical infrastructure networks during 2025.
“After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims. The threat actor uses a combination of tools in their post-compromise hands-on-keyboard operations, including Earthworm, SharpHound, DWAgent, and Certipy. The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a ViewState Deserialization zero-day vulnerability in Sitecore products, indicating that UAT-8837 may have access to zero-day exploits.”
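The Talos description above names Certipy among UAT-8837's post-compromise tools. One thing Certipy can do is request a certificate from an over-permissive Active Directory Certificate Services template while supplying an arbitrary user principal name in the subject alternative name; the resulting certificate is a durable credential for that account, which is exactly the kind of additional "channel of access" the description refers to. The brief does not say which Certipy capability UAT-8837 used, so the check below is offered as an added example, not as code from the brief or from Cisco Talos: it scans CA request records and flags any request whose SAN names a different account than the requester. The records are constructed, and their pipe-separated layout (request id, requester, template, request attributes, subject) is an assumption rather than the exact field set of Windows Event ID 4887.

```python
"""Flag certificate requests whose SAN names an account other than the requester.

Added example, not from the brief or from Cisco Talos. The record layout
below is an assumed simplification of a CA's issued-request log; adapt the
parser to the real event schema before use.
"""
import re

# Constructed sample. 1202 is the suspicious one: an ordinary user account
# asks for a certificate whose SAN carries the administrator's UPN.
SAMPLE_REQUESTS = """\
1201|CORP\\jdoe|User|CertificateTemplate:User|CN=jdoe
1202|CORP\\jdoe|WebServerLegacy|CertificateTemplate:WebServerLegacy SAN:upn=administrator@corp.example|CN=jdoe
1203|CORP\\fs01$|Machine|CertificateTemplate:Machine SAN:dns=fs01.corp.example|CN=fs01.corp.example
1204|CORP\\mwu|UserEnrollAll|CertificateTemplate:UserEnrollAll SAN:upn=mwu@corp.example|CN=mwu
"""

# Account part of every "upn=<account>@<domain>" inside the request attributes.
UPN_RE = re.compile(r"upn=([^@\s,;]+)@", re.IGNORECASE)


def requester_account(requester: str) -> str:
    """'CORP\\jdoe' -> 'jdoe': drop the domain prefix and normalise case."""
    return requester.split("\\")[-1].lower()


def san_upn_accounts(attributes: str) -> list[str]:
    """Account names carried as UPNs in the SAN request attribute."""
    return [m.lower() for m in UPN_RE.findall(attributes)]


def find_san_mismatches(text: str) -> list[dict]:
    """One finding per (request, SAN UPN) pair where the UPN account differs
    from the requesting account. DNS SANs are ignored: they belong to machine
    certificates and do not map to a user account."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        req_id, requester, template, attributes, subject = line.split("|", 4)
        who = requester_account(requester)
        for acct in san_upn_accounts(attributes):
            if acct != who:
                findings.append({
                    "request_id": req_id,
                    "requester": who,
                    "san_account": acct,
                    "template": template,
                    "subject": subject,
                })
    return findings


if __name__ == "__main__":
    for f in find_san_mismatches(SAMPLE_REQUESTS):
        print(f"request {f['request_id']}: {f['requester']} requested a "
              f"certificate for {f['san_account']} via template {f['template']}")
```

Legitimate enrollment agents and some automated provisioning will also produce requester/SAN mismatches, so in practice the requester set is allowlisted; the point of the check is that a stolen account asking for someone else's identity on a template that permits it is visible on the CA, independently of whatever the intruder does with the certificate afterwards.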
Additional Information:
Chinese state-affiliated hacking groups routinely target critical infrastructure networks in the US and allied nations. Groups such as Salt Typhoon, Volt Typhoon, Flax Typhoon, Linen Typhoon, and Violet Typhoon have conducted some of the largest and most significant cyber intrusions in US history.
In 2024, Salt Typhoon carried out an especially wide-ranging espionage campaign, breaching nine US telecom companies to collect intelligence on the presidential campaigns of Donald Trump and Kamala Harris, access federal law enforcement wiretaps, and compromise servers of the Army National Guard and the National Nuclear Security Administration.
The Volt Typhoon group carried out a significantly more dangerous set of intrusions in 2023, penetrating the networks of a wide range of US critical infrastructure operators in order to pre-position for future disruptive attacks. The intrusions were severe enough to warrant a joint warning from the Five Eyes intelligence alliance of the threat posed to every organization in the US and allied nations:[1]
“…Volt Typhoon has been pre-positioning themselves on U.S. critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies.
“This is a critical business risk for every organization in the United States and allied countries. The advisory provides detailed information related to the group’s activity and describes how the group has successfully compromised U.S. organizations, especially in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors. The authoring organizations urge critical infrastructure owners and operators to review the advisory for defensive actions against this threat and its potential impacts to national security.”
China has reportedly admitted that its prepositioning of cyber forces in critical infrastructure, as seen in Volt Typhoon’s operations, is designed to build leverage over the US and allied nations to deter intervention in support of Taiwan. UAT-8837’s activities may serve a similar purpose.
3. NORTH KOREAN HACKERS USING QR CODE PHISHING TO TARGET GOVERNMENT, UNIVERSITY, AND THINK TANK EMPLOYEES
On January 8, the FBI announced that North Korean hackers from the Kimsuky group had conducted a months-long spearphishing campaign built around QR codes that lead to credential-harvesting pages. The “quishing” operation targeted think tanks, academic institutions, and government organizations with emails prompting recipients to scan the QR codes with their phones.
According to the FBI, the attack is significant in that it can effectively bypass multi-factor authentication systems and compromise both a user’s organizational and personal devices.
“After scanning, victims are routed through attacker-controlled redirectors that collect device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals.”
“Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical “MFA failed” alerts. Adversaries then establish persistence in the organization and propagate secondary spearphishing from the compromised mailbox. Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, Quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.”
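The FBI passage above explains why quishing does not trip the usual MFA alarms: the victim really does complete MFA on their phone, the resulting session token is captured by the attacker's redirector, and it is then replayed from the attacker's own client without any further challenge. The signal a defender can look for is therefore a client change inside an already-authenticated session, not a failed login. The script below is an added example, not part of the brief or of the FBI advisory: it scans sign-in records and raises one alert per session whose token is used from a different IP or user agent than the one that passed MFA, with a higher severity when the session was minted on a mobile device and replayed from a desktop. The records are constructed, and their pipe-separated schema (timestamp, user, session id, source IP, user agent, MFA outcome) is an assumption rather than any identity provider's real log format.

```python
"""Flag session-token replay following a quishing compromise.

Added example, not from the brief or from the FBI advisory. The record
schema is an assumed simplification of an identity provider's sign-in log;
map the real fields (session/refresh token id, source IP, user agent, MFA
result) onto SignIn before running this against production data.
"""
from dataclasses import dataclass

MOBILE_MARKERS = ("iPhone", "iPad", "Android", "Mobile")


@dataclass(frozen=True)
class SignIn:
    ts: int            # Unix seconds
    user: str
    session_id: str    # opaque identifier for the session / refresh token
    ip: str
    user_agent: str
    mfa: str           # "passed", "not_required" (existing session), or "failed"


# Constructed sample: alice authenticates on a phone, then the same session
# reappears from a Windows desktop at a new IP with no MFA prompt. bob's
# session stays on one client throughout.
SAMPLE_LOG = """\
1700000000|alice@example.org|sess-7f3a|203.0.113.10|Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1|passed
1700000600|alice@example.org|sess-7f3a|198.51.100.77|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|not_required
1700000700|alice@example.org|sess-7f3a|198.51.100.77|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|not_required
1700001000|bob@example.org|sess-22c1|192.0.2.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|passed
1700001300|bob@example.org|sess-22c1|192.0.2.5|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|not_required
"""


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed pipe-separated schema, oldest event first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, ua, mfa = line.split("|")
        records.append(SignIn(int(ts), user, sid, ip, ua, mfa))
    return sorted(records, key=lambda r: r.ts)


def client_family(user_agent: str) -> str:
    """Coarse device class from the user agent string (heuristic)."""
    return "mobile" if any(m in user_agent for m in MOBILE_MARKERS) else "desktop"


def find_replays(text: str) -> list[dict]:
    """One alert per session whose token is used from a client that differs
    from the one that completed MFA. Later uses of the same session are not
    re-alerted, and failed challenges are ignored since they yield no token."""
    origin: dict[str, SignIn] = {}   # session_id -> event that passed MFA
    alerted: set[str] = set()
    alerts = []
    for ev in parse_log(text):
        if ev.mfa == "passed":
            origin.setdefault(ev.session_id, ev)
            continue
        if ev.mfa != "not_required":
            continue
        first = origin.get(ev.session_id)
        if first is None or ev.session_id in alerted:
            continue
        changed = []
        if ev.ip != first.ip:
            changed.append("ip")
        if ev.user_agent != first.user_agent:
            changed.append("user_agent")
        if not changed:
            continue
        alerted.add(ev.session_id)
        origin_family = client_family(first.user_agent)
        replay_family = client_family(ev.user_agent)
        alerts.append({
            "user": ev.user,
            "session_id": ev.session_id,
            "changed": changed,
            "origin_family": origin_family,
            "replay_family": replay_family,
            "seconds_after_mfa": ev.ts - first.ts,
            # A phone-minted token used from a desktop is the quishing shape.
            "severity": "high" if (origin_family, replay_family) == ("mobile", "desktop") else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_replays(SAMPLE_LOG):
        print(a)
```

Users do legitimately roam between networks, so the IP-only case is tuned rather than blocked outright; the combination that matters for this campaign is a session born on an unmanaged phone and continued from a different client with no MFA event in between. Providers that bind tokens to the client (for example via device certificates or token-binding features) close this gap at the source; where that is not available, revoking the session and forcing re-authentication on the alert is the practical response.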
Additional Information:
Quishing attacks are not new and have been practiced by cybercriminals for years. Their use in targeting government officials and thought leaders, however, appears to be an effort to conduct espionage rather than an extension of criminal activity.
The Kimsuky group made the quishing emails appear legitimate by spoofing sender addresses to impersonate trusted entities including the employees of foreign embassies and think tanks.
HORIZON THREATS
International activity that may pose future risk to US homeland security
4. RUSSIA DEVELOPING NEW ANTI-SATELLITE WEAPON TO TARGET STARLINK AND OTHER US SPACE INFRASTRUCTURE
On December 22, the Associated Press reported that the intelligence services of two NATO nations have assessed that the Russian military is developing a “zone-effect” weapon to attack Starlink and other low Earth orbit communications satellites. According to the report, the new weapon would “seek to flood Starlink orbits with hundreds of thousands of high-density pellets, potentially disabling multiple satellites at once but also risking catastrophic collateral damage to other orbiting systems.”
Additional Information:
Russia has been developing a variety of anti-satellite weapons for years. In November 2021, Russia tested a direct-ascent anti-satellite missile against one of its own defunct satellites, creating a large debris field in low Earth orbit. In February 2024, House Intelligence Committee Chairman Rep. Mike Turner issued an unusual public warning that Russia was developing a space-based nuclear anti-satellite weapon.
Many experts have expressed doubt that Russia would field a weapon system that, when deployed, would indiscriminately destroy the space infrastructure of strategic partners like China in addition to those of its adversaries in the West. This skepticism overlooks Russia's long history of fielding doomsday weapons that pose even greater threats to its allies. The recently fielded Burevestnik nuclear cruise missile and Poseidon nuclear torpedo, for example, would have catastrophic global effects if used.
Individually, these systems have limited utility as battlefield weapons but collectively give Russia an edge in coercive diplomacy by solidifying its command of the upper rungs of the escalation ladder. Russia has leveraged its nuclear arsenal and other strategic weapons to constrain Western military support for Ukraine, threatening catastrophic escalation in the event of strategic defeat.
[1] Five Eyes consists of the collective intelligence services of the US, UK, Canada, Australia, and New Zealand.



