(By Khalid Masood)
Introduction: The Fifth Domain of Warfare
Throughout human history, warfare has evolved across distinct domains—land, sea, air, and space. Each new domain shifted the balance of power, rewarded innovators, and punished those who failed to adapt. Today, a fifth domain has emerged as perhaps the most contested battlespace of all: cyberspace.
Unlike traditional domains, cyberspace has no physical borders, no front lines, and no neutral territory. A single keyboard can disrupt a nation’s power grid, steal its military secrets, or sabotage its financial systems—all from thousands of miles away. In 2025, cyber warfare is no longer a theoretical concept or a supporting capability. It is a primary instrument of state power, deployed alongside aircraft carriers, fighter jets, and special forces.
Perhaps no single operation better illustrates this new reality than the February 2026 joint US-Israeli strike that eliminated Iran’s Supreme Leader Ayatollah Ali Khamenei and dozens of top military commanders. The bombs that fell on Tehran were guided not just by satellites and pilots, but by years of silent, painstaking cyber intelligence—much of it collected by Israel’s Unit 8200 through the humble traffic cameras of Tehran’s streets.
This article examines the ten most formidable state-sponsored cyber warfare units and offensive security agencies operating in 2025-2026. Our selection criteria include:
- Proven offensive capability (demonstrated operations)
- Budget, personnel, and technological resources
- Integration with national military and intelligence strategy
- Innovation in malware, zero-day exploits, and AI-driven attacks
- Global reputation among cyber security professionals
These are the units that defend their nations silently—and strike their enemies invisibly.
The Top 10 List
1. U.S. Cyber Command (USCYBERCOM) & Cyber Mission Force – United States
| Attribute | Details |
|---|---|
| Parent Organization | U.S. Department of Defense |
| Established | 2010 (elevated to Unified Combatant Command in 2018) |
| Estimated Personnel | 7,000+ (across 133 Cyber Mission Force teams) |
| Primary Mission | Offensive cyber operations, defensive cyber operations, DoD information network security |
Key Capabilities:
USCYBERCOM is the undisputed heavyweight of global cyber warfare. Its Cyber Mission Force (CMF) comprises 133 teams divided into four categories: National Mission Teams (defend critical infrastructure), Combat Mission Teams (support combatant commands), Cyber Protection Teams (defend DoD networks), and Support Teams (intelligence and planning). The command possesses an arsenal of zero-day exploits, persistent malware frameworks, and AI-enhanced attack tools that can penetrate virtually any target.
USCYBERCOM operates under a doctrine of “persistent engagement”—meaning it does not wait to be attacked. Instead, its teams actively “hunt forward” in allied networks, identifying and neutralizing foreign malware before it reaches U.S. systems.
Notable Operations:
- Operation Glowing Symphony (2018): Disrupted Islamic State’s online propaganda and recruitment infrastructure.
- Persistent Engagement Strategy (2018-present): Continuous “hunt forward” operations in allied nations, including Ukraine, Estonia, and Poland.
- 2024-2025 Campaigns: Multiple attributed operations against ransomware groups originating from Russia and North Korea, including preemptive takedowns of command-and-control servers.
- Operation Epic Fury (February 2026): In coordination with Israeli forces, USCYBERCOM provided electronic warfare support and communications disruption during the strike on Tehran. U.S. cyber operators jammed Iranian air defense communications while Israeli jets penetrated Iranian airspace.
2025-2026 Update:
USCYBERCOM has fully integrated AI-driven autonomous defense systems and expanded its partnership with the National Security Agency (NSA) under the continued “dual-hat” leadership arrangement. Budget requests for FY2026 exceeded $16 billion for cyber activities across DoD. The command has also formalized a new “Joint Cyber Warfighting Architecture” to streamline operations across all military branches.
2. Unit 8200 – Israel
| Attribute | Details |
|---|---|
| Parent Organization | Israel Defense Forces (IDF) – Intelligence Corps |
| Established | 1950s (as a signals intelligence unit) |
| Estimated Personnel | 5,000+ (including conscripts, many of whom become top cyber entrepreneurs) |
| Primary Mission | Signals intelligence (SIGINT), code decryption, offensive cyber operations |
Key Capabilities:
Unit 8200 is Israel’s equivalent of the NSA—but with a sharper offensive edge. It is renowned for producing some of the world’s most sophisticated cyber weapons, including the infamous Stuxnet worm (developed in collaboration with U.S. Cyber Command). The unit recruits exclusively from Israel’s top talent pool, and its alumni have founded hundreds of cyber security companies, including Check Point, Wiz, and Palo Alto Networks’ Israeli R&D center.
Unit 8200 maintains capabilities in network penetration, malware development, supply chain interdiction, real-time battlefield cyber support, and perhaps most distinctively—physical infrastructure hacking. Unlike many cyber units that focus on computers and networks, Unit 8200 has demonstrated the ability to hack traffic cameras, mobile phone towers, and industrial control systems.
Notable Operations:
- Stuxnet (2009-2010): Widely attributed to Unit 8200 and U.S. partners, this worm physically destroyed over 1,000 Iranian nuclear centrifuges.
- Operation Orchard (2007): Cyber and electronic warfare operations enabled the destruction of a Syrian nuclear reactor by blinding Syrian air defenses.
- Ongoing Campaigns (2020-2025): Continuous cyber operations against Iranian nuclear, military, and infrastructure targets.
Case Study: The Tehran Traffic Camera Operation (February 2026)
The most dramatic demonstration of Unit 8200’s capabilities came in early 2026, as revealed by a Financial Times investigation published March 2-3, 2026. What follows is based on that reporting, citing current and former Israeli intelligence officials.
Phase 1: Hacking Tehran’s Infrastructure
Israeli intelligence, led by Unit 8200 in coordination with Mossad, hacked nearly all traffic cameras across Tehran. This operation lasted for years, not months. The footage from these cameras was encrypted and transmitted to servers in Tel Aviv and southern Israel, where it was stored and analyzed.
One camera angle proved particularly valuable. It overlooked a compound on Pasteur Street in Tehran—a location where senior Iranian officials’ bodyguards and drivers parked their personal vehicles. This seemingly mundane vantage point became the cornerstone of one of the most sophisticated intelligence operations in modern history.
Phase 2: Building Dossiers on Security Personnel
Using the traffic camera footage, Israeli analysts compiled detailed dossiers on individual security personnel, including:
- Home addresses and daily commuting routes
- Duty hours and shift patterns over weeks and months
- Which specific leader each guard was assigned to protect
- Relationships between guards and their principals
- Personal habits, preferred routes, and behavioral patterns
Phase 3: “Pattern of Life” Analysis
Intelligence officers used complex algorithms and a mathematical method called Social Network Analysis to build what they describe as a “pattern of life” for the entire security apparatus surrounding Iran’s Supreme Leader. This involved mapping habits, schedules, relationships, and routines of dozens of individuals simultaneously.
A current Israeli intelligence official told the Financial Times: “We knew Tehran like we knew Jerusalem” long before the bombs fell.
Phase 4: Predicting the Meeting
This long-term surveillance enabled Israeli intelligence to determine—with high confidence—several critical facts:
- When Khamenei would be at his Pasteur Street office
- Who would attend the meeting with him
- The exact timing of the gathering on the morning of February 28, 2026
- The specific vehicles and routes that would be used
Phase 5: Disabling Warning Systems
In addition to visual surveillance, Israel reportedly disabled components of approximately a dozen mobile phone towers near Pasteur Street. This caused phones in the area to appear “busy” when called, preventing Khamenei’s security detail from receiving any warning alerts before the strike. The disruption was surgical—limited to the immediate vicinity to avoid tipping off broader Iranian defenses.
Phase 6: Double Confirmation
Israeli military doctrine requires double independent confirmation of a high-value target’s presence before a strike is authorized. Alongside Unit 8200’s electronic intelligence (which provided the first confirmation), the CIA reportedly provided a human source within Iran who confirmed the meeting was proceeding with Khamenei in attendance.
Phase 7: The Strike
Once confirmation was received, Israeli jets—airborne for hours awaiting precise timing—released up to 30 precision-guided munitions on the compound. Khamenei and approximately 40 other senior Iranian officials, including top military commanders from the Islamic Revolutionary Guard Corps (IRGC), were killed in the first minutes of the joint US-Israel military operation. Israel called it “Lion’s Roar” (also reported as “Roaring Lion”); the United States called it “Epic Fury.”
Significance of the Operation:
This operation represents a paradigm shift in cyber-enabled warfare. It demonstrates that a cyber intelligence unit can:
- Maintain long-term persistent access to adversary infrastructure for years
- Hack physical infrastructure (traffic cameras, mobile phone towers), not just computers
- Apply AI and algorithmic analysis to billions of data points to extract actionable intelligence
- Integrate seamlessly with human intelligence (Mossad assets and CIA sources)
- Support kinetic military strikes in real-time, bridging the gap between cyber and conventional warfare
A former Israeli intelligence official summarized the operation’s philosophy: “We didn’t need to hack Khamenei’s phone. We just needed to watch the men who watched him.”
2025-2026 Update:
Following the Tehran operation, Unit 8200 has been elevated in strategic importance within the Israeli defense establishment. Budget allocations have increased significantly, and the unit is now explicitly tasked with developing similar “pattern of life” capabilities against other high-value targets across Iran, Lebanon, and Yemen. The unit is also accelerating its AI and quantum computing research.
3. Main Directorate of the General Staff (GU) / Sandworm – Russia
| Attribute | Details |
|---|---|
| Parent Organization | Russian General Staff (formerly GRU) |
| Unit Designations | Sandworm (aka Voodoo Bear, Iron Viking), Fancy Bear, Cozy Bear |
| Estimated Personnel | Classified (estimates suggest hundreds of elite operators) |
| Primary Mission | Strategic intelligence, offensive cyber operations, critical infrastructure targeting |
Key Capabilities:
Russia’s cyber warfare apparatus is aggressive, creative, and ruthless. Sandworm—the most notorious Russian unit—specializes in destructive attacks against critical infrastructure. Unlike Western units that prioritize stealth and persistence, Russian operators are known for using “wiper” malware designed to destroy data and render systems inoperable.
Sandworm has developed unique expertise in exploiting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks. This makes them uniquely capable of attacking power grids, water treatment plants, oil refineries, and factories. They maintain a library of malware families specifically designed for different industrial environments.
Notable Operations:
- BlackEnergy / Industroyer (2015-2016): Caused multiple power outages in Ukraine, including a 30-minute blackout affecting 225,000 customers.
- NotPetya (2017): Disguised as ransomware, this wiper attack caused over $10 billion in global damages, affecting Maersk, FedEx, pharmaceutical giant Merck, and numerous other multinational corporations.
- Viasat Attack (2022): On the day of Russia’s invasion of Ukraine, Sandworm disabled thousands of Viasat satellite modems across Europe, disrupting Ukrainian military communications at a critical moment.
- 2024-2025 Campaigns: Continued targeting of Ukrainian energy infrastructure and European critical systems, including multiple attempted attacks on German wind farms and Polish rail networks.
2025-2026 Update:
Despite sanctions, operational pressures, and the loss of some key personnel, Russian cyber units remain highly active. Western intelligence indicates Russia is rebuilding and modernizing its cyber arsenal with AI-assisted tooling and deeper integration with conventional military operations in Ukraine. However, sanctions have degraded Russia’s ability to acquire advanced Western hardware, forcing reliance on domestic alternatives and battlefield capture of Western equipment.
4. CIA – Center for Cyber Intelligence – United States
| Attribute | Details |
|---|---|
| Parent Organization | Central Intelligence Agency |
| Established | 2015 (as a formal center) |
| Estimated Personnel | Classified (estimates in the thousands) |
| Primary Mission | Offensive cyber operations for foreign intelligence collection, covert action |
Key Capabilities:
While USCYBERCOM focuses on military objectives, the CIA’s cyber branch specializes in espionage, covert action, and long-term access to foreign networks. The Center for Cyber Intelligence develops bespoke malware, maintains global infrastructure for covert communications, and conducts “cyber-enabled” sabotage operations that fall below the threshold of armed conflict.
The CIA’s cyber operators work alongside traditional case officers to exfiltrate intelligence, map foreign networks, and when authorized, disrupt adversary operations. The agency maintains unique capabilities in supply chain interdiction—implanting backdoors in hardware before it reaches its intended destination.
Notable Operations:
- Vault 7 Leak (2017): WikiLeaks released thousands of documents detailing CIA cyber tools, including malware for Windows, macOS, Linux, and embedded systems. The leak confirmed the CIA’s extensive offensive capabilities and caused significant operational disruption.
- Tehran Double Confirmation (February 2026): According to Financial Times reporting, a CIA human source inside Iran provided the second independent confirmation that Khamenei’s meeting was proceeding, enabling the strike to be authorized under Israeli military doctrine.
- Ongoing Operations: Continuous campaigns against Chinese, Russian, North Korean, and Iranian targets.
2025-2026 Update:
Following the Vault 7 compromise, the CIA has rebuilt its cyber arsenal with a “zero-trust” architecture and enhanced operational security. AI-powered forensic tools now help identify leaks before they occur. The agency has also expanded its partnership with Israel’s Mossad and Unit 8200, recognizing the value of combined cyber-human intelligence operations.
5. PLA Strategic Support Force (SSF) / Unit 61398 – China
| Attribute | Details |
|---|---|
| Parent Organization | People’s Liberation Army (PLA) |
| Established | 2015 (SSF created), Unit 61398 identified publicly in 2013 |
| Estimated Personnel | Tens of thousands across multiple units |
| Primary Mission | Cyber espionage, intellectual property theft, strategic intelligence |
Key Capabilities:
China’s cyber warfare apparatus is vast, methodical, and relentlessly persistent. Unit 61398 (based in Shanghai) and its sister units (including 61486, 61427, and 41541) focus on penetrating government networks, defense contractors, and critical infrastructure worldwide.
Chinese operations prioritize long-term access over destructive effects. Unlike Russian units that often detonate their capabilities immediately, Chinese operators maintain persistent access for years, allowing them to harvest intelligence on military technologies, diplomatic strategies, and economic plans continuously.
The SSF consolidates China’s space, cyber, and electronic warfare capabilities under a single command structure, enabling integrated operations across domains. China is also the world’s largest state-sponsored trainer of cyber talent, with universities and military academies producing thousands of new operators annually.
Notable Operations:
- Operation Aurora (2009): Attributed to Chinese hackers, this breach targeted Google, Adobe, and dozens of other technology companies, stealing source code and intellectual property.
- Office of Personnel Management (OPM) Breach (2015): Stole records of 22 million current and former U.S. federal employees, including detailed security clearance background information.
- 2020-2024 Campaigns: Continuous targeting of semiconductor manufacturers, defense firms, pharmaceutical researchers, and university laboratories globally.
- Salt Typhoon (2024-2025): A major campaign targeting U.S. telecommunications infrastructure, discovered and partially mitigated by U.S. Cyber Command.
2025-2026 Update:
China has dramatically expanded its cyber workforce, with state-sponsored training programs producing thousands of new operators annually. Advanced AI-assisted scanning tools have increased the speed and scale of Chinese network penetration attempts. The SSF was reorganized in late 2025 to improve coordination between its cyber, space, and electronic warfare branches.
6. NSA – Tailored Access Operations (TAO) – United States
| Attribute | Details |
|---|---|
| Parent Organization | National Security Agency |
| Established | 1990s (as Red Team / Access Operations) |
| Estimated Personnel | Classified (estimates suggest over 1,000 operators) |
| Primary Mission | Computer network exploitation (CNE), implanting hardware and software backdoors |
Key Capabilities:
If USCYBERCOM is the hammer, TAO is the scalpel. This elite unit specializes in gaining access to the world’s most difficult targets—air-gapped networks, encrypted communication systems, and foreign diplomatic facilities. TAO operators develop custom hardware implants that can be physically inserted into target systems (via supply chain interdiction or human intelligence), as well as software exploits that bypass even the strongest defenses.
TAO maintains a library of thousands of zero-day vulnerabilities—software flaws unknown to the vendor. Some of these vulnerabilities are kept secret for years to preserve access, only revealed when operational necessity demands.
Notable Operations:
- QUANTUMINSERT: A man-in-the-middle attack system that redirects target traffic to NSA-controlled servers without the target’s knowledge.
- Hardware Implants: TAO has been known to intercept networking equipment (routers, servers, firewalls) in transit, installing backdoors before the equipment reaches its intended destination—a technique called “supply chain interdiction.”
- Operation Epic Fury Support (February 2026): TAO provided real-time network exploitation data on Iranian air defense systems during the Tehran strike.
2025-2026 Update:
TAO has expanded its focus to include cracking quantum-resistant encryption and AI-enhanced traffic analysis. The unit remains the gold standard for covert network access. In 2025, TAO successfully penetrated multiple previously inaccessible Chinese military networks using a combination of hardware implants and human intelligence.
7. Defence Cyber Agency (DCA) – India
| Attribute | Details |
|---|---|
| Parent Organization | Indian Ministry of Defence (integrated tri-service command) |
| Established | 2019 (fully operationalized by 2022) |
| Estimated Personnel | 15,000+ (including trained cyber commandos) |
| Primary Mission | Offensive and defensive cyber operations, information warfare, electronic warfare integration |
Key Capabilities:
India established the DCA as a tri-service command (Army, Navy, Air Force) to counter the growing cyber threats from China and Pakistan. The DCA recruits from India’s top technical institutes, including the Indian Institutes of Technology (IITs) and National Institutes of Technology (NITs).
The DCA maintains capabilities in network penetration, malware analysis, social engineering, and critical infrastructure defense. India has also invested heavily in “cyber commandos”—teams that can deploy alongside conventional forces to secure battlefield networks, disrupt enemy communications, and conduct electronic warfare operations.
Notable Operations:
- Counter-Hacking Campaigns (2023-2025): Following the 2022 AIIMS ransomware attack (attributed to a suspected state-backed group), DCA led a comprehensive cyber defense overhaul of India’s healthcare and research infrastructure.
- 2024-2025 Border Standoff Operations: DCA conducted continuous defensive and intelligence-gathering operations against Chinese and Pakistani networks during ongoing border tensions in Ladakh.
- Operation Digital Shield (2025): A coordinated defensive operation that successfully repelled a major distributed denial-of-service (DDoS) attack on Indian financial infrastructure.
2025-2026 Update:
India has announced plans to establish a dedicated National Cyber Warfare Command under the DCA umbrella, with a budget exceeding $1.5 billion for cyber capabilities over the next five years. The DCA has also formalized cyber cooperation agreements with the United States, France, and Australia.
8. National Cyber Force (NCF) – United Kingdom
| Attribute | Details |
|---|---|
| Parent Organization | UK Ministry of Defence and GCHQ (joint command) |
| Established | 2020 (operational from 2021) |
| Estimated Personnel | 3,000+ (projected to grow to 5,000 by 2026) |
| Primary Mission | Offensive cyber operations in support of military and national security objectives |
Key Capabilities:
The NCF represents a unique partnership between the UK’s signals intelligence agency (GCHQ) and its military. This integration—unusual among Western nations—allows the NCF to conduct offensive operations across the full spectrum: from tactical support to deployed troops (e.g., disabling enemy air defense networks) to strategic campaigns against terrorist groups or hostile states.
The NCF focuses on “persistent engagement” similar to USCYBERCOM, actively hunting adversaries in cyberspace rather than waiting to respond. The force operates from multiple locations across the UK, including a dedicated headquarters in Samlesbury, Lancashire.
Notable Operations:
- Support to Ukraine (2022-2026): NCF operators have provided continuous cyber defense assistance to Ukraine, including conducting offensive operations against Russian military networks and helping secure Ukrainian critical infrastructure.
- Islamic State Disruption (2021-2023): NCF operations degraded IS propaganda, recruitment, and command networks across Syria and Iraq.
- 2024 Election Security: NCF supported defensive cyber operations during the UK general election, successfully countering multiple foreign interference attempts attributed to Russian and Iranian actors.
2025-2026 Update:
The NCF has expanded its partnership with NATO cyber commands and received significant budget increases following the government’s 2025 Integrated Review, which identified cyber as a “tier-one” national security priority. The force is now developing dedicated AI-driven attack capabilities and has established a permanent presence in the Indo-Pacific region.
9. Joint Cyber Command (JC2) – France
| Attribute | Details |
|---|---|
| Parent Organization | French Ministry of Armed Forces |
| Established | 2017 |
| Estimated Personnel | 4,000+ (including military and civilian cyber operators) |
| Primary Mission | Offensive and defensive cyber operations, protection of French military networks |
Key Capabilities:
France’s JC2 coordinates cyber operations across all branches of the military. The command maintains both defensive teams (protecting French defense networks) and offensive units (capable of penetrating adversary systems). France has emphasized European cyber sovereignty, developing indigenous capabilities to reduce dependence on non-European technology providers—particularly from the United States and China.
JC2 operators train alongside their German, Dutch, Italian, and Spanish counterparts in NATO cyber exercises, including the annual Locked Shields exercise (the world’s largest live-fire cyber defense exercise). France has also invested heavily in quantum computing research for cryptographic applications.
Notable Operations:
- 2022-2025 Defense Campaigns: JC2 has actively defended French government and military networks against Russian and Chinese intrusion attempts, detecting and neutralizing multiple advanced persistent threat (APT) campaigns.
- Sahel Region Operations: Provided cyber and electronic warfare support to French counterterrorism forces in West Africa, including disrupting militant communication networks.
- 2024 Paris Olympics: JC2 led an unprecedented cyber defense operation protecting Olympic infrastructure from attacks, successfully repelling over 100 significant intrusion attempts during the games.
2025-2026 Update:
France has increased JC2’s budget by 40% since 2023 and announced plans to double the command’s offensive capability by 2027. The JC2 has also established a dedicated “cyber reserve” of civilian experts who can be called up during national emergencies.
10. Cyber Command of the Republic of Korea – South Korea
| Attribute | Details |
|---|---|
| Parent Organization | Republic of Korea Ministry of National Defense |
| Established | 2010 (reorganized and expanded multiple times) |
| Estimated Personnel | 1,000+ (elite operators, supported by thousands of analysts) |
| Primary Mission | Offensive and defensive cyber operations against North Korea |
Key Capabilities:
South Korea faces one of the most persistent cyber threats in the world: North Korea’s Bureau 121 (estimated 6,000+ operators). In response, the ROK Cyber Command has developed world-class defensive capabilities and increasingly aggressive offensive options.
The command operates 24/7/365, monitoring North Korean networks for signs of impending attacks and, when authorized, conducting preemptive disruptions. South Korea has invested heavily in AI-driven threat detection and response systems, as well as specialized training for cyber operators.
Notable Operations:
- 2011 Data Breach Investigation: Identified North Korean involvement in attacks against South Korean banks and media outlets, leading to increased international sanctions.
- Ongoing Counter-Operations (2015-present): Continuous efforts to disrupt North Korean cryptocurrency heists—which fund the regime’s weapons programs—and cyber espionage campaigns targeting South Korean defense contractors.
- 2024-2025 Joint Exercises: ROK Cyber Command has conducted combined cyber defense exercises with USCYBERCOM and the Japanese Defense Ministry’s cyber units.
2025-2026 Update:
Following several major North Korean cyber operations in 2024 (including the theft of approximately $1.5 billion in cryptocurrency), South Korea has elevated the Cyber Command’s authority and accelerated the development of “decapitation strike” cyber capabilities targeting North Korean command networks. The command now operates under a new legal framework that expands its authority to conduct preemptive offensive operations.
Special Mention: Pakistan’s State-Owned Cyber Warfare & Security Organizations (2025-2026)
While Pakistan does not yet possess a cyber warfare unit that ranks among the global top 10, the country has developed a growing and increasingly capable state-owned cyber apparatus. This was demonstrated most clearly during recent operations conducted amid ongoing tensions with India. The following are Pakistan’s primary state-owned cyber outfits as of 2025-2026:
1. Pakistan Air Force (PAF) Cyber Warfare Unit
| Attribute | Details |
|---|---|
| Parent Organization | Pakistan Air Force |
| Role | Offensive cyber operations against enemy air and command networks |
| Notable Operation (2025) | Reported to have conducted a sustained cyber offensive targeting the Indian Air Force’s Northern Air Command, disrupting their command-and-control functions for extended periods. |
The PAF has long recognized cyberspace as a critical domain for air superiority. Its Cyber Warfare Unit focuses on penetrating adversary air defense networks, disrupting command-and-control communications, and protecting PAF’s own digital infrastructure. The unit works closely with the PAF’s electronic warfare squadrons to integrate cyber and conventional capabilities.
2. Military Cyber Team (Under Operation Bunyan ul Marsoos)
| Attribute | Details |
|---|---|
| Parent Organization | Joint Military Command (exact unit name remains classified) |
| Role | Full-spectrum cyber offensive operations |
| Notable Operation (May 2025) | Executed what was described as a “full-spectrum cyber offensive” targeting multiple Indian critical sectors, including: power infrastructure (temporarily disrupting electricity to nearly 80% of users in some regions), military communication networks (Indian Air Force’s Northern, Southern, and Western Commands), airport digital systems (Mumbai, Delhi, Kolkata), railway systems, petroleum and gas sector databases, and email/OTP authentication infrastructure. |
This operation marked Pakistan’s deliberate shift toward fifth-generation warfare (5GW), in which conflict extends beyond traditional battlefields into digital systems and information domains. While the exact unit designation remains classified, the operation demonstrated coordinated, multi-sector offensive capability. Independent cybersecurity firms later confirmed significant disruption to Indian systems, though both governments have maintained official silence on the details.
3. National Cybersecurity Authority (NCA)
| Attribute | Details |
|---|---|
| Parent Organization | Government of Pakistan |
| Legal Basis | Cybersecurity Act 2025 |
| Role | National cyber defense, incident response, threat intelligence, strategic coordination |
The NCA represents a major institutionalization of Pakistan’s cyber framework. Established under the Cybersecurity Act 2025, the NCA serves as the central body for coordinating cyber defense across government, military, and critical infrastructure sectors. It is responsible for developing national cyber doctrine, responding to major incidents, conducting cyber exercises, and liaising with international partners.
The NCA is structured into multiple directorates, including:
- National Cyber Threat Intelligence Directorate
- Critical Infrastructure Protection Directorate
- Cyber Crisis Management Directorate
- International Cooperation Directorate
4. Pakistan Computer Emergency Response Team (PKCERT)
| Attribute | Details |
|---|---|
| Parent Organization | Likely under NCA or Ministry of IT and Telecommunication |
| Role | National-level cyber threat monitoring, alerting, and resilience coordination |
PKCERT serves as Pakistan’s national CSIRT (Computer Security Incident Response Team). Its responsibilities include monitoring cyber threats, issuing public warnings, coordinating incident response across sectors, maintaining national cyber situational awareness, and conducting outreach to private sector organizations.
Under the Cybersecurity Act 2025, PKCERT’s authority and resources have been significantly expanded. The team now operates 24/7 and has established formal information-sharing arrangements with international CERTs, including those of China, Turkey, and Saudi Arabia.
5. National Cyber Crime Investigation Agency (NCCIA)
| Attribute | Details |
|---|---|
| Parent Organization | Ministry of Interior / Federal Investigation Agency (FIA) |
| Role | Cyber crime investigation, digital forensics, counter-cyber terrorism |
The NCCAI focuses on the law enforcement dimension of cyber operations. It investigates major cyber crimes (including financial fraud, child exploitation, and cyber terrorism), conducts digital forensics, and pursues cyber criminals across national and international jurisdictions.
While primarily defensive and law enforcement-oriented, the NCCAI’s technical capabilities and intelligence gathering support broader national security objectives. The agency has established cyber crime units in each province and maintains a dedicated forensic laboratory in Islamabad.
Assessment of Pakistan’s Cyber Capabilities
Strengths:
- Tier-1 ITU Ranking: Pakistan has achieved Tier-1 ranking in the ITU Global Cybersecurity Index, reflecting growing institutional capability and international recognition.
- Demonstrated Offensive Operations: The May 2025 Operation Bunyan ul Marsoos demonstrated the ability to conduct coordinated, multi-sector cyber attacks against a major adversary (India).
- Legal Institutionalization: The Cybersecurity Act 2025 and establishment of the NCA provide a formal legal and organizational foundation for future growth.
- Fifth-Generation Warfare Doctrine: Pakistan’s military leadership has publicly acknowledged cyber as a primary domain, indicating strategic commitment.
- Regional Partnerships: Pakistan has established cyber cooperation agreements with China, Turkey, and Saudi Arabia, providing access to technology and training.
Limitations:
- Personnel and Budget: Pakistan’s cyber units remain significantly smaller, less technologically advanced, and less well-funded than their U.S., Israeli, Russian, or Chinese counterparts.
- Talent Retention: Pakistan faces challenges in retaining top technical talent, with many skilled professionals leaving for higher-paying positions in the private sector or abroad.
- Limited Battle-Testing: Beyond operations against India, Pakistan’s cyber units have limited experience conducting operations against other adversaries or in complex, multi-domain environments.
- Infrastructure Vulnerabilities: Pakistan’s own critical infrastructure remains vulnerable to cyber attack, a weakness that adversaries could exploit.
Trajectory:
The trajectory is clear: Pakistan is building a state-owned cyber warfare capability commensurate with its regional strategic position. Expect further institutional development, increased budgets, deeper integration with conventional military operations, and potentially a dedicated Cyber Command in the coming years. The establishment of the NCA under the 2025 Cybersecurity Act suggests that Pakistan is moving toward a more formalized and transparent cyber command structure comparable to those of other nations—though significant gaps remain.
_______________________________________________
Honorable Mentions
The following units possess significant cyber capabilities but narrowly missed the top 10:
- Bureau 121 (North Korea): Estimated 6,000+ operators focused on cryptocurrency theft (funding weapons programs), ransomware, and espionage against South Korea, Japan, and the United States.
- IRGC Cyber Command (Iran): Conducts destructive attacks (e.g., 2021 Colonial Pipeline ransom, though Iran denied involvement), data theft, and proxy operations through affiliated hacker groups.
- Cyber and Information Domain Service (CIR) (Germany): Established 2024 as Germany’s first unified military cyber command, rapidly growing but still maturing. Expected to enter top 10 rankings within 3-5 years.
- Joint Cyber Command (JSCU) (Netherlands): Highly capable but smaller scale; known for technical excellence and close NATO cooperation, particularly in protecting European critical infrastructure.
Comparison Table: Top 10 Cyber Warfare Units
| Rank | Unit | Country | Est. Personnel | Primary Focus | Known For |
|---|---|---|---|---|---|
| 1 | USCYBERCOM / Cyber Mission Force | USA | 7,000+ | Full-spectrum | Largest, best-resourced, persistent engagement |
| 2 | Unit 8200 | Israel | 5,000+ | SIGINT & Offensive | Stuxnet, Tehran traffic cameras, elite talent |
| 3 | Sandworm (GU) | Russia | Hundreds | Destructive attacks | Wiper malware, power grid attacks |
| 4 | CIA Center for Cyber Intelligence | USA | Classified (thousands) | Espionage & Covert action | Long-term access, human source integration |
| 5 | PLA SSF / Unit 61398 | China | Tens of thousands | Espionage & IP theft | Persistent, massive scale, supply chain access |
| 6 | NSA Tailored Access Operations | USA | 1,000+ | Network exploitation | Hardware implants, zero-day library |
| 7 | Defence Cyber Agency (DCA) | India | 15,000+ | Full-spectrum | Tri-service integration, cyber commandos |
| 8 | National Cyber Force (NCF) | UK | 3,000+ | Persistent engagement | GCHQ-military integration |
| 9 | Joint Cyber Command (JC2) | France | 4,000+ | Full-spectrum | European sovereignty, Olympic defense |
| 10 | ROK Cyber Command | South Korea | 1,000+ | Counter-North Korea | 24/7 monitoring, preemptive operations |
The Future of Cyber Warfare (2026-2030)
As we look beyond 2026, several trends will define the next generation of cyber conflict:
1. AI vs. AI Warfare
Human operators will increasingly supervise autonomous systems that conduct cyber attacks and defenses at machine speed. The first cyber war fought primarily by AI may be only a few years away. Both the United States and China have acknowledged investing heavily in AI-driven cyber weaponry.
Implication: Response times will shrink from hours to milliseconds. Human decision-makers will struggle to keep pace with machine-speed conflict, raising the risk of accidental escalation.
2. Critical Infrastructure as Primary Target
Power grids, water treatment plants, hospitals, and financial systems will remain prime targets. The distinction between cyber warfare and kinetic warfare will blur as attacks cause physical destruction. The 2026 Tehran operation demonstrated how cyber intelligence can enable kinetic strikes; future operations may see cyber attacks directly causing physical damage without any missiles or bombs.
Implication: Nations will increasingly treat cyber attacks on critical infrastructure as acts of war, potentially lowering the threshold for conventional military response.
3. Space-Cyber Nexus
Satellites are vulnerable to cyber attack. Disabling or taking control of enemy satellites—or the ground stations that command them—will become a core military objective. Several nations, including the United States, China, Russia, and India, have demonstrated anti-satellite capabilities, both kinetic and cyber.
Implication: The next major conflict may begin with the disabling of an adversary’s satellite network, blinding their communications, navigation, and surveillance capabilities.
4. Cyber-Physical Attacks
Ransomware will evolve beyond data encryption to include physical sabotage. Adversaries may trigger industrial accidents, disable emergency response systems, or manipulate safety controls to cause harm. Industrial control systems remain dangerously exposed, and many critical facilities lack basic cyber hygiene.
Implication: The same attack that locks a hospital’s data could also disable its life support systems. Legal and ethical frameworks for cyber warfare remain dangerously underdeveloped for such scenarios.
5. Private Sector Mobilization
Governments will increasingly integrate private cyber security firms into national defense structures, raising complex questions about authority, liability, and escalation. Companies like CrowdStrike, Mandiant, and Palo Alto Networks already provide threat intelligence to multiple governments.
Implication: The line between public and private cyber operations will blur. A private company’s incident response could have national security implications, and private-sector operators may find themselves targeted by state actors.
6. International Norms and Escalation Management
The world lacks clear rules for cyber warfare. Major powers will continue jockeying to establish norms that favor their own capabilities while restraining adversaries. The Tallinn Manual (2.0) provides a non-binding framework, but no international treaty specifically governs cyber warfare.
Implication: Until norms are established, the risk of miscalculation and unintended escalation remains high. A cyber attack perceived as “not that serious” by the attacker could be interpreted as an act of war by the target.
7. Quantum Computing and Cryptography
Quantum computers, when fully realized, will break much of the encryption that currently secures global communications, financial transactions, and military networks. Major powers are racing to develop both quantum computers and quantum-resistant encryption.
Implication: The nation that achieves quantum supremacy first will have
Conclusion
The units profiled in this article represent a new kind of military power—one that operates in milliseconds, crosses borders without detection, and can paralyze a nation without firing a single bullet. In 2025-2026, U.S. Cyber Command, Israel’s Unit 8200, Russia’s Sandworm, and their peers are as essential to national security as aircraft carriers or nuclear arsenals. The February 2026 elimination of Iran’s Supreme Leader—enabled not by a spy on the ground but by years of patient analysis of Tehran’s traffic cameras—demonstrates that cyber intelligence has fundamentally changed the nature of modern warfare. For emerging nations like Pakistan, the challenge is no longer whether to invest in cyber warfare capabilities, but how to do so effectively, strategically, and within the bounds of international norms. The next great conflict may not begin with a tank crossing a border or a missile launch. It may begin with a keystroke—silent, invisible, and devastating. The units listed above are the ones writing that future, one line of code at a time.