Russia, Iran, and China are blending drones, cyber operations, satellite intelligence, and proxy strikes simultaneously. Single-domain risk assessment can no longer keep pace.
The threshold between peace and war has not merely blurred in 2026 — it has effectively ceased to exist. Russia is launching mass drone swarms at Ukrainian cities while sharing satellite targeting intelligence with Iran to strike U.S. military installations in the Gulf. China is applying economic coercion alongside grey-zone operations across the Taiwan Strait. Iran is orchestrating proxy attacks from Yemen to the Gulf while its forces conduct direct strikes against Western military assets. The convergence of kinetic, digital, informational, and economic instruments is not new in concept. What is new is the scale, the simultaneity, and the demonstrated willingness to weaponize every available domain at once.
For security professionals and corporate risk managers, the implication is direct: threat assessment frameworks built around discrete conflict categories are no longer fit for purpose.
Hybrid warfare predates the digital age. States have long combined military pressure with economic coercion, propaganda, and proxy forces to achieve strategic objectives while maintaining plausible deniability. The Soviet Union's use of "active measures" — disinformation, political subversion, and covert action — during the Cold War established a template that modern adversaries have refined and accelerated.
Russia's 2014 annexation of Crimea was widely cited as a modern inflection point: unmarked special forces, information operations, and economic leverage deployed in concert to achieve territorial gain without triggering a conventional NATO response. The lesson absorbed by Moscow — and observed closely by Beijing and Tehran — was that hybrid approaches could deliver strategic outcomes at lower escalatory risk than direct military confrontation with a peer adversary.
What has changed since 2014 is not the doctrine but the delivery mechanism. Drone technology has democratized precision strike capability. Artificial intelligence has accelerated the production and distribution of disinformation at industrial scale. Space-based surveillance assets have become integral to targeting cycles. And the proliferation of state-affiliated cyber units has made persistent infrastructure compromise a baseline feature of great-power competition rather than an exceptional event.
The Russia-Ukraine conflict, now in its fifth year of full-scale war, has become the most comprehensive live laboratory for hybrid warfare in modern history. Every domain is contested simultaneously, and the lessons being drawn by adversaries and allies alike will shape conflict for a generation.
Russia's operational approach in Ukraine in 2026 represents the most advanced real-world demonstration of multi-domain hybrid warfare yet observed. The pattern is not sequential — cyber, then kinetic, then information — but simultaneous and mutually reinforcing.
Following the collapse of a U.S.-brokered ceasefire in May 2026, Russian forces launched a large-scale aerial assault across Kyiv, Dnipropetrovsk, Kharkiv, and Odesa involving over 200 drones, guided bombs, and missile strikes targeting civilian infrastructure including kindergartens, residential buildings, railways, and energy facilities. At least 15 fatalities were confirmed, including a nine-month-old infant who sustained a traumatic limb amputation. Within 24 hours, a second wave of over 800 drones targeted western Ukrainian regions near NATO borders, prompting Poland to activate air interceptors — a deliberate signal of escalatory intent directed as much at the Alliance as at Kyiv.
The cyber dimension runs in parallel and without pause. Russian state-affiliated threat actors — including GRU-linked Sandworm, APT28 (Fancy Bear), FSB-linked Gamaredon, and SVR-linked APT29 — maintain persistent access to Ukrainian military and civilian networks, conducting intelligence collection, destructive malware deployment, and infrastructure disruption on a continuous basis. APT28 was confirmed in late April 2026 to be actively exploiting a Windows NTLM hash leakage vulnerability against Ukrainian and EU-based entities. Secondary hacktivist proxies including NoName057(16) conduct distributed denial-of-service operations that amplify the psychological effect of kinetic strikes, with confirmed DDoS campaigns against Ukrainian industrial and energy targets recorded in May 2026.
The information domain completes the triad. Russian operations consistently pair physical destruction with narrative operations designed to undermine Ukrainian morale, fracture Western political support, and delegitimize Kyiv's governance. The targeting of civilian infrastructure — hospitals, kindergartens, energy grids — serves a dual purpose: degrading physical resilience while generating imagery exploitable in information space.
Perhaps most significantly, Russia has extended its hybrid architecture beyond the Ukrainian theatre. Russian satellites conducted surveillance of Prince Sultan Air Base in Saudi Arabia on March 20, 23, and 25, 2026. Ukrainian President Volodymyr Zelenskyy assessed with high confidence that Moscow subsequently transferred targeting intelligence to Iran, which launched an attack on the facility on March 26, injuring 12 U.S. service members. A subsequent, larger Iranian missile and drone strike on April 7 destroyed a U.S. Air Force E-3 Sentry AWACS aircraft and damaged multiple KC-135 Stratotanker aircraft at the same base. This represents a qualitative evolution: hybrid warfare as a transnational, multi-actor coordination mechanism, with Russia functioning as an intelligence broker enabling proxy kinetic action thousands of kilometres from the primary conflict zone.
Zelenskyy publicly disclosed the intelligence-sharing arrangement in a March 30 interview, stating that Russia had been supplying Iran with satellite imagery of U.S. and British military installations across Saudi Arabia, Qatar, Jordan, and the UAE — and that he had personally notified the leadership of those nations.
The operational complexity of sustained hybrid warfare generates unintended consequences that extend the threat perimeter in unpredictable ways. A Ukrainian-origin drone, diverted by Russian electronic warfare interference, entered Estonian airspace and struck the chimney of the Auvere power station in Ida-Viru County — the third such incident involving Ukrainian drones over Baltic states within a 48-hour window. The incident illustrates a critical vulnerability: electronic warfare countermeasures deployed by one belligerent can redirect munitions into the territory of uninvolved third parties, including NATO member states. The alliance's air defense coordination frameworks were not designed for this scenario.
A separate escalation vector emerged in May 2026 when Russia's Ministry of Defense publicly designated German industrial facilities involved in a joint drone production initiative with Ukraine as potential military targets, following German Defense Minister Boris Pistorius's confirmation of a planned joint program to develop long-range strike drones with a range of up to 1,500 km. The designation extends the hybrid threat surface directly into NATO's industrial base.
Iran's hybrid model differs from Russia's in emphasis but not in sophistication. Tehran has long relied on a layered proxy network — Hezbollah, Hamas, the Houthis, and various Iraqi and Syrian militias — to project power and impose costs on adversaries while maintaining strategic ambiguity. In 2026, that architecture is operating at elevated tempo across multiple theatres simultaneously.
The Houthi campaign in the Red Sea, sustained since late 2023, has demonstrated that a non-state proxy equipped with Iranian-supplied drones and anti-ship missiles can impose significant costs on global maritime commerce — a form of economic warfare conducted through a nominally independent actor. Iran's direct military posturing, including the Prince Sultan Air Base strikes, signals a willingness to escalate beyond proxy operations when strategic circumstances demand.
The Russia-Iran intelligence-sharing relationship documented in the Prince Sultan incidents represents a structural development with long-term implications. Two sanctioned, isolated states — each facing significant conventional military limitations relative to the U.S. and its allies — are pooling capabilities across domains: Russian space-based surveillance enabling Iranian kinetic action, Iranian drone technology supplementing Russian strike capacity in Ukraine. This is hybrid warfare as adversarial coalition, with each partner contributing comparative advantages to a shared operational architecture.
Ukraine's response has itself taken on hybrid characteristics. President Zelenskyy publicly disclosed in April 2026 that Ukrainian military personnel are conducting counter-drone operations in Saudi Arabia, Qatar, and the UAE in exchange for fuel, diesel, and air defense interceptors. Over 200 Ukrainian drone-defense specialists are deployed across Gulf states, integrating with regional air defense systems and conducting confirmed intercepts of Iranian Shahed drones. Kyiv is leveraging hard-won operational expertise as a strategic commodity — a form of defence diplomacy that simultaneously builds regional partnerships and counters Iranian drone proliferation.
China's grey-zone operations in the Indo-Pacific represent the most economically consequential strand of contemporary hybrid warfare, even as they remain the least kinetically visible. Beijing's approach combines military pressure — sustained incursions into Taiwan's air defence identification zone, naval exercises simulating blockade scenarios, coast guard operations in disputed waters — with economic coercion, technology denial, and information operations targeting both regional partners and domestic audiences in target states.
Russia's demonstrated ability to sustain hybrid pressure against a Western-backed adversary for years without triggering direct NATO intervention provides Beijing with a working model for managing escalation thresholds in a Taiwan contingency. For multinational corporations with significant exposure to Taiwan Strait supply chains — semiconductors, electronics, precision manufacturing — the grey-zone environment represents a persistent, low-visibility risk that conventional security assessments routinely underweight.
The security community's central analytical challenge in 2026 is not identifying individual hybrid tactics — these are well-documented — but understanding and responding to their convergence. When drone swarms, cyber operations, satellite intelligence-sharing, proxy kinetic action, and disinformation campaigns are deployed simultaneously and in mutual support, the aggregate effect exceeds the sum of the parts.
Organisations assessing risk through single-domain lenses — a cyber team evaluating network threats, a physical security team tracking conflict zones, a communications team monitoring disinformation — will systematically underestimate their exposure. The Prince Sultan incident is instructive: a space-based surveillance operation by one state enabled a kinetic strike by a second state against a third-party facility, with cascading implications for energy markets, regional security posture, and U.S. force protection globally. No single-domain assessment would have captured that threat vector.
The MITRE ATT&CK framework, while invaluable for cyber threat characterisation, does not natively integrate kinetic, informational, and economic threat vectors. Risk managers should consider supplementing existing frameworks with multi-domain threat modelling that explicitly maps the interaction effects between cyber, physical, and information threats — particularly for assets in or adjacent to active hybrid warfare theatres.
The drone spillover incidents in the Baltic states underscore a further dimension: geographic proximity to a hybrid warfare theatre is itself a risk factor, independent of direct targeting intent. Infrastructure, personnel, and supply chains within the operational radius of contested airspace, electronic warfare environments, or cyber campaigns face elevated exposure even when they are not primary targets.
Several indicators warrant close attention in the coming months.
Ceasefire dynamics in Ukraine will remain the primary escalation variable. The May 2026 ceasefire collapse triggered an immediate return to high-intensity hybrid operations across all domains. Any future diplomatic process will be accompanied by — and potentially undermined by — continued cyber operations, disinformation, and proxy activity that do not pause for political negotiations.
The Russia-Iran intelligence-sharing relationship is likely to deepen. The Prince Sultan model — Russian space-based surveillance enabling Iranian kinetic action — is replicable against other high-value targets in the Gulf, the Levant, and potentially beyond. Organisations with assets near major military installations in the region should treat this as a persistent, elevated-risk environment.
Chinese grey-zone activity in the Taiwan Strait will be calibrated against the bandwidth of U.S. strategic attention. Periods of heightened focus on Ukraine or the Middle East historically correlate with increased Chinese assertiveness in the Indo-Pacific. Supply chain risk managers should model scenarios in which multiple hybrid theatres activate simultaneously.
Drone technology proliferation continues to lower the barrier to entry for hybrid operations. Military-grade unmanned systems are migrating into non-state and sub-state conflict environments, expanding the hybrid threat surface beyond great-power competition. The confirmed use of long-range rebel drones carrying munitions in Sudan's civil conflict — intercepted by Sudanese Armed Forces over White Nile State in May 2026 — illustrates how rapidly this capability is diffusing.
Early warning indicators of escalation include: increased Russian cyber reconnaissance against NATO member infrastructure; unusual satellite tasking patterns over Gulf military installations; Houthi operational tempo changes in the Red Sea; and Chinese coast guard or naval activity in the South China Sea inconsistent with seasonal patterns.
Hybrid warfare is not a new phenomenon, but the 2026 operating environment has produced a qualitative shift in its danger. The simultaneous convergence of kinetic, cyber, informational, and proxy operations — across multiple theatres, involving coordinated adversarial coalitions, and generating unpredictable spillover effects — has rendered single-domain threat assessment structurally inadequate.
Organisations should conduct full-spectrum threat reviews that explicitly map interdependencies between cyber, physical, and information risks. Security teams should establish cross-domain monitoring protocols that flag correlations between seemingly unrelated threat indicators. Risk managers should stress-test assumptions about geographic separation from active conflict zones — as the Baltic drone incidents demonstrate, the blast radius of hybrid warfare extends well beyond the front line.
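One way to implement the cross-domain correlation recommended above, as an added example that is not part of the original article: indicators logged by separate cyber, physical and information teams are grouped by region, and a region is flagged when two or more domains report inside one time window. The sample events, the region labels, the 72-hour window and the `correlate` function are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample indicators for illustration only (not real reporting).
# Fields: timestamp, domain (owning team), region label, short note.
EVENTS = [
    ("2026-01-10T08:00", "cyber",       "region-a", "reconnaissance scans against energy operator"),
    ("2026-01-11T14:30", "physical",    "region-a", "drone airspace incursion near substation"),
    ("2026-01-12T09:15", "information", "region-a", "coordinated outage rumours on social media"),
    ("2026-01-10T10:00", "cyber",       "region-b", "DDoS against logistics portal"),
    ("2026-01-20T10:00", "physical",    "region-b", "port access disruption"),
    ("2026-01-15T07:00", "cyber",       "region-c", "phishing wave"),
    ("2026-01-15T19:00", "cyber",       "region-c", "credential stuffing"),
]

def correlate(events, window=timedelta(hours=72), min_domains=2):
    """Flag regions where indicators from >= min_domains distinct domains
    fall inside one time window anchored at a cluster's first event."""
    by_region = defaultdict(list)
    for ts, domain, region, note in events:
        by_region[region].append((datetime.fromisoformat(ts), domain, note))

    alerts = []
    for region, items in sorted(by_region.items()):
        items.sort()
        cluster = []
        # The trailing None is a sentinel that flushes the final cluster.
        for item in items + [None]:
            if item is not None and (not cluster or item[0] - cluster[0][0] <= window):
                cluster.append(item)
                continue
            domains = sorted({d for _, d, _ in cluster})
            if len(domains) >= min_domains:
                alerts.append({"region": region, "domains": domains,
                               "start": cluster[0][0], "end": cluster[-1][0],
                               "indicators": [n for _, _, n in cluster]})
            cluster = [item] if item is not None else []
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['region']}: {', '.join(a['domains'])} within "
              f"{a['end'] - a['start']} -> {a['indicators']}")
```

Each event taken alone would sit in one team's queue; only the grouped view shows that `region-a` has three domains active within about two days, while `region-b` and `region-c` stay below the threshold.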
Threatwhere continues to monitor developments across all active hybrid warfare theatres, with particular focus on the Russia-Ukraine-Iran operational nexus, Chinese grey-zone activity in the Indo-Pacific, and the evolving drone threat landscape.