What the report actually says
Recorded Future's 2026 State of Security (CTA-2026-0212, published February 12, 2026) is a 54-page assessment of how 2025's geopolitical fragmentation reshaped the cyber threat landscape. Of its five headline findings, one is directly about Canada:
“Russian APT targeting of the US and Canada increased compared to 2024. While activity continued targeting Ukraine, the Baltics, and non-NATO Eastern Europe, Russia expanded operations into the Western hemisphere.”
That sentence does two important things. First, it explicitly names Canada as a heightened-target country alongside the US — not lumped into “North America” or “Western allies.” Second, it frames the shift as an expansion, not just an uptick: Russia is doing things in Canada it wasn't doing as much before.
How the tradecraft is changing
The report goes further than just “more activity.” Recorded Future's Insikt Group measured specific changes in the techniques Russian threat actors are using against Western targets:
- ~70% year-over-year increase in the use of application-layer protocol and web protocols for command-and-control. Translation: attackers are hiding traffic inside encrypted HTTPS to look like normal web browsing, making network detection harder.
- ~27% increase in abuse of command and scripting interpreters — PowerShell, cmd.exe, bash. This is post-compromise: once they're in, they're using built-in tools (living off the land) rather than dropping malware that EDR can flag.
- Strategic shift from isolated, high-profile attacks toward “persistent, low-visibility access” — in plain terms, pre-positioning. They get in, stay quiet, and wait.
Why the pre-positioning matters more than the “loud” attacks
Recorded Future puts it this way: in a fragmented, crisis-prone security environment, persistent low-visibility access “likely reduces warning time for potential disruptive operations against critical national infrastructure and could complicate containment by enabling rapid activation from pre-positioned access.”
That's the part Canadian defenders should sit with. The threat model isn't “Russia launches a destructive attack on a Canadian utility tomorrow.” The threat model is: a Russian operator has already been in a Canadian utility's environment for months, silently, waiting for a geopolitical trigger. When that trigger fires, the warning window is hours, not weeks.
The geopolitical backdrop
The report also flags a second-order risk specifically for Canada: US territorial assertions toward Canadian territory, combined with coercive US trade policy, drove US-Canada diplomatic relations to historic lows in 2025. Why does that matter for cyber defense? Because intelligence sharing, joint incident response, and the Five Eyes operational tempo all depend on diplomatic capital that is now thinner than it has been in decades.
Canadian defenders should not assume the same depth of US partnership they had in 2023 will be there during the next incident.
What Canadian organizations should actually do
Three priorities follow from the report's findings:
- Hunt for pre-positioning, not just active intrusions. Most SOC dashboards are tuned to detect ongoing attacks. Russian APT tradecraft in 2025 is designed to look like nothing is happening. That requires threat hunting against the documented Russian TTPs (T1071 application-layer protocol, T1059 scripting interpreter abuse) on a recurring schedule, not just when an alert fires.
- Audit your encrypted egress traffic. A 70% rise in web-protocol C2 means TLS inspection and egress baselining matter more than they did a year ago. Anything beaconing to an uncommon destination over 443 — even with valid certs — deserves a look.
- Assume identity, not malware, is the front line. The report consistently shows attackers using legitimate credentials, legitimate tools, and legitimate channels. Identity governance (MFA on every privileged account, just-in-time admin access, robust offboarding) is where the leverage is.
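A worked illustration of the second priority, egress baselining for beacon-like traffic over 443: this is an added example, not code from the report or from CyberSafe, and the flow-log format, thresholds and hostnames are all constructed assumptions. It flags a source host that contacts a destination few other hosts use on a near-constant cadence, which is what "persistent, low-visibility access" tends to look like in network data.

```python
"""Toy egress-baselining check: flag hosts that call out on a regular
cadence to destinations few other hosts talk to, over 443.
Illustration only; log format and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination, dst port)
FLOWS = [
    # Normal browsing: many hosts, shared destinations, irregular timing
    (1000, "ws-01", "cdn.example.net", 443), (1003, "ws-02", "cdn.example.net", 443),
    (1100, "ws-03", "cdn.example.net", 443), (1130, "ws-01", "mail.example.net", 443),
    (1190, "ws-02", "mail.example.net", 443), (1250, "ws-03", "mail.example.net", 443),
    # ws-02 also reaches a rare host every ~300 s with slight jitter: beacon-like
    (1000, "ws-02", "203.0.113.7", 443), (1302, "ws-02", "203.0.113.7", 443),
    (1599, "ws-02", "203.0.113.7", 443), (1901, "ws-02", "203.0.113.7", 443),
    (2200, "ws-02", "203.0.113.7", 443),
    # Rare destination seen only twice: too few samples to judge cadence
    (1500, "ws-03", "198.51.100.9", 443), (1700, "ws-03", "198.51.100.9", 443),
]

def find_beacon_candidates(flows, min_hits=4, max_cv=0.2, max_hosts=2, port=443):
    """Return sorted (src, dst, mean_gap_s, cv) tuples for connections to a
    rarely used destination over `port` that recur at a near-constant interval.
    cv = stddev / mean of inter-arrival gaps; close to 0 means clockwork timing."""
    hosts_per_dst = defaultdict(set)   # destination -> set of sources (rarity)
    times = defaultdict(list)          # (src, dst) -> connection timestamps
    for ts, src, dst, dport in flows:
        if dport != port:
            continue
        hosts_per_dst[dst].add(src)
        times[(src, dst)].append(ts)
    candidates = []
    for (src, dst), stamps in times.items():
        if len(hosts_per_dst[dst]) > max_hosts or len(stamps) < min_hits:
            continue  # widely used destination, or not enough samples
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            candidates.append((src, dst, round(avg), round(cv, 3)))
    return sorted(candidates)

if __name__ == "__main__":
    for src, dst, period, cv in find_beacon_candidates(FLOWS):
        print(f"{src} -> {dst}:443 every ~{period}s (cv={cv})")
```

On real data the thresholds need tuning against your own baseline, and a hit is a lead for a hunter, not a verdict; a flagged destination still has to be checked against known-good services before anyone acts on it.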
How CyberSafe helps
Our Cyber Defense Services include proactive threat hunting against state-sponsored TTPs, encrypted-egress analysis, and 24/7 SOC coverage that watches for the quiet stuff — not just the loud alerts. For Canadian critical infrastructure operators specifically, our Consulting team can scope the kind of pre-position-hunt engagement Recorded Future's findings warrant.