# State-Sponsored Cyber Threats: A Global Overview
Four nations dominate the state-sponsored cyber threat landscape: Russia, China, Iran, and North Korea. Each has developed sophisticated offensive cyber capabilities designed to achieve distinct strategic objectives. Each operates through a combination of military units, intelligence agencies, and recruited criminal proxies. Together, they represent the most persistent, well-resourced, and strategically motivated threat that defenders face.
This is not a theoretical concern. These four nations conduct daily operations against Western governments, critical infrastructure, private companies, and individual citizens. Their growing cooperation and technical sophistication pose significant challenges for defenders, and conventional controls built around perimeter filtering and known-bad signatures are often insufficient against the tactics state-sponsored actors use.
CDA's founder has published research on this subject through the Irregular Warfare Initiative, a joint publication of Princeton University's Empirical Studies of Conflict Project and the Modern War Institute at West Point. That research, "Eroding Global Stability: The Cybersecurity Strategies of China, Russia, North Korea, and Iran," informs CDA's approach to threat intelligence operations and the Predictive Defense Intelligence (PDI) methodology. The analysis below draws on that foundation.
Russia's cyber capability is the most operationally demonstrated of the four. Russian state-sponsored actors have conducted destructive attacks against critical infrastructure (Ukraine's power grid, 2015 and 2016), deployed globally destructive malware (NotPetya, 2017, causing over $10 billion in damages worldwide), interfered in democratic elections (United States, France, Germany, and others), and maintained persistent access to Western government and corporate networks.
The Russian government views cyberspace as a critical domain for exerting influence and achieving geopolitical goals. Its cyber ecosystem is a complicated tangle of state and non-state actors. The Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the Main Directorate of the General Staff of the Armed Forces (GRU) all operate cyber units that conduct operations domestically and internationally. These agencies also recruit cybercriminals to carry out operations on their behalf, providing them with legal protection and resources in exchange for their services.
A key component of Russia's cyber strategy is the concept of information confrontation: an approach that integrates cyber operations, psychological operations, electronic warfare, and traditional military operations to achieve strategic objectives. Cyber is not a standalone capability in Russian doctrine. It is one instrument in a combined-arms approach to information warfare.
PDM mapping: Russian operations span every domain. GRU's Sandworm team has conducted destructive attacks on critical infrastructure (DPS: data destruction, SPH: system disruption). SVR's APT29 (Cozy Bear) specializes in long-term espionage through supply chain compromise (VSD: SolarWinds attack surface exploitation) and credential theft (IAT: identity compromise). Russian information operations target governance and democratic institutions (RGA). Detection of Russian activity requires layered threat intelligence (TID) because Russian actors deliberately blend cyber operations with non-cyber influence campaigns.
Key units: GRU Unit 26165 (Fancy Bear/APT28), GRU Unit 74455 (Sandworm), SVR (Cozy Bear/APT29), FSB Center 16 and Center 18.
Defining characteristic: Willingness to deploy destructive capabilities against civilian infrastructure. NotPetya was designed to look like ransomware but was actually a wiper: it destroyed data with no recovery mechanism. It was targeted at Ukraine but spread globally, damaging Maersk, Merck, FedEx, and hundreds of other organizations. Russia has demonstrated that it will accept massive collateral damage to civilian entities as a cost of offensive operations.
China's cyber strategy is characterized by scale, patience, and strategic alignment with national economic and military objectives. Where Russia conducts disruptive and destructive operations, China primarily conducts espionage and pre-positioning. The distinction matters operationally: Russian operations announce themselves through damage. Chinese operations succeed by remaining undetected for years.
The discovery of Volt Typhoon, a Chinese state-sponsored hacking group, underscores China's focus on obtaining asymmetric advantage over the United States and its allies through persistent access to their critical infrastructure. The group relies on "living off the land": it uses built-in operating system tools and legitimate administrative utilities already present on targeted devices rather than introducing new binaries that could trigger endpoint sensors. Volt Typhoon's objective appears to be long-term persistence within the target environment, or pre-positioning, giving China the placement and access to conduct future acts of sabotage and disruption.
China's Ministry of State Security (MSS) and the People's Liberation Army Strategic Support Force (PLASSF; its cyber mission passed to the newly created PLA Cyberspace Force when the SSF was dissolved in April 2024) coordinate cyber operations across espionage, intellectual property theft, and military pre-positioning. Chinese cyber actors have stolen intellectual property from virtually every sector of the Western economy: aerospace, defense, pharmaceutical, semiconductor, energy, and telecommunications. The scale of Chinese IP theft is measured in terabytes per operation and trillions of dollars in cumulative economic damage.
PDM mapping: Chinese operations concentrate on DPS (exfiltrating protected data, particularly intellectual property and classified information), VSD (exploiting supply chain and infrastructure vulnerabilities for persistent access), and IAT (credential theft and identity compromise for long-term access). Chinese pre-positioning in critical infrastructure (Volt Typhoon) creates TID challenges because the tradecraft is specifically designed to evade detection: the operators use legitimate system tools rather than malware, so there is often no malicious file to find, only an unusual sequence of ordinary commands.
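Because living-off-the-land activity leaves no malicious binary behind, detecting it means looking at how legitimate tools are used rather than at what is on disk. The following added example, written for this page and not CDA's own tooling, shows one practical approach: it triages process-creation events (the kind Sysmon Event ID 1 or EDR telemetry produces) by combining a small set of high-signal command-line patterns with a rarity check on parent-child process lineage against a known-good baseline. The regexes are illustrative and modelled on publicly reported tradecraft (dumping the Active Directory database with ntdsutil, netsh portproxy pivots, shadow-copy creation, remote WMI execution, event-log clearing); the event records, baseline, and threshold are constructed for the example and are not real telemetry.

```python
"""Living-off-the-land triage over process-creation events (illustrative; constructed data)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str    # parent image name, e.g. "services.exe"
    image: str     # created image name, e.g. "cmd.exe"
    cmdline: str


# Illustrative high-signal patterns written for this example (assumption: tune per environment).
RULES = {
    "ntds_ifm_dump": re.compile(r"ntdsutil.*\bifm\b.*create\s+full", re.I),
    "portproxy_pivot": re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
    "shadow_copy": re.compile(r"(vssadmin.*create\s+shadow)|(shadowcopy\s+call\s+create)", re.I),
    "wmi_remote_exec": re.compile(r"wmic(?:\.exe)?.*?/node:.*?process\s+call\s+create", re.I),
    "eventlog_clear": re.compile(r"wevtutil(?:\.exe)?\s+cl\b", re.I),
}

# Dual-use administrative binaries: a rare parent for one of these is worth a look,
# whereas a rare parent for a browser is usually just noise.
ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "ntdsutil.exe", "netsh.exe", "wmic.exe",
               "vssadmin.exe", "wevtutil.exe", "reg.exe", "certutil.exe"}


def rule_hits(ev: ProcEvent) -> list[str]:
    """Names of every command-line rule that matches this event, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(ev.cmdline)]


def lineage_baseline(events: list[ProcEvent]) -> Counter:
    """Count (parent, image) pairs over a known-good window; keys are lower-cased."""
    return Counter((e.parent.lower(), e.image.lower()) for e in events)


def triage(events: list[ProcEvent], baseline: Counter, min_seen: int = 5) -> list[dict]:
    """Return one finding per event that matches a rule or shows rare lineage of an admin tool."""
    findings = []
    for ev in events:
        hits = rule_hits(ev)
        pair = (ev.parent.lower(), ev.image.lower())
        if ev.image.lower() in ADMIN_TOOLS and baseline[pair] < min_seen:
            hits.append("rare_lineage")
        if hits:
            findings.append({"host": ev.host, "user": ev.user,
                             "cmdline": ev.cmdline, "hits": hits})
    return findings


# Constructed baseline: routine activity seen many times in the known-good window.
BASELINE = (
    [ProcEvent("ws01", "alice", "explorer.exe", "chrome.exe", "chrome.exe") for _ in range(40)]
    + [ProcEvent("dc01", "SYSTEM", "services.exe", "svchost.exe", "svchost.exe -k netsvcs") for _ in range(40)]
    + [ProcEvent("ws01", "alice", "explorer.exe", "cmd.exe", "cmd.exe") for _ in range(12)]
)

# Constructed observations: two benign events and three that use only built-in tools.
OBSERVED = [
    ProcEvent("ws01", "alice", "explorer.exe", "cmd.exe", "cmd.exe /c dir C:\\Users\\alice"),
    ProcEvent("dc01", "svc_backup", "WmiPrvSE.exe", "cmd.exe",
              'cmd.exe /c ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro"'),
    ProcEvent("srv02", "admin", "cmd.exe", "netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
              "connectport=8443 connectaddress=10.10.4.7"),
    ProcEvent("srv02", "admin", "cmd.exe", "wevtutil.exe", "wevtutil cl Security"),
    ProcEvent("ws01", "alice", "explorer.exe", "chrome.exe", "chrome.exe --type=renderer"),
]


def run_example() -> list[dict]:
    return triage(OBSERVED, lineage_baseline(BASELINE))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['host']:6} {f['user']:11} {','.join(f['hits']):32} {f['cmdline']}")
```

Run as written, the two routine events (a directory listing from a well-established explorer.exe to cmd.exe lineage and a browser renderer) produce no finding, while the ntdsutil dump, the portproxy pivot, and the log clearing are each flagged twice: once by a content rule and once because their parent-child lineage never appeared in the baseline. The second signal is the important one operationally, since a skilled operator can vary the command text but still has to launch a built-in tool from somewhere, and that lineage is what a baseline makes visible.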
Key units: PLASSF, MSS-affiliated groups, Volt Typhoon, Salt Typhoon, APT41/Double Dragon (state-tolerated group conducting both espionage and cybercrime).
Defining characteristic: Strategic patience. Chinese operations are designed to persist for years without detection. The goal is not disruption. The goal is access, intelligence collection, and pre-positioning for potential future conflict.
Iran's cyber capabilities have grown rapidly since Stuxnet (the operation, widely attributed to the United States and Israel and discovered in 2010, that damaged Iran's uranium-enrichment centrifuges) demonstrated to Tehran the strategic value of offensive cyber operations. Iran learned from Stuxnet and invested heavily in building its own offensive capability.
Iranian cyber actors conduct operations aligned with Tehran's regional objectives: targeting Gulf state energy infrastructure, Israeli organizations, U.S. financial institutions, and domestic dissidents. Iranian operations tend to be more technically rudimentary than Russian or Chinese operations but compensate with persistence and willingness to conduct destructive attacks.
Iranian state-sponsored groups have deployed destructive wiper malware against Saudi Aramco (Shamoon, 2012, destroying roughly 35,000 workstations), conducted distributed denial-of-service attacks against U.S. financial institutions (Operation Ababil, 2012-2013), and targeted water utilities (the November 2023 compromise of internet-exposed Unitronics programmable logic controllers at U.S. water facilities, including the Municipal Water Authority of Aliquippa, Pennsylvania, attributed to the IRGC-affiliated CyberAv3ngers persona).
Iran's Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) coordinate most state-sponsored cyber operations. Iran also operates through proxy groups and recruited cybercriminals, similar to Russia's model.
PDM mapping: Iranian operations concentrate on DPS (destructive attacks targeting data integrity, wiper malware), VSD (exploiting known vulnerabilities in internet-facing systems, often targeting organizations slow to patch), and TID (the detection challenge is distinguishing Iranian operations from commodity cybercrime, as Iranian actors sometimes use ransomware as cover for destructive operations).
Defining characteristic: Willingness to conduct destructive attacks against civilian infrastructure with relatively unsophisticated means. Iran compensates for technical limitations with operational persistence and a high tolerance for risk.
North Korea is unique among the four in that its primary cyber objective is financial: generating revenue for the regime through cybercrime. International sanctions have isolated North Korea economically, and the regime uses cyber theft as a primary revenue stream. North Korean cyber actors have stolen billions of dollars through cryptocurrency heists, bank fraud (the Bangladesh Bank SWIFT attack, 2016, which attempted $951 million in fraudulent transfers and succeeded in moving $81 million), ransomware operations (WannaCry, 2017), and IT worker fraud schemes.
The Reconnaissance General Bureau (RGB) oversees North Korean cyber operations. The Lazarus Group is the most well-known North Korean cyber unit (its financially focused subunit is tracked by Mandiant as APT38), responsible for the Sony Pictures attack (2014), WannaCry (2017), and numerous cryptocurrency exchange heists.
North Korean operations also serve espionage objectives, particularly intelligence collection on military capabilities of South Korea, the United States, and Japan. But the financial motive is the distinguishing characteristic: North Korean cyber operations directly fund the regime's weapons programs, including its nuclear and ballistic missile development.
PDM mapping: North Korean operations concentrate on DPS (stealing financial data, cryptocurrency private keys), IAT (social engineering and identity fraud, including the IT worker infiltration schemes where North Korean operatives pose as remote IT workers to gain employment at Western companies), and VSD (exploiting cryptocurrency exchange and DeFi platform vulnerabilities).
Defining characteristic: Cybercrime as state policy. North Korea is the only nation-state known to conduct large-scale financial cybercrime as an official government program to fund regime operations.
These four nations do not operate in isolation. As unified Western actions against adversarial states have increased (sanctions, public attribution, indictments) and active conflicts persist (Ukraine, Middle East), the agreements and cooperation among China, Russia, North Korea, and Iran have grown stronger and more unified.
Russian-Iranian cyber collaboration has deepened alongside their military cooperation in Ukraine, where Iranian drones have become a fixture on the battlefield. North Korea and Russia signed a mutual defense pact in June 2024 and cooperate on sanctions evasion, including through cyber means. China and Russia reaffirmed their comprehensive partnership during the 43rd meeting between Putin and Xi in May 2024.
The extent to which these four nations share cyber capabilities, tools, and intelligence remains an area of active analysis. What is clear is that defenders cannot treat these threats as independent. The adversary ecosystem is interconnected, and defensive strategies must account for collaborative threat operations.
CDA's approach to state-sponsored threats operates through Predictive Defense Intelligence (PDI): "See the threat before it sees you." This requires layered intelligence collection spanning tactical (IOCs, malware signatures), operational (campaign tracking, TTP analysis), and strategic (geopolitical context, adversary intent assessment) levels.
The PDM provides the structural framework for organizing defense against state-sponsored threats:
The distinction between defense and offense is not semantic. Democratic societies build cyber defense to protect citizens, infrastructure, and institutions. Authoritarian regimes weaponize cyber offense to surveil, repress, and attack. CDA trains defenders. The "CD" in CDA is not cosmetic. It is the mission.