# Emerging Cyber Powers: Vietnam, India, Turkey
Definition and Overview
The dominant frame in public cyber threat discourse focuses on four state actors: Russia, China, Iran, and North Korea. This is a defensible prioritization for organizations in the United States and Western Europe, given the scale, sophistication, and frequency of operations these states conduct against Western targets. But it systematically underweights a second tier of state cyber actors that conduct significant operations within their own regions, occasionally beyond them, and with capabilities that have grown steadily through the 2010s and 2020s.
Vietnam, India, and Turkey represent three meaningfully distinct models of emerging state cyber capability. Vietnam has developed one of Southeast Asia's most sophisticated domestic intelligence cyber programs, documented in campaigns against regional governments, the private sector, and its own diaspora. India has built a growing cyber espionage capability focused on its near-abroad, while simultaneously being one of the world's largest consumers of commercial spyware deployed against domestic political opponents. Turkey has developed cyber capabilities aligned with its expanding regional ambitions and used them against Kurdish political organizations, regional rivals, and occasionally NATO allies.
Understanding these actors matters for organizations with operations in Southeast Asia, South Asia, the Middle East, or Eastern Europe; for organizations in sectors that these states target for IP theft or competitive intelligence; and for the broader analytical picture of how offensive cyber capabilities proliferate beyond the most powerful states. Within the Planetary Defense Model, the TID domain's Predictive Defense Intelligence (PDI) methodology must account for second-tier actors to produce threat models that are accurate for clients in affected regions and sectors. The proliferation pattern itself is a strategic intelligence finding: the barrier to entry for meaningful state cyber capability has fallen dramatically.
Background
The proliferation of state cyber capabilities beyond the original Big Four reflects several reinforcing dynamics. Commercial offensive security tools, both legitimate red-team frameworks (Cobalt Strike, whose BEACON payload Mandiant observed in APT32 intrusions) and purpose-built surveillance and intrusion tools, have sharply lowered the cost of entry. The commercial spyware market (NSO Group, Cytrox and the wider Intellexa alliance, Candiru, and others) lets governments buy mobile exploitation capability that previously only large national intelligence agencies could develop from scratch.
Beyond commercial tools, the availability of training, infrastructure, and talent has expanded. Offensive security professionals are increasingly present in every region. University programs, international hacking competitions, and the commercial security industry have distributed the knowledge base. Governments that prioritize building cyber capabilities can hire talent domestically or acquire it through diaspora recruitment, technology transfer, or direct purchase of services from contractors.
The result is a two-tier structure in the global state cyber landscape. The first tier (Russia, China, Iran, DPRK) maintains full-spectrum capabilities: large-scale operations, custom malware development, hardware supply chain access, and the ability to conduct disruptive operations against major global infrastructure. The second tier (Vietnam, India, Turkey, Saudi Arabia, the UAE, and others) maintains narrower but real capabilities: effective domestic intelligence operations, regional espionage capacity, and in some cases sophisticated diaspora and dissident targeting using commercial tools.
The second tier is not a fixed category. India's government cyber programs have grown substantially since the mid-2010s. Turkey's offensive capabilities have expanded alongside its growing regional foreign policy ambitions. Vietnam's APT32 has run multi-year, multi-vector campaigns with custom tooling for Windows and macOS, which places it among the more capable groups tracked under the "advanced persistent threat" label.
Why It Matters
Second-tier state cyber actors matter to defenders for reasons that are often underweighted in threat modeling.
For organizations with regional operations, a second-tier actor may represent the primary threat. A company with significant operations in Vietnam, relationships with Vietnamese government entities, or exposure to Vietnamese competitors should treat APT32 as a first-tier threat for its specific risk profile. A financial institution operating in South Asia with government clients in Pakistan or India should treat SideWinder as a relevant adversary. Threat modeling that only considers the Big Four will miss the most likely actual attacker for a substantial fraction of organizations.
For individuals who are targets of dissident or diaspora surveillance, the commercial spyware threat from second-tier actors can be more acute than the Big Four espionage threat. Opposition politicians and journalists in India have been targeted with NSO's Pegasus; the 2023 Predator Files reporting documented Vietnam-linked accounts attempting Predator infections against journalists and foreign politicians; and Kurdish activists in Europe face targeted intrusion campaigns from Turkish-aligned operators. Second-tier actors with more limited diplomatic exposure may calculate that they face fewer constraints on using commercial spyware against journalists and dissidents than major state actors do.
Analysis and Technical Details
Vietnam: APT32 and OceanLotus
APT32, tracked by Mandiant, Volexity, ESET, and other threat intelligence organizations (also known as OceanLotus, SeaLotus, APT-C-00, Ocean Buffalo, and, in Microsoft's naming, Canvas Cyclone, formerly BISMUTH), is assessed to operate in support of Vietnamese state interests. Mandiant's 2017 reporting framed the group as aligned with Vietnamese state interests without naming a sponsoring agency; later investigative reporting has linked its operators to the Ministry of Public Security. The group has been active since at least 2012 and has demonstrated sustained, sophisticated operations across multiple sectors.
APT32's targeting profile covers several distinct categories. ASEAN government entities have been consistent targets, including the Philippines, which has overlapping South China Sea claims with Vietnam, as well as Thailand, Cambodia, and Laos. Vietnamese opposition political organizations and regional media organizations, including those covering Vietnamese politics and human rights, have also been targeted.
Private sector targeting has been a notable APT32 characteristic. Press reporting in 2019 linked the group to intrusions at Toyota subsidiaries and to reconnaissance against BMW and Hyundai, in the period when Vietnam was establishing a domestic auto industry through VinFast. Security researchers assessed that APT32 was collecting competitive intelligence to support that industry, a mission that blends government economic policy goals with classic industrial espionage.
APT32's toolkit demonstrates significant custom development capability. Documented Windows tooling includes Denis (a backdoor whose command-and-control channel is tunnelled through DNS queries), PHOREAL, WINDSHIELD, SOUNDBITE, and the KERRDOWN downloader, alongside Cobalt Strike BEACON; a dedicated macOS backdoor (OSX.OceanLotus) is also documented, and Kaspersky linked the PhantomLance Android campaign to the group with medium confidence in 2020. Delivery mechanisms include spear phishing with macro-laden Office documents, watering hole attacks on sites frequented by target populations, and strategic web compromises of Vietnamese diaspora community sites. The macOS and Android coverage is notable: it reflects awareness that the group's dissident and diaspora targets frequently do not run Windows.
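The DNS-tunnelled C2 described above leaves a recognisable shape in resolver logs: one client issuing many queries to one domain, each with a long, high-entropy leftmost label. The following is an added example written for this page, not code from APT32 reporting or from any vendor; the log lines, client addresses and domain names are constructed, and the thresholds (five queries, mean label length 24, mean entropy 3.0 bits per character) are starting points to tune, not published indicators.

```python
import math
import re
from collections import defaultdict

# Constructed DNS resolver log: timestamp, client IP, query type, query name.
# The TXT queries to cdn-updates.example.net imitate the on-the-wire shape of a
# DNS-tunnelling implant (long, high-entropy leftmost label, many queries in a
# short window). All names, addresses and data are invented for this example.
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01Z 10.0.0.12 A www.example.com
2024-03-01T09:00:02Z 10.0.0.12 A mail.example.com
2024-03-01T09:00:03Z 10.0.0.12 AAAA www.example.com
2024-03-01T09:00:05Z 10.0.0.12 TXT 0a3f9b2c7d1e4f60bb8a91c2d3e4f5a6b7c8d9e0.cdn-updates.example.net
2024-03-01T09:00:06Z 10.0.0.12 TXT 6c1d2e3f4a5b60718293a4b5c6d7e8f90a1b2c3d.cdn-updates.example.net
2024-03-01T09:00:07Z 10.0.0.12 TXT f9e8d7c6b5a4938271605f4e3d2c1b0a9f8e7d6c.cdn-updates.example.net
2024-03-01T09:00:08Z 10.0.0.12 TXT 1234abcd5678ef90fedc0987ba6543210a1b2c3d.cdn-updates.example.net
2024-03-01T09:00:09Z 10.0.0.12 TXT 7b8c9dae0f1a2b3c4d5e6f708192a3b4c5d6e7f8.cdn-updates.example.net
2024-03-01T09:00:10Z 10.0.0.12 TXT b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0.cdn-updates.example.net
2024-03-01T09:00:12Z 10.0.0.13 A www.example.com
2024-03-01T09:00:13Z 10.0.0.13 TXT _dmarc.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (timestamp, client, qtype, qname) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return ts, client, qtype, qname.rstrip(".").lower()


def score_queries(log_text: str, min_queries: int = 5,
                  min_label_len: int = 24, min_entropy: float = 3.0) -> dict:
    """Group queries by (client, base domain) and flag groups whose leftmost
    labels are consistently long and high-entropy. The base domain is taken as
    the last two labels, a simplification: a production check would use the
    public suffix list so that 'co.uk'-style suffixes group correctly."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qtype, qname = rec
        labels = qname.split(".")
        base = ".".join(labels[-2:])
        groups[(client, base)].append((qtype, labels[0]))

    findings = {}
    for key, queries in groups.items():
        if len(queries) < min_queries:
            continue
        mean_len = sum(len(label) for _q, label in queries) / len(queries)
        mean_ent = sum(shannon_entropy(label) for _q, label in queries) / len(queries)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            findings[key] = {
                "queries": len(queries),
                "txt_share": sum(1 for q, _l in queries if q == "TXT") / len(queries),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            }
    return findings


if __name__ == "__main__":
    for (client, base), stats in score_queries(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {base}: {stats}")
```

Run against the constructed log, only the (10.0.0.12, example.net) group is reported; the short, low-entropy labels of ordinary A and DMARC lookups fall well under the thresholds. Entropy alone is a weak signal (CDN hostnames and anti-tracking subdomains also score high), which is why the check requires volume and label length together, and why the TXT share is reported as a secondary indicator rather than a gate.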
India: SideWinder and Commercial Spyware
India's state cyber picture has two distinct components that are often analyzed separately but together represent the full picture of Indian government cyber activity.
SideWinder (also tracked as RattleSnake, Razor Tiger, Hardcore Nationalist, APT-C-17, and T-APT-04 by various vendors) is assessed by most commercial threat intelligence firms to operate with an Indian government nexus, though the specific agency relationship is less firmly established than for APT32. The group has been active since at least 2012 and its targeting profile is consistent with Indian foreign intelligence priorities.
Primary SideWinder targets are Pakistani military and government entities, with campaign lures frequently using military and geopolitical themes relevant to the India-Pakistan relationship. Chinese vendors also report targeting of Chinese government and military entities, with increased tempo during periods of border tension such as the 2020 Ladakh confrontation. Other South Asian governments (Nepal, Sri Lanka, Bangladesh, the Maldives, Afghanistan) and Myanmar are recurring targets, consistent with India's regional influence objectives.
SideWinder's toolkit is primarily .NET-based: modular custom RATs, JavaScript and HTA loaders, and DLL side-loading that executes payloads inside legitimate signed processes. Spear phishing with geopolitically themed documents is the dominant initial access vector, historically including RTF files that exploit the Equation Editor flaw CVE-2017-11882 and LNK files that pull a remote script; the group is particularly skilled at creating convincing lures that reference real military events, bilateral agreements, and regional news.
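DLL side-loading is detectable from image-load telemetry: a signed host binary picks up a DLL from its own directory that either shadows a System32 library name or is unsigned, and the directory is one a phishing payload could write to. The following triage routine is an added example for this page, not SideWinder tooling or a vendor detection; the events are constructed, simplified Sysmon Event ID 7 records, the `ImageSigned` field stands in for the host process's signature status (in practice joined from the process-creation event), and the list of commonly shadowed DLL names is illustrative.

```python
import ntpath

# Constructed, simplified Sysmon Event ID 7 ("Image loaded") records. Paths and
# signer names are invented; "ImageSigned" stands in for the host process's
# signature status, which in practice you would join from the Event ID 1 record.
SAMPLE_IMAGE_LOADS = [
    {   # signed viewer launched from a downloaded archive loads an unsigned
        # version.dll sitting beside it: the classic side-loading shape
        "Image": "C:\\Users\\alice\\Downloads\\Agenda\\viewer.exe",
        "ImageSigned": True,
        "ImageLoaded": "C:\\Users\\alice\\Downloads\\Agenda\\version.dll",
        "Signed": False,
        "Signature": "",
    },
    {   # the same process loading the genuine version.dll from System32
        "Image": "C:\\Users\\alice\\Downloads\\Agenda\\viewer.exe",
        "ImageSigned": True,
        "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "Signed": True,
        "Signature": "Microsoft Windows",
    },
    {   # vendor application loading its own unsigned helper from Program Files
        "Image": "C:\\Program Files\\VendorApp\\app.exe",
        "ImageSigned": True,
        "ImageLoaded": "C:\\Program Files\\VendorApp\\helper.dll",
        "Signed": False,
        "Signature": "",
    },
    {   # vendor application loading its own signed library: nothing to report
        "Image": "C:\\Program Files\\VendorApp\\app.exe",
        "ImageSigned": True,
        "ImageLoaded": "C:\\Program Files\\VendorApp\\vendorcore.dll",
        "Signed": True,
        "Signature": "VendorApp Ltd",
    },
]

# DLL names that legitimately live in System32 and are frequently shadowed by a
# copy placed next to a signed host binary. Illustrative, not exhaustive.
SHADOWED_SYSTEM_DLLS = {
    "version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll",
    "userenv.dll", "dwmapi.dll", "propsys.dll",
}

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable(directory: str) -> bool:
    d = directory.lower()
    return d.startswith(USER_WRITABLE_PREFIXES) or "\\temp\\" in d


def assess_image_load(event: dict):
    """Return a finding dict for a suspicious load, or None."""
    image_dir = ntpath.dirname(event["Image"]).lower()
    dll_path = event["ImageLoaded"]
    dll_dir = ntpath.dirname(dll_path).lower()
    dll_name = ntpath.basename(dll_path).lower()

    # Side-loading relies on the loader finding the DLL in the application
    # directory before System32, so a load from elsewhere is out of scope here.
    if dll_dir != image_dir:
        return None

    reasons = []
    if dll_name in SHADOWED_SYSTEM_DLLS:
        reasons.append("system DLL name loaded from application directory")
    if event.get("ImageSigned") and not event.get("Signed"):
        reasons.append("unsigned DLL loaded by signed host process")
    if not reasons:
        return None

    writable = is_user_writable(dll_dir)
    if writable:
        reasons.append("application directory is user-writable")
    return {
        "image": event["Image"],
        "dll": dll_path,
        "severity": "high" if writable else "medium",
        "reasons": reasons,
    }


def triage(events) -> list:
    return [f for f in (assess_image_load(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_IMAGE_LOADS):
        print(finding["severity"], finding["dll"], "|", "; ".join(finding["reasons"]))
```

On the constructed events the Downloads-folder load is rated high on all three counts, the unsigned vendor helper in Program Files is rated medium (worth a baseline entry, not an alert), and the two legitimate loads produce nothing. The same-directory rule is deliberate: a DLL that a signed binary loads from a user-writable folder it shares is exactly what a phishing-delivered archive produces, whereas loads from System32 are the normal case the rule must not fire on.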
The commercial spyware dimension is a separate but equally significant component of the Indian government's cyber toolkit. Amnesty International, Citizen Lab, and Access Now have documented the use of NSO Group's Pegasus against Indian opposition politicians, journalists, activists, and lawyers, including people connected to the Bhima Koregaon prosecutions. India was among the most heavily documented Pegasus user countries in the July 2021 Pegasus Project reporting, and a December 2023 Amnesty forensic investigation confirmed repeated Pegasus infections on the phones of Indian journalists. Public forensic reporting has not linked Cytrox's Predator to Indian government targeting with comparable confidence.
The domestic targeting of opposition figures using commercial spyware represents a politically sensitive application of cyber capability. India is an electoral democracy with a constitutionally protected free press, which makes its government's use of sophisticated spyware against journalists and opposition figures an active domestic political controversy rather than merely a foreign intelligence program.
Turkey: StrongPity, Regional Ambitions, and the NATO Complication
Turkey's offensive cyber capabilities have developed alongside its expanding regional foreign policy, which under the AKP government has included military operations in Syria and Libya, disputes with Greece and Cyprus over maritime boundaries and gas exploration rights, and an assertive approach to influencing Turkish diaspora communities in Europe.
StrongPity (also tracked as PROMETHIUM; Microsoft's 2016 reporting paired it with a second Turkey-based group, NEODYMIUM) is the most prominently documented threat actor associated with Turkish government interests. The group has been active since at least 2012 and its targeting patterns closely track Turkish domestic security and geopolitical priorities. Documented operations have targeted Kurdish political organizations and individuals, including suspected supporters of the PKK and YPG; Syrian opposition groups, consistent with Turkey's Syria policy objectives; users of encryption and privacy software in Italy and Belgium (Kaspersky, 2016); and, in some reporting, Greek and Cypriot government entities during periods of heightened bilateral tension.
StrongPity's primary tradecraft involves trojanized software distribution: embedding an implant in modified installers of legitimate software (WinRAR, TrueCrypt, and other common utilities) and distributing them through websites set up to look like legitimate download sources. Victims who run the trojanized installer get working software alongside the implant, which lowers the chance that they notice anything wrong. Citizen Lab's 2018 "Bad Traffic" report documented a more insidious variant: network devices on Türk Telekom's infrastructure silently redirected plaintext HTTP downloads of legitimate software to trojanized copies carrying StrongPity and FinFisher implants, so the victim never left a genuine vendor page. The group has also used spear phishing with geopolitically relevant lures and strategic web compromises targeting communities of interest.
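The in-transit redirection described above only works when the download travels in plaintext and the client has no independent way to check what arrived. The routine below is an added example for this page, not StrongPity tooling or a vendor's code: it audits a download record (the redirect chain the client followed plus the bytes received) against a pinned SHA-256 and a vendor host allowlist. The installer bytes, digest, hostnames and the 203.0.113.9 address are all constructed.

```python
import hashlib
from urllib.parse import urlparse

# Constructed installer bytes and a pinned digest that would be published out of
# band (a vendor HTTPS page or a signed release manifest). Real installers are
# PE files; these stand-ins are enough to exercise the checks.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine-installer-body" * 8
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00implant-stub"
PINNED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()
VENDOR_HOSTS = {"downloads.vendor.example"}   # hypothetical vendor host

# Constructed download records: the redirect chain the client followed and the
# bytes that finally arrived.
SAMPLE_DOWNLOADS = {
    "clean": (["https://downloads.vendor.example/setup.exe"], GENUINE_INSTALLER),
    # plaintext fetch rewritten in transit to a third-party host, the shape of
    # the ISP-level redirection Citizen Lab documented
    "redirected": (["http://downloads.vendor.example/setup.exe",
                    "http://203.0.113.9/updates/setup.exe"], TROJANIZED_INSTALLER),
    # correct host over TLS but altered bytes: only the pinned hash catches it
    "poisoned_source": (["https://downloads.vendor.example/setup.exe"], TROJANIZED_INSTALLER),
}


def verify_download(chain, data, expected_sha256, allowed_hosts) -> list:
    """Return the list of policy failures; an empty list means the file passed.
    Every hop is checked, not just the final URL, because a 30x from a plaintext
    first hop is precisely where the documented redirection happened."""
    failures = []
    for url in chain:
        u = urlparse(url)
        if u.scheme != "https":
            failures.append(f"plaintext hop: {url}")
        if u.hostname not in allowed_hosts:
            failures.append(f"hop outside vendor hosts: {url}")
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        failures.append(f"sha256 mismatch: {digest[:16]}... != {expected_sha256[:16]}...")
    return failures


def audit_downloads(records=SAMPLE_DOWNLOADS) -> dict:
    return {name: verify_download(chain, data, PINNED_SHA256, VENDOR_HOSTS)
            for name, (chain, data) in records.items()}


if __name__ == "__main__":
    for name, failures in audit_downloads().items():
        print(name, "OK" if not failures else failures)
```

The pinned digest has to come from a channel the interposing device cannot rewrite; a hash printed on the same plaintext page as the download link is worthless, because the attacker rewrites both. On Windows the native equivalent is validating the installer's Authenticode signature against the expected publisher, which also catches the "poisoned_source" case without needing a per-release hash.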
The most analytically significant aspect of Turkey's cyber operations is their occasional intersection with NATO allies and partners. Operations targeting Kurdish diaspora communities in Germany, Belgium, and other NATO members take place on the territory and against the residents of allied states. In January 2020, Reuters reported that Western officials assessed hackers acting in Turkey's interest were behind DNS hijacking intrusions against Greek and Cypriot government email services, among other targets. A NATO member using cyber capabilities against allied populations and allied government systems represents a policy challenge that the alliance has largely handled through diplomatic silence rather than formal attribution and response.
Turkey has also been a consumer of commercial spyware. Citizen Lab's 2018 "Hide and Seek" Internet scan identified Pegasus infections located in Turkey, and civil society reporting has named Turkish journalists, academics, and political figures among the targets, although in some cases the targeting appears to reflect Turkey's domestic political conflicts rather than foreign intelligence collection.
The Proliferation Pattern
The three case studies illustrate a consistent dynamic: offensive cyber capabilities are spreading to second-tier powers and the spread is accelerating. The commercial spyware market, legitimate offensive security tooling, and the global availability of cybersecurity talent mean that governments with the will and resources to build these capabilities can do so. Attribution grows more complex as more actors operate in overlapping geographic and sector spaces and share commodity tooling, so overlapping TTPs are weaker attribution evidence than they were when the field was smaller. Export controls have lagged the market: the US Commerce Department added NSO Group and Candiru to the Entity List in November 2021 and Intellexa and Cytrox in July 2023, and the Treasury sanctioned Intellexa's leadership in March 2024, but these measures constrain individual vendors rather than the broader commercial surveillance market.
CDA Perspective
CDA's PDI methodology treats second-tier state actors as a required component of threat intelligence programs for clients with relevant geographic or sector exposure. A threat model built exclusively on the Big Four is incomplete for any organization with meaningful operations in Southeast Asia, South Asia, or the Eastern Mediterranean.
For clients in manufacturing, automotive, telecommunications, and defense supply chain sectors operating in Vietnam's neighborhood, PDI assessments include an APT32 TTP overlay. The group's watering hole attacks against industry-specific websites mean that organizations outside the direct spear phishing target set may be exposed through professional online communities their employees use.
For clients with operations in South Asia or government sector clients with Pakistan or India nexus, SideWinder is a required component of PDI assessments. Organizations in this region face a layered threat environment: SideWinder's .NET implants, script loaders, and DLL side-loading call for endpoint telemetry that records image loads and script-host process trees, while Indian government commercial spyware use requires mobile device security policies appropriate for Pegasus-class exploitation (prompt OS patching, Lockdown Mode on iOS for high-risk users, and periodic forensic checks with tools such as Amnesty's MVT).
For clients with operations in NATO countries that have significant Turkish diaspora populations, or clients in the Eastern Mediterranean energy sector, StrongPity and Turkish-affiliated actors are relevant to threat models. This is particularly important for civil society organizations, legal aid providers, and media organizations, which are among StrongPity's documented target categories.
Regional threat intelligence cannot be assumed to be covered by Big Four-focused feeds. Accurate regional threat modeling requires dedicated coverage drawing on specialized researchers in Southeast Asian, South Asian, and Eastern Mediterranean security.
Key Takeaways
Vietnam's APT32/OceanLotus is one of Southeast Asia's most sophisticated state cyber programs, conducting multi-year campaigns against ASEAN governments, regional media, and private sector entities including auto manufacturers, likely in support of Vietnam's domestic industry development.
India's SideWinder (RattleSnake) focuses primarily on Pakistani military and government targets and on Chinese entities during periods of border tension, using .NET-based RATs, DLL side-loading, and spear phishing with geopolitically relevant lures. India is also a documented heavy user of commercial spyware (Pegasus) against domestic opposition figures and journalists.
Turkey's StrongPity operations target Kurdish political organizations, Greek and Cypriot government entities, and Syrian opposition groups, using trojanized software distribution as a primary delivery mechanism. Turkey's use of cyber capabilities against populations in NATO ally territory represents an unresolved policy challenge for the alliance.
The commercial spyware market (NSO Group, Cytrox, Intellexa) has been a primary enabler of second-tier state cyber capability, allowing governments to purchase sophisticated mobile exploitation tools that previously required large national intelligence agencies to develop.
Threat models built exclusively on the Big Four (Russia, China, Iran, DPRK) are incomplete for organizations with regional operations in Southeast Asia, South Asia, or the Eastern Mediterranean.
CDA's PDI methodology incorporates second-tier actor analysis as a required component for clients with relevant regional exposure, drawing on specialized regional threat intelligence rather than relying on Big Four-focused feeds.
Sources
- Mandiant (FireEye). "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations." May 2017.
- Amnesty International Security Lab. "Forensic Methodology Report: How to Catch NSO Group's Pegasus." July 2021. https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
- Citizen Lab. "Independent Peer Review of Amnesty International's Forensic Methods for Identifying Pegasus Spyware." University of Toronto Munk School, July 2021. https://citizenlab.ca/2021/07/amnesty-peer-review/
- Kaspersky GReAT. "Hiding in Plain Sight: PhantomLance Walks into a Market." Securelist, April 2020.
- Microsoft. "Twin Zero-Day Attacks: PROMETHIUM and NEODYMIUM Target Individuals in Europe." Microsoft Security Blog, December 2016.
- Kaspersky Lab. "On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users." Securelist, October 2016.
- Bitdefender Labs. "StrongPity APT: Revealing Trojanized Tools, Working Hours and Infrastructure." June 2020.
- Citizen Lab. "Bad Traffic: Sandvine's PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?" University of Toronto Munk School, March 2018.
- Reuters. "Exclusive: Hackers acting in Turkey's interests believed to be behind recent cyberattacks." January 2020.
- QiAnXin Threat Intelligence Center. "SideWinder APT Group Mobile Campaign." 2020.
- Access Now. "The Predator Files: Caught in the Net." October 2023. https://www.accessnow.org/the-predator-files/
- CDA, LLC. "Threat Intelligence and Defense Domain Reference." CDA Canon, 2026.