Top 5 Nation State Cyber-Attack Trends
Nation states hostile to the West, including Russia, China, Iran and North Korea, have engaged in significant nefarious cyber activity over recent years.
These attacks have traditionally been utilised for espionage purposes, to steal sensitive secrets from rival governments and critical infrastructure organisations to gain geopolitical advantages.
However, with global conflicts and geopolitical tensions coming to the surface, nation-states have also demonstrated a willingness to engage in destructive cyber-attacks, designed to harm critical services in enemy states.
Compared to kinetic attacks, cyber activity has the advantage of providing ‘plausible deniability’ to nation states for their nefarious actions. This is because it is difficult to directly attribute cyber activity to particular individuals or entities.
Here are the top five nation-state cyber-attack trends observed by Infosecurity over recent years.
Convergence with Financially Motivated Cybercrime
The lines between nation-state actors and financially motivated cybercriminals have become increasingly blurred.
Nation-state threat actors have ramped up cooperation with cybercriminals to advance their political and military goals, Microsoft’s Digital Defense Report 2024 found.
This includes Russia outsourcing some of its cyber-espionage operations to criminal groups, particularly to target Ukraine.
Microsoft also highlighted evidence that nation state groups are increasingly utilising tools favoured by financially motivated cybercriminals to conduct their operations, such as infostealers and command and control frameworks.
Another emerging link between nation-state and cybercrime activity relates to the attack techniques being deployed by state actors.
Researchers from SentinelLabs and Recorded Future noted that Chinese state-linked APT groups are using ransomware, normally the preserve of financially motivated actors, during operations. This is designed to throw cybersecurity researchers off the scent and hide the groups' true intent, which is cyber-espionage.
Additionally, North Korean state actors have frequently used cybercrime techniques such as ransomware and crypto hacks to generate funds for the Democratic People's Republic of Korea (DPRK) regime.
Shift to Destructive Attacks
Nation-state cyber actors have traditionally focused on intelligence-gathering operations; however, there has been a move towards destructive attacks.
These attacks are designed to disrupt critical services.
This trend has coincided with rising geopolitical conflict and tensions, such as the Russia-Ukraine war and China’s regional dispute with Taiwan.
Russia has leveraged cyber-attacks to try and disrupt critical infrastructure in Ukraine alongside traditional warfare. This includes attempts to take down energy and water services in the country.
Russia has also launched destructive attacks on territories outside of Ukraine. In September 2024, the US, UK and seven other governments accused the Russian military of launching sabotage cyber-attacks on critical infrastructure in NATO member countries in Europe and North America.
The US and allies have also raised concerns that Chinese state actors have positioned themselves in critical sectors including communications, energy, transportation and water in order to launch destructive attacks on multiple critical infrastructure sectors in the event of a military conflict.
Additionally, Iran has been accused of attempting to disrupt critical services in countries such as the US and Israel following the outbreak of war between Israel and Hamas in October 2023.
Heavy Concentration of Nation-State Attacks
Another trend arising from recent global conflicts and regional tensions is the heavy concentration of attacks by respective nation states in geographical areas of most concern to them.
Microsoft’s 2024 Digital Defense Report found that 75% of Russian nation-state attacks in the period July 2023 to June 2024 targeted Ukraine or a NATO member state.
The tech giant also highlighted how Iran increased its focus on Israel following the outbreak of the conflict in Gaza, with Israel accounting for 50% of Iranian activity from October 2023 to June 2024.
China’s primary targets were North America, Taiwan and other countries in Southeast Asia, which together made up 72% of its cyber activity targets, according to the same report.
Additionally, in January 2025, Taiwan’s National Security Bureau revealed that Taiwanese government networks experienced double the number of daily attacks in 2024 compared to 2023, most of which were attributed to Chinese state-backed hackers.
This data highlighted how Chinese cyber activity against Taiwan appears to be ramping up amid growing tensions around the island’s self-governing status.
Supply Chain Attacks to Target Multiple Entities
Recent years have seen numerous instances of nation-state actors targeting software and other third-party providers to compromise multiple victims.
These attacks have primarily been used for espionage purposes.
The first high-profile incident of this nature was the SolarWinds hack in 2020, in which Russian actors added malicious code to a SolarWinds Orion update to compromise the firm’s customer base. Among the organisations targeted in the incident were US government departments and cybersecurity vendors.
Since then, software supply chain attacks have been a common tactic employed by nation-state groups, particularly China.
In 2023, Chinese espionage group Storm-0558 compromised the Microsoft 365 accounts of numerous organisations, including US government departments. This allowed the group to gain access to thousands of emails of government officials.
Microsoft revealed that Storm-0558 forged authentication tokens using an acquired Microsoft encryption key. When this key was combined with another flaw in Microsoft’s authentication system it allowed Storm-0558 to gain full access to almost any Exchange Online account anywhere in the world.
In late 2024, two other major Chinese espionage supply chain attacks were revealed. In November, Salt Typhoon compromised major telecommunications providers in the US, enabling the attackers to access call records, unencrypted messages and audio communications from targeted individuals, including government officials.
In late December, the US Treasury revealed that Chinese hackers had accessed some of its computers after compromising third-party cybersecurity vendor BeyondTrust.
Bloomberg reported that US Treasury Secretary Janet Yellen’s computer was among the devices compromised.
AI In Use to Enhance Campaigns
Threat actors from Russia, China, North Korea and Iran are leveraging AI and other advanced technologies to support their operations.
Researchers from Microsoft and OpenAI have observed nation-state actors probing AI’s current capabilities and security controls, using them for assistance in areas such as running basic coding tasks and translations for social engineering campaigns.
AI has also become a vital part of nation-state actors’ influence and disinformation campaigns, designed to sow division and manipulate opinion in other countries.
A report by Microsoft’s Threat Analysis Center (MTAC) highlighted how Chinese Communist Party (CCP)-affiliated actors have been observed publishing AI-generated content on social media to amplify controversial domestic issues in various countries including the US.
This includes the use of AI-generated images and videos of AI-generated people.
In the lead up to the 2024 US Presidential election, government agencies warned that nation states were using technologies like GenAI and deepfakes to push their narratives online.
Conclusion
Nation-state attacks have become a major concern for organisations, particularly in the government and critical infrastructure sectors.
Nation-state actors have expanded their operations and tactics in recent years, making them more dangerous.
This includes cooperation with financially motivated cybercriminals, growing interest in conducting destructive attacks and the use of sophisticated AI tools.
The threat from state hackers has moved on from being solely about data theft to the potential for critical services to be disrupted.
It is vital for targeted organisations to stay abreast of these trends and adapt their security strategies accordingly, recognising that the threat is on a par with financially motivated cybercrime.