We covered ransomware in some depth back in March 2025, so in this blog I want to cover updates on nation-state cyber threats. My timing coincides with many recent cybersecurity headlines that have surfaced in May, along with some fascinating new reports that dig deeper into this topic than most unclassified briefings.
NATION-STATE CYBER ACTOR BASICS
“Nation-state adversaries pose an elevated threat to our national security. These adversaries are known for their advanced persistent threat (APT) activity:
- The Chinese government—officially known as the People’s Republic of China (PRC)—engages in malicious cyber activities to pursue its national interests including infiltrating critical infrastructure networks.
- The Russian government—officially known as the Russian Federation—engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.
- The North Korean government—officially known as the Democratic People’s Republic of Korea (DPRK)—employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.
- The Iranian government—officially known as the Islamic Republic of Iran—has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity, and to harm regional and international adversaries.”
DIGGING DEEPER: CYBER THREATS FROM RUSSIA
I am starting with a deeper look at Russian cyber threats because an excellent report was recently released from the Atlantic Council entitled Unpacking Russia’s cyber nesting doll. Here is the opening: “Russia’s full-scale invasion of Ukraine in February 2022 challenged much of the common Western understanding of Russia. How can the world better understand Russia? What are the steps forward for Western policy? The Eurasia Center’s new 'Russia Tomorrow' series seeks to reevaluate conceptions of Russia today and better prepare for its future tomorrow.”
The report has the following table of contents:
- Initial expectations
- Russia’s cyber ecosystem
- What happened to Russia’s cyber might?
- Unpacking the (cyber) nesting doll
- Conclusion
- Acknowledgements
- About the author
“Russia is still very much a cyber threat. Patriotic hackers and state security agencies, cybercriminals and private military companies, and so on blend together with deliberate state decisions, Kremlin permissiveness, entrepreneurialism, competition, petty corruption, and incompetence to create the Russian cyber web that exists today. The multidirectional, murky, and dynamic nature of Russia’s cyber ecosystem—relying on a range of actors, with different incentives, with shifting relationships with the state and one another—is part of the reason that the Russian cyber threat is so complex.
"Policymakers in the United States as well as allied and partner countries should take at least five steps to size up and confront Russia’s cyber threat in the years to come:
- When assessing the expectations-versus-reality of Russia’s wartime cyber operations, distinguish between capabilities and wartime execution.
- Widen the circle of analysis to include not just Russian state hackers but the broader Russian cyber web, including patriotic hackers and state-coerced criminals.
- Avoid the trap of assuming Russia can separate out cyber and information issues from other bilateral, multilateral, and security-related topics—maintaining its hostility toward Ukraine while, say, softening up on cyber operations against the United States.
- Continue cyber information sharing about Russia with allies and partners around the world.
- Invest in cyber defense and in cyber offense where appropriate.”
Another article released recently is this piece from Politico in Europe: "Western countries reveal major Russian cyber-espionage campaign." Here's an excerpt:
“Eleven Western countries have accused a notorious Russian military intelligence hacking group of targeting defense, transport and tech firms involved in helping Ukraine.
"The United States, the United Kingdom, Germany, the Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France and the Netherlands on Wednesday released a joint statement on the Russian state-sponsored campaign, which targeted organizations involved in the 'coordination, transport, and delivery of foreign assistance to Ukraine.'
"The countries said Unit 26165 of the Russian military intelligence service — known in the cybersecurity world as 'Fancy Bear' — had carried out the campaign for more than two years using a variety of tactics including targeted scam emails and stolen passwords.”
One more on Russia, this time from the National Security Agency (NSA): "NSA and Others Publish Advisory Warning of Russian State-sponsored Cyber Campaign Targeting Western Logistics and Technology Entities":
“The National Security Agency (NSA) is joining several United States and foreign entities to release the Cybersecurity Advisory (CSA), 'Russian GRU Targeting Western Logistics Entities and Technology Companies,' to call attention to a Russia state-sponsored cyber campaign targeting Western government organizations and commercial logistics entities, transportation services, and technology companies, including those involved in providing assistance to Ukraine. …
“The CSA provides guidance for at-risk organizations to posture their defenses against potential targeting by Unit 26165 through recommendations for increased monitoring and threat hunting for known TTPs and IOCs.”
DIGGING DEEPER: CYBER THREATS FROM CHINA
In the midst of headline-grabbing news about tariffs with China being paused for 90 days during negotiations, stories keep popping up about the ongoing China threat from cyber attacks against critical infrastructure.
For example, take a look at this story from Fox News: "Is America's power grid ready for next attack? Experts warn EMPs, cyber threats and AI could cripple US. Chinese hackers already positioned in American critical systems, cyber experts warn." Here's an excerpt:
“The widespread blackouts that recently brought parts of Spain and Portugal to a standstill triggered global speculation: was it an electromagnetic pulse (EMP) attack?
"Though authorities later ruled out an EMP, the incident reignited urgent questions about America’s vulnerability to similar large-scale disruptions and whether the U.S. is prepared for a modern-day 'black sky' event.
"According to cybersecurity expert and former Army Cyber Institute board member Bryson Bort, the United States remains dangerously exposed to a range of threats: not just EMPs, but increasingly sophisticated cyber and artificial intelligence (AI) attacks.”
On May 14, Reuters broke this story: "Rogue communication devices found in Chinese solar power inverters."
“The rogue components provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences, the two people said.
"Both declined to be named because they did not have permission to speak to the media.
"'We know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption,' said Mike Rogers, a former director of the U.S. National Security Agency. 'I think that the Chinese are, in part, hoping that the widespread use of inverters limits the options that the West has to deal with the security issue.'
"A spokesperson for the Chinese embassy in Washington said: 'We oppose the generalization of the concept of national security, distorting and smearing China's infrastructure achievements.'"
DIGGING DEEPER: CYBER THREATS FROM IRAN
Back in October 2024, NSA reported that "Iranian Cyber Actors Access Critical Infrastructure Networks." Here’s an excerpt:
“The National Security Agency (NSA) is joining the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and others in releasing a Cybersecurity Advisory (CSA), 'Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations,' to warn network defenders of malicious activity that can enable persistent access in sensitive systems.
"Since October 2023, Iranian cyber actors have used a technique known as brute force to compromise user accounts and obtain access to organizations to modify MFA registrations, enabling persistent access."
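The advisory excerpt above describes a two-stage pattern: brute-force (or password-spray) compromise of an account, followed by a change to the account's MFA registrations so the actor keeps access after the password is reset. The following is an added detection example written for this post; it is not code from the advisory or from any vendor. The log format, field names, thresholds and time windows are constructed assumptions, and the sample log lines are fabricated for illustration.

```python
"""Detect brute force followed by an MFA registration change (added example).

The log format below is a constructed assumption: one event per line with
timestamp, event type, user and source IP. Real identity providers log the
same facts under different field names; adapt parse_log() accordingly.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (fabricated users, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2025-05-20T08:00:01Z login_failed alice 203.0.113.10
2025-05-20T08:00:03Z login_failed alice 203.0.113.10
2025-05-20T08:00:05Z login_failed alice 203.0.113.10
2025-05-20T08:00:07Z login_failed alice 203.0.113.10
2025-05-20T08:00:09Z login_failed alice 203.0.113.10
2025-05-20T08:00:11Z login_failed alice 203.0.113.10
2025-05-20T08:00:14Z login_success alice 203.0.113.10
2025-05-20T08:06:30Z mfa_method_added alice 203.0.113.10
2025-05-20T09:15:00Z login_failed bob 198.51.100.7
2025-05-20T09:15:20Z login_success bob 198.51.100.7
2025-05-20T09:30:00Z login_failed carol 198.51.100.7
2025-05-20T09:30:01Z login_failed dave 198.51.100.7
2025-05-20T09:30:02Z login_failed erin 198.51.100.7
2025-05-20T09:30:03Z login_failed frank 198.51.100.7
2025-05-20T09:30:04Z login_failed grace 198.51.100.7
2025-05-20T10:00:00Z mfa_method_added bob 192.0.2.55
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "user": user, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce_then_mfa_change(events, fail_threshold=5,
                                      fail_window=timedelta(minutes=10),
                                      mfa_window=timedelta(minutes=60)):
    """Flag a user when a success follows >= fail_threshold failures inside
    fail_window, and an MFA method is then added within mfa_window of that
    success. Thresholds are assumptions; tune them to the environment."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        recent_failures = []      # failure timestamps inside the sliding window
        burst_success = None      # most recent success that ended a failure burst
        for e in evs:
            # Drop failures that have aged out of the window.
            recent_failures = [t for t in recent_failures
                               if e["ts"] - t <= fail_window]
            if e["event"] == "login_failed":
                recent_failures.append(e["ts"])
            elif e["event"] == "login_success":
                if len(recent_failures) >= fail_threshold:
                    burst_success = e
                recent_failures = []
            elif e["event"] == "mfa_method_added":
                if burst_success and e["ts"] - burst_success["ts"] <= mfa_window:
                    alerts.append({"user": user, "ip": e["ip"],
                                   "success_at": burst_success["ts"],
                                   "mfa_change_at": e["ts"]})
                    burst_success = None
    return alerts


def detect_password_spray(events, user_threshold=5,
                          window=timedelta(minutes=5)):
    """Flag a source IP that fails logins against >= user_threshold distinct
    users within one window (low-and-slow spraying will need a wider window)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if x["ts"] - start["ts"] <= window}
            if len(users) >= user_threshold:
                alerts.append({"ip": ip, "users": sorted(users),
                               "start": start["ts"]})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce_then_mfa_change(evs):
        print("brute force then MFA change:", a)
    for a in detect_password_spray(evs):
        print("password spray:", a)
```

On the constructed sample, only alice trips the first rule (a burst of failures, a success, then a new MFA method six minutes later), while bob's single failure followed by an MFA change from a different address does not; the spray rule flags 198.51.100.7 for the five-user burst. The point of correlating the two events rather than alerting on either alone is that MFA enrolment changes are routine and brute-force noise is constant, but the sequence the advisory describes is rare enough to be worth an analyst's time.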
On May 16, the Department of Defense (DOD) reported this news story at defense.gov: "DOD Leaders Urge Congress to Bolster Cyberdefenses":
“[Laurie] Buckhout also flagged Russia's integration of cyberoperations with geopolitical aims, Iran's persistent malicious activities and North Korea's ransomware campaigns. She noted that transnational criminal organizations further increase the threat, targeting infrastructure with profit-driven cyberattacks.”
DIGGING DEEPER: CYBER THREATS FROM NORTH KOREA
In early May, Security Week reported that "SentinelOne Targeted by North Korean IT Workers, Ransomware Groups, Chinese Hackers":
“SentinelOne reported this week that it too is regularly targeted by threat actors, including North Korean IT workers, ransomware groups, and state-sponsored cyberspies.
"North Korean fake IT workers have been a growing problem. In this type of scheme, North Korean individuals use fake identities to get jobs at Western companies, enabling them to make money for the Pyongyang regime and in some cases to obtain valuable data from the organizations that hire them.
"Security awareness firm KnowBe4 was famously targeted in such a scheme last year, with the hired North Korean operative attempting to plant malware on the company’s systems.”
On April 24, Reuters reported that "North Korean cyber spies created U.S. firms to dupe crypto developers":
“North Korean cyber spies created two businesses in the U.S., in violation of Treasury sanctions, to infect developers working in the cryptocurrency industry with malicious software, according to cybersecurity researchers and documents reviewed by Reuters.
"The companies, Blocknovas LLC and Softglide LLC, were set up in the states of New Mexico and New York using fake personas and addresses, researchers at Silent Push, a U.S. cybersecurity firm, told Reuters. A third business, Angeloper Agency, is linked to the campaign, but does not appear to be registered in the United States."
In March, we learned from Microsoft that "North Korean hackers join Qilin ransomware gang." And in July 2024, we learned that a "North Korean [was] charged in cyberattacks on US hospitals, NASA and military bases."
FINAL THOUGHTS
In a world where geopolitics continue to change on a daily basis, cyber attacks are a continuing reality from the same nation-states that we are working with regarding many issues — including trade, peace treaties and more.
For those interested in learning more about these topics and recommended actions and solutions, I encourage you to visit the World Economic Forum (WEF) reports on cybersecurity. I covered the WEF meeting in Davos, Switzerland, in January.