What is the current situation with nation-state cyber attacks in the middle of 2025? Here’s a look at some of the biggest cyber threats from Russia, China, Iran and North Korea.
In September 2024, I attended the FBI’s CISO Academy, and one intelligence briefing summary on cyber threats stood out to me above the rest. The statement was simple: “Inside the [Washington, D.C.,] beltway the top cyber issue is nation-state cyberattacks, while outside the beltway [in the rest of the U.S.] the top cyberthreat remains ransomware.”
We covered ransomware in some depth back in March 2025, so in this blog I want to cover updates on nation-state cyber threats. My timing coincides with many recent cybersecurity headlines that have surfaced in May, along with some fascinating new reports that dig deeper into this topic than most unclassified briefings.
“Nation-state adversaries pose an elevated threat to our national security. These adversaries are known for their advanced persistent threat (APT) activity:
The Russian government—officially known as the Russian Federation—engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.
The North Korean government—officially known as the Democratic People’s Republic of Korea (DPRK)—employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.
The Iranian government—officially known as the Islamic Republic of Iran—has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity, and to harm regional and international adversaries.”
DIGGING DEEPER: CYBER THREATS FROM RUSSIA
I am starting with a deeper look at Russian cyber threats because an excellent report was recently released from the Atlantic Council entitled Unpacking Russia’s cyber nesting doll. Here is the opening: “Russia’s full-scale invasion of Ukraine in February 2022 challenged much of the common Western understanding of Russia. How can the world better understand Russia? What are the steps forward for Western policy? The Eurasia Center’s new ‘Russia Tomorrow’ series seeks to reevaluate conceptions of Russia today and better prepare for its future tomorrow.”
The report has the following table of contents:
After describing the cyber activities that began with the onset of Russia’s war with Ukraine, the opening summary offers these recommendations:
“Russia is still very much a cyber threat. Patriotic hackers and state security agencies, cybercriminals and private military companies, and so on blend together with deliberate state decisions, Kremlin permissiveness, entrepreneurialism, competition, petty corruption, and incompetence to create the Russian cyber web that exists today. The multidirectional, murky, and dynamic nature of Russia’s cyber ecosystem—relying on a range of actors, with different incentives, with shifting relationships with the state and one another—is part of the reason that the Russian cyber threat is so complex.
“Policymakers in the United States as well as allied and partner countries should take at least five steps to size up and confront Russia’s cyber threat in the years to come:
1. When assessing the expectations-versus-reality of Russia’s wartime cyber operations, distinguish between capabilities and wartime execution.
2. Widen the circle of analysis to include not just Russian state hackers but the broader Russian cyber web, including patriotic hackers and state-coerced criminals.
3. Avoid the trap of assuming Russia can separate out cyber and information issues from other bilateral, multilateral, and security-related topics—maintaining its hostility toward Ukraine while, say, softening up on cyber operations against the United States.
4. Continue cyber information sharing about Russia with allies and partners around the world.
5. Invest in cyber defense and in cyber offense where appropriate.”
I won’t quote more of the report here, but I urge cybersecurity professionals to take time to read it in its entirety.
“Eleven Western countries have accused a notorious Russian military intelligence hacking group of targeting defense, transport and tech firms involved in helping Ukraine.
“The United States, the United Kingdom, Germany, the Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France and the Netherlands on Wednesday released a joint statement on the Russian state-sponsored campaign, which targeted organizations involved in the ‘coordination, transport, and delivery of foreign assistance to Ukraine.’
“The countries said Unit 26165 of the Russian military intelligence service — known in the cybersecurity world as ‘Fancy Bear’ — had carried out the campaign for more than two years using a variety of tactics including targeted scam emails and stolen passwords.”
“The CSA provides guidance for at-risk organizations to posture their defenses against potential targeting by Unit 26165 through recommendations for increased monitoring and threat hunting for known TTPs and IOCs.”
DIGGING DEEPER: CYBER THREATS FROM CHINA
In the midst of headline-grabbing news about tariffs with China being paused for 90 days during negotiations, stories keep popping up about the ongoing China threat from cyber attacks against critical infrastructure.
“The widespread blackouts that recently brought parts of Spain and Portugal to a standstill triggered global speculation: was it an electromagnetic pulse (EMP) attack?
“Though authorities later ruled out an EMP, the incident reignited urgent questions about America’s vulnerability to similar large-scale disruptions and whether the U.S. is prepared for a modern-day ‘black sky’ event.
“According to cybersecurity expert and former Army Cyber Institute board member Bryson Bort, the United States remains dangerously exposed to a range of threats: not just EMPs, but increasingly sophisticated cyber and artificial intelligence (AI) attacks.”
“The rogue components provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences, the two people said.
“Both declined to be named because they did not have permission to speak to the media.
“‘We know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption,’ said Mike Rogers, a former director of the U.S. National Security Agency. ‘I think that the Chinese are, in part, hoping that the widespread use of inverters limits the options that the West has to deal with the security issue.’
“A spokesperson for the Chinese embassy in Washington said: ‘We oppose the generalization of the concept of national security, distorting and smearing China’s infrastructure achievements.’”
“Since October 2023, Iranian cyber actors have used a technique known as brute force to compromise user accounts and obtain access to organizations to modify MFA registrations, enabling persistent access.”
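The pattern described in that quote, a burst of failed logins, a successful login, and then a change to the account’s MFA registrations, is one a defender can hunt for directly in identity-provider logs, which is also the kind of monitoring for known TTPs that the CSA quoted earlier recommends. The script below is an added example written for this post, not code from the advisory or from any of the agencies or vendors quoted; the event names (login_failure, login_success, mfa_method_added), the thresholds and the log records are constructed assumptions, so map them to the event types your own identity provider emits.

```python
"""Hunt authentication logs for brute force followed by an MFA registration change.

Added example for this post; event names, thresholds and sample data are
constructed assumptions, not fields from any real product's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _failures(user, ip, start, count, step_seconds=20):
    """Build `count` consecutive login_failure events (constructed sample data)."""
    t0 = datetime.strptime(start, TS_FMT)
    return [((t0 + timedelta(seconds=i * step_seconds)).strftime(TS_FMT),
             user, "login_failure", ip) for i in range(count)]


# Constructed sample events, tuple layout: (timestamp, user, event, source_ip)
SAMPLE_EVENTS = (
    # alice: 12 failures, then a success from the same address, then a new MFA method
    _failures("alice", "203.0.113.5", "2025-05-20T08:00:00Z", 12)
    + [("2025-05-20T08:05:10Z", "alice", "login_success", "203.0.113.5"),
       ("2025-05-20T08:07:45Z", "alice", "mfa_method_added", "203.0.113.5")]
    # bob: two typos, a success, then enrolls a new phone -> ordinary behaviour
    + _failures("bob", "198.51.100.7", "2025-05-20T09:00:00Z", 2)
    + [("2025-05-20T09:01:00Z", "bob", "login_success", "198.51.100.7"),
       ("2025-05-20T09:03:00Z", "bob", "mfa_method_added", "198.51.100.7")]
    # carol: 15 failures and no success -> brute force in progress, no takeover yet
    + _failures("carol", "203.0.113.9", "2025-05-20T10:00:00Z", 15)
)


def detect_mfa_registration_after_brute_force(events, fail_threshold=10,
                                              fail_window=timedelta(minutes=30),
                                              mfa_window=timedelta(hours=2)):
    """One alert per takeover-shaped sequence: >= fail_threshold failures inside
    fail_window before a login_success, then mfa_method_added within mfa_window."""
    by_user = defaultdict(list)
    for ts, user, event, ip in events:
        by_user[user].append((datetime.strptime(ts, TS_FMT), event, ip))
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        fail_times = [t for t, e, _ in evs if e == "login_failure"]
        for i, (t, event, ip) in enumerate(evs):
            if event != "login_success":
                continue
            recent = [f for f in fail_times if t - fail_window <= f < t]
            if len(recent) < fail_threshold:
                continue  # a success without a preceding burst is not this pattern
            for t2, event2, ip2 in evs[i + 1:]:
                if t2 - t > mfa_window:
                    break  # registration change too long after the login to link
                if event2 == "mfa_method_added":
                    alerts.append({
                        "user": user,
                        "failures_before_success": len(recent),
                        "success_time": t.strftime(TS_FMT),
                        "success_ip": ip,
                        "mfa_change_time": t2.strftime(TS_FMT),
                        "mfa_change_ip": ip2,
                    })
                    break
    return alerts


def brute_force_candidates(events, fail_threshold=10, fail_window=timedelta(minutes=30)):
    """Users with >= fail_threshold login_failure events inside any fail_window span,
    whether or not the attempt succeeded (useful for lockout and IP-block decisions)."""
    fails = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "login_failure":
            fails[user].append(datetime.strptime(ts, TS_FMT))
    hits = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= fail_window:
                hits.add(user)
                break
    return sorted(hits)


if __name__ == "__main__":
    for alert in detect_mfa_registration_after_brute_force(SAMPLE_EVENTS):
        print("MFA change after brute force:", alert)
    print("brute-force candidates:", brute_force_candidates(SAMPLE_EVENTS))
```

Two separate signals are deliberate: the first function flags the account takeover that has already happened (alice), which is where an MFA reset and session revocation is warranted, while the second catches the in-progress guessing (carol) early enough that a lockout or conditional-access rule can stop it before a password is found. Bob’s ordinary enrollment after two typos trips neither, which is what keeps the alert actionable.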
“[Laurie] Buckhout also flagged Russia’s integration of cyberoperations with geopolitical aims, Iran’s persistent malicious activities and North Korea’s ransomware campaigns. She noted that transnational criminal organizations further increase the threat, targeting infrastructure with profit-driven cyberattacks.”
“SentinelOne reported this week that it too is regularly targeted by threat actors, including North Korean IT workers, ransomware groups, and state-sponsored cyberspies.
“North Korean fake IT workers have been a growing problem. In this type of scheme, North Korean individuals use fake identities to get jobs at Western companies, enabling them to make money for the Pyongyang regime and in some cases to obtain valuable data from the organizations that hire them.
“Security awareness firm KnowBe4 was famously targeted in such a scheme last year, with the hired North Korean operative attempting to plant malware on the company’s systems.”
“North Korean cyber spies created two businesses in the U.S., in violation of Treasury sanctions, to infect developers working in the cryptocurrency industry with malicious software, according to cybersecurity researchers and documents reviewed by Reuters.
“The companies, Blocknovas LLC and Softglide LLC, were set up in the states of New Mexico and New York using fake personas and addresses, researchers at Silent Push, a U.S. cybersecurity firm, told Reuters. A third business, Angeloper Agency, is linked to the campaign, but does not appear to be registered in the United States.”
In a world where geopolitics continue to change on a daily basis, cyber attacks are a continuing reality from the same nation-states that we are working with regarding many issues — including trade, peace treaties and more.
For those interested in learning more about these topics and recommended actions and solutions, I encourage you to visit the World Economic Forum (WEF) reports on cybersecurity. I covered the WEF meeting in Davos, Switzerland, in January.