State-sponsored actors embed themselves in critical infrastructure networks for long-term persistence and future disruption capabilities. China’s Volt Typhoon and Salt Typhoon campaigns achieved undetected access to US communications, energy, transportation and water systems. The Salt Typhoon operation breached nine major US telecommunications companies, extracting phone records and location data.

These advanced persistent threats use “living off the land” techniques, leveraging legitimate system administration tools like PowerShell and Windows Management Instrumentation to blend malicious activity with normal administrative traffic. Russian groups like Sandworm targeted Ukrainian energy infrastructure, while Iranian Cyber Av3ngers successfully manipulated US water facility control systems.

The pervasive use of legitimate tools renders traditional signature-based security ineffective. Antivirus software and legacy intrusion detection systems cannot identify malicious use of trusted applications. This forces security paradigm shifts toward behavioral analytics, comprehensive visibility, and rapid threat hunting capabilities.
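The behavioral approach the paragraph above calls for can be sketched concretely. The following is an added example, not code from the original article or from any vendor it names: it scores process-creation events for the tools named above (PowerShell, WMI and similar dual-use binaries) by context rather than by signature, asking which account launched the tool, from which parent, with which arguments, and how that compares with a baseline of normal administrative activity. Field names follow the general shape of Sysmon Event ID 1 / Windows Security 4688 telemetry, but the log lines, account names and baseline counts are all constructed for illustration, and the weights are assumptions to be tuned per environment.

```python
"""Behavioral scoring of living-off-the-land (LOTL) tool use.

Added illustration, not from the original article. Field names follow the shape of
Sysmon Event ID 1 / Windows Security 4688 process-creation telemetry, but every
event, account name and baseline count below is constructed.
"""
import re
from collections import Counter

# Dual-use admin binaries that signature scanning will not flag by themselves;
# the signal is the context: which account, which parent, which arguments.
LOTL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "wmiprvse.exe",
               "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}

# Document handlers that almost never have a legitimate reason to spawn a shell.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# PowerShell switches weighted by how strongly they separate attacks from admin use
# (assumed weights; tune against your own telemetry).
PS_SWITCH_WEIGHTS = {
    "-enc": 3, "-encodedcommand": 3,   # payload hidden from plain-text logging
    "-ep": 1, "-executionpolicy": 1,   # policy bypass; some installers use it too
    "-nop": 1, "-noprofile": 1,        # weak on its own, common in scheduled scripts
}
HIDDEN_SWITCHES = {"-w", "-windowstyle"}  # scored only when followed by "hidden"

# Constructed baseline: how often each (account, parent, image) tuple ran during a
# "normal" period. In production this comes from historical telemetry, not a literal.
BASELINE = Counter({
    ("corp\\svc_patch", "services.exe", "powershell.exe"): 412,
    ("corp\\svc_sccm", "wmiprvse.exe", "powershell.exe"): 388,
    ("corp\\admin01", "explorer.exe", "powershell.exe"): 37,
    ("corp\\admin01", "explorer.exe", "cmd.exe"): 21,
    ("corp\\admin02", "explorer.exe", "wmic.exe"): 6,
})

# Constructed process-creation events in a simple key=value line format.
SAMPLE_EVENTS = r"""
user=CORP\svc_patch parent=services.exe image=powershell.exe cmdline="powershell.exe -NoProfile -File C:\Patch\apply.ps1"
user=CORP\admin01 parent=explorer.exe image=cmd.exe cmdline="cmd.exe /c ipconfig /all"
user=CORP\jsmith parent=WINWORD.EXE image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"
user=CORP\helpdesk7 parent=wmiprvse.exe image=cmd.exe cmdline="cmd.exe /c whoami /all"
user=CORP\admin02 parent=explorer.exe image=wmic.exe cmdline="wmic.exe os get caption"
user=CORP\jsmith parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict (quoted values may contain spaces)."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def score_event(ev, baseline=BASELINE):
    """Return (score, reasons) for one parsed event; 0 means nothing notable."""
    image, parent, user = ev["image"].lower(), ev["parent"].lower(), ev["user"].lower()
    if image not in LOTL_IMAGES:
        return 0, []
    score, reasons = 0, []

    # 1. Rarity against the baseline: who normally launches this tool from this parent?
    seen = baseline.get((user, parent, image), 0)
    if seen == 0:
        score += 3
        reasons.append("(account, parent, image) tuple never seen in baseline")
    elif seen < 10:
        score += 1
        reasons.append(f"rare tuple in baseline ({seen} prior runs)")

    # 2. Parent-process context.
    if parent in DOCUMENT_PARENTS:
        score += 3
        reasons.append(f"spawned by document handler {parent}")
    if parent == "wmiprvse.exe" and not user.rsplit("\\", 1)[-1].startswith("svc_"):
        score += 2
        reasons.append("WMI-launched process under a non-service account")

    # 3. Command-line switches (PowerShell only).
    if image in {"powershell.exe", "pwsh.exe"}:
        tokens = ev.get("cmdline", "").lower().split()
        for i, tok in enumerate(tokens):
            if tok in PS_SWITCH_WEIGHTS:
                score += PS_SWITCH_WEIGHTS[tok]
                reasons.append(f"switch {tok}")
            elif tok in HIDDEN_SWITCHES and i + 1 < len(tokens) and tokens[i + 1].startswith("hid"):
                score += 2
                reasons.append("hidden window")
    return score, reasons


def detect(log_text, threshold=3, baseline=BASELINE):
    """Score every event and return alerts at or above the threshold, highest first."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            alerts.append({"score": score, "user": ev["user"], "image": ev["image"], "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['score']:2d}] {alert['user']} -> {alert['image']}: {'; '.join(alert['reasons'])}")
```

Run against the constructed sample, the scheduled patch script and the administrator's shell stay below the alert threshold even though they use the same binaries, while the PowerShell launched from a document handler and the WMI-spawned shell under a help-desk account are surfaced. That is the point of the paragraph above: a signature on `powershell.exe` would either miss everything or fire on everything, whereas scoring the account, parent and argument context separates normal administration from the same tool used abnormally.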

1. Ransomware with physical consequences

Key Companies: Dragos, Claroty, Nozomi Networks, Palo Alto Networks, Fortinet
Economic Impact: Waterfall Security reports 80% of cyberattacks with physical consequences are attributable to ransomware operations