Why Nation-State Cyber Threats Matter
Nation-state cyber threats represent the most sophisticated and persistent danger facing organizations today. Unlike financially motivated criminal groups that seek quick payouts, state-sponsored hackers operate with virtually unlimited resources, long time horizons, and strategic objectives that align with their government's geopolitical goals. They target critical infrastructure, steal intellectual property worth billions, and conduct operations that can reshape the global balance of power.
Understanding which nations operate offensive cyber programs, which agencies run them, and what they are after is no longer optional for security professionals. A hospital network, a defense contractor, a cryptocurrency exchange, and a human rights organization each face fundamentally different nation-state threats. Without geopolitical context, defenders are flying blind.
This guide maps out the major state-sponsored hacking programs, their known APT groups, primary targets, and the campaigns that have defined the modern threat landscape.
Russia: GRU, SVR, and the Weaponization of Cyberspace
Russia fields the most destructive state cyber capability in the world. Two principal intelligence agencies drive Russian cyber operations: the GRU (military intelligence) and the SVR (foreign intelligence service). Each has distinct objectives and tradecraft, but together they cover the full spectrum of cyber warfare, from espionage to sabotage to information operations.
GRU: APT28 (Fancy Bear) and Sandworm
The GRU's cyber units are responsible for Russia's most aggressive and damaging operations. APT28 (also known as Fancy Bear or Forest Blizzard) is the GRU's primary espionage unit, targeting NATO governments, defense organizations, political campaigns, and media outlets. APT28 was behind the 2016 hack of the Democratic National Committee and has conducted persistent campaigns against European government networks for over a decade.
Sandworm (also tracked as Seashell Blizzard) is the GRU's most dangerous unit and arguably the most destructive cyber actor on the planet. Sandworm's operations include the 2015 and 2016 attacks on Ukraine's power grid, which caused blackouts affecting hundreds of thousands of civilians and marked the first confirmed cases of cyber attacks taking down an electrical grid. In 2017, Sandworm unleashed NotPetya, a destructive wiper disguised as ransomware that caused over $10 billion in damages worldwide, crippling Maersk, Merck, FedEx, and dozens of other multinational companies. NotPetya remains the most costly cyber attack in history.
During Russia's full-scale invasion of Ukraine in 2022, Sandworm deployed multiple wiper malware families against Ukrainian government and infrastructure targets and attacked the Viasat KA-SAT satellite network on the first day of the invasion, disrupting military communications across the country.
SVR: APT29 (Cozy Bear)
APT29 (also known as Cozy Bear or Midnight Blizzard) is the SVR's premier cyber espionage group. Where the GRU favors aggressive, often noisy operations, the SVR prioritizes stealth and long-term access. APT29 was responsible for the SolarWinds supply chain compromise discovered in December 2020, one of the most sophisticated espionage operations ever documented. By trojanizing a routine software update, APT29 gained access to the networks of approximately 18,000 organizations, including the U.S. Treasury, Department of Homeland Security, and multiple Fortune 500 companies.
APT29 continues to target cloud environments, technology companies, and diplomatic organizations worldwide. In early 2024, Microsoft disclosed that APT29 had compromised corporate email accounts of senior Microsoft executives, demonstrating that even the largest technology companies are not immune to SVR tradecraft.
China: MSS, PLA, and the Largest Espionage Machine in History
China operates the most prolific state-sponsored cyber espionage program in the world. Chinese cyber operations are coordinated primarily by the Ministry of State Security (MSS) and the People's Liberation Army (PLA), with objectives spanning intellectual property theft, political espionage, and military pre-positioning in adversary networks.
MSS Operations: APT41, APT40, and the Telecom Campaigns
APT41 (Double Dragon) is one of the most versatile threat actors in existence, conducting both state-directed espionage and financially motivated intrusions. APT41 has targeted healthcare, telecommunications, technology, and video game companies across dozens of countries. Their dual-hat operations, working for the MSS while simultaneously running criminal side ventures, make them uniquely prolific.
APT40 (Leviathan) operates on behalf of China's Hainan State Security Department, an MSS regional bureau. APT40 focuses on maritime industries, defense contractors, and governments across Southeast Asia, the United States, and Europe. Their targeting aligns closely with China's strategic interests in the South China Sea.
The Salt Typhoon campaign, disclosed in late 2024, revealed that Chinese state-sponsored hackers had deeply compromised major U.S. telecommunications providers, including AT&T, Verizon, and T-Mobile. The attackers accessed wiretap systems used by law enforcement, call metadata for millions of Americans, and the communications of senior U.S. government officials. Salt Typhoon represented one of the most significant intelligence compromises in U.S. history.
Critical Infrastructure Pre-Positioning: Volt Typhoon
The Volt Typhoon campaign, first publicly attributed in May 2023, fundamentally changed how the West understands Chinese cyber strategy. Unlike traditional espionage, Volt Typhoon operators systematically infiltrated U.S. critical infrastructure, including water treatment facilities, energy systems, telecommunications, and transportation networks, using living-off-the-land techniques that made detection extremely difficult. In some cases, they maintained persistent access for five or more years.
U.S. intelligence officials assessed that Volt Typhoon's purpose was not espionage but preparation for disruptive or destructive operations in the event of a military conflict, most likely over Taiwan. This pre-positioning strategy signals that China views cyber operations against civilian infrastructure as a legitimate first-strike capability designed to degrade U.S. military logistics and create domestic chaos during the critical opening phase of a conflict.
Iran: IRGC and the Art of Retaliation
Iran's cyber program is primarily run by the Islamic Revolutionary Guard Corps (IRGC) and has evolved from crude defacement campaigns into a capable apparatus for destructive attacks, espionage, and influence operations. Iranian cyber operations tend to be retaliatory, often spiking during periods of heightened tension over the nuclear program, sanctions, or regional conflict.
Charming Kitten (APT35) and Espionage
APT35 (Charming Kitten, also known as Mint Sandstorm) is Iran's most prolific espionage group, operating under the IRGC Intelligence Organization. APT35 specializes in social engineering, creating elaborate fake personas to target journalists, academics, diplomats, and policy researchers involved in Middle Eastern affairs, nuclear nonproliferation, and Iranian diaspora communities. Their primary objective is intelligence collection on perceived threats to the Iranian regime, with particular focus on surveilling dissidents and political opponents abroad.
APT35 has also targeted pharmaceutical and medical research organizations, particularly during the COVID-19 pandemic, and has been observed conducting campaigns against U.S. presidential campaigns and government officials.
Destructive Attacks: Shamoon and Beyond
Iran was among the first nation-states to deploy destructive wiper malware against civilian targets. The Shamoon attack in 2012 destroyed data on approximately 30,000 workstations at Saudi Aramco, the world's largest oil company, in what was then the most destructive cyber attack against a single organization. Shamoon was deployed again in 2016 and 2018 against additional targets in the Gulf region.
In 2022, Iranian actors attacked Albanian government infrastructure with wiper malware and ransomware, forcing the government to shut down online services for its citizens. The attack, attributed to the IRGC, was retaliation for Albania hosting the Mujahedin-e Khalq (MEK) opposition group. It marked the first time NATO issued a collective statement condemning a cyber attack on a member state. Iran has also increasingly operated through hacktivist front groups and personas to create deniability while conducting destructive operations against Israeli targets.
North Korea: RGB and the Weaponization of Cybercrime
North Korea stands apart from other nation-state cyber actors because its primary motivation is financial. The Reconnaissance General Bureau (RGB), North Korea's principal intelligence agency, runs cyber operations that have stolen billions of dollars to fund the regime's nuclear weapons and ballistic missile programs, circumventing international sanctions.
Lazarus Group: From Sony to Cryptocurrency Billions
The Lazarus Group (APT38, also tracked as Diamond Sleet) is North Korea's best-known cyber unit and arguably the most financially successful state-sponsored hacking group in history. Lazarus first gained global attention with the 2014 Sony Pictures hack, a destructive attack that wiped corporate systems and leaked confidential data in retaliation for a film satirizing Kim Jong-un.
Lazarus subsequently pivoted to financial theft, orchestrating the 2016 Bangladesh Bank heist that attempted to steal $1 billion from the bank's Federal Reserve account through fraudulent SWIFT messages (ultimately netting $81 million). Since then, Lazarus has focused heavily on cryptocurrency theft, stealing approximately $620 million from the Axie Infinity Ronin Bridge in 2022 and an estimated $1.5 billion from the Bybit exchange in 2025. U.N. investigators estimate that North Korean cyber actors have stolen over $3 billion in cryptocurrency since 2017, making the RGB the most prolific bank robber in human history.
Kimsuky: Espionage and Social Engineering
Kimsuky (Emerald Sleet) is North Korea's dedicated espionage unit, targeting South Korean government agencies, think tanks, academics, and organizations involved in Korean Peninsula policy and denuclearization diplomacy. Kimsuky is known for sophisticated spear-phishing campaigns and credential theft, often impersonating journalists, researchers, or government officials to build trust with targets before delivering malware. They also target defense and aerospace organizations in the U.S. and Japan for military intelligence collection.
North Korea's IT worker fraud scheme adds another dimension to the threat. Thousands of North Korean IT workers have obtained remote jobs at Western companies under fraudulent identities, generating revenue for the regime while potentially providing insider access to corporate networks.
Emerging Threats: Other State Cyber Capabilities
While Russia, China, Iran, and North Korea dominate the public threat landscape, other nations maintain significant and growing offensive cyber capabilities.
Israel: Unit 8200 and the Surveillance Industry
Israel's Unit 8200, a signals intelligence directorate within the Israel Defense Forces, is widely considered one of the most technically advanced cyber operations units in the world. Unit 8200 alumni have founded much of Israel's commercial surveillance and cybersecurity industry, including NSO Group, the creators of the Pegasus spyware. Israel was a co-developer of Stuxnet, the malware that sabotaged Iranian nuclear centrifuges in 2010, marking the first known use of a cyber weapon to cause physical destruction. Israeli cyber capabilities are primarily directed at Iran and regional adversaries, though the proliferation of commercial spyware built by Unit 8200 alumni has become a global concern for human rights organizations.
Five Eyes and Allied Capabilities
The United States, United Kingdom, Australia, Canada, and New Zealand maintain extensive offensive cyber capabilities through their respective signals intelligence agencies (NSA, GCHQ, ASD, CSE, and GCSB). The Snowden disclosures in 2013 revealed the scale of NSA operations, including the ability of the TAO (Tailored Access Operations) unit to compromise virtually any networked system. U.S. Cyber Command and the UK's National Cyber Force conduct active "hunt forward" and "defend forward" operations, deploying teams to allied nations to identify and counter adversary intrusions in real time. These capabilities are primarily defensive and counteroffensive in posture but represent the most technically advanced cyber operations programs in existence.
How to Stay Informed on Nation-State Cyber Threats
The nation-state cyber threat landscape shifts constantly. New APT groups are identified, campaigns are disclosed, and geopolitical events trigger surges in cyber activity. Staying current requires ongoing attention to both technical threat intelligence and geopolitical developments.
- Track geopolitical triggers: Diplomatic crises, military buildups, elections, and sanctions announcements all correlate with spikes in nation-state cyber activity. Monitoring these events helps you anticipate threats before they materialize.
- Know your adversary: Different organizations face different nation-state threats. Defense contractors should prioritize Chinese and Russian APTs. Financial institutions and crypto companies should focus on North Korean actors. NGOs and media organizations face elevated risk from Iranian and Chinese surveillance.
- Combine technical and strategic intelligence: Indicators of compromise alone are insufficient. Understanding the why behind an intrusion, the strategic motivation driving the adversary, is what transforms raw data into actionable intelligence.
CyberGeoDigest was built specifically for this purpose. Our daily briefings combine cybersecurity threat reporting with geopolitical analysis, connecting the dots between APT campaigns and the state objectives driving them. Every story is placed in strategic context so you understand not just what happened, but why it matters and what might come next.