Deep Dive into Cyber Warfare and Espionage
Nation-state operations, attribution, supply-chain campaigns, and the strategic landscape of state-backed cyber conflict.
Cyber conflict has graduated from rare, exotic operations to a continuous, multi-polar campaign domain where nation-states, their contractors, and their proxies pursue intelligence, sabotage, influence, and economic advantage across every connected network on earth. The line between warfare and espionage is blurry on purpose: persistent, deniable, calibrated below the threshold of armed response. Understanding the major actors, their tradecraft, and the strategic frameworks that shape state cyber behavior is now essential context for any defender in critical infrastructure, technology, defense, or government.
Core Concepts
State cyber operations span five overlapping mission sets:
- Strategic intelligence — political, military, diplomatic collection.
- Economic espionage — industrial IP theft to advance domestic industry.
- Counterintelligence — surveilling dissidents, journalists, foreign agents.
- Preparation of the environment — quiet pre-positioning of access in critical infrastructure for potential future disruption.
- Disruption and destruction — direct sabotage, often timed to physical events.
Doctrines vary:
- United States — USCYBERCOM "defend forward" and "persistent engagement"; NSA SIGINT collection at scale; close integration with Five Eyes (UK, Canada, Australia, New Zealand).
- China — PLA Strategic Support Force, MSS bureaus and contractors; long-standing focus on industrial espionage and now critical infrastructure pre-positioning.
- Russia — GRU (military intelligence) for disruption; SVR (foreign intelligence) for stealthy collection; FSB for domestic and CIS-region operations.
- Iran — IRGC-affiliated groups for regional and global operations; rapid pivot to disruptive attacks during periods of tension.
- North Korea — RGB Bureau 121; uniquely focused on revenue generation (cryptocurrency theft, ransomware, financial-sector intrusions) to fund the regime.
- Israel, France, Germany, India, others — significant capabilities, generally more discreet operational disclosures.
Naming conventions are vendor-specific: APT28 (Mandiant) = Fancy Bear (CrowdStrike) = Sofacy (Kaspersky) = Forest Blizzard (Microsoft) = GRU Unit 26165.
Tradecraft of Advanced Persistent Threats
State actors and top-tier contractors share characteristics distinguishing them from cybercriminals:
- Custom tooling — bespoke implants written for specific operations, often modular, frequently rewritten when burned.
- 0-day economy — purchase from brokers (NSO, Candiru, Intellexa) or develop in-house; use sparingly to avoid burn.
- Supply-chain compromise — SolarWinds, 3CX, X_Trader, Codecov, NotPetya's MeDoc, Kaspersky's CCleaner; reach thousands of targets from a single intrusion.
- Long dwell times — months to years before detection. APT29's Microsoft tenant intrusion (2023) persisted for months via OAuth token abuse.
- Living off the land — Volt Typhoon's reliance on built-in Windows tools (wmic, ntdsutil, netsh, PowerShell) to minimize artifacts.
- Operational security — VPN/proxy chains, compromised infrastructure as redirectors, time-zone discipline to mask working hours, careful selection of C2 protocols (DNS over HTTPS, legitimate cloud services, social media APIs).
- Compartmentation — separate teams for initial access, post-exploitation, and exfiltration; tooling silos to limit blast radius of attribution.
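Living-off-the-land tradecraft like Volt Typhoon's is caught by looking at the arguments passed to built-in tools rather than the tools themselves. The detection below is an added example, not code from the original article or any vendor product; the events, hosts and rule set are constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style, simplified).
# Host names, users and paths are invented for this example.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.1.1.5 connectport=445"},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "powershell.exe",
     "cmdline": 'wmic /node:fs01 process call create "cmd /c hostname"'},
    {"host": "ws02", "user": "CORP\\helpdesk", "parent": "cmd.exe",
     "cmdline": "netsh interface show interface"},
    {"host": "ws02", "user": "CORP\\helpdesk", "parent": "cmd.exe",
     "cmdline": "wmic logicaldisk get name"},
]

# Each rule targets the abusive arguments, not the binary: the same tools appear constantly in
# legitimate admin work, so flagging every wmic/netsh invocation would drown the SOC.
RULES = [
    ("ntdsutil IFM dump of NTDS.dit", "T1003.003",
     re.compile(r"ntdsutil(\.exe)?\b.*\b(ifm|ac i ntds|create full)\b", re.I)),
    ("netsh portproxy pivot", "T1090",
     re.compile(r"netsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I)),
    ("wmic remote process creation", "T1047",
     re.compile(r"wmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
]

def detect(events):
    """Return one finding per matching (event, rule) pair with the fields an analyst triages on."""
    findings = []
    for ev in events:
        for name, attack_id, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"], "parent": ev["parent"],
                                 "rule": name, "attack": attack_id, "cmdline": ev["cmdline"]})
    return findings

def hosts_with_multiple_techniques(findings, minimum=2):
    """Hosts where several distinct LOTL techniques fire: a far stronger signal than one hit."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["attack"])
    return sorted(h for h, ids in per_host.items() if len(ids) >= minimum)

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']:<6} {f['attack']:<10} {f['rule']:<32} {f['cmdline']}")
    print("hosts with multiple techniques:", hosts_with_multiple_techniques(detect(SAMPLE_EVENTS)))
```

The benign helpdesk commands on ws02 produce no findings, while ws17 is escalated because two different techniques fired on the same host.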
Frameworks for State Cyber Behavior
International law lenses:
- Tallinn Manual 2.0 — non-binding scholarly framework on how international law applies to cyber operations.
- UN GGE / OEWG norms — voluntary norms agreed (with varying compliance) by UN member states, including not attacking critical infrastructure, protecting CERTs, not knowingly allowing territory to be used for malicious cyber acts.
- Use of force / armed attack thresholds — Stuxnet-class destructive effects may cross into law-of-armed-conflict territory; pure espionage typically does not.
- Below-threshold gray zone — most state cyber activity sits here, leveraging the absence of clear escalation triggers.
Attribution and accountability:
- Public attributions — Treasury OFAC, DOJ indictments (most affected individuals will never be tried), State Department designations, allied joint advisories (CISA + NSA + FBI + Five Eyes + EU CSIRT Network).
- Sanctions and rewards — Rewards for Justice programs offer millions for information on specific operators.
- Industry attributions — Mandiant, CrowdStrike, Microsoft, Kaspersky, ESET, Recorded Future. Multi-source corroboration is the gold standard.
Major Campaigns and Operations
A non-exhaustive list of pivotal incidents:
- Stuxnet (~2010) — US/Israeli operation against Iranian Natanz centrifuges. The first widely public destructive cyber-physical operation.
- Aurora (2009) — China-attributed campaign against Google and dozens of US tech firms; catalyzed Google's eventual withdrawal from China.
- Sony Pictures (2014) — North Korea-attributed destructive attack in response to The Interview.
- OPM (2015) — China-attributed exfiltration of 21.5M US federal personnel records, including SF-86 background investigation forms; a strategic counterintelligence loss.
- DNC hack (2016) — Russian GRU and SVR operations; foundational to subsequent debates on election interference.
- NotPetya (2017) — Russian GRU; disguised as ransomware, designed for destruction; caused ~$10B in global damages, the most destructive cyberattack on record.
- WannaCry (2017) — North Korea-attributed, leveraged NSA-leaked EternalBlue exploit, hit ~200,000 systems including the NHS.
- SolarWinds / SUNBURST (2020) — Russian SVR (Cozy Bear / APT29) supply-chain compromise of Orion software updates, reached ~18,000 organizations including US federal agencies.
- Hafnium Exchange (2021) — China-attributed mass exploitation of on-premises Exchange Server zero-days.
- Viasat KA-SAT (2022) — Russian GRU disrupted satellite modems hours before the invasion of Ukraine, with collateral effects on European wind-turbine operators.
- Volt Typhoon (disclosed 2023) — Chinese MSS-attributed pre-positioning in US critical infrastructure (water, electric, telecom), designed for future disruption.
- Salt Typhoon (2024) — Chinese-attributed deep compromise of US telecom carriers including lawful-intercept infrastructure.
- Sandworm continuous Ukraine operations — Industroyer2, AcidRain, CaddyWiper, hundreds of wiper deployments and OT attacks since 2022.
- Lazarus Group ongoing crypto heists — Ronin, Atomic Wallet, Stake, WazirX, totaling billions to fund the DPRK regime.
Mercenary Spyware and Commercial Offensive Capability
NSO Group's Pegasus, Candiru, Intellexa's Predator, Cytrox, and others sell zero-click iOS/Android exploit chains to government customers. Documented misuse against journalists, dissidents, lawyers, and political opposition has triggered Apple lawsuits, US Commerce Department entity-list designations, and EU export-control debates. The Pall Mall Process aims to develop international norms around commercial cyber intrusion capabilities.
Real-world Examples
The examples above also serve here — they are the canonical case studies, regularly used in training, academic research, and policy analysis. A defender working in any sector should be able to articulate the basic facts and lessons of NotPetya, SolarWinds, Volt Typhoon, and the ongoing Lazarus campaigns.
Two newer recurring patterns:
- Edge-device exploitation — Ivanti Connect Secure, Cisco IOS XE, Fortinet FortiGate, Palo Alto GlobalProtect repeatedly exploited by both Chinese and Russian state actors as initial access points. Poor lifecycle management of network-edge appliances has turned them into the perimeter's new weak point.
- Cloud identity attacks — Storm-0558 (China-attributed) forging Microsoft cloud authentication tokens by stealing a consumer signing key; APT29 abusing Entra ID OAuth flows for persistence. Defenders must instrument identity layers with the same rigor as endpoints.
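The Storm-0558 pattern above is the reason token validation must bind each signing key to the issuers it is allowed to sign for, not just verify the signature. The validator below is an added example, not Microsoft's or any vendor's code; it uses HMAC instead of RSA so it runs with the standard library alone, and the key registry, secrets and issuer URLs are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed key registry. Secrets and issuer URLs are invented; a real IdP publishes RSA keys
# via JWKS, but the scoping check below is independent of the algorithm.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-signing-secret",
                       "issuers": {"https://login.example/consumer"}},
    "tenant-key-7":   {"secret": b"tenant-signing-secret",
                       "issuers": {"https://login.example/tenant/acme"}},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(kid: str, claims: dict) -> str:
    """Mint an HS256 token under the named key (the IdP's own minting path)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate(token: str, expected_iss: str, now=None) -> tuple:
    """Accept only if the signature verifies AND the signing key is scoped to the claimed issuer."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:                       # bad base64, bad JSON or wrong segment count
        return False, "malformed"
    if header.get("alg") != "HS256":         # pin the algorithm; never trust the token's choice
        return False, "unexpected alg"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    # Limits the blast radius of a stolen key to its own issuer: a signature that verifies under
    # a key from a different issuer class is still a forgery.
    if claims["iss"] not in key["issuers"]:
        return False, "key not scoped for issuer"
    if claims.get("exp", 0) < (time.time() if now is None else now):
        return False, "expired"
    return True, "ok"
```

A token carrying the tenant issuer but signed with the consumer key passes the signature check and is still rejected, which is the property a verifier lacked in the incident the article describes.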
Best Practices & Mitigation
For organizations likely to be targeted (which now includes most of critical infrastructure, technology, finance, defense, media, NGOs, and academia):
- Threat-informed defense — base controls on the specific TTPs of actors interested in your sector (see CISA, NSA, MS-ISAC advisories, Mandiant M-Trends, Microsoft Digital Defense Report).
- Edge-device hygiene — patch within 24 hours of advisories on internet-exposed appliances; minimize exposure; replace EOL devices.
- Identity-first security — phishing-resistant MFA (FIDO2 / passkeys), conditional access, continuous access evaluation, anomaly detection on token issuance and use.
- Supply-chain assurance — SBOMs, vendor security questionnaires, signed software, build-system isolation (SLSA framework), code-signing key protection.
- Network and identity segmentation — assume initial compromise; design to limit blast radius. Zero-trust principles in practice.
- High-fidelity logging and retention — many APT investigations require months of logs; default 30-day retention is inadequate.
- Threat hunting — proactive, hypothesis-driven, against state-actor TTPs; do not wait for alerts.
- Incident-response retainer with a mature DFIR firm; tabletop exercises that include nation-state scenarios and law-enforcement engagement.
- Coordinated disclosure with government — CISA, NCSC, BSI, equivalent national CERTs. Information sharing benefits sector peers.
- People security — insider risk, supply-chain personnel vetting, executive protection, secure travel programs for sensitive employees.
Cyber warfare and espionage are now structural features of international relations, not exceptional events. The major powers maintain large, professional cyber forces operating continuously across peacetime and conflict, supplemented by mercenary capability vendors and proxy actors. For defenders, this means treating nation-state TTPs as part of the everyday threat model, not as exotic edge cases. The good news is that the technical primitives — phishing-resistant identity, edge-device hygiene, supply-chain assurance, segmentation, logging, hunting — work against both criminals and state actors. The defenders who internalize the strategic picture, study real campaigns, and execute the fundamentals with discipline are the ones who make state operations expensive enough to deter or detect early enough to contain.
Ready to test your knowledge? Take the Cyber Warfare and Espionage MCQ Quiz on HackCert today!