
What executives must know about nation-state threat actors
Nation-state threat actors like Russia, China, Iran and North Korea are targeting critical infrastructure and sensitive data, so executives must prepare to defend against them.
Cybercrime occurs at every degree of scale and severity, but nation-state cyberattacks are a growing threat that can cause critical damage to sensitive data at the national level. Executives must be prepared to defend their organizations against this kind of digital assault, which can have serious implications for revenue and brand reputation.
Recent years have seen increasing visibility in nation-state cyberattacks, often tied to conflicts such as the ongoing Russia-Ukraine war. Although many previous incidents could not be proven to be state-sanctioned, today, they are often publicly claimed by or traced back to state-sponsored actors. Usually, the intent is to earn the country geopolitical advantages through illegal cyber activity, but there is also a large financial component:
- New data from IBM and Ponemon Institute shows that the global average cost of a data breach in 2024 increased 10% from the previous year, to $4.9 million.
- This figure reaches $9.44 million for breaches within the U.S.
- Cybersecurity Ventures predicts that by 2031, ransomware will strike every two seconds and cost victims $265 billion annually.
Nation-state cyberattacks are heavily tied to the state of diplomatic relations between countries; the risk of a nation-state cyberattack increases as geopolitical tensions rise. But even during periods of relative peace, executives should be mindful of the potential threat of this kind of large-scale assault. When an assailant has the backing of an entire country behind it, they are likely to have the necessary resources and protections to cause more harm than the average cyberattack.
These attacks are not just focused on formal government entities but also target organizations that contribute to critical national infrastructure. This makes it imperative for executives across industries to be vigilant and proactive in their security measures beyond their regular protocols. Understanding the key threat actors and the likely style of nation-state attacks can help executives better prepare to withstand them.
Key types of nation-state cyberattacks
In today's digital-first environment, the potential ramifications of a nation-state cyberattack are vast. State-sponsored actors have more advanced technology to work with and can wage war from inside their own nations, making physical distance redundant. They can also use social engineering, such as collecting data from social media, to infiltrate private accounts and gain unauthorized access to classified systems.
Nation-state attacks come in various forms. While they may all play into a nation's broader geopolitical strategy, individual attacks will vary in their targets and goals. Still, they usually fall into one of three categories:
- Espionage – a stealth attack that steals sensitive information from international rivals, to give a competitive advantage in future strategy.
- Disruption – an overt attack that damages or disables another nation's critical activity to cause active harm, such as through ransomware attacks.
- Political speech – a symbolic attack that promotes a specific message to a public audience, to promote the attacking nation's ideology.
Depending on the current relationship between the two nations, one type of attack may be more prevalent than another. In today's geopolitical threat landscape, rising tensions and conflicting ideologies have prompted a rise in more direct cyber assaults that actively destroy or disrupt sensitive operations.
Major players in current cyberattacks
Any country can conduct or instigate a cyberattack, but in 2025, a few notable players are more commonly involved in this kind of malicious activity, especially against Western countries. Executives should be informed of these countries' tactics and prepared to defend against them.
Sometimes described as the "big four," this group consists of Iran, North Korea, Russia and China; their state-sponsored groups are also known as advanced persistent threats (APTs). Each country uses nation-state cyberattacks in different ways according to its geopolitical priorities. In its 2024 report, the UK's National Cyber Security Centre (NCSC) described these actors as "real and enduring threats."
Iran
Government Name: The Islamic Republic of Iran
Situated within the Middle East, Iran has been involved in decades of geopolitical dispute and unrest within the region, so many of its reported nation-state cyberattacks have been targeted at neighbors. In March 2025, Iran conducted cyber espionage attacks against the government of Iraq and the telecommunications of Yemen, while in October 2024, Iran increased similar espionage efforts against the United Arab Emirates, according to the Center for Strategic and International Studies (CSIS).
Iran has also been labelled as a significant threat actor to the U.S. and Israel, both due to longstanding tensions and because of the escalation of the Israel-Palestine conflict. Since the Hamas attacks in Israel on Oct. 7, 2023, Iran has compromised the IT network of an Israeli nuclear facility, targeted Israeli government sites and is said to have infiltrated Donald Trump's 2024 presidential campaign. Israel was the target of 50% of Iran's APT activity between October 2023 and June 2024, according to Microsoft's 2024 Digital Defense Report.
North Korea
Government Name: The Democratic People's Republic of Korea (DPRK)
As a communist state under totalitarian dictatorship, North Korea has been considered a rival and threat to the U.S. for decades. While the country is not actively at war, its isolationist practices and investment in nuclear weapons have contributed to widespread geopolitical tension, particularly with its neighbor, South Korea. In October 2023, state-sponsored hackers targeted South Korea's shipbuilding sector with malware phishing attacks, while in February 2025, they conducted cyber espionage against a range of South Korean entities.
In addition to these attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that North Korea engages in nation-state cyberwarfare to generate revenue for the country. Specifically, North Korean hackers conducted the largest cryptocurrency heist to date, stealing $1.5 billion in Ethereum from the Dubai-based exchange ByBit. CSIS has also reported that North Korean actors stole at least $3 billion through cyberwarfare between 2018 and 2023. North Korea commonly uses supply chain attacks for this purpose.
Russia
Government Name: The Russian Federation
Since the end of the Cold War, the relationship between the U.S. and Russia has remained tense. Opposing political regimes and general rivalry have made the U.S. a common target of Russian cyberwarfare, but it's not the only one: Microsoft's Digital Defense Report found that 75% of Russia's cyberattacks targeted Ukraine or a NATO member state between July 2023 and June 2024. Specifically, Russian hackers have been shown to have targeted elections in several countries over the years, including Romania's national election in December 2024 and the European Parliamentary elections in June 2024.
Ukraine has been the biggest target over the last couple of years, and Russia has used several different methods of cyberattacks. In October 2024, it stole personal information from Ukrainian men of draft age to hinder military recruitment efforts, while in 2023, it targeted Ukrainian embassies with espionage efforts. Throughout 2024, CSIS reports that Russian-sponsored cyberattacks on Ukraine grew by nearly 70% and that there were 4,315 cybersecurity incidents targeting critical infrastructure.
China
Government Name: The People's Republic of China
Over the past few decades, China has become an increasingly competitive rival to the U.S. and to the Western world in general. According to CISA, it predominantly conducts cyberwarfare to pursue national interests, which often involves infiltrating the critical infrastructure networks of its targets. This is often done for espionage purposes and to pre-position for potential future attacks.
Specifically, Germany has accused China of targeting its Federal Office for Cartography and Geodesy (BKG) in 2021; Canada of targeting eight members of Parliament and one senator starting in 2021; and the UK of targeting its Ministry of Defense in May 2024. In July 2024, Australia, the U.S., Canada, the UK, Germany, Japan, South Korea and New Zealand issued a joint warning about Chinese cyberwarfare in their networks.
The business risks of ignoring nation-state cyberattacks
The potential political fallout of a successful nation-state cyberattack is clear. However, executives should also be mindful of the business risks they face if they ignore the threat of being targeted by a nation-state actor.
Key risks include:
- Widespread publicity and reputational damage – Since these attacks are part of a larger geopolitical narrative, successful assaults are often publicized more than those conducted by self-serving individuals. Knowing that an organization was successfully attacked by a global rival could turn potential customers away, damaging brand reputation and long-term revenue prospects.
- Greater scale and therefore greater financial cost – Nation-state cyberattacks are usually larger in scale and more damaging, since they have greater resources behind them. This means greater disruption to operations and larger financial penalties to remediate the damage.
- Federal and legal penalties for insufficient security measures – These attacks target sensitive data at a national level, and therefore, the owners of that data are obligated to have sufficient cyber protections in place. If a business is found to be guilty of inaction in the face of a nation-state cyberattack, it could face serious ramifications and penalties at the hands of the federal government.
While some attacks may break through even comprehensive systems, ignoring the threat could result in material and intangible damage to the business. In addition to the financial cost of recovery, incomplete security measures could be labelled as negligence and result in fines, public shaming and the termination of government contracts.
What we can learn from real-world nation-state cyberattacks
Every executive is aware of the potential damage of a cyberattack, but nation-state cyberattacks have unique characteristics that are worth paying attention to. Successful assaults can provide useful lessons for CISOs and other executives who operate organizations that may be targeted by this kind of cyberwarfare. Not only do they reveal potential vulnerabilities in existing security protocols, but they can also demonstrate how nation-state actors choose targets and give clues to the nature of future threats.
Notable examples to learn from include:
MOVEit (2023)
In 2023, a Russian-speaking hacker group called CL0P took advantage of a vulnerability in the managed file transfer software MOVEit to gain unauthorized access to its databases. Over 2,700 organizations were compromised around the world, including Amazon, the BBC, Shell and the New York City Department of Education. The sensitive data of 60 million individuals was also breached. While not officially launched on behalf of the Russian government, CL0P malware is designed not to work on devices that operate primarily in the Russian language, and the group never targets former Soviet nations, suggesting a patriotic angle.
Lessons learned:
- Importance of vulnerability management – Had MOVEit audited its own security protocols and identified this problem earlier, it could have released a patch before the breach occurred.
- Role of active security updates – While MOVEit quickly released patches post-incident, it was incumbent on the organizations to apply these to their systems. This demonstrates the need for businesses to be actively engaged in security updates in order to stay protected.
- Data theft can't be undone – Although it may not have been removed from its original location, the data that CL0P stole cannot be taken back. Once a data breach has occurred, that data is permanently leaked and vulnerable to malicious use.
SolarWinds (2020)
In 2020, American software company SolarWinds was hit by a cyberattack that targeted its IT performance monitoring system Orion. The perpetrators were a Russian hacker group called Nobelium, also known as Midnight Blizzard, Cozy Bear, APT29 and The Dukes. Nobelium used a supply chain attack, meaning it targeted a third party with access to many other organizations' data, rather than the organizations themselves. Since Orion has privileged access to its 30,000 users' IT systems and system performance data, hacking it enabled the hackers to reach thousands of targets in one fell swoop – including government agencies at the local, state and federal level. Nobelium injected malicious code known as Sunburst into the backend of Orion, which SolarWinds inadvertently sent out to customers as part of a software update. It is estimated that recovery costs for this breach totaled as much as $100 billion, according to Government Technology.
Lessons learned:
- Enterprise service providers are a key target – Nation-state cybercrime is much more efficient when a single attack can give hackers backdoor access to thousands of organizations. This can make service providers a more appealing target than individual government entities.
- Many attacks take place over months, not days – Nobelium first gained access to SolarWinds' Orion in September 2019, but it didn't inject Sunburst into the system until February 2020. If the unauthorized access had been identified in the months beforehand, the damage would have been significantly limited.
- A single vulnerability can be exploited by multiple actors at once – During the same time, Chinese nation-state actors also exploited the SolarWinds backdoor using different malware and targeting different entities. If nation states are allied, they could share this kind of intelligence for maximum disruption.
NotPetya (2017)
The NotPetya cyberattack is possibly the most damaging to have occurred in modern times, causing $10 billion in damages and compromising organizations across 60 countries. A group of Russian agents known as Sandworm originally targeted the Ukrainian company Linkos Group, the producer of accounting software used by nearly all businesses in Ukraine. Breaching that system gave them access to computers around the country, upon which they unleashed the malware NotPetya. The purpose was not to extort ransom, although it did display ransomware messages; instead, NotPetya irreversibly encrypted the master boot records of infected computers, with no key to restore access. This malware spread at a rapid speed, travelled to systems around the world within hours and even infiltrated a Russian state oil company.
Lessons learned:
- Software patches are only effective if actively implemented – NotPetya took advantage of a vulnerability in a Windows protocol, which had already been identified and resolved by Microsoft. However, not every Windows user installed the patch to fix the issue, leaving them as vulnerable as before – and the attackers knew to target this gap.
- A single corrupted computer can compromise the whole network – One way that NotPetya was able to spread so fast was that it could steal passwords from an infected computer and use those to access devices that were previously protected by the Microsoft patch. The network is therefore only as strong as the weakest link.
- Network segmentation is vital in today's interconnected world – Organizations with segmented networks were less vulnerable to NotPetya corruption, since the malware ran into more walls along its path. By isolating various parts of the system, organizations can limit their overall exposure.
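The two NotPetya lessons above (credential reuse reaching patched hosts, and segmentation limiting spread) can be made concrete with a small blast-radius model. This is an added illustration, not code from the original article: the inventory, host names, segments and credentials are all constructed, and the model deliberately reduces worm propagation to two conditions, "neighbour is unpatched" or "worm already holds a credential the neighbour accepts."

```python
"""Toy blast-radius model for a worm that spreads like NotPetya.

Added illustration with a constructed inventory (hypothetical host names).
A worm on an infected host reaches another host if the firewall permits the
flow AND either the target is unpatched against the exploited protocol flaw
or the worm already holds a credential that the target accepts.
"""

# Constructed sample inventory: segment, patch state, accepted credentials.
HOSTS = {
    "fin-01": {"segment": "finance", "patched": False, "creds": {"svc-backup", "local-admin"}},
    "fin-02": {"segment": "finance", "patched": True,  "creds": {"local-admin"}},
    "hr-01":  {"segment": "hr",      "patched": True,  "creds": {"svc-backup"}},
    "hr-02":  {"segment": "hr",      "patched": False, "creds": {"hr-user"}},
    "ot-01":  {"segment": "ot",      "patched": False, "creds": {"plc-operator"}},
    "ot-02":  {"segment": "ot",      "patched": True,  "creds": {"plc-operator"}},
}

# Constructed firewall policy for the segmented scenario: only these
# cross-segment flows are permitted; intra-segment traffic is always open.
SEGMENTED_FLOWS = {("finance", "hr")}


def can_compromise(target, harvested):
    """Unpatched hosts fall to the exploit; patched hosts fall to reused creds."""
    return (not target["patched"]) or bool(harvested & target["creds"])


def blast_radius(hosts, patient_zero, allowed_flows=None):
    """Return the set of hosts a worm starting at patient_zero can reach.

    allowed_flows=None models a flat network (every host can reach every
    other); otherwise it is the set of permitted (src_segment, dst_segment)
    pairs. Iterates to a fixed point because credentials harvested from a
    later victim can unlock a host that was unreachable earlier.
    """
    infected = {patient_zero}
    harvested = set(hosts[patient_zero]["creds"])
    changed = True
    while changed:
        changed = False
        for src in list(infected):
            sseg = hosts[src]["segment"]
            for name, dst in hosts.items():
                if name in infected:
                    continue
                dseg = dst["segment"]
                if allowed_flows is not None and sseg != dseg \
                        and (sseg, dseg) not in allowed_flows:
                    continue  # firewall blocks this cross-segment flow
                if can_compromise(dst, harvested):
                    infected.add(name)
                    harvested |= dst["creds"]  # worm now holds these creds
                    changed = True
    return infected


def fully_patched(hosts):
    """Same inventory with every host patched, to isolate credential reuse."""
    return {n: dict(h, patched=True) for n, h in hosts.items()}


def compare_scenarios(hosts=HOSTS, patient_zero="fin-01"):
    """Number of hosts lost under three defensive postures."""
    return {
        "flat, partly patched": len(blast_radius(hosts, patient_zero)),
        "flat, fully patched": len(blast_radius(fully_patched(hosts), patient_zero)),
        "segmented, partly patched": len(blast_radius(hosts, patient_zero, SEGMENTED_FLOWS)),
    }


if __name__ == "__main__":
    for posture, lost in compare_scenarios().items():
        print(f"{posture:28s} -> {lost} of {len(HOSTS)} hosts compromised")
```

In the constructed inventory the flat network loses every host, patching alone still loses three (the shared local-admin and svc-backup credentials carry the worm onto patched machines), and segmentation keeps the OT segment intact.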
Executive-level responsibilities amid nation-state threats
Considering the high stakes, it's important that executives are aligned on the role they need to play when it comes to handling nation-state cyber threats. The geopolitical aspect of these attacks requires that companies engage actively with regulatory bodies and federal agencies, where appropriate, to ensure they are meeting national requirements. It also means looking at cybersecurity through a different lens, one that considers the different goals and methods of state-sponsored attacks.
Oversight and cyber governance expectations
Executive boards have a fiduciary duty to understand and manage enterprise risk, including cyber threats tied to geopolitical actors. Due to the potential damage of a successful nation-state cyberattack, regulatory regimes such as the SEC's disclosure rules in the U.S. and the NIS2 directive in the EU are increasingly requiring disclosures of material cyber risks. By sharing this information, nations gain clearer oversight of their data vulnerabilities.
Executives also need to ensure they are meeting the governance expectations of cybersecurity within their organizations. In many industries, these are specifically laid out by governing bodies, but all organizations should be able to demonstrate an active security posture in the face of nation-state cyberthreats. This should include detailed incident response plans for different kinds of cyberwarfare and a current cyber insurance policy. If anything is unclear, either in terms of expectation or security coverage, executives should seek clarity with regulatory bodies, stakeholders and investors.
Action checklist:
- Verify what cyber risks need to be disclosed to regulators.
- Review incident response plans for nation-state attack coverage.
Understanding the CISO's nation-state threat strategy
While the CISO oversees an organization's security posture, all executives should be informed of their company's protocols. This information not only provides better coverage across the organization but also ensures a shared and unified vision on how to respond to potential nation-state threats. By understanding the CISO's strategy, executives can also reduce their risk of accidentally compromising this approach through unsafe actions.
Each company will have its own specific vulnerabilities and risk spots to address, but generally, executives should be aware of the answers to the following questions:
- What should the board ask about defense posture against state-sponsored threats?
- Is threat intelligence integrated into the company's detection and response strategy?
- How is the organization identifying and defending against APT groups?
- Does the organization participate in information-sharing programs?
Action checklist:
- Establish routine briefings on the current threat strategy to ensure information is current.
- Review and minimize potential data exposure risks that may compromise said strategy.
Evaluating risk preparedness without deep technical knowledge
All executives need to be sufficiently briefed on their company's position and risk preparedness, even if their day-to-day exposure to risk management is minimal. A lack of technical knowledge around cybersecurity strategy should not prohibit executives from being able to assess, understand and communicate their readiness from a business standpoint. If any members of the board are less knowledgeable in these areas, executives should be equipped to inform and educate them.
Key business metrics to focus on should be tied to resilience, such as how fast the business can detect, respond to, and recover from a targeted attack. This will likely vary depending on the nature of the attack, and so executives should be able to differentiate between the more common forms of cyberthreat. Relatedly, executives would be wise to ask whether current incident response plans include nation-state threat scenarios, such as supply chain attacks or destructive malware. If not, they should push for their inclusion.
Lastly, executives should understand whether the business has tested these plans, such as through tabletop exercises or red teaming, and how they performed under different scenarios. While not every attack can be accounted for, response plans should be tested for effectiveness and optimized as needed to ensure maximum protection against the broadest range of threats.
Action checklist:
- Institute quarterly reports on APT monitoring to inform all executives.
- Introduce regular exercises to test response plans and confirm readiness.
Madeleine Streets is a senior content manager for WhatIs. She has also been published in 'TIME,' 'WWD,' 'Self' and 'Observer.'