Comprehensive Threat Intelligence Report: The Rise of Nation-State Cyber Attacks and Their Convergence with Cybercrime
2024-10-17 20:15 Author: krypt3ia.wordpress.com

TLP: WHITE

This threat intelligence report was written in tandem between Krypt3ia and the ICEBREAKER Threat Intelligence Analyst created by Krypt3ia.

Executive Summary

Over the past year, nation-state cyber activity has escalated significantly, with Advanced Persistent Threat (APT) groups leading attacks on critical infrastructure, financial systems, and geopolitical rivals. State-backed actors have increasingly collaborated with criminal groups, leveraging their techniques to obscure attribution while funding their operations through extortion, theft, and ransomware. This strategy blurs the lines between traditional cybercrime and state-sponsored attacks, making attribution and defense more complex and creating a form of low-intensity warfare in the digital domain.


Rise in Nation-State Cyber Attacks

Escalating Nation-State Operations

From mid-2021 to 2022, nation-state attacks surged, with critical infrastructure becoming a primary target. Microsoft’s 2022 Digital Defense Report found that the share of state-backed cyber operations aimed at critical infrastructure rose to 40%, especially amid the Russia-Ukraine war. APT groups linked to Russia, China, Iran, and North Korea have ramped up their efforts in sabotage, espionage, and data exfiltration. For example, Russian APTs aggressively targeted Ukraine’s power grid, financial systems, and military networks, reflecting their broader strategy of cyber-enabled hybrid warfare.

Low-Intensity Warfare in Cyberspace

These cyber operations are being recognized as a form of low-intensity warfare—persistent, high-impact attacks that fall short of outright military conflict but have substantial geopolitical consequences. Unlike traditional warfare, cyberattacks can continuously disrupt economic and military targets while avoiding clear attribution, which limits direct diplomatic or military retaliation. Russia’s operations in Ukraine are prime examples, with continuous strikes on critical infrastructure paired with disinformation campaigns designed to weaken Ukrainian resistance.


The Role of APT Groups in the Past Year

Advanced Persistent Threat (APT) groups have played a pivotal role in these cyber campaigns. APTs are often tied to specific nation-states and are known for their long-term, sophisticated attacks. Key APT groups active in the past year include:

  • In 2024, APT28 (Fancy Bear), the Russian state-sponsored group, has continued its aggressive cyber campaigns targeting Ukrainian critical infrastructure and NATO allies. One notable attack involved phishing emails sent to Ukrainian government and military personnel in December 2023, with the intent to compromise systems by delivering malware through fake CERT-UA email addresses. These emails contained malicious files that initiated data theft operations and remote command execution, leveraging PowerShell and the MASEPIE malware for deeper infiltration (Anvilogic; Council on Foreign Relations).
  • APT28 also exploited CVE-2023-23397, a Microsoft Outlook flaw in which a crafted message reminder points at an attacker-controlled UNC path, so that Outlook authenticates to the attacker’s server and leaks the victim’s Net-NTLMv2 credentials without any user interaction. The group used it to gain access to high-value NATO-related targets and European defense ministries (The Record from Recorded Future).
  • The Lazarus Group, linked to North Korea, remains focused on financially motivated attacks, primarily through cryptocurrency theft. In 2024, Lazarus executed several large-scale heists, targeting global crypto platforms and exchanges. The proceeds from these operations are funneled into North Korea’s government and military programs. This group uses sophisticated phishing techniques and custom malware to steal millions in digital assets, exacerbating tensions in cyberspace (Council on Foreign Relations).
  • APT41 (Winnti), associated with China, has continued its cyber espionage campaigns in 2024, focusing on intellectual property theft in the technology and pharmaceutical sectors. This group targets entities in Southeast Asia and the U.S., often using supply chain attacks to compromise their targets. The group’s operations align with China’s broader geopolitical goals of gathering intelligence and exerting regional influence through cyber means (Council on Foreign Relations).
  • OilRig (APT34), tied to Iran, has been involved in espionage campaigns targeting oil, gas, and government institutions in the Middle East. In 2024, this group escalated its activities, employing spear-phishing to compromise key sectors in adversarial Gulf countries. Iranian state-backed actors are increasingly using ransomware as a disruptive tool without financial motives, a tactic observed in attacks on critical infrastructure in Israel and other Middle Eastern states (Council on Foreign Relations).
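
The APT28 item above describes phishing that impersonates a trusted sender (CERT-UA) to deliver an archive. The following Python is an added example, not code from the original post or from any of the cited sources, showing the header checks a mail gateway or SOC triage script can apply: does the From domain imitate a trusted domain, do Reply-To and Return-Path route somewhere other than the claimed sender, and is there an archive or script attachment. The sample message, the trusted-domain list (cert.gov.ua is assumed to be CERT-UA’s real domain), and the risky-suffix list are all assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains the organisation genuinely trusts for security notices.
# Assumption for this example: cert.gov.ua is CERT-UA's real domain.
TRUSTED_DOMAINS = {"cert.gov.ua"}

# Attachment types that commonly carry a first-stage loader (assumed list).
RISKY_SUFFIXES = (".zip", ".rar", ".7z", ".iso", ".lnk", ".ps1", ".vbs", ".js")

# Constructed sample message (not an artefact of the real campaign): the
# From header claims CERT-UA, but replies and bounces go to a lookalike domain.
SAMPLE_EML = """\
From: CERT-UA <cert@cert.gov.ua>
Reply-To: helpdesk@cert-gov-ua.com
Return-Path: <bounce@cert-gov-ua.com>
Subject: Urgent security update
Content-Type: application/zip; name="update.zip"
Content-Disposition: attachment; filename="update.zip"

UEsDBAo=
"""


def header_domain(msg, name):
    """Lower-cased domain of an address header, or None if absent/malformed."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(str(value))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def normalise(domain):
    """Drop separators so cert.gov.ua and cert-gov-ua.com compare on letters only."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def levenshtein(a, b):
    """Plain edit distance; short enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_dist=3):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in trusted:
        return None
    n = normalise(domain)
    for t in trusted:
        nt = normalise(t)
        if nt in n or levenshtein(n, nt) <= max_dist:
            return t
    return None


def triage(raw_eml, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    from_dom = header_domain(msg, "From")

    if from_dom:
        imitated = lookalike_of(from_dom, trusted)
        if imitated:
            findings.append(f"From domain {from_dom} imitates trusted {imitated}")

    for hdr in ("Reply-To", "Return-Path"):
        dom = header_domain(msg, hdr)
        if not dom:
            continue
        if from_dom in trusted and dom not in trusted:
            # Claims a trusted sender, but replies/bounces actually route elsewhere.
            findings.append(f"{hdr} domain {dom} does not match trusted From domain {from_dom}")
        elif dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
        imitated = lookalike_of(dom, trusted)
        if imitated:
            findings.append(f"{hdr} domain {dom} imitates trusted {imitated}")

    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.lower().endswith(RISKY_SUFFIXES):
            findings.append(f"risky attachment {fn}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("FLAG:", finding)
```

The lookalike check strips dots and dashes before comparing, so `cert-gov-ua.com` collapses onto `cert.gov.ua`; a pure edit-distance check on the raw strings would miss that form. None of this replaces DMARC enforcement for the trusted domain, but it catches the common case where the visible From is spoofed and the attacker’s infrastructure only shows in Reply-To or Return-Path.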

These groups have significantly increased their operations, furthering their nation’s geopolitical goals while often operating in a grey zone between espionage and sabotage. Their rise exemplifies the convergence of low-intensity warfare in cyberspace with strategic geopolitical objectives.
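
The CVE-2023-23397 item in the list above is worth a concrete check. The mechanism, as documented in Microsoft’s advisory, is that the reminder-sound property of a message (PidLidReminderFileParameter) can hold a UNC path, and Outlook will authenticate to that host when the reminder fires, leaking a Net-NTLMv2 hash. Two things follow for defenders: any internal host opening TCP/445 to the Internet is a signal, and any reminder path that names an external host is a signal. The Python below is an added example written for this page, not code from the post or from Microsoft; the log lines and their key=value layout are constructed, and the definition of “internal” (RFC 1918 plus loopback, and an assumed `.corp.example` DNS suffix) is an assumption you would replace with your own.

```python
import ipaddress
import re

# Networks treated as "inside" for this example (assumed: RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# DNS suffixes that resolve on the LAN; assumed for the example.
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed firewall log lines in a simple key=value layout (not a vendor format).
# Lines 2 and 4 are the pattern to hunt: a workstation reaching an Internet host on 445.
SAMPLE_LOGS = """\
ts=2023-12-12T09:01:10Z src=10.20.30.41 dst=10.20.30.5 proto=tcp dport=445 action=allow
ts=2023-12-12T09:01:12Z src=10.20.30.41 dst=198.51.100.23 proto=tcp dport=445 action=allow
ts=2023-12-12T09:01:13Z src=10.20.30.41 dst=198.51.100.23 proto=tcp dport=443 action=allow
ts=2023-12-12T09:02:00Z src=10.20.30.77 dst=203.0.113.9 proto=tcp dport=445 action=deny
"""

KV = re.compile(r"(\w+)=(\S+)")
# \\host\share... ; the trailing separator is optional so a bare \\host also matches.
UNC = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def is_internal_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_internal_host(host):
    """IP literals are checked against INTERNAL_NETS; names by DNS suffix.
    A bare single-label name is assumed to resolve on the LAN."""
    host = host.split("@", 1)[0].lower()  # strip WebDAV forms such as host@80 or host@SSL
    try:
        return is_internal_ip(host)
    except ValueError:
        pass  # not an IP literal, fall through to name checks
    return "." not in host or host.endswith(INTERNAL_SUFFIXES)


def outbound_smb_events(log_text):
    """Internal -> external TCP/445 attempts, whether the firewall allowed or denied them.
    A denied attempt still means a client tried to authenticate outward."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev.get("proto") == "tcp" and ev.get("dport") == "445"
                and is_internal_ip(ev["src"]) and not is_internal_ip(ev["dst"])):
            hits.append(ev)
    return hits


def reminder_path_is_external(value):
    """True if a PidLidReminderFileParameter value would make Outlook
    authenticate to a host outside the network. Local drive paths and
    internal UNC paths return False."""
    m = UNC.match(value)
    if not m:
        return False
    return not is_internal_host(m.group(1))


if __name__ == "__main__":
    for ev in outbound_smb_events(SAMPLE_LOGS):
        print("outbound SMB:", ev["src"], "->", ev["dst"], ev["action"])
    for p in (r"\\198.51.100.23\sounds\alert.wav", r"\\fileserver\sounds\alert.wav"):
        print(p, "external" if reminder_path_is_external(p) else "internal")
```

`reminder_path_is_external` is the triage step you would run on property values pulled from mailboxes by whatever tooling you use; the example deliberately stops at the classification rather than reimplementing a MAPI parser. The network check is the cheaper control: Microsoft’s mitigations for this CVE included blocking outbound TCP/445 at the perimeter and placing sensitive accounts in the Protected Users group, which prevents NTLM authentication for them regardless of what path a message carries.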


Nation-State Use of Cybercrime for Financial Gain

An emerging trend is the leveraging of cybercriminal techniques by nation-states to fund their operations. For instance, North Korea’s Lazarus Group has been instrumental in stealing billions of dollars through cryptocurrency attacks. This stolen wealth is funneled directly into North Korea’s state programs, financing both cyber and nuclear initiatives. Similarly, Iran has been implicated in using ransomware attacks not for extortion but to cause operational disruption, with these efforts masking state objectives.

Nation-states are increasingly working with cybercriminal groups to carry out these financially motivated operations. Ransomware groups with loose or direct ties to state actors, such as REvil and Conti, have been linked to nation-states like Russia, which benefits from these groups’ activities while maintaining plausible deniability. Initial Access Brokers (IABs)—who sell access to compromised systems—are often exploited by state actors to penetrate target networks undetected before deploying destructive malware or espionage tools.

In 2024, nation-state actors like North Korea and Iran have increasingly utilized cybercriminal techniques for financial gain to support state activities, a trend that is exacerbating global cybersecurity challenges.

North Korea’s Lazarus Group has been one of the most prominent examples of this strategy. They have been responsible for large-scale cryptocurrency thefts, totaling over $3 billion, which directly fund North Korea’s missile and weapons programs. Their high-profile heists of 2023 include breaches of platforms like Atomic Wallet, CoinEx, and Stake.com, stealing significant sums of cryptocurrency. North Korea has developed a sophisticated money-laundering network involving cryptocurrency mixers, such as Tornado Cash and Sinbad, to obscure the origins of stolen funds, which makes it difficult for law enforcement to recover the assets (SecurityWeek; Blockonomi; Harvard International Review).

Similarly, Iran has been leveraging ransomware attacks not purely for financial extortion but as a tool for operational disruption. These attacks, often aimed at critical infrastructure, reflect a broader state agenda to weaken adversarial nations. Iranian groups, such as APT34 (OilRig), have been implicated in espionage and sabotage operations across the Middle East, where ransomware is used to cause disruption under the guise of typical cybercrime (Harvard International Review).

Nation-states are also increasingly collaborating with ransomware groups and Initial Access Brokers (IABs) to carry out financially motivated operations while maintaining plausible deniability. In Russia’s case, groups like REvil and Conti have operated in environments with tacit state support, allowing the Russian government to benefit from these activities while distancing itself from direct involvement. These criminal operations, which involve selling access to compromised networks, enable state actors to infiltrate targets more efficiently for espionage or destructive purposes (SecurityWeek).

This convergence allows nation-states to extort funds from companies and individuals, which in turn finances further state-backed operations. It also creates a complex web of interactions where cybercriminals, operating with impunity in state-protected environments, carry out attacks that serve broader geopolitical goals.


False-Flag Operations and Attribution Challenges

Attribution in modern cyber warfare is increasingly complicated by false-flag operations. State actors often disguise their activities by using tools and techniques associated with criminal groups. Russia and China are both known for leveraging false-flag operations, using malware strains or infrastructure associated with other criminal groups to avoid direct attribution. In doing so, these states can launch deniable operations, allowing them to escalate tensions without clear repercussions.

For instance, Russia’s GRU (military intelligence) has deployed malware linked to multiple different groups in a way that complicates forensic analysis, making it difficult for investigators to attribute attacks definitively to state-backed actors. This tactic has been used in campaigns against Ukraine, the U.S., and other NATO allies, muddying the water in terms of how to respond effectively to such attacks.


Impact on Geopolitical Landscape

The rise of state-sponsored cyber operations is reshaping the global geopolitical environment. Nation-states now see cyber operations as a key tool for strategic influence without engaging in traditional warfare. Cyberattacks can destabilize economies, weaken military capabilities, and undermine public trust in governments, all without crossing the threshold of open military conflict.

  • Russia: The hybrid warfare strategy, using both kinetic and cyber means, against Ukraine has shown how cyber operations can be deployed in parallel with traditional military campaigns.
  • China: Its cyber espionage operations, particularly in Southeast Asia, are part of a broader strategy to exert influence in the region and gain intelligence that strengthens its economic and military position against the U.S. and its allies.
  • Iran: Iran’s cyber operations against Israel and Albania reflect an ongoing conflict fought in cyberspace, with operations focused on critical infrastructure disruption and political destabilization.
  • North Korea: By using cybercrime, North Korea circumvents international sanctions and continues to fund its strategic objectives, including its nuclear program, without relying on traditional forms of revenue generation.

This trend of using cyber tools as a geopolitical lever blurs the line between statecraft and crime, challenging traditional concepts of warfare and diplomacy.


The Nexus of Cyber Crime and Nation State Crime Today

The fusion of nation-state cyber activity with cybercrime has reshaped the threat landscape, introducing a form of low-intensity warfare where nation-states leverage cyber tools for both strategic objectives and financial gain. Traditionally, Advanced Persistent Threat (APT) actors were primarily associated with espionage, targeting governments, military networks, and critical infrastructure. However, the current reality is that every corporation, regardless of size or industry, can be a potential target for these financially motivated cyber operations.

Corporations as Targets in Nation-State Cybercrime

Corporations are now increasingly seen as lucrative targets for nation-states, especially those that face international sanctions, such as North Korea and Iran, or those looking to destabilize adversaries economically, like Russia. These states are not merely seeking intelligence or control but are also pursuing direct financial benefits by targeting businesses with ransomware, data theft, and extortion schemes. This shift means that organizations, not just government entities, are at significant risk from nation-state cyber actors, who exploit cybercrime tactics to fund their strategic goals.

For example, North Korea’s Lazarus Group has been instrumental in carrying out cryptocurrency heists and financial crimes against private corporations. They have stolen billions through the hacking of cryptocurrency exchanges and platforms like CoinEx and Atomic Wallet, with the proceeds funneled into the regime’s military and nuclear programs (SecurityWeek). Corporations across various sectors, from finance to manufacturing, are now part of a global battlefield where their financial assets are directly targeted to fund hostile regimes.

The Role of APTs and Criminal Proxies

APTs, which once focused mainly on espionage, are increasingly engaged in financial crimes. These actors employ ransomware or partner with cybercriminal groups, like REvil and Conti, to gain access to corporate networks, encrypt data, and demand ransom payments. For example, Russia has used ransomware groups as proxies, allowing the state to benefit financially and strategically while denying involvement. These criminal groups, often perceived as independent, can be subtly directed by state actors, further complicating attribution and international response (SecurityWeek; The Record from Recorded Future).

Corporations may mistakenly believe that only industries directly linked to national security are at risk, but financial services, healthcare, retail, and technology firms are prime targets due to their access to sensitive data and capital. The use of Initial Access Brokers (IABs), who sell access to compromised corporate networks, allows state-backed groups to infiltrate organizations quickly, facilitating espionage or ransomware operations that generate significant revenue (Blockonomi).

Financial Crimes as a Means to Strategic Ends

The financial crimes orchestrated by nation-states through their APTs serve dual purposes. First, they provide direct funding for regimes, particularly those under economic sanctions like North Korea and Iran. Second, they serve a strategic objective by destabilizing corporations, creating broader economic disruption in adversarial countries. A successful attack on a major corporation, for instance, can undermine investor confidence, interrupt supply chains, or expose sensitive customer data, all of which weaken the targeted nation’s economy.

Iran, through groups like APT34 (OilRig), has used ransomware not just for monetary gain but to disrupt and sabotage critical infrastructure across the Middle East. These attacks often masquerade as simple criminal activity, but their broader goals align with state interests, such as weakening regional adversaries through cyber sabotage (Harvard International Review).

The Global Corporate Impact

As corporate entities become key targets in this evolving threat landscape, the implications for cybersecurity are vast. Businesses must not only guard against typical cybercriminals but also prepare for nation-state actors that have far greater resources, sophistication, and strategic patience. This rise in hybrid operations, where nation-states use cybercrime tactics to achieve both financial and geopolitical goals, represents a major shift in the threat model for corporations globally.

Cybersecurity defenses must now include proactive measures like threat intelligence sharing, international cooperation, and deeper cyber resilience planning to prepare for attacks that are not just financially motivated but also part of a broader geopolitical strategy.


Conclusion

The merger of nation-state tactics with cybercrime expands the potential attack surface for corporations, transforming them into collateral damage or primary targets in low-intensity warfare. This trend reflects a significant break from traditional norms in both warfare and corporate security. Historically, corporations were largely viewed as neutral entities in geopolitical conflicts, insulated from direct attacks outside of conventional warfare zones. However, the convergence of cyber espionage, financial crime, and state-sponsored attacks has shattered this norm, exposing organizations to the risks of a global conflict without the presence of physical hostilities.

Geopolitical tensions worldwide are escalating, with powers like the U.S., China, and Russia jockeying for influence through technological dominance, economic leverage, and military posturing. These rivalries are increasingly being fought in the shadows, with cyber tactics taking center stage. As nations employ cybercrime syndicates and hacking groups as proxies to advance their political and economic objectives, organizations are now caught in a crossfire of strategic interests. What was once the domain of covert espionage has expanded into broader economic warfare, where the goal isn’t just intelligence gathering but also crippling economic capacity, disrupting critical infrastructure, and sowing chaos across markets.

Low-intensity warfare, such as cyberattacks, disinformation campaigns, and economic coercion, erodes the boundaries between peace and war. The lines between national security and corporate security are increasingly blurred as companies become both participants and victims in this asymmetrical battlefield. For instance, ransomware attacks aimed at critical sectors like healthcare, energy, and finance can destabilize economies and lead to far-reaching consequences, even without bullets being fired. Additionally, economic warfare, such as sanctions, trade restrictions, and currency manipulation, can compound the tensions, leading to retaliatory cyberattacks that paralyze entire industries.

The cumulative effect of these low-intensity and economic warfare strategies is the potential to spark a hot war. As the frequency and severity of cyberattacks grow, so does the risk of miscalculation. A severe enough disruption—whether a crippling attack on a nation’s power grid, a massive breach of sensitive military or financial data, or the destruction of key infrastructure—could lead to a tipping point where diplomatic solutions no longer suffice. In such a volatile environment, the escalation from cyber skirmishes to kinetic warfare becomes a real possibility, especially as nations struggle to protect their sovereignty in an increasingly interconnected and fragile global economy.

Thus, organizations must recognize the interconnected nature of modern warfare, where the frontlines may be in boardrooms or data centers, and prepare for the reality that economic and cyber conflicts can rapidly spiral into global instability.


Source: https://krypt3ia.wordpress.com/2024/10/17/comprehensive-threat-intelligence-report-the-rise-of-nation-state-cyber-attacks-and-their-convergence-with-cybercrime/