The Rising Tide of Cyber Threats: State-Sponsored Attacks and Global Reactions

An Unprecedented Escalation in Digital Warfare

The global cybersecurity landscape has reached a critical inflection point as state-sponsored cyber attacks surge to record levels, fundamentally altering the nature of international conflict and security. In 2025, nation-state adversaries have demonstrated unprecedented aggression, sophistication, and scale in their cyber operations, forcing governments worldwide to confront a new reality in which digital warfare has become a primary tool of geopolitical competition and national power projection.

China’s Cyber Espionage Intensification

China has emerged as the most dominant and aggressive force in the state-sponsored cyber threat landscape. The report reveals that China-nexus adversaries escalated state-sponsored cyber operations by 150%, with targeted attacks in financial services, media, manufacturing and industrial sectors soaring up to 300%. This dramatic escalation represents the most significant surge in Chinese cyber activity ever documented.

CrowdStrike identified seven new China-nexus adversaries in 2024, fueling this massive spike in espionage attacks across critical industries. The Chinese government—officially known as the People’s Republic of China (PRC)—engages in malicious cyber activities to pursue its national interests including infiltrating critical infrastructure networks, conducting extensive espionage operations, and stealing intellectual property on an industrial scale.

The scope of Chinese operations is staggering. Over the past four years, at least 20 networks associated with Government of Canada agencies and departments have been compromised by PRC cyber threat actors. The PRC’s expansive and aggressive cyber program has global cyber surveillance, espionage, and attack capabilities and is the most comprehensive cyber security threat facing Canada today.

Recent high-profile incidents demonstrate the persistent nature of Chinese cyber operations. Chinese cyber actors conducted a coordinated disinformation campaign on WeChat against Canadian Liberal leadership candidate Chrystia Freeland, with the operation reaching 2 to 3 million global WeChat users. Additionally, cyberattacks on Taiwan by Chinese groups doubled to 2.4 million daily attempts in 2024, primarily targeting government systems and telecommunications firms.

Russian Cyber Operations and Warfare Integration

Russian state-sponsored cyber activities have evolved beyond traditional espionage to become integrated components of broader military and geopolitical strategies. The Russian government—officially known as the Russian Federation—engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.

Russian cyber capabilities have been particularly focused on supporting military operations and disrupting Western support for Ukraine. The United States, Britain, France, Germany, and other allies issued an advisory warning of a Russian cyber campaign targeting the delivery of defense support to Ukraine and other NATO defense and tech sectors. The countries identified Unit 26165 of the Russian military intelligence service — known in the cybersecurity world as ‘Fancy Bear’ — as conducting campaigns for more than two years using targeted scam emails and stolen passwords.

The persistent nature of Russian operations is exemplified by incidents such as suspected Russian hackers executing spearphishing attacks against Kazakh diplomatic entities, embedding malicious code within diplomatic documents for cyber espionage purposes. Additionally, Russian hackers infiltrated a Pakistani hacking group, exploiting their infrastructure to access sensitive information stolen from South Asian government and military targets.

North Korean Revenue Generation and Financial Crimes

North Korea has distinguished itself through sophisticated, financially motivated cyber operations designed to circumvent international sanctions and fund state programs. The North Korean government—officially known as the Democratic People’s Republic of Korea (DPRK)—employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.

The scale of North Korean financial cybercrime is unprecedented. In February 2025, North Korean hackers stole $1.5 billion in Ethereum from the Dubai-based exchange Bybit, exploiting a vulnerability in third-party wallet software and laundering at least $160 million within the first 48 hours. This represents the largest cryptocurrency heist to date.

North Korean operations extend beyond traditional cybercrime to include sophisticated deception campaigns. North Korean fake IT workers have been a growing problem, using fake identities to get jobs at Western companies, enabling them to make money for the Pyongyang regime and in some cases to obtain valuable data from the organizations that hire them. Security awareness firm KnowBe4 was notably targeted in such a scheme, with the hired North Korean operative attempting to plant malware on the company’s systems.

Iranian Cyber Capabilities and Regional Targeting

Iran has developed increasingly sophisticated cyber capabilities focused on regional adversaries and social control. The Iranian government—officially known as the Islamic Republic of Iran—has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity, and to harm regional and international adversaries.

Iranian cyber operations demonstrate both domestic control objectives and international targeting. Since October 2023, Iranian cyber actors have used brute force techniques to compromise user accounts and obtain access to organizations to modify MFA registrations, enabling persistent access. Iranian-linked actors have also targeted former Israeli officials, military personnel, and a former U.S. Ambassador to Israel through phishing campaigns to gain access to inboxes, personally identifiable information, and identity documents.
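The pattern described above (a burst of failed logins, a successful login, then a new MFA registration) can be correlated in identity logs. The following is an added detection sketch, not part of the original article; the event type names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, source IP, event type).
# Event type names are hypothetical; map them to your identity provider's schema.
SAMPLE_EVENTS = (
    # alice: six failures in six minutes, then success, then a new MFA device
    [(f"2025-01-10T08:0{m}:00", "alice", "203.0.113.7", "login_failed") for m in range(6)]
    + [("2025-01-10T08:06:00", "alice", "203.0.113.7", "login_success"),
       ("2025-01-10T08:20:00", "alice", "203.0.113.7", "mfa_registered"),
       # bob: one mistyped password, then a routine MFA enrolment
       ("2025-01-10T09:00:00", "bob", "198.51.100.4", "login_failed"),
       ("2025-01-10T09:00:30", "bob", "198.51.100.4", "login_success"),
       ("2025-01-10T09:05:00", "bob", "198.51.100.4", "mfa_registered")]
    # carol: five failures spread over hours, never a burst
    + [(f"2025-01-10T1{h}:00:00", "carol", "192.0.2.9", "login_failed") for h in range(5)]
    + [("2025-01-10T14:05:00", "carol", "192.0.2.9", "login_success"),
       ("2025-01-10T14:10:00", "carol", "192.0.2.9", "mfa_registered")]
)

FAIL_THRESHOLD = 5                     # assumed: failures that count as a burst
FAIL_WINDOW = timedelta(minutes=10)    # assumed: burst window
FOLLOWUP_WINDOW = timedelta(hours=24)  # assumed: how long a login stays suspect

def detect_bruteforce_then_mfa_change(events):
    """Return (user, login_ip, mfa_timestamp) for each MFA registration that
    follows a successful login preceded by a burst of failed logins."""
    fails = defaultdict(deque)  # user -> timestamps of recent failed logins
    suspect = {}                # user -> (time, ip) of success right after a burst
    alerts = []
    for ts, user, ip, kind in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        q = fails[user]
        while q and t - q[0] > FAIL_WINDOW:    # drop failures outside the window
            q.popleft()
        if kind == "login_failed":
            q.append(t)   # counted per user, so spraying from many IPs still adds up
        elif kind == "login_success":
            if len(q) >= FAIL_THRESHOLD:
                suspect[user] = (t, ip)
            q.clear()
        elif kind == "mfa_registered" and user in suspect:
            if t - suspect[user][0] <= FOLLOWUP_WINDOW:
                alerts.append((user, suspect[user][1], ts))
            del suspect[user]
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce_then_mfa_change(SAMPLE_EVENTS):
        print("ALERT: MFA registered after brute-force login:", alert)
```

An alert from this correlation warrants reviewing the account's registered MFA methods and revoking any the user does not recognize, since a password reset alone leaves the added device in place.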

AI-Enhanced Threat Evolution

The integration of artificial intelligence into state-sponsored cyber operations has fundamentally transformed the threat landscape. Adversaries worldwide are weaponizing AI-generated deception, exploiting stolen credentials and increasingly executing cross-domain attacks to bypass security controls and operate undetected.

GenAI has supercharged social engineering capabilities, with AI-driven phishing and impersonation tactics fueling a 442% increase in voice phishing (vishing) between H1 and H2 2024. From fictitious profiles to AI-generated emails and websites, adversaries like FAMOUS CHOLLIMA are using genAI to supercharge insider threats and social engineering.

In 2025, AI-enhanced malware attacks have emerged as a primary concern for U.S. IT professionals, with 60% of IT experts globally identifying them as the most concerning AI-generated threat for the next 12 months. These AI-driven threats can automate vulnerability identification, craft convincing phishing schemes and even adapt in real time to circumvent security measures.

Critical Infrastructure Targeting

State-sponsored adversaries have increasingly focused on critical infrastructure as a primary target, seeking to pre-position for potential future disruption while conducting ongoing espionage operations. State-sponsored cyber threat actors are very likely targeting critical infrastructure networks in Canada and allied countries to pre-position for possible future disruptive or destructive cyber operations.

The Volt Typhoon threat group, associated with the People’s Republic of China, has pre-positioned itself on information technology (IT) networks in energy, communications, water systems and transportation infrastructure. These agencies report observing indications that Volt Typhoon has maintained a foothold in some systems for more than five years, underscoring the gravity of this threat.

Recent incidents demonstrate the vulnerability of critical infrastructure. The widespread blackouts that recently brought parts of Spain and Portugal to a standstill triggered global speculation about electromagnetic pulse (EMP) attacks, highlighting concerns about America’s vulnerability to similar large-scale disruptions.

Global Sanctions and Economic Responses

The international community has responded to escalating state-sponsored cyber threats through comprehensive sanctions regimes targeting individuals, entities, and infrastructure supporting malicious cyber activities. The U.S. Department of State works with the Treasury Department to identify individuals and entities whose conduct meets criteria for cyber-related sanctions.

Recent sanctions demonstrate the scope of international response. The Treasury Department sanctioned Integrity Technology Group, Incorporated, a Beijing-based cybersecurity company, for its role in multiple computer intrusion incidents against U.S. victims attributed to the Chinese state-sponsored Flax Typhoon group. The sanctions bar Beijing Integrity Technology from access to U.S. financial systems and freeze any assets the company might hold in the United States.

During the Trump administration, cyber-related sanctions increased exponentially in response to growing cyber threats from North Korea, China, Iran, and Russia. While the Obama administration averaged 10 cyber-related designations per year between 2012 and 2017, the Trump administration averaged 57 cyber-related sanctions per year from 2017 to 2020.

The European Union has also established comprehensive frameworks for cyber sanctions. The Council decided to prolong the restrictive measures (sanctions) against cyber-attacks threatening the EU and its member states for a further year, until 18 May 2026, with the legal framework extended for three years until 18 May 2028.

International Coordination and Collective Defense

The scale and sophistication of state-sponsored cyber threats have necessitated unprecedented international coordination and collective defense initiatives. In June 2017, the EU established a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (the “cyber diplomacy toolbox”), allowing the EU and its member states to use all Common Foreign and Security Policy measures, including restrictive measures, to respond to malicious cyber activities.

Multilateral coordination has become essential for effective response. Recent advisories have been issued jointly by the United States, Britain, France, Germany, and other allies warning of Russian cyber campaigns. The National Security Agency (NSA) joined several United States and foreign entities to release cybersecurity advisories calling attention to state-sponsored cyber campaigns targeting Western organizations.

The Five Eyes intelligence alliance has become particularly important for sharing threat intelligence and coordinating responses. Canada, along with its Five Eyes partners, faces ongoing targeting by PRC cyber programs, necessitating close intelligence sharing and coordinated defensive measures.

Geopolitical Impact and Strategic Implications

The World Economic Forum’s Global Cybersecurity Outlook 2025 reported that geopolitical tensions are an influence on cyber strategy in nearly 60 percent of organizations, with one in three CEOs citing cyber espionage and loss of sensitive information/IP as top concerns. This reflects the recognition that cyber threats have become inextricably linked with broader geopolitical competition.

The ongoing conflict in Ukraine exemplifies how cyber operations have become integrated with conventional warfare. Critical sectors such as energy, telecommunications, water and heating have been repeatedly targeted by cyber and physical attacks, demonstrating the strategic importance of cyberspace in modern conflict.

State adversaries are using cyber operations to disrupt and divide, with state-sponsored cyber threat actors almost certainly combining disruptive computer network attacks with online information campaigns to intimidate and shape public opinion.

Evolving Attack Methodologies

State-sponsored adversaries have significantly evolved their attack methodologies, moving toward more sophisticated and stealthy approaches designed to evade detection and maintain persistent access. The shift to malware-free intrusions that exploit trusted access, combined with record-shattering breakout times, leaves defenders little room for error.

Living off the land (LOTL) techniques have become increasingly prevalent, where attackers exploit a system’s legitimate, native tools during infiltration to evade detection for years at a time. This approach allows state-sponsored groups to maintain long-term undiscovered persistence within target networks.

Supply chain attacks have become predominant as adversaries target third parties and service providers rather than going after critical infrastructure or industrial facilities directly. This approach allows them to exploit the growing reliance on cloud computing and internet-enabled connectivity to spread throughout extended supply networks.

Private Sector Impact and Response

The private sector has become a primary battlefield in state-sponsored cyber operations, with attackers targeting everything from financial institutions to technology companies and critical infrastructure providers. 72 percent of respondents say cyber risks have risen in the past year, with cyber-enabled fraud on the rise and increased phishing and social engineering attacks.

Organizations are struggling to address the scale and sophistication of threats. About 54 percent of large organizations cite third-party risk management as a major challenge, with supply chain challenges remaining a top concern for achieving cyber resilience. The increasing complexity of supply chains, coupled with a lack of visibility and oversight into suppliers’ security levels, has emerged as the leading cybersecurity risk.

The financial impact of state-sponsored attacks continues to grow. Hackers spied on the emails of roughly 103 U.S. bank regulators at the Office of the Comptroller of the Currency for over a year, while Chinese hackers breached a third-party vendor for the U.S. Treasury Department to gain access to over 3,000 unclassified files.

Future Trajectory and Emerging Threats

Looking ahead, the trajectory of state-sponsored cyber threats suggests continued escalation and sophistication. Almost 49% of security incidents remain unattributed to any nation-state, indicating the growing complexity of the threat landscape and the emergence of new actors and capabilities.

The convergence of AI, quantum computing, and other emerging technologies will likely create new vectors for state-sponsored attacks while also providing new defensive capabilities. Organizations must prepare for a future where cyber threats continue to evolve at an unprecedented pace.

The integration of cyber operations with broader geopolitical strategies will likely deepen, making cybersecurity an increasingly central component of national security and international relations. As states continue to view cyberspace as a domain for projecting power and achieving strategic objectives, the importance of robust cyber defenses and international cooperation will only continue to grow.

Conclusion: Navigating an Uncertain Digital Future

The rising tide of state-sponsored cyber threats represents one of the most significant security challenges of the 21st century. As China, Russia, North Korea, and Iran continue to escalate their cyber operations, the international community must adapt its defensive strategies, strengthen cooperation mechanisms, and develop more effective deterrent measures.

The integration of AI and other emerging technologies into both offensive and defensive cyber capabilities will continue to reshape the landscape, requiring constant adaptation and innovation from defenders. The success of future cybersecurity efforts will depend on the ability of nations, organizations, and individuals to work together in addressing threats that transcend traditional boundaries and challenge conventional approaches to security.

As we move forward, the imperative for robust cyber defenses, international cooperation, and innovative approaches to cyber deterrence has never been more critical. The digital domain has become a primary arena for international competition, and those who fail to adapt to this new reality do so at their own peril.
