Emerging trends in cyber threats
Historically, APTs focused on high-value targets such as government entities and large enterprises. However, state-sponsored actors have widened their scope, going downmarket and targeting mid-market and SMBs for economic espionage, supply chain infiltration and ransomware attacks. Here’s how these trends have become particularly evident in the activities of nation-state actors from China, Russia, North Korea and Iran.
China: A multifaceted threat
China’s cyber operations are vast and highly active, with multiple groups leveraging shared intelligence, resources and contractor networks. These groups have a wide range of targets, from governments to SMBs, spanning strategic rivals such as the U.S., Russia, India and Europe as well as neighboring countries like Taiwan and Japan. Their tactics include DLL sideloading, reuse of legitimate tools and infrastructure, and noisy operations with little concern for attribution.
Recently, China-linked groups have been moonlighting as ransomware operators, targeting industries such as manufacturing, engineering, pharmaceuticals and IT services. These actors have used tools previously reserved for nation-state attacks to deploy ransomware for personal gain instead, marking a significant shift in their operations.
Russia: Unsophisticated but persistent
Unlike China, Russia’s attacking entities are all in-house and clearly aligned to just a few groups, namely military and security agencies. Groups like Shuckworm, linked to Russia’s Federal Security Service (FSB), specialize in attacks against Ukraine. They often rely on a mass “spray and pray” technique, sending out phishing links in huge volumes of email. While their methods are often unsophisticated, their persistence results in collateral damage to many unintended victims.
North Korea: Sophisticated espionage and extortion
North Korea is unique in its own right. Compared to other nation states, including China, it is the only one that actually goes after currency for pure economic gain, frequently targeting cryptocurrency organizations. In addition, North Korea continues to use a variety of other schemes to generate foreign currency, from impersonating U.S. workers to executing ransomware attacks. The U.S. Department of Justice recently indicted a North Korean man named Rim Jong Hyok, a member of the Stonefly group linked to the North Korean Reconnaissance General Bureau (RGB), for extorting U.S. healthcare providers and laundering ransom proceeds to fund additional cyberattacks against targets in the defense, technology and government sectors worldwide.
Iran: Aggression and espionage operations
Iranian cyber groups such as Druidfly and Seedworm are known for their destructive attacks and espionage operations. Druidfly targets countries hostile to Iran, including Albania and Israel, while Seedworm focuses on organizations in the Middle East and beyond. These groups employ adept social engineering tactics, custom backdoors and ransomware such as DarkBit, with the ransomware often serving as cover for their destructive attacks.