State-Sponsored Threats - Insights from 2025 Year in Review

In 2025, state-sponsored threats from China, Russia, North Korea, and Iran showcased similar tactics despite differing objectives. Understanding these patterns is crucial for defense.


Original Reporting

Cisco Talos Intelligence · Hazel Burton

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯Basically, countries like China and Russia use similar hacking methods to achieve different goals.

What Happened

In 2025, state-sponsored threat activity surged, particularly from China, Russia, North Korea, and Iran. Each of these nations had distinct motivations, such as espionage, disruption, financial gain, and geopolitical influence. However, they shared common tactics, techniques, and procedures (TTPs) that allowed them to exploit vulnerabilities and maintain access for extended periods.

The Threat

China

Chinese threat activity increased significantly, with a nearly 75% rise in investigations compared to 2024. Newly disclosed vulnerabilities were exploited almost immediately, often before patches were available. Long-standing vulnerabilities in networking devices also provided reliable entry points. Once inside, attackers focused on persistence through web shells, custom backdoors, and credential harvesting.

Russia

Russian cyber operations remained closely linked to geopolitical goals, particularly the ongoing war in Ukraine. Many attacks leveraged unpatched vulnerabilities in networking devices, which allowed for long-term intelligence gathering. The correlation between geopolitical events, such as sanctions, and spikes in Russian cyber activity was evident, with common malware families like Dark Crystal RAT appearing frequently.

North Korea

North Korean operations heavily utilized social engineering tactics. Campaigns like Contagious Interview involved fake recruiters tricking targets into executing malicious code or divulging credentials. This led to significant financial gains, including a historic $1.5 billion cryptocurrency heist. Additionally, thousands of IT workers employed stolen identities to infiltrate Fortune 500 companies, funding North Korea's weapons programs.

Iran

Iranian cyber activity combined disruptive tactics with persistent access strategies. Hacktivist operations surged by 60%, particularly in response to the Israel-Hamas conflict. Disruptive campaigns included DDoS attacks and website defacements. Meanwhile, groups like ShroudedSnooper focused on long-term espionage, using stealthy backdoors to infiltrate sectors like telecommunications.

Defensive Measures

Despite their different objectives, these state-sponsored actors rely on similar methods to gain and maintain access. The recommended actions for security teams are listed below; to stay informed about new state-sponsored activities and campaigns, follow the Talos blog.

Do Now

1. Don't ignore older systems: both newly disclosed and long-known vulnerabilities are actively exploited.
2. Prioritize identity security: credentialed access and social engineering remain reliable entry points.
3. Increase visibility into network and edge infrastructure: these systems are common targets for persistent access.

Do Next

4. Expect activity to follow global events: sanctions and political developments often correlate with spikes in cyber activity.
5. Inspect for long-term presence: many operations are designed to persist stealthily over time rather than trigger immediate disruption.
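Point 5 (inspect for long-term presence) and the report's note that Chinese intrusions persist through web shells are the kind of guidance a defender turns into a recurring sweep. The script below is an added example, not code from Talos or CyberPings: it walks a web root, flags script files whose content looks like a web shell (request input passed to eval/system, or an obfuscated payload decoded straight into eval), and records how old each flagged file is so it can be compared against the last legitimate deployment. The indicator regexes and the SAMPLES mapping are constructed for illustration; they are not indicators published by the page.

```python
"""Hunt for web-shell-like files under a web root.

Added example, not part of the Talos report or the CyberPings summary.
The indicator patterns and the SAMPLES dictionary below are constructed for
illustration; they are not indicators published by the page.
"""
import os
import re
import time
from dataclasses import dataclass, field

# Constructed indicator regexes: code that executes attacker-supplied request
# input, or decodes an obfuscated payload and passes it straight to eval().
INDICATORS = {
    "exec_of_request_input": re.compile(
        r"\b(eval|system|passthru|shell_exec|exec|popen|assert)\s*\(\s*[^)]*"
        r"\$_(GET|POST|REQUEST|COOKIE)\b",
        re.IGNORECASE,
    ),
    "decode_then_eval": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.IGNORECASE,
    ),
    "asp_eval_request": re.compile(
        r"\b(eval|execute)\s*\(?\s*request\s*\(", re.IGNORECASE
    ),
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.IGNORECASE
    ),
}
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp")


@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    age_days: float = 0.0


def score_content(text: str) -> list:
    """Return the names of every indicator that matches the file content."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_samples(samples: dict) -> dict:
    """Scan an in-memory {path: content} mapping; keep only flagged files."""
    flagged = {}
    for path, content in samples.items():
        hits = score_content(content)
        if hits:
            flagged[path] = hits
    return flagged


def scan_webroot(root: str, max_age_days: float = None) -> list:
    """Walk a real web root and return Finding objects for flagged scripts.

    max_age_days, when set, limits results to files modified within that
    window, which is useful when comparing against a known deployment date.
    """
    now = time.time()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                age_days = (now - os.path.getmtime(path)) / 86400
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = score_content(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits and (max_age_days is None or age_days <= max_age_days):
                findings.append(Finding(path, hits, round(age_days, 1)))
    return findings


# Constructed sample web root: one clean page, one ASP page that only echoes a
# form field, and two files shaped like common PHP web shells.
SAMPLES = {
    "index.php": "<?php include 'header.php'; echo render($page); ?>",
    "legacy/contact.asp": '<% Response.Write(Request.Form("name")) %>',
    "uploads/avatar_2024.php": "<?php @eval($_POST['c']); ?>",
    "includes/cache.php": "<?php eval(gzinflate(base64_decode('H4sI...'))); ?>",
}

if __name__ == "__main__":
    for path, hits in scan_samples(SAMPLES).items():
        print(f"{path}: {', '.join(hits)}")
    # For a real sweep: scan_webroot("/var/www/html", max_age_days=90)
```

Run it on a schedule against each web root and diff the results against the previous run; a new hit in an upload or cache directory, or a script whose age does not line up with a deployment, is what "inspect for long-term presence" means in practice. Pattern matching like this produces false positives on legitimate dynamic code, so treat hits as triage input rather than verdicts.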

🔒 Pro Insight

Expect heightened state-sponsored activity to correlate with geopolitical tensions, necessitating proactive defense strategies.
