Cyber Security Landscape 2024-2025: geopolitics and cyber warfare
Cyberspace, once seen primarily as a technological and commercial domain, has irrevocably become a key and integral element of modern international conflicts, geopolitical rivalries and an instrument for nation-states to pursue their foreign policy goals. Between 2024 and 2025, we are watching with growing concern how offensive actions sponsored or at least tolerated by governments, sophisticated disinformation campaigns using the latest technological advances, and the dynamic evolution of national doctrines of cyberwarfare are shaping an entirely new, extremely complex and often unpredictable dimension of threats to international security, the stability of global critical infrastructure and the fundamental principles of democratic order. Understanding these dynamic processes is crucial for policymakers, business leaders and security professionals.
What are the main tactics, techniques and procedures (TTPs) of the leading state actors in cyberspace in 2024-2025 and what threat do they pose to critical infrastructure?
An analysis of publicly available intelligence reports, telemetry data from cybersecurity companies, and information from government agencies on the tactics, techniques and procedures (TTPs) employed by major state actors in cyberspace between 2024 and 2025 clearly indicates the steadily increasing scale, technical sophistication, audacity and strategic focus of their operations. States are increasingly bold and effective in using cyberspace as a tool to achieve their long-term strategic goals, covering a broad spectrum of activities – from traditional political and industrial espionage, to active battlefield preparation for future kinetic conflicts (so-called pre-positioning), to direct attacks on critical infrastructure and influence operations.
The People’s Republic of China (PRC) is consistently identified by many Western intelligence agencies and cyber security firms as the most active, persistent and prolific cyber threat to the United States, its allies and global critical infrastructure. Numerous Chinese APT (Advanced Persistent Threat) groups, often affiliated with the state apparatus (e.g., the Ministry of State Security – MSS, or the People’s Liberation Army – PLA), conduct extensive, long-term campaigns, such as the high-profile Volt Typhoon and Salt Typhoon operations. The main objective of these operations is to gain and maintain permanent covert access (so-called pre-positioning) to key information and operational technology (IT/OT) systems in strategic sectors of Western countries, such as communications, energy, transportation, water and wastewater, and financial services. Characteristic of these highly sophisticated operations is the frequent use of “living off the land” (LotL) tactics: the attackers rely on legitimate, built-in administrative tools (e.g., PowerShell, WMI, netsh) and on compromised but otherwise legitimate credentials, so that their activity blends in with normal administration, evades security tooling and leaves few traces. China is vigorously developing and implementing its doctrine of “intelligent/intelligentized warfare,” which involves the deeply integrated use of artificial intelligence, big data analytics, quantum technologies and other advanced technologies in multi-domain operations where cyberspace plays a key role. The creation in recent years of a dedicated Cyberspace Force as a separate type of armed force, directly subordinate to the Central Military Commission, only underscores the strategic importance of this dimension to Beijing’s ambitions. A report by CrowdStrike noted an alarming 150% increase in Chinese APT group activity in 2024 alone compared to the previous year.
Additionally, in April 2025, Chinese APT groups were observed exploiting the newly discovered CVE-2025-31324 vulnerability in the popular SAP NetWeaver enterprise software to launch targeted attacks on critical infrastructure systems around the world.
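The living-off-the-land problem described above is that the binaries involved are legitimate, so detection has to rest on behaviour rather than on signatures. The following Python script is an added example, not code from the original article or from any vendor report it cites; the event layout, host names and account names are constructed assumptions.

```python
"""Behavioural detection for living-off-the-land (LotL) tool use.

Signature-based controls struggle with LotL because powershell.exe, wmic.exe
and netsh.exe are legitimate binaries. The usable signal is *who* runs them,
on *which host* and *from which parent*, compared with that account's own
history. This is an added example; the event layout (timestamp, host, user,
image, parent) is an assumption, not a real EDR or SIEM schema.
"""
from datetime import datetime, timezone

# Built-in administrative tools the text names as typical LotL choices.
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = """\
2025-03-01T08:00:00Z,ws-admin01,corp\\jadmin,powershell.exe,explorer.exe
2025-03-01T08:05:00Z,ws-admin01,corp\\jadmin,netsh.exe,cmd.exe
2025-03-02T09:10:00Z,srv-dc01,corp\\jadmin,wmic.exe,cmd.exe
2025-03-03T09:12:00Z,ws-admin01,corp\\jadmin,powershell.exe,explorer.exe
2025-03-04T11:00:00Z,ws-hr07,corp\\mlee,excel.exe,explorer.exe
2025-03-10T02:13:00Z,ws-hr07,corp\\mlee,powershell.exe,winword.exe
2025-03-10T02:14:00Z,ws-hr07,corp\\mlee,netsh.exe,cmd.exe
2025-03-10T02:20:00Z,srv-dc01,corp\\jadmin,wmic.exe,cmd.exe
2025-03-11T07:45:00Z,ws-admin01,corp\\jadmin,powershell.exe,cmd.exe
"""

# Events before this instant are treated as the learned "normal" period.
BASELINE_END = datetime(2025, 3, 8, tzinfo=timezone.utc)


def parse_event(line):
    """Parse one comma-separated event into a dict with a tz-aware timestamp."""
    ts, host, user, image, parent = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "user": user.lower(),
        "image": image.lower(),
        "parent": parent.lower(),
    }


def load_events(text):
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def build_baseline(events, cutoff):
    """Return the set of (user, tool, parent) triples seen before the cutoff.

    Only LotL tools are baselined; other process starts are irrelevant here.
    """
    return {
        (ev["user"], ev["image"], ev["parent"])
        for ev in events
        if ev["ts"] < cutoff and ev["image"] in LOTL_TOOLS
    }


def find_deviations(events, baseline, cutoff):
    """Flag post-cutoff LotL executions that do not match the account's baseline.

    Two reasons are distinguished for triage: an account that has never run the
    tool at all is a stronger signal than a known admin running a familiar tool
    from a new parent process.
    """
    known_pairs = {(user, tool) for user, tool, _ in baseline}
    alerts = []
    for ev in events:
        if ev["ts"] < cutoff or ev["image"] not in LOTL_TOOLS:
            continue
        if (ev["user"], ev["image"], ev["parent"]) in baseline:
            continue  # matches learned behaviour; no alert
        if (ev["user"], ev["image"]) in known_pairs:
            reason = "known tool, unusual parent process"
        else:
            reason = "LotL tool never seen for this account"
        alerts.append({**ev, "reason": reason})
    return alerts


def run_detection(text=SAMPLE_EVENTS, cutoff=BASELINE_END):
    events = load_events(text)
    return find_deviations(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for a in run_detection():
        print(f'{a["ts"].isoformat()} {a["host"]} {a["user"]} {a["image"]} '
              f'(parent {a["parent"]}): {a["reason"]}')
```

On the sample data the two HR-workstation events and the admin's PowerShell launch from a new parent are reported, while the admin's routine WMIC use on the domain controller is not.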
The Russian Federation also has highly advanced cyber capabilities and extensive, long-standing experience in the strategic integration of cyber attacks with traditional warfare and hybrid operations, which has been particularly evident during the ongoing conflict in Ukraine, but also in numerous previous operations. Russian special services, in particular the General Staff’s Main Intelligence Directorate (GRU) and its specialized units such as Fancy Bear (APT28, Sofacy Group) and Sandworm (APT44, Telebots, Voodoo Bear), as well as the Federal Security Service (FSB), conduct constant espionage, sabotage and subversion campaigns against European countries, the United States and other states perceived as Moscow’s adversaries. Attacks on critical infrastructure (especially energy and telecommunications), psychological influence operations, sophisticated disinformation campaigns and interference in electoral processes are a constant and integral part of Russia’s hybrid warfare strategy. According to data from a Forescout report, in 2024 Russia was the most common source of malicious traffic on the global Internet, accounting for about 16% of all recorded attacks.
The Islamic Republic of Iran is also actively and increasingly boldly using cyberspace to advance its geopolitical goals, projecting power in the Middle East region and conducting asymmetric confrontations with perceived enemies, mainly the United States and Israel. There have been systematic attacks on U.S. critical infrastructure, often in retaliation for U.S. support for Israel or for other actions perceived by Tehran as hostile. Iranian APT groups, often affiliated with the Islamic Revolutionary Guard Corps (IRGC), use a wide range of known vulnerabilities (often left unpatched by victims), advanced social engineering techniques and publicly available or modified hacking tools in their operations. In some cases, Iranian groups have impersonated hacktivist collectives to hide their state connections, attacking operational technology (OT) devices in sectors such as water and manufacturing, among others.
The Democratic People’s Republic of Korea (DPRK), and in particular its most notorious and active cybercrime group, FAMOUS CHOLLIMA (also known as Lazarus Group, Hidden Cobra or APT38), focuses most of its cyber operations on illegally generating revenue for Kim Jong Un’s internationally isolated regime. This revenue is then used to, among other things, fund weapons programs, including nuclear and missile programs. The group uses extremely sophisticated and creative schemes to do this, such as operations with fake, surreptitious IT workers who, after being remotely employed by foreign technology or financial firms, send business laptops to “laptop farms” controlled by the group, from where further malicious activity, including the theft of intellectual property and access, is then carried out. Lazarus Group is also responsible for numerous spectacular attacks on cryptocurrency exchanges, banks and other financial institutions, which have netted the regime hundreds of millions or even billions of dollars. Significantly, recent reports indicate that FAMOUS CHOLLIMA is increasingly using the capabilities of generative artificial intelligence (GenAI) to create fake but more convincing personal profiles, generate content for phishing campaigns, and lend credibility to its online activities.
Attacks on critical infrastructure (CI) have become a common and extremely dangerous tactic in the arsenal of state actors. Sectors such as energy (power plants, transmission networks), transportation (aviation, railroads, ports), telecommunications (network infrastructure, satellites), finance (banking systems, stock exchanges), healthcare (hospitals, patient data systems) or water and wastewater treatment systems are prime strategic targets for these operations. The motivations behind these attacks are varied and include traditional espionage (gathering information on CI operations), disruption of key services to destabilize a state or exert political pressure, demonstration of force and deterrence capabilities, testing of adversary defense capabilities, and, most dangerously, preparation for potential future military conflicts by placing “dormant” implants to remotely deactivate or destroy elements of CI when the time comes. Between 2022 and 2024, an alarming global increase of up to 668% in the number of recorded cyber incidents in critical infrastructure has been observed. The World Economic Forum’s prestigious Global Cybersecurity Outlook 2025 report indicates that nearly 60% of organizations around the world are directly addressing rising geopolitical tensions as a key risk factor in their cybersecurity management strategies.
The table below shows examples of recent attacks on critical infrastructure where there are strong indications of state actor involvement and geopolitical motivations:
| Date of attack/disclosure | Target (sector, country) | Attributed state actor/group (probable) | Attack description / characteristic TTPs | Likely geopolitical motivation |
|---|---|---|---|---|
| 2024 (ongoing operations) | US critical infrastructure (various sectors, including communications, energy, transportation) | China (Volt Typhoon group and other related groups) | Long-term pre-positioning of covert access to IT and OT networks, heavy use of “living off the land” tactics, exploits for known vulnerabilities in edge devices. | Preparation for potential future conflict with the U.S. (e.g., in the context of Taiwan), strategic deterrence, and the possibility of disrupting U.S. crisis response capabilities. |
| Q4 2024 – Q1 2025 | Critical infrastructure in Europe and the U.S. (including energy, transportation, finance) | Russia (GRU units, e.g., Sandworm, APT28) | Targeted attacks on infrastructure (e.g., energy and transportation in countries supporting Ukraine), integration with GRU operations, use of electronic warfare (EW) systems (e.g., GPS signal jamming), intensive disinformation campaigns. | Direct support of hostilities in Ukraine, attempts to destabilize countries supporting Ukraine, demonstration of power and power projection capabilities, weakening the cohesion of the West. |
| November 2023 | Operational technology (OT) equipment in water supply infrastructure and other critical sectors in the US | Iran (a group affiliated with the IRGC, e.g., “CyberAv3ngers”) | Using publicly known default credentials to compromise and deface (change the interface content of) Israeli-made OT devices (e.g., Unitronics PLCs). | Retaliation for perceived U.S. support for Israel in the Gaza conflict, a demonstration of its ability to attack U.S. critical infrastructure, an influence operation. |
| January 2024 | Water distribution systems in several communities in Texas and other US states | Hacktivists declaring pro-Russian ties (potentially a false flag operation) | Disruption of water distribution control systems, propaganda messages. | An attempt to weaken U.S. resolve to continue supporting Ukraine, demonstrating the ability to disrupt U.S. critical infrastructure, sowing public unrest. |
| April 2025 | Critical infrastructure globally (SAP-based enterprise systems) | China (various APT groups) | Exploitation of the newly disclosed CVE-2025-31324 vulnerability in the SAP NetWeaver Visual Composer component for remote code execution (RCE) and extensive reconnaissance on infected hosts. | Industrial and technological espionage, collection of detailed information on global critical infrastructure, potential preparation for future disruptive or sabotage operations. |
Table: Selected examples of recent (Q4 2024 – Q1 2025) attacks on critical infrastructure with likely attribution to state actors and their geopolitical motivations.
How do sophisticated disinformation campaigns, increasingly supported by artificial intelligence, affect social stability, democratic processes and international trust?
Disinformation campaigns, often carefully planned, financed and executed by or at the behest of state actors, pose a growing and extremely insidious threat to social stability, the integrity of democratic processes and mutual trust in the international arena. The use of the latest advances in artificial intelligence, particularly deepfake technology (generating fake but extremely realistic video and audio materials) and advanced language models (LLMs) to automatically create and mass distribute fake or manipulated content, significantly increases its potential credibility, reach of impact and speed of spread in the global infosphere. These modern tools allow the creation of materials that are increasingly difficult to distinguish from authentic information even for informed and critically thinking audiences.
The main goal of these complex, multi-vector campaigns is to manipulate public opinion on a massive scale. This can include attempts to directly interfere with electoral processes in other countries by discrediting specific candidates, political parties, undermining confidence in the electoral process itself and its results, or mobilizing or demobilizing specific groups of voters. Another common goal is to sow social discord and polarization by artificially amplifying existing ethnic, religious, political or social tensions, as well as creating and promoting false narratives aimed at exacerbating internal conflicts. Disinformation campaigns also serve to undermine trust in legitimate state institutions such as governments, parliaments, courts, as well as independent media, NGOs and expert communities. In a broader geopolitical context, disinformation is used to discredit political opponents in the international arena, weaken alliances, promote one’s own vision of the international order or justify one’s own, often aggressive, actions.
Examples of disinformation activities from 2024-2025 illustrate the global reach and growing sophistication of this phenomenon. Widespread use of deepfake technology to create false, compromising statements by key politicians was observed in the United States, where one such campaign, attributed to Russian entities, aimed to discredit Vice President Kamala Harris. Similar incidents, often linked to election periods or major political events, have occurred in the United Kingdom, Ukraine (where disinformation is a regular feature of hybrid warfare), Indonesia and Taiwan, where Chinese influence operations have targeted presidential and parliamentary elections, among others. Russia and China are consistently identified by analysts and intelligence agencies as the main, most active and resourceful state actors conducting such influence operations on a global scale. They use not only their own elaborate propaganda apparatuses and special services to do so, but also outsource activities to third parties such as marketing agencies, troll farms and ostensibly independent media, which makes clear attribution and effective counteraction even more difficult.
How are the national cyberwarfare doctrines of the world’s major powers evolving, and what are their key strategic objectives and implications for global cybersecurity?
The world’s major powers, recognizing cyberspace as a full-fledged fifth domain for conducting military operations – alongside land, sea, air and space – continue to intensively develop, test and adapt their national doctrines, strategies and capabilities for offensive and defensive operations in this critical sphere. Their strategic goals in cyberspace are complex and multidimensional, including the pursuit and maintenance of information superiority, the development of credible capabilities to deter potential adversaries, the ability to project power and influence at a distance without the need for physical presence, and the provision of capabilities to conduct effective, integrated Multi-Domain Operations (MDO), where kinetic operations are closely coordinated with operations in cyberspace.
The United States, through its specialized U.S. Cyber Command (USCYBERCOM), has consistently pursued and developed a strategy referred to as “persistent engagement” and “defend forward.” This approach involves not only passively defending one’s own networks and systems, but also conducting active, continuous reconnaissance and operational activities in the cyberspace of potential adversaries. The goal of these activities is to detect and neutralize threats early, disrupt hostile cyber operations at their source, and prevent attacks on US critical infrastructure and national interests before those attacks materialize on US soil. In recent years, there has been a growing emphasis in U.S. doctrine on the deep integration of artificial intelligence (AI) and machine learning (ML) across the spectrum of cyber operations, both offensive (e.g., automating exploit creation, conducting influence campaigns) and defensive (e.g., autonomous detection and response systems, predictive threat analysis). Strengthening deterrence capabilities, both through the threat of a symmetrical response in cyberspace and through the ability to respond with other instruments of state power, also remains a key element. Policy documents, such as the annual threat assessment published by the Director of National Intelligence (DNI Annual Threat Assessment) and the cyclical Homeland Security Threat Assessment issued by the Department of Homeland Security (DHS Homeland Threat Assessment), consistently and unequivocally identify China and Russia as the primary, most advanced and dangerous sources of cyber threats to the US.
The People’s Republic of China (PRC) is dynamically and with great momentum developing its national military doctrine, referred to as “intelligent/intelligentized warfare.” The concept involves the massive, synergistic use of the latest technological advances, such as artificial intelligence, big data analytics, quantum computing, space technology and advanced autonomous systems, to achieve decisive information superiority and the ability to strike targets accurately and synchronously in integrated multi-domain operations. Cyberspace is treated in this doctrine as a key force multiplier and an essential element in achieving information dominance. The establishment of the Cyberspace Force (CSF) in 2024 as an entirely new, separate component of the Chinese Armed Forces (People’s Liberation Army), directly subordinate to the all-powerful Central Military Commission, emphatically demonstrates the growing, strategic importance of this domain in China’s military strategy and national ambitions to become a global technological and military leader.
For years, the Russian Federation has consistently and with great effectiveness put into practice a hybrid warfare strategy that flexibly combines conventional (kinetic) operations with a broad spectrum of non-kinetic operations, where cyber operations, advanced information operations (including disinformation and propaganda) and other forms of pressure (e.g., energy, economic) play a key, often primary role. The Russian armed forces and special services (GRU, FSB, SVR) demonstrate a high ability to adapt tactics and tools in cyberspace, including the effective use of electronic warfare (EW) systems to disrupt enemy communications and navigation systems (as was evident, for example, in the conflict in Ukraine through mass jamming of GPS signals). There has also been a steady escalation of sabotage and subversion activities carried out by Russian special services on the territory of European countries, often using a cyber component to prepare, support or conceal these operations.
What is the current state of international legal norms and actual cooperation in the field of global cyber security, and what are the main challenges and future prospects?
Despite the exponentially increasing number of cross-border cyber incidents, the growing scale and severity of global threats, and the pronounced militarization of cyberspace, progress in creating, agreeing on and, most importantly, effectively enforcing international norms for responsible state behavior in cyberspace has unfortunately been very slow and faced numerous fundamental difficulties. There is an urgent, widely articulated need to develop a common, globally accepted legal and normative framework that could bindingly regulate the actions of states in this critical domain, but deep differences in national interests, differing strategic approaches, and a lack of mutual trust among the major global actors (particularly between the West and Russia/China) pose serious challenges to achieving consensus.
The UN Open-ended Working Group (OEWG) on Security of and in the Use of Information and Communication Technologies, running for the 2021-2025 term, continues its diplomatic and negotiating work. Its main mandate is to focus on further developing and promoting the implementation of voluntary, non-binding norms for states’ behavior in cyberspace (a set of which have already been agreed upon), developing Confidence-Building Measures (CBMs) to increase the transparency and predictability of states’ actions, and supporting capacity-building mechanisms for cyber security, particularly in developing countries, which are often the most vulnerable to cyber attacks. The tenth substantive session of the OEWG, held in February 2025, was devoted to, among other things, a detailed discussion of the analysis of current and future threats (such as global ransomware campaigns, the use of AI for offensive purposes, or attacks on critical infrastructure), the dilemma of priorities – whether to focus on the full implementation of already agreed norms, or on the creation of new, more detailed regulations (e.g., Kazakhstan’s proposal to develop a global “zero trust standard” for state systems), the further development of specific CBMs, and a discussion of the shape and mandate of a future permanent UN ICT security mechanism to continue its work beyond the current OEWG term. The final, eleventh substantive session of the OEWG is scheduled for July 2025, after which a final report with recommendations is expected to be presented to the UN General Assembly.
However, the main fundamental challenge on the road to creating a stable and predictable order in cyberspace remains the lack of global consensus on the precise interpretation and application of existing international law, including such key branches of it as the UN Charter (especially in the context of the right to self-defense), international humanitarian law (the law of armed conflict) or the law of state responsibility, in the specific context of cyberspace. This leads to the formulation of often divergent and sometimes even contradictory legal and political positions by individual states, and to their taking actions that are interpreted differently by the international community. Such a situation significantly hinders effective deterrence of adversaries, unambiguous attribution of responsibility for malicious cyber activities, and the building of a sustainable, rules-based, stable and secure global digital environment.
What are the most serious, broader geopolitical implications of the ongoing militarization of cyberspace for global peace, security and economic stability?
Cyberspace is increasingly and irrevocably seen not only as a new operational domain, but even as a key arena of strategic geopolitical competition between major powers, and actions taken in this sphere can have extremely serious, often difficult to predict and potentially cascading consequences for global peace, international security and the stability of the world economy. Cyber-attacks are becoming a standard, increasingly used and sophisticated tool in the hands of states and those acting on their behalf, used to achieve a wide range of political objectives – from classic espionage (political, military, economic, technological) and intellectual property theft, to sabotage and disruption of an adversary’s critical infrastructure (energy, finance, transportation, communications), to sophisticated influence operations aimed at destabilizing the domestic situation in other countries, interfering with democratic processes or undermining the cohesion of international alliances. The increasing militarization of this domain brings with it new and specific risks that require urgent attention from the international community.
One of the most serious risks is the growing risk of miscalculation, misunderstanding of the other side’s intentions and, consequently, unintentional escalation of a conflict that can begin in cyberspace and then spill over into other domains, including kinetic actions. This is particularly dangerous in the context of attacks on critical infrastructure, which is often cross-border in nature (e.g., power grids, financial systems, the global internet), and a major disruption in one country can have immediate, cascading and catastrophic effects on other countries and the global economy as a whole. States are intensively developing and testing increasingly sophisticated, often classified cyberwarfare doctrines and offensive cyber capabilities, and ubiquitous disinformation campaigns, driven by artificial intelligence and social media, can further exacerbate existing international tensions, polarize societies and undermine trust in institutions and each other.
The lack of clear, precisely defined and globally accepted “red lines” in cyberspace, i.e. thresholds whose crossing would be met with an unambiguous, coordinated response from the international community, and the previously mentioned slow progress of the UN OEWG, which often encounters fundamental divergences of interests and strategic approaches among the world’s major powers, significantly increase the risk of misunderstandings, misinterpretations of adversary actions and uncontrolled escalation. In this extremely complex and dynamic situation, there is an urgent, fundamental need to intensify diplomatic efforts at all levels – bilateral, regional and global – to develop effective mechanisms for de-escalating conflicts in cyberspace, building mutual trust and transparency in operations (CBMs), and promoting and enforcing principles of responsible state behavior. For organizations, especially those operating in sectors deemed critical or handling particularly sensitive data, this means the absolute necessity of incorporating growing geopolitical risks and potential state-sponsored attacks into their cyber risk management strategies and business continuity and disaster recovery plans. This phenomenon is also having a direct, increasingly visible impact on the global cyber insurance market, where insurers and reinsurers are having to calculate increasingly complex, difficult-to-evaluate and potentially catastrophic scenarios related to cyber warfare, cyber terrorism and state-sponsored attacks, leading to higher premiums, tighter policy terms and the introduction of increasingly broad liability exclusions.
Key Takeaways:
Increasing escalation risks and strategic implications for organizations: The militarization of cyberspace increases the risk of miscalculation and unintended escalation of conflicts, requiring organizations to integrate geopolitical risk into their cybersecurity strategies and requiring states to intensify diplomatic efforts to de-escalate and build trust.
Cyberspace as a key domain of geopolitical competition: The activities of state-run APT groups (especially from China, Russia, Iran, North Korea) are increasingly sophisticated, strategically targeted and often target critical infrastructure, posing a global threat.
Advanced disinformation powered by AI as a weapon: Disinformation campaigns using deepfake and other artificial intelligence tools are becoming an increasingly effective instrument for destabilizing democratic processes, polarizing societies and undermining international trust.
Dynamic evolution of national cyberwarfare doctrines: The major powers (US, China, Russia) are intensively developing their doctrines and capabilities to conduct operations in cyberspace, often integrating them with operations in other domains and using the latest technologies, including AI.
Challenges to creating and enforcing international norms: Despite ongoing work within the United Nations (OEWG), the lack of global consensus on the interpretation and application of international law in cyberspace and the divergence of state interests make it difficult to build a stable and predictable order in this domain.