TL;DR: The four most active nation-state cyber powers — China, Russia, North Korea, and Iran — have evolved their operations significantly in the past two years. China's Volt Typhoon and Salt Typhoon campaigns represent a strategic shift from espionage to pre-positioning in critical infrastructure for potential wartime disruption. Russia's groups continue targeting Western governments and NGOs while refining supply chain techniques. North Korea has stolen over $6 billion in cryptocurrency to fund weapons programs, using social engineering sophistication that rivals any intelligence service. Iran's operations are expanding beyond regional targets. The techniques these groups pioneer trickle down to criminal organizations within 12-18 months — making nation-state tradecraft directly relevant to every enterprise security program.
China: From Espionage to Pre-Positioning
China's cyber operations have undergone the most significant strategic shift of any nation-state in the past three years. While intellectual property theft and espionage continue through groups like APT41 and Hafnium, the emergence of Volt Typhoon and Salt Typhoon represents something fundamentally different: preparation for potential wartime disruption of US critical infrastructure.
Volt Typhoon: Living in US Infrastructure
Volt Typhoon targets water treatment systems, energy grids, telecommunications networks, and transportation infrastructure across the United States. Their objective is not data theft — it is persistent access that could be activated during a geopolitical crisis, particularly a conflict over Taiwan. The group has been resident in some networks for years without conducting any disruptive activity, suggesting they are building capability for future use.
What makes Volt Typhoon exceptionally dangerous is their operational security. They use living-off-the-land techniques exclusively — no custom malware, no C2 infrastructure that can be easily fingerprinted, no tools that would trigger endpoint detection. They compromise SOHO routers (Cisco, Netgear, Fortinet) to build operational relay networks that proxy their traffic through residential IP addresses, making their activity indistinguishable from normal internet traffic. Detection requires behavioral analysis at a level that most critical infrastructure operators do not have.
Salt Typhoon: Inside the Wiretap Infrastructure
Salt Typhoon compromised nine or more major US telecommunications providers — AT&T, Verizon, T-Mobile, and others — gaining access to the CALEA lawful intercept systems used by US law enforcement for court-authorized wiretapping. The implications are extraordinary: a foreign intelligence service gained access to the same surveillance infrastructure that US agencies depend on for national security investigations.
Salt Typhoon's access to call detail records, text messages, and potentially intercepted communications represents one of the most significant intelligence compromises in US history. The campaign exposed fundamental weaknesses in telecommunications infrastructure security — an industry that has historically prioritized reliability and regulatory compliance over cybersecurity.
Flax Typhoon: IoT as Attack Infrastructure
Flax Typhoon compromised hundreds of thousands of IoT devices — cameras, routers, NAS devices — to build a massive botnet that serves as operational infrastructure for other Chinese cyber operations. The botnet provides distributed attack infrastructure, proxy networks for anonymizing traffic, and persistent footholds in networks that are difficult to identify and remediate because the compromised devices are typically unmanaged and unmonitored.
Russia: Espionage, Disruption, and Influence
Russian cyber operations in 2025-2026 continue to be shaped by the war in Ukraine, with sustained campaigns against Western governments, NATO allies, NGOs supporting Ukraine, and critical infrastructure in countries providing military aid.
Midnight Blizzard (APT29 / Cozy Bear)
Russia's SVR-linked group has expanded its targeting beyond government networks to major technology companies. Their compromise of Microsoft's corporate email in late 2023 — achieved through a password spray attack on a legacy test account — demonstrated that even the most security-conscious organizations have blind spots. The group accessed email accounts of senior Microsoft leadership and cybersecurity team members, using the stolen information to further target other organizations.
Midnight Blizzard's operational pattern in 2025-2026 focuses on OAuth application abuse and cloud-native attack techniques. Rather than deploying malware, they compromise cloud identities and create persistent access through malicious OAuth applications that maintain access even after password resets. Their targeting of Microsoft 365 environments reflects the reality that most sensitive government and enterprise communications now live in cloud email.
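The persistence mechanism described above has a concrete defensive check: after a password reset, list the OAuth grants the user approved before the reset, because those grants (and any refresh tokens behind them) survive it. The script below is an added example, not the post's or any vendor's code; it runs on constructed records with simplified field names (user, app_id, scopes, consented_at, revoked), not a real tenant export schema.

```python
"""Find OAuth app consents that outlive a password reset (added example, not
code from the original post). Resetting a password does not revoke consent
grants or refresh tokens held by an app the user or an admin approved, so an
attacker-controlled app keeps its access until the grant itself is revoked.
Records are constructed with simplified field names, not a vendor export."""
from datetime import datetime

# Scopes that expose mail/files or keep the app refreshing tokens;
# offline_access is the standard OAuth/OIDC scope that yields a refresh token.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Directory.ReadWrite.All", "offline_access"}

def surviving_grants(grants, resets):
    """grants: records {user, app_id, app_name, publisher_verified, scopes,
    consented_at, revoked}; resets: {user: ISO time of last forced reset}.
    Returns active grants consented before the reset, riskiest first."""
    out = []
    for g in grants:
        reset = resets.get(g["user"])
        if g.get("revoked") or reset is None:
            continue
        if datetime.fromisoformat(g["consented_at"]) >= datetime.fromisoformat(reset):
            continue  # granted after the reset; not a survivor of it
        risky = sorted(set(g["scopes"]) & HIGH_RISK_SCOPES)
        score = len(risky) + (0 if g.get("publisher_verified") else 1)
        out.append({"user": g["user"], "app": g["app_name"], "app_id": g["app_id"],
                    "risky_scopes": risky, "score": score,
                    "action": "revoke grant and refresh tokens" if risky else "review"})
    return sorted(out, key=lambda r: -r["score"])

# Constructed sample data: two users were force-reset on 2026-02-10.
RESETS = {"alice": "2026-02-10T12:00:00+00:00", "bob": "2026-02-10T12:00:00+00:00"}
GRANTS = [
    {"user": "alice", "app_id": "app-0001", "app_name": "Mail Sync Helper",
     "publisher_verified": False, "scopes": ["User.Read", "Mail.ReadWrite", "offline_access"],
     "consented_at": "2026-02-01T09:00:00+00:00", "revoked": False},
    {"user": "alice", "app_id": "app-0002", "app_name": "Corporate Calendar",
     "publisher_verified": True, "scopes": ["User.Read", "Calendars.Read"],
     "consented_at": "2025-11-03T10:00:00+00:00", "revoked": False},
    {"user": "bob", "app_id": "app-0001", "app_name": "Mail Sync Helper",
     "publisher_verified": False, "scopes": ["Mail.ReadWrite", "offline_access"],
     "consented_at": "2026-02-02T09:00:00+00:00", "revoked": True},
]
```

Grants that predate the reset and carry mail or offline_access scopes are the ones a reset alone never touched; revoking the grant is what actually cuts the access.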
Sandworm (APT44)
Russia's GRU-linked Sandworm group remains the most destructive cyber threat actor globally. In Ukraine, they have deployed wiper malware against energy infrastructure, communication networks, and government systems throughout the conflict. Their techniques have evolved from relatively crude destructive malware to sophisticated attacks that combine network infiltration, lateral movement, and precisely targeted destruction of operational technology systems.
For enterprises outside Ukraine, Sandworm's relevance lies in their supply chain techniques and their willingness to cause collateral damage. The NotPetya attack in 2017 — a Sandworm operation targeting Ukraine — caused $10 billion in global damages: it spread through the M.E.Doc accounting software used by companies operating in Ukraine, but affected organizations worldwide, including Maersk, Merck, and FedEx.
North Korea: Cybercrime as State Policy
North Korea's cyber operations are unique among nation-states because their primary objective is revenue generation — funding the regime's weapons programs through cryptocurrency theft, ransomware, and IT worker fraud. The scale is staggering: North Korean groups have stolen an estimated $6 billion or more in cryptocurrency since 2017.
Lazarus Group and TraderTraitor
The Lazarus Group cluster — including TraderTraitor, UNC4736, and related subgroups — is the most prolific state-sponsored financial theft operation in history. Their February 2025 theft of $1.5 billion from the Bybit cryptocurrency exchange was the largest single crypto heist ever recorded. The April 2026 Drift Protocol hack ($285 million) used a sophisticated supply chain technique: compromising a developer's VSCode configuration through months of social engineering, then using the established trust to deploy malicious code that pre-signed authorization transactions.
The social engineering sophistication of North Korean operations deserves emphasis. Their operatives build genuine professional relationships with targets over months — contributing to open-source projects, participating in developer communities, and establishing credibility before attempting exploitation. The targeting of developers and engineers through fake job offers, trojanized development tools, and social engineering through LinkedIn and GitHub represents a direct threat to every technology company.
IT Worker Fraud
North Korea has placed thousands of IT workers in remote positions at Western companies using fabricated identities. These workers generate revenue for the regime while potentially providing insider access to corporate networks. The FBI has warned that North Korean IT workers have been employed at Fortune 500 companies, startups, and government contractors — often through third-party staffing agencies that did not detect the deception.
Iran: Regional Power With Expanding Reach
Iran's cyber operations have historically focused on regional targets — Israel, Saudi Arabia, UAE — but have expanded significantly to target Western organizations, particularly those involved in Middle Eastern policy, defense contracting, and critical infrastructure.
MuddyWater and Scarred Manticore
MuddyWater (attributed to Iran's MOIS intelligence service) targets government organizations, telecommunications companies, and energy infrastructure across the Middle East, and increasingly in Europe. Their techniques have matured from simple spear-phishing campaigns to sophisticated multi-stage attacks using custom tooling, living-off-the-land techniques, and legitimate cloud services for command and control.
Scarred Manticore focuses on long-term espionage operations against telecommunications and internet service providers in the Middle East. By compromising ISPs, Iranian intelligence gains passive access to enormous volumes of communications data — a capability similar to what Salt Typhoon achieved in the US telecommunications sector.
Cotton Sandstorm: Hack-and-Leak
Iran has increasingly adopted hack-and-leak operations as a form of influence and disruption. Cotton Sandstorm (formerly Neptunium) compromises targets, exfiltrates data, and then publicly releases the stolen information to embarrass the target, create political pressure, or amplify geopolitical tensions. These operations combine traditional cyber intrusion with information warfare — a model that Russia pioneered but Iran has adopted with increasing sophistication.
Nation-State Threat Landscape Comparison
| Nation | Primary Motivation | Key Groups | Top Techniques | Industries Targeted |
|---|---|---|---|---|
| China | Espionage, pre-positioning for disruption | Volt Typhoon, Salt Typhoon, APT41 | Living off the land, SOHO router compromise, edge device exploitation | Critical infrastructure, telecom, defense, technology |
| Russia | Espionage, disruption, influence | Midnight Blizzard, Sandworm, Star Blizzard | OAuth abuse, supply chain, wiper malware, cloud identity attacks | Government, defense, NGOs, energy, technology |
| North Korea | Financial theft, weapons funding | Lazarus Group, TraderTraitor, UNC4736 | Social engineering, supply chain, developer targeting, crypto theft | Cryptocurrency, fintech, defense, technology |
| Iran | Regional influence, espionage, disruption | MuddyWater, Scarred Manticore, Cotton Sandstorm | Spear-phishing, ISP compromise, hack-and-leak, wiper operations | Government, telecom, energy, defense (ME focus) |
The Blurring Line: Nation-State to Criminal
The distinction between nation-state and criminal cyber operations is increasingly artificial. Nation-state techniques trickle down to criminal groups within 12-18 months. Russian intelligence services co-opt criminal ransomware groups for state objectives — or at minimum, provide safe harbor in exchange for targeting alignment. North Korean operations are indistinguishable from criminal activity in their methods and objectives. Iranian groups moonlight as cybercriminals when not conducting state-directed operations.
For enterprises, this means that defending against "just" cybercriminals is no longer sufficient. The ransomware group targeting your network in 2026 is using the same living-off-the-land techniques that Volt Typhoon pioneered, the same AiTM phishing kits that Russian groups deployed, and the same supply chain attack vectors that North Korean groups perfected. Defending against commodity threats now requires defending against nation-state-grade tradecraft.
What Enterprises Should Learn
- Assume breach is not paranoia — it is realistic planning. If nation-states can persist in US telecommunications infrastructure for years, your network is not impenetrable either. Test your detection and response capabilities through assumed-breach penetration testing that starts with internal access.
- Know your threat model. Which nation-state groups target your industry? If you are in technology, defense, or critical infrastructure, Chinese APTs are a primary concern. If you handle cryptocurrency, North Korean groups should be in your threat model. If you operate in the Middle East, Iranian groups are relevant. Threat intelligence should inform your security priorities.
- Identity is the highest-value target. Nation-state groups increasingly target identities rather than systems — OAuth tokens, session cookies, cloud credentials, federation trust. Invest in phishing-resistant MFA, conditional access, and identity threat detection.
- Supply chain security is existential. Every nation-state uses supply chain attacks. Audit your CI/CD pipeline permissions, verify dependency integrity, and monitor for anomalous updates to your software supply chain.
- Behavioral detection over signatures. Living-off-the-land techniques used by the most sophisticated nation-states produce no malware signatures. Your detection capability must identify anomalous behavior — unusual process execution chains, lateral movement patterns, and data access anomalies — not just known-bad indicators.
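What "behavioral detection over signatures" looks like in practice, as an added example that is not code from the original post: the script scores process-creation events purely on parent-child relationships, with no hash or file signature. It uses a constructed pipe-delimited event format (ts|host|ppid|parent|pid|image|cmdline), not any vendor's schema, and the LOLBIN list and sample events are assumptions made for the example.

```python
"""Behavioral scoring of living-off-the-land process chains (added example,
not code from the original post). Events are constructed, in a simplified
pipe-delimited form, not a vendor schema: ts|host|ppid|parent|pid|image|cmdline
Flags (1) a parent->child pair absent from a known-clean baseline when the
child is a built-in admin tool, (2) one parent process spawning several such
tools within a short window. No malware signature is involved."""
from collections import defaultdict
from datetime import datetime

# Built-in Windows tools commonly abused in living-off-the-land activity.
LOLBINS = {"cmd.exe", "powershell.exe", "netsh.exe", "wmic.exe",
           "ntdsutil.exe", "vssadmin.exe", "reg.exe", "certutil.exe"}

def parse(line):
    ts, host, ppid, parent, pid, image, cmdline = line.strip().split("|", 6)
    return {"ts": datetime.fromisoformat(ts), "host": host, "ppid": ppid,
            "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}

def baseline_pairs(lines):
    """(parent, child) pairs seen during a known-clean period."""
    return {(e["parent"], e["image"]) for e in map(parse, lines)}

def detect(lines, baseline, window_s=300, min_chain=3):
    """Return (kind, host, detail) alerts for a live event stream."""
    alerts, spawned, chained = [], defaultdict(list), set()
    for e in map(parse, lines):
        if e["image"] not in LOLBINS:
            continue
        if (e["parent"], e["image"]) not in baseline:
            alerts.append(("unseen_lolbin_parent", e["host"],
                           f"{e['parent']} -> {e['image']}: {e['cmdline']}"))
        key = (e["host"], e["ppid"])  # one specific parent process instance
        spawned[key].append((e["ts"], e["image"]))
        recent = {img for ts, img in spawned[key]
                  if (e["ts"] - ts).total_seconds() <= window_s}
        if len(recent) >= min_chain and key not in chained:
            chained.add(key)  # report each chaining parent once
            alerts.append(("lolbin_chain", e["host"],
                           f"{e['parent']} pid {e['ppid']}: " + ", ".join(sorted(recent))))
    return alerts

# Constructed sample events: a clean baseline, then an off-hours burst from a web worker.
BASELINE = [
    "2026-01-05T09:00:00+00:00|srv01|1200|explorer.exe|1300|cmd.exe|cmd.exe",
    "2026-01-05T09:02:00+00:00|srv01|1300|cmd.exe|1310|netsh.exe|netsh interface show interface",
]
LIVE = [
    "2026-01-20T02:10:00+00:00|srv01|2200|w3wp.exe|2300|cmd.exe|cmd.exe /c whoami",
    "2026-01-20T02:10:30+00:00|srv01|2300|cmd.exe|2310|netsh.exe|netsh interface show interface",
    "2026-01-20T02:11:00+00:00|srv01|2300|cmd.exe|2320|wmic.exe|wmic os get caption",
    "2026-01-20T02:12:00+00:00|srv01|2300|cmd.exe|2330|ntdsutil.exe|ntdsutil",
]
```

The baseline is what keeps this from being a signature: explorer.exe launching cmd.exe is normal on the host, while a web worker doing the same, then chaining three admin tools in two minutes, is what gets surfaced.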
Understand Your Threat Landscape
Lorikeet Security's assumed-breach penetration testing simulates the techniques used by nation-state and advanced criminal groups — living off the land, identity abuse, lateral movement, and data exfiltration. Validate whether your defenses detect and respond to real-world adversary tradecraft.