Cyber Warfare Tracker: State-Sponsored Attacks & Global Threats

Overview

Cyber warfare has emerged as a critical domain of interstate conflict, operating alongside - and often preceding - conventional military operations. Unlike traditional warfare with defined battlefields and visible destruction, cyber operations occur in networks and systems, often remaining undetected for months or years. The consequences, however, can be devastating: disrupted power grids, compromised military communications, stolen weapons designs, and paralyzed government agencies.

This tracker focuses on offensive cyber operations between nation-states - distinct from the Cyber Threat Level Today page, which covers defensive posture, and the CYBERCOM Alert page, which tracks U.S. Cyber Command readiness status. Here we monitor state-sponsored hacking campaigns, destructive attacks, espionage operations, and the evolving capabilities of the world's major cyber powers.

The cyber domain has become increasingly militarized, with most major nations now maintaining dedicated cyber warfare units within their military and intelligence structures. The U.S. Cyber Command (CYBERCOM) achieved full operational capability in 2018, while China's Strategic Support Force, Russia's GRU and FSB cyber units, Iran's Islamic Revolutionary Guard Corps cyber division, and North Korea's Reconnaissance General Bureau all conduct operations that blur the line between espionage, sabotage, and acts of war.

Major State Actors

China operates the world's largest state-sponsored cyber espionage apparatus. China's cyber operations focus on intellectual property theft, military technology acquisition, and pre-positioning in critical infrastructure for potential future conflict. The People's Liberation Army Strategic Support Force (PLA SSF) and the Ministry of State Security (MSS) run extensive campaigns targeting defense contractors, technology companies, telecommunications networks, and government agencies worldwide. Groups like APT41, APT10, and the Volt Typhoon campaign have demonstrated both espionage and destructive capabilities.

Russia is distinguished by its willingness to conduct destructive cyber attacks and integrate cyber operations with conventional military campaigns. Russia's GRU (military intelligence) operates groups including Sandworm (responsible for the 2015 and 2016 Ukraine power grid attacks, the 2017 NotPetya global attack, and ongoing operations against Ukraine) and APT28/Fancy Bear (responsible for the 2016 DNC hack and numerous political influence operations). The FSB and SVR conduct espionage campaigns, including the SolarWinds supply chain compromise discovered in 2020 that penetrated multiple U.S. government agencies.

Iran has developed significant cyber capabilities despite being a comparatively smaller power. Iranian groups - including APT33 (Elfin), APT35 (Charming Kitten), and MuddyWater - target Middle Eastern adversaries, particularly Saudi Arabia and Israel, as well as the U.S. government and private sector. Iran demonstrated destructive intent with the 2012 Shamoon attack that wiped 30,000 Saudi Aramco computers and has conducted retaliatory operations following kinetic military events. North Korea is unique in using cyber operations as a revenue stream, with the Lazarus Group stealing an estimated $3 billion in cryptocurrency and conducting financially motivated attacks alongside traditional espionage and destructive operations.

Recent Major Attacks

The pace and severity of state-sponsored cyber operations have increased markedly in recent years. Russia's full-scale invasion of Ukraine in February 2022 was preceded and accompanied by extensive cyber operations targeting Ukrainian government systems, telecommunications, energy infrastructure, and satellite communications - the Viasat hack on the eve of the invasion disabled communications across a wide area. Throughout the war, Russian cyber units have conducted hundreds of operations against Ukrainian targets, though Ukraine's cyber defense - bolstered by Western assistance and private sector support - has proven more resilient than many anticipated.

China's Volt Typhoon campaign, publicly attributed by the FBI and CISA in 2023-2024, represented a paradigm shift in Chinese cyber operations. Rather than espionage, Volt Typhoon focused on pre-positioning access within U.S. critical infrastructure - water treatment facilities, power grids, transportation systems, and telecommunications networks - in what officials described as preparation for potential disruptive operations during a future conflict, likely over Taiwan. The Salt Typhoon campaign, disclosed in late 2024, revealed that Chinese hackers had penetrated major U.S. telecommunications providers and accessed call metadata and, in some cases, content of targeted individuals including government officials.

Other significant operations include Iran's increased cyber attacks on Israeli infrastructure following the October 2023 Hamas attack, North Korea's continued cryptocurrency theft operations funding its weapons programs, and ransomware operations by criminal groups with varying degrees of state tolerance or sponsorship. The line between state-sponsored operations and state-tolerated criminal activity continues to blur, particularly in Russia where ransomware groups operate with apparent impunity as long as they avoid targeting Russian-speaking countries.

Critical Infrastructure Threats

The targeting of critical infrastructure represents the most dangerous escalation in cyber warfare. Unlike espionage - which all major nations conduct and tacitly accept - attacks on power grids, water systems, hospitals, and transportation networks have the potential to cause physical harm and loss of life. Russia demonstrated this capability with the 2015 and 2016 attacks on Ukraine's power grid, which caused blackouts affecting hundreds of thousands of people, and the 2017 NotPetya attack, which was targeted at Ukraine but spread globally, causing an estimated $10 billion in damage to companies including Maersk, Merck, and FedEx.

The Volt Typhoon revelations highlighted the extent to which adversaries have pre-positioned within U.S. infrastructure. CISA Director Jen Easterly described the Chinese campaign as "living off the land" - using legitimate system tools rather than malware to maintain persistent access that is extremely difficult to detect. The implication is that in a conflict scenario, these pre-positioned accesses could be used to disrupt water treatment, power distribution, port operations, and communications at critical moments. Similar pre-positioning has been identified in allied nations' infrastructure.

The vulnerability of critical infrastructure stems from decades of connecting operational technology (OT) systems - which control physical processes like power generation and water treatment - to internet-connected information technology (IT) networks without adequate security. Many critical infrastructure operators run legacy systems that cannot be easily patched, lack dedicated cybersecurity staff, and have limited visibility into threats on their networks. The federal government has increased efforts through CISA advisories, sector-specific risk assessments, and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), but the attack surface remains vast and growing.

Cyber Defense & CISA

The United States' cyber defense architecture has evolved significantly over the past decade. The Cybersecurity and Infrastructure Security Agency (CISA), established in 2018, serves as the operational lead for federal civilian cybersecurity and coordinates critical infrastructure protection across 16 designated sectors. CISA publishes advisories, provides technical assistance, operates the Known Exploited Vulnerabilities (KEV) catalog, and coordinates incident response. The agency works closely with CYBERCOM, the NSA, and the FBI to share threat intelligence and respond to significant cyber events.

U.S. Cyber Command operates under a "defend forward" doctrine, conducting operations in foreign networks to disrupt adversary cyber capabilities before they can be used against American targets. This approach was employed during the 2018 midterm elections, when CYBERCOM disrupted Russian Internet Research Agency operations, and has been applied in ongoing operations against ransomware groups and state-sponsored actors. The Cyber National Mission Force (CNMF) conducts these hunt-forward operations, often deploying teams to allied nations at their invitation to identify and counter threats in their networks.

Despite these capabilities, the defensive challenge remains enormous. The U.S. government processes billions of cybersecurity events daily across federal networks, and the private sector - which owns approximately 85% of critical infrastructure - operates with widely varying levels of security maturity. The cybersecurity workforce shortage, estimated at hundreds of thousands of unfilled positions nationally, hampers both government and private sector defense. International cooperation through the Five Eyes alliance, NATO's Cooperative Cyber Defence Centre of Excellence, and bilateral partnerships enhances collective defense but faces challenges in information sharing speed and classification barriers.

Attribution Challenges

One of the most difficult aspects of cyber warfare is attribution - determining who is responsible for an attack. Sophisticated state actors use extensive operational security measures including proxy servers, compromised third-party infrastructure, false-flag indicators, and tools designed to mimic other nations' tradecraft. The Russian GRU has planted North Korean code in operations, Chinese groups have used Iranian infrastructure, and criminal groups sometimes conduct operations that align with state interests without clear direction.

Attribution has improved significantly through the combination of technical forensics, signals intelligence, human intelligence, and behavioral analysis. The U.S. intelligence community now routinely issues public attributions of major cyber operations - a practice that began with the 2014 indictment of PLA Unit 61398 members and has expanded to include attributions of Russian, Chinese, Iranian, and North Korean operations. These public attributions serve deterrence and diplomatic purposes but require careful balancing of the need to expose adversary behavior against the risk of revealing intelligence sources and methods.

The attribution challenge complicates deterrence and response. Unlike a missile launch with a clear origin point, a cyber attack can be routed through dozens of countries, use tools available to multiple actors, and be designed to appear as the work of someone else. This ambiguity creates escalation risks - responding to a misattributed attack could trigger unintended conflict - and provides adversaries with plausible deniability that complicates diplomatic responses. The development of international norms around responsible state behavior in cyberspace, led by the UN Group of Governmental Experts (GGE) process, has established some principles but lacks enforcement mechanisms.

Frequently Asked Questions

What is cyber warfare?

Cyber warfare refers to state-sponsored offensive operations conducted through computer networks to disrupt, damage, or gain unauthorized access to another nation's military systems, government agencies, critical infrastructure, or private sector networks. It encompasses espionage (stealing information), sabotage (destroying or degrading systems), and subversion (manipulating information or processes). Unlike conventional warfare, cyber operations can be conducted remotely, often covertly, and may not cause immediately visible damage.

Which countries have the strongest cyber capabilities?

The United States is generally considered to have the most advanced offensive and defensive cyber capabilities, followed by China, Russia, the United Kingdom, and Israel. China has the largest state-sponsored cyber workforce and conducts the most extensive espionage operations. Russia has demonstrated the greatest willingness to use destructive cyber attacks. Iran and North Korea are considered second-tier cyber powers but have demonstrated significant capabilities in targeted operations.

What is Volt Typhoon?

Volt Typhoon is a Chinese state-sponsored cyber campaign identified by the FBI, CISA, and NSA in 2023-2024. Unlike typical espionage operations that steal data, Volt Typhoon focused on gaining and maintaining persistent access to U.S. critical infrastructure - including water treatment, power grids, transportation, and telecommunications. Officials assessed the campaign as pre-positioning for potential disruptive operations during a future conflict, likely related to a Taiwan scenario.