The Growing Cyber Threat Landscape: Insights into State-Sponsored and Criminal Cyber Activities

Cyber Attacks and National Security Threats

Adversarial cyber campaigns can cumulatively produce strategic loss for the United States and its allies, and they increasingly put the development goals of emerging economies at risk. Cyber threats continue to intensify in both frequency and severity, with increased risks of escalatory or uncontrolled cyber activity. State actor and non-state actors, including criminals, terrorists, and violent extremists, have tremendous incentives to invest in and exploit digital technologies to threaten our and other’s national interests.

The People’s Republic of China (PRC) presents the broadest, most active, and most persistent cyber threat to government and private sector networks in the United States. Beijing has mounted cyber espionage operations against government, commercial, and civil society actors and has increased its ability to carry out destructive and disruptive cyberattacks. The PRC is capable of launching cyberattacks that could disrupt oil and gas pipelines, rail systems, and other critical infrastructure services within the United States or its allies and partners. Attempts to compromise critical infrastructure by PRC actors are designed in part to pre-position themselves to be able to disrupt or destroy critical infrastructure in the event of a conflict—either to either prevent the United States from being able to project power into Asia, or to affect our decision-making during a crisis by instigating societal chaos inside the United States. Both state-sponsored activity and that of PRC-linked actors are part of the PRC cyber approach.

A persistent cyber threat, the Russian government is refining its cyber espionage, cyberattack, influence, and information manipulation capabilities to threaten other states and to weaken U.S. alliances and partnerships. Russia continues to provide safe haven to transnational cybercriminal actors, such as disruptive ransomware gangs. Russia’s cyberattacks in support of its 2022 unprovoked invasion of Ukraine were intended to destabilize the Ukrainian state and military and have resulted in spillover effects onto civilian critical infrastructure in other European countries. As the war continues, Russian government and Russian government-aligned cyber actors have targeted Ukraine with cyber operations against the public and private sectors, information manipulation and online influence operations, and attempts to divert and censor Ukrainians’ access to the Internet. Russia appears particularly focused on improving its ability to target critical infrastructure in the United States to demonstrate its ability to damage infrastructure during a crisis.

The governments of the Democratic People’s Republic of North Korea (DPRK) and Iran have both increased the scale of their malicious cyber activities. Facing multiple rounds of international sanctions, the DPRK evades controls through cybercrime and the theft of cryptocurrencies. DPRK hackers continue to gather intelligence on military technology targets as well as academia and think tanks. In addition, the DPRK dispatches thousands of skilled IT workers around the world to generate fraudulent revenue that ultimately contributes to its weapons of mass destruction and ballistic missile programs despite U.S. and UN sanctions.

Iran’s growing expertise and willingness to conduct cyber operations threaten the security of networks and data globally. Iran’s opportunistic approach to cyberattacks makes critical infrastructure owners in the United States susceptible to being targeted by Iranian actors, particularly when Tehran believes that it must demonstrate it can push back against the United States in other domains. Iranian actors have engaged in a wide range of intelligence-gathering operations around the world, and—in the wake of Hamas’ atrocities on October 7, 2023, and Israel’s military operations in Gaza—have conducted wiper, website takedown, hack and leak operations, espionage, and online information manipulations campaigns. Iranian actors have also conducted malicious activity against operational technology devices used in the water sector and other industries.

Cyber criminals and criminal syndicates operating in cyberspace now represent a specific threat to the economic and national security of countries around the world. Cybercrime and online fraud cause significant harm to economic development, with small- to medium-sized enterprises and financial service providers especially at risk. According to one estimate, the global cost of cybercrime is estimated to top $23 trillion in 2027. [3]

Ransomware incidents have disrupted critical functions, services, and businesses, from energy pipelines and food companies to schools and hospitals. Ransomware attacks against the healthcare industry can undercut the level of care provided to patients and others under care. Total economic losses from ransomware attacks worldwide continue to climb, reaching into the billions of U.S. dollars annually. Ransomware groups often operate out of safe haven jurisdictions whose governments, often adversaries like Russia, do not cooperate with law enforcement and sometimes encourage, direct, sanction, or tolerate their activities.

Terrorists’ and violent extremists’ use of digital technologies also represents a threat to the national security of the United States and its allies and partners. Malign activities include the use of information and communications technologies (ICT) to spread violent propaganda; encourage radicalization and mobilization to commit violent acts; recruit individuals to terrorist organizations; to train, plan, and coordinate attacks; and finance terrorist acts.