The reality: State-affiliated hacker groups have long been part of the geopolitical order
Cyber attacks are no longer the work of lone individuals. State-supported hacker groups play a central role in today's threat landscape. Security experts speak of the "Big Four": China, Russia, Iran and North Korea.
All four countries have massively expanded, professionalized and often legally legitimized their cyber capabilities in recent years. This is not just about espionage or sabotage, but also about economic advantages and geopolitical influence.
China: cyber warfare on the quiet
With over 240 documented attacks in Austria in 2023 alone, China was the frontrunner among suspected state-sponsored attackers. What sets Chinese tactics apart is their reliance on persistence, stealth and targeted data espionage. Attacks are planned and executed over the long term via specialized units, private service providers and a specially established cyber security center in Wuhan.
A leaked set of internal documents (the "I-Soon leak") revealed that data is deliberately exfiltrated in small quantities in order to circumvent security mechanisms and remain under the radar. Particularly critical: according to the law, discovered zero-day vulnerabilities must first be reported to the government - not the manufacturer. This is a deliberate departure from international standards with the aim of potentially using exploits for offensive purposes.
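The "small quantities" tactic works because many data-loss rules only look at the size of a single transfer. The added example below (my own illustration, not code from the article or from any vendor) shows the defensive counterpart: aggregating outbound volume per host over a sliding 24-hour window so that many sub-threshold uploads still trip an alert. The log format, host names, destinations and thresholds are constructed for the example.

```python
"""Aggregate small outbound transfers per host to surface 'low and slow' exfiltration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: timestamp, internal host, destination, bytes sent.
SAMPLE_LOG = """\
2023-05-01T09:02:11Z ws-104 upload.example-cdn.net 480000
2023-05-01T09:41:53Z ws-104 upload.example-cdn.net 470000
2023-05-01T10:17:08Z ws-104 upload.example-cdn.net 495000
2023-05-01T11:05:30Z ws-104 upload.example-cdn.net 460000
2023-05-01T12:33:44Z ws-104 upload.example-cdn.net 490000
2023-05-01T13:12:02Z ws-104 upload.example-cdn.net 475000
2023-05-01T09:10:00Z ws-207 mail.example.org 120000
2023-05-01T15:45:12Z ws-207 mail.example.org 300000
"""

PER_TRANSFER_LIMIT = 500_000   # hypothetical per-upload threshold of a classic DLP rule
WINDOW = timedelta(hours=24)   # sliding window over which transfers are summed
AGGREGATE_LIMIT = 2_000_000    # hypothetical baseline for total outbound bytes per host per window


def parse_log(text):
    """Yield (timestamp, host, destination, bytes) tuples from the constructed log text."""
    for line in text.splitlines():
        ts, host, dest, size = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dest, int(size)


def find_slow_exfiltration(text, per_transfer=PER_TRANSFER_LIMIT,
                           window=WINDOW, aggregate=AGGREGATE_LIMIT):
    """Return {host: peak_bytes_in_window} for hosts whose individual transfers all stay
    below the per-transfer limit but whose windowed total exceeds the aggregate limit."""
    events = defaultdict(list)
    for ts, host, _dest, size in parse_log(text):
        if size >= per_transfer:
            continue  # a single large upload is already caught by the per-transfer rule
        events[host].append((ts, size))
    flagged = {}
    for host, items in events.items():
        items.sort()
        start, running, peak = 0, 0, 0
        for ts, size in items:
            running += size
            while ts - items[start][0] > window:   # drop transfers that fell out of the window
                running -= items[start][1]
                start += 1
            peak = max(peak, running)
        if peak > aggregate:
            flagged[host] = peak
    return flagged
```

In the sample, every upload from ws-104 is under the per-transfer limit, yet its 24-hour total of 2,870,000 bytes exceeds the aggregate baseline and is flagged, while ws-207 stays well below it.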
Russia: sabotage, disruption, disinformation
Russia is pursuing a much more aggressive cyber strategy. The focus is clearly on symbolic attacks, for example on energy suppliers or political institutions. In 2023, 158 Russia-related cyber attacks were registered in Austria.
State-affiliated groups such as "Sandworm", part of the Russian military intelligence service GRU, have been operating with great precision for years. One well-known example is the attack on the Ukrainian power grid. Russia also provides a digital environment in which private cybercriminals can move and operate freely. Ransomware groups such as "LockBit" benefit from this lawless space.
Iran: cyber power through sanctions
Iran has been investing in cyber capabilities since its nuclear program was compromised by Stuxnet in 2010. Today, the Islamic Republic is one of the most active players in global cyberspace. The aim is often to circumvent Western sanctions and gain access to militarily relevant information.
In 2023, over 100 cyberattacks of Iranian origin were observed in Austria. The attacks often target space and satellite projects, defense companies or critical infrastructure.
North Korea: cybercrime as a source of income
North Korea is a special case: here, cybercrime is officially used to finance the state. According to the United Nations, over 1.2 billion US dollars were generated through cyber theft, including to finance the North Korean nuclear program.
The focus is on attacks against crypto exchanges and financial service providers. Targeted phishing campaigns, supply chain attacks and malware infiltrated via manipulated domains are typical.
Recommendations for action: How companies can arm themselves against state-motivated attacks
To survive in this new threat context, you need more than traditional IT security measures:
🛡️ Introduce cyber threat intelligence: understand who is attacking - and how. Information on state attack groups and their tactics is crucial for prevention.
🛡️ Establish a Zero Trust architecture: trust is a thing of the past - today, the rule is: verify before access is granted. For systems, users and services.
🛡️ Increase supply chain security: attacks often come indirectly - for example via external service providers or outdated components in the chain.
🛡️ Incident Detection & Response (XDR / MDR): detect attacks in real time, respond quickly and minimize damage with automated systems and partners with 24/7 Security Operations Centers.
🛡️ Strengthen security awareness programs: with social engineering and spear phishing in particular, all it takes is a single click and the attacker is in.