Netskope, a cybersecurity company, revealed that nearly two-thirds of attributable malware used in attacks over the past year is linked to state-backed groups.
The report is based on 12 months of data collected from customer environments, with the largest share of malware attacks coming from North Korean groups, followed by China and Russia.
Netskope's findings highlight the growing threat from state-backed groups. The report emphasizes that state-affiliated actors are outsourcing operations to cybercriminals, further complicating attribution.
MI5 director general, Ken McCallum, warned of the increasing digital threat from Russia.
Ray Canzanese, Director of Netskope Threat Labs, pointed out that attribution can be challenging as adversaries try to hide their true identities or launch false-flag operations. Multiple groups often use the same tactics and techniques, making it difficult to define adversary groups.
The article also mentions that financially motivated attacks, largely carried out by cybercrime groups, comprised more than 90 percent of the total analyzed by Verizon last year.
Netskope's warnings carry weight because nation-state actors, as they expand their operations, target cloud applications for entry and exfiltration.
North Korean actors focus mainly on profit, while China and Russia target high-value victims such as critical infrastructure providers for disruption and cyber-espionage.
Source: https://www.infosecurity-magazine.com/news/twothirds-attributable-malware/
Commentary
The source notes two groups that are targeting data: nation states and cybercriminals. Although their goals may differ (espionage, profit, disruption), their social engineering methods are similar.
The most common tactics are:
- Spear Phishing: This involves sending carefully crafted emails to targeted individuals, often impersonating trusted sources to trick targets into revealing sensitive information or clicking on malicious links. These emails are designed to look legitimate and can be highly personalized based on the victim's online presence.
- Smishing: This is like phishing but conducted through SMS or text messages. Cybercriminals send texts pretending to be someone else to steal information. These messages can include fake delivery notifications, late payment warnings, or requests for sensitive information.
- Poisoning the Well: Commonly called a watering hole attack, this tactic involves compromising strategic websites that the target audience visits frequently. The compromised websites then serve malicious software to their visitors, effectively snaring victims.
The final takeaway is that organizations that want to lower their exposure to nation state and cybercriminal attacks should focus on training employees and other system participants on identifying phishing.