Geopolitical conflict has become an accelerant for cyber risk. Russia, China, Iran, North Korea, and a sprawling cast of non-state actors are operating in parallel, sometimes in coordination, more often in convergence, to exploit the instability. The result is a structurally more dangerous threat environment that CISOs need to plan for rather than react to.
This isn't a formal alliance. It's a convergence of interests: independent actors who benefit from shared disruption, overlapping targets, and the safe-harbor conditions each creates for the others. Tooling gets reused. Infrastructure overlaps. Attribution gets harder. And the line between state-directed campaigns and independent criminal activity continues to blur.
Here's what each actor brings to the table, and what it means for how you defend.
China: Patient, Pervasive, Playing the Longer Game
China is the most strategically consequential and the most misunderstood. Its program isn't built for disruption or extraction. It's built to displace U.S. economic and technological primacy over the course of decades. Three lines of effort run in parallel: IP theft to accelerate industrial modernization, strategic espionage to inform foreign policy and military planning, and pre-positioning for crisis leverage. Volt Typhoon's persistent access to U.S. critical infrastructure and recent telecom infiltration campaigns targeting systems that carry data rather than the data itself illustrate its ambition. China is patient by design, scaled by intent, and deliberately indistinguishable from normal network activity once inside.
Russia: Strategic Persistence and Pre-Positioning
Russia treats cyber as a core instrument of state power. Its operations are calculated and long-term: espionage against government and defense targets, influence operations to erode institutional trust, and pre-positioning inside energy, telecom, and transportation systems as a hedge for future escalation. NotPetya and the Ukraine power grid intrusions made clear that Russia is willing to translate access into real-world disruption. Spear-phishing, edge-device exploitation, supply-chain compromise, and living-off-the-land techniques remain its workhorse methods.
Iran: Regionally Driven, Selectively Destructive
Iran is the most willing of the four to impose direct costs. Its cyber apparatus, spanning intelligence services, the IRGC, and proxy groups, uses disruption as a retaliatory signal rather than an opening move. Wiper malware (Shamoon and its successors), hack-and-leak operations, and credential-based intrusions targeting cloud and remote-access portals are its preferred tools. Espionage focuses on government, defense, and Iranian dissident networks. Influence operations weaponize stolen data to shape narratives around elections and regional conflict.
North Korea: Financially Driven, Strategically Aligned
North Korea is unique in that its cyber program directly funds the regime. The Lazarus Group's cryptocurrency thefts, sophisticated social engineering campaigns, and the more recent placement of operatives into remote IT roles at Western companies are state-sponsored revenue generation, not opportunistic crime. Espionage and selective disruption round out the program, but the financial focus makes North Korea both predictable in its targets and creative in its methods.
Non-State Actors: Amplifiers of Instability
Hacktivists, ransomware syndicates, and opportunistic attackers fill the gaps. They rarely take orders, but they reliably benefit from the same instability and the same permissive environment. Ransomware, DDoS, and hack-and-dump operations dominate, with low barriers to entry and high volume. During geopolitical flare-ups, their activity surges in lockstep with state-aligned campaigns.
What This Means for CISOs
The instinct is to treat this as a resourcing problem: more tools, more analysts, more budget. That framing is incomplete and, in some cases, actively counterproductive. The actors profiled here are patient, structurally embedded, and optimized for persistence rather than speed. A program built primarily around detection and response is not well-matched to adversaries whose defining trait is the ability to remain undetected for months or years.
In our incident response work, organizations that have invested heavily in EDR, SIEM, and detection engineering still lose control of incidents because basic containment disciplines weren't operationalized. The tooling surfaced activity, but response lag, unclear ownership, and inconsistent isolation practices allowed adversaries to maintain access and expand their foothold.
What this environment actually demands is resilience, the organizational capacity to absorb intrusion, contain its consequences, maintain operational continuity, and recover without catastrophic loss. That's a different design objective.
Four priorities pay off consistently across nearly every actor profiled here:
- Perimeter hygiene. Edge devices, VPNs, and remote-access infrastructure are the preferred initial access vector for all four nation-states. Unpatched vulnerabilities here are no longer an acceptable risk.
Across the environments we assess, a single unmanaged or poorly governed remote access path, often inherited through M&A or a third party, is repeatedly the initial foothold despite otherwise strong internal controls. Attackers are systematically finding the one door you forgot to lock.
- Identity. Credential compromise is the connective thread through spear-phishing, social engineering, insider placement, and password spraying. Hardening identity reduces exposure to the full range of adversary techniques at once.
- Threat intelligence with geopolitical context. Intel that informs prioritization is useful. Intel that just generates alerts is noise.
- Supply chain. Software dependencies, MSPs, and third-party access deserve the same scrutiny as internal systems. Adversaries have already shown they'll route through them when direct access gets hardened.
No program eliminates the risk of intrusion by actors at this level. The goal is to raise the cost of access, compress the window of undetected presence, and limit the blast radius. The organizations that fare best aren't necessarily the ones with the largest security budgets. They're the ones who've made a deliberate, sustained decision to be harder targets than the alternatives.