Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Cyber Insights 2022: Nation-States

Nation State Cyber Threat Insights: 2022

Nation State Cyber Threat Insights: 2022

In the 1960s, the Cold War with the USSR was at its height and hot war raged in Vietnam. The world was on the brink, and songs like P.F. Sloan’s Eve of Destruction were popular. The world pulled back, and things changed.

But did they? The underlying geopolitical tensions never went away. The global aspirations of the three power blocs – the U.S.A., Russia and China – remain the same. And today, at the end of 2021, Joseph Carson, chief security scientist at ThycoticCentrify, says, “I believe we are truly on the brink of a full-blown cyberwar.”

All that has really changed are the weapons of choice from kinetic to cyber, and the emergence of several nations able to punch above their physical weight, such as North Korea and Iran. The UK could be included in the latter, but because of treaties with the U.S. and the relationship between GCHQ and the NSA is best viewed in cyber terms as part of the U.S.

The question for 2022 is whether the threat of full-blown cyberwar will increase or recede. The stakes are high – a single error in cyber activity could tip over into a kinetic response that could spread from local to global in extent.

Heating up or cooling down

The early months of WW2 were described as the Phony War because not much happened. There are some suggestions that 2022 will be a similar period in the current (not yet full-blown) cyberwar. “While nation state-backed threat actors won’t stop their operations, we should expect 2022 to be a quieter year,” suggests Daniel Spicer, CSO at Ivanti.

There are various reasons for such a view. “A lot of tools and techniques have been exposed in the past year, so nation-state threat actors will spend additional time updating kits and refining techniques. Changes in cybersecurity policies and requirements will require nation-state operators to further adjust their toolkits to evade new minimum requirements. Plus, most of the world does not have a major election cycle next year.” (But don’t forget the midterms.)

Carson suggests that the increasing cyber threat from cybercriminals could promote better cyber relations between nations. “This could result in the introduction of a cyber treaty in 2022 that could force cybercriminals to retreat to an ever-shrinking number of safe havens to operate as countries unite to fight back against cybercrime. Global stability has been on the knife’s edge for several years.  The increase in cyberattacks and their magnitude of impact on society means the balance of the force is tipping.”

Advertisement. Scroll to continue reading.

However, even if 2022 is a quieter year in nation-state activity (it’s a big ‘if’), it will only be the precursor to increasing activity. “By the end of 2022 or early in 2023,” continues Spicer, “we should expect to see a continuation of larger scale operations targeting the weakest links in the chain. And we likely will see more attacks targeting managed service providers (who provide IT and security services to companies) as opposed to going after companies directly.” (See Cyber Insights 2022: Supply Chain for further details on supply chain attacks.)


To understand the threat from the different nation-state adversaries, we should consider their motives. But it is also worth noting that while nations have traditionally concentrated on espionage, this is evolving to include disruption, social interference, and in some cases financial return.

SecureWorks, however, believes that espionage will remain the primary driver for nation-states: “Hostile state activity will continue to focus primarily on espionage rather than on disruption and destruction. Several states, notably China, Russia, and Iran, will continue to conduct operations aimed at harvesting bulk data to support subsequent cyber operations and traditional espionage activities.”

Most nation-states will be collecting and storing sensitive data – national security, business IP and PII – waiting for the ability to use quantum computers to decrypt the secrets.

But compare this to opinions such as that from Boaz Gorodissky, CTO and co-founder of XM Cyber, who says simply: “Nation-states will activate more disruptive attacks against their adversaries.”

Anurag Gurtu, CPO at StrikeReady, expands on this view. “The four prominent nation-state actors, including Russia, Iran, China, and North Korea, are expected to show enhanced aggressiveness with cyberwarfare. This is especially for Russia as several recent incidents, such as the manipulation of UNC2452 authentication methods, have shown the country possesses a high level of sophistication when it comes to cyberwarfare.” 

He adds, “Iran is likely to consider creating more power balance towards its own interest, with more emphasis on regional promotions. As for China, the country is expected to continue supporting the Belt and Road initiative with the use of cyber-espionage while North Korea is willing to take the risk, if need be, and continue funding nuclear ambitions and strategic intelligence with the North Korean cyber apparatus. I do not see any slowdown for these nations, while some more may also join in 2022.”


Russia’s primary geopolitical motivation is to regain the global influence it enjoyed as the USSR. It has no qualms about using kinetic force where it is unlikely to provoke a kinetic response from NATO – such as the Crimea earlier, and possibly the Ukraine in 2022. Elsewhere, cyber is its weapon of choice. The reason is simple: deniability. There is no global court able to accept and uphold ‘proof’ of culpability.

In geographic regions that are unlikely to benefit from a kinetic NATO response, we are likely to see a continuation of the disruptive Russian activity we have seen in the past – such as the attacks against power supplies and the delivery of destructive cyber like NotPetya.

Elsewhere, Russia will have three primary purposes: espionage to keep pace with other countries’ technology; reconnaissance to enable access to critical industries (for use if needed, rather than specifically as a first strike); and destabilizing societies.

We will hear little about the first two. “By their very nature, nation-state attacks are ‘low and slow’ and very targeted, the complete opposite of ransomware-based attacks (see Cyber Insights 2022: Ransomware for more details). I believe they will continue globally,” comments Ed Williams, Director of Trustwave SpiderLabs EMEA. They also tend to be very stealthy.

Russia and China Cyber Threats

For the third purpose, Russia has two primary targets: the U.S. and the EU. It is ironic that a socialist government would seek to promote far-right organizations – but nevertheless, this is exactly the way to destabilize traditional liberal democracies. 

The current strength of the right in the U.S. has led to questions over the very future of U.S. democracy, and the midterms in 2022 offer the potential for more disruption. If the right obtains unfettered control of Congress in the November elections, it will effectively neuter the current president. 

In the EU, the rise of the right has already led to calls for Frexit (French exit from the EU). A destabilized U.S. and a fractured EU is exactly what Russia would like to see, and we can expect it to use its considerable misinformation and disinformation cyber expertise to promote both conditions.


Culturally, China is very different to Russia. It is able and willing to play the long game. It doesn’t wish to destroy other societies, economies or governments – it merely wishes to dominate and surpass them. This can be achieved by having better technology and a stronger economy.

For now, China must play catch-up in both areas, and it uses cyber to achieve this. The primary method is cyberespionage to steal state and technology secrets. But it is also interested in personal credentials where the people concerned may be able to further Chinese national interests.

“Several states, notably China, Russia, and Iran,” suggests SecureWorks, “will continue to conduct operations aimed at harvesting bulk data to support subsequent cyber operations and traditional espionage activities.”

Like Russia, it will also engage in critical infrastructure reconnaissance so that attacks against critical industries can be invoked in extreme conditions. But unlike Russia, it has no moral restraints and is less concerned about plausible deniability. For this reason alone, hostile Chinese cyber activity will likely increase.

“Broadly speaking,” suggests Casey Ellis, founder and CTO at Bugcrowd, “we should see China as a rising cybersecurity threat on the international stage. That has been the case for some time in terms of their economic, defense, and military posture, but 2021 has quite clearly demonstrated that the relationship has deteriorated into a sort of Cold War, with espionage playing out in the cyber domain.”

Mike Sentonas, CTO at CrowdStrike, agrees that Chinese activity is still rising. “Geopolitical tensions continue to sour to an all-time low between China and other APJ countries – and these tensions have spilled heavily over to the cyber world,” he said. “China-based threat actors have remained consistently active, targeting healthcare, defense and other industries in APJ countries to support their 14th Five-Year Plan, Belt and Road Initiative (BRI), Made in China 2025, and other economic strategies.”


Iran has a cultural antipathy towards current U.S. economic imperialism and historical British colonialism, having suffered from both. It does not seek global influence like Russia nor global dominance like China. It is consequently less concerned with avoiding destructive cyber activity. The extent and severity of its cyber activity will be linked to the extent and severity of economic sanctions levied against it.

Iran Cyber Threats

However, the more destructive activity is likely to be localized to the Middle East region. It has a hatred for Israel and a strong dislike for Arab countries it considers to be too pro-western. While traditional cybercriminals are likely to abandon the use of encryption within ransomware, Iran might abandon decryption to turn ransomware into a wiper for use against regional ‘enemies’.

But Iran is also interested in a destabilized U.S. and is quite likely to engage in cyber activities designed to disrupt or influence the U.S. midterm elections. Like other adversaries it will also reconnoiter western critical industries ‘just in case’.

North Korea

North Korea is the black sheep. It suffers under the most stringent economic sanctions and feels it has little to lose. One of its primary concerns is to use cyber as a means of bolstering its economy, and consequently behaves more like a traditional cybercriminal than a major nation-state. It has a strong motivational need for money, and consequently uses ransomware and other means of extortion on a large scale.

Potential newcomers

2022 could also see the emergence of new nation-state activity. Vietnam, for example, has no historic love for Japan. Japan is rich and Vietnam would like to be. There have already been suggestions of Vietnamese espionage against the Japanese motor industry to help bolster its own. Vietnam could be tempted to expand its technology espionage.

Afghanistan is also an unknown. In the short term it is no threat – but this could change if the Taliban believes it is unfairly treated by the U.S. and Europe. It does not currently have the technical expertise to engage in cyberwar – but this expertise could be obtained from neighboring Iran and/or China.


It is difficult to predict how nation-states will perform their activities in 2022. The primary difference between nation-state actors and most cybercriminals is one of resources (but note the increasing professionalism of cybercriminal gangs in Cyber Insights 2022: The Good Versus the Bad). Nation-states generally have more time – and especially in China – more human resources to achieve their end. There is less pressure for an immediate financial ROI.

Victims are often chosen targets rather than just any organization with a known vulnerability. If the target has no known vulnerability, criminals will look elsewhere while nation-states have the time to ‘create’ a vulnerability. Nation-states will take advantage of what exists, but will spend time on breaching a target if necessary. Their low, slow and stealthy activity likely means they have access or have accessed more targets than is generally known.

This will continue through 2022, but we may never know to what extent.

About SecurityWeek Cyber Insights 2022

Cyber Insights 2022 is a series of articles examining the potential evolution of threats over the new year and beyond. Six primary threat areas are discussed:

• Ransomware

• Adversarial AI

• Supply Chain 

• Nation States

• Identity

• Improving Criminal Sophistication

Although the subjects have been separated, the attacks will rarely occur in isolation. Nation state and supply chain attacks will often be linked ‒ as will supply chain and ransomware. Adversarial AI will likely be seen primarily in attacks against identity; at least in the short term. And underlying everything is the growing sophistication and professionalism of the cybercriminal. 

SecurityWeek spoke with dozens of security experts and received almost a hundred suggestions for the series.  

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights