Hack the planet! A snapshot of nation-state cyber threats over the last 12 months

Nation-state hackers and hacktivist groups made up a quarter of all interactive network intrusions over the last 12 months – so who are these hackers, and what are they trying to achieve?


Cyber attacks and data breaches, sadly, are now part of the regular news cycle.

Whether it's Qantas Frequent Flyer members having their in-flight meal preferences exposed, or sensitive medical data taken from any number of healthcare operators, hacks, and the fallout from them, seem to be here to stay.

But in the background of run-of-the-mill cyber-crime, nation-state hackers are continuing to ply their trade, stealing both data and dollars on behalf of their regimes.


In fact, according to cyber security firm CrowdStrike’s 2025 Threat Hunting Report, nation-state activity rose sharply over the last 12 months, sharper even than regular, financially motivated cyber-crime.

That’s not to say that cyber-crime isn’t on the rise – it well and truly is, just not at the same rate. Take the technology sector, the number one target for hackers of all stripes: intellectual property, corporate secrets, and even defence and industrial intelligence. Cyber-criminal activity targeting the sector actually fell (though it remains the most targeted), while nation-state activity targeting it rose by 99 per cent year-on-year.

Telecommunications, the next most targeted sector, faced a 130 per cent increase in nation-state intrusions, while consulting and personal services saw a 126 per cent increase. Government entities, however, have borne the brunt of the activity. Nation-state attacks against government targets surged by an alarming 185 per cent in the last 12 months.

“Though the government sector is consistently a high-value target for a variety of nation-state adversaries, this significant increase is attributed to activity conducted by Russia-nexus adversaries such as Primitive Bear and Venomous Bear, who conduct suspected espionage operations against Ukraine government entities in direct support of the conflict in Ukraine,” CrowdStrike said in its report.

Financial services aren’t immune either, unsurprisingly. This sector saw a merely ‘modest’ 80 per cent rise in nation-state activity.

So who are these hackers, and what are their aims? Here are three of the groups CrowdStrike observed in the last 12 months.

A quick note about attribution

Spectral Spider. Ethereal Panda. Venomous Bear.

You’d be forgiven for thinking these are outlandish creatures from a fantasy novel or a game of Dungeons & Dragons. But they’re hacking groups, and no, they don’t name themselves this. CrowdStrike’s analysts do, and there is a method to what seems to be their madness.

CrowdStrike assigns an animal to each country with an active state-backed hacking community. China, unsurprisingly, is Panda, and Russia, Bear. North Korea is Chollima (a mythical winged horse from Korean folklore), Sphinx is, you guessed it, Egypt, and so on. If CrowdStrike ever had to attribute a hacking group backed by Australia, it would likely be Kangaroo or Koala – you get the idea.

Until CrowdStrike is confident of a group’s affiliation and motives, it stays unattributed and is referred to as, for instance, a China-nexus adversary. Once the analysts are confident, the group gets a name: the analysts tracking it choose the first half of what CrowdStrike calls a cryptonym, often loosely based on the actor’s behaviour, and the country’s animal supplies the second half.

It may seem random, even a bit tongue-in-cheek, but having a set and clear name for an adversary helps massively in tracking and future attribution.

Spider, by the way, when used in the second part of CrowdStrike’s naming protocol, refers to criminal activity. Now you know.

Famous Chollima and the rise of the fake IT worker

If you’ve been paying attention, you’ll know that Famous Chollima is a North Korean group, and it’s one of the most active operators in that country’s campaign to raise funds for its weapons programs.

Famous Chollima uses a raft of techniques to get its operatives placed as IT workers at more than 30 US companies, including organisations in the defence and technology sectors. Other countries, including Australia, were targeted too, but the bulk of Famous Chollima’s ‘fake IT worker’ schemes target US entities.

“Threat hunters found that after obtaining employee-level access to victim networks, the insiders performed minimal tasks related to their job role. In some cases, the insiders also attempted to exfiltrate data using Git, SharePoint and OneDrive,” CrowdStrike said.

“Additionally, the insiders installed the following RMM tools: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels and Google Chrome Remote Desktop.”

Horde Panda and credential abuse

The China-backed group Horde Panda was observed attempting to penetrate the network of a South Asian telecommunications provider. The hackers used multiple sets of compromised credentials to embed themselves into the network and then move laterally across it.

Horde Panda deployed a pair of implants on the target network before deploying malware to maintain persistence on the network – backdoors, basically.

The hackers also performed a DCSync attack, abusing directory replication rights to pull credential material such as user password hashes out of the network’s Active Directory.

The group continued to leverage compromised credentials to gain further network access before it was detected and ultimately ejected by CrowdStrike. The hackers were likely looking to monitor activity on the telecommunications network in order to perform further espionage activities.
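A DCSync leaves a distinct trace on the domain controller: a Security event 4662 in which some principal exercises the directory replication extended rights, which only other domain controllers (and a directory sync account) should ever need. The following is an added example of that detection logic, not code from CrowdStrike or from the article. The event records are constructed, and the allow-list of expected replicators is an assumption standing in for a real domain controller inventory.

```python
# Added example (not CrowdStrike's or the article's code): flag DCSync-style
# directory replication requests in Windows Security event 4662 records.
# The log records are constructed; the list of expected replicators is an
# assumption standing in for a real domain controller inventory.

# Well-known Active Directory control-access-right GUIDs that a replication
# request exercises. A DCSync pulls password hashes with Get-Changes-All.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

CONTROL_ACCESS = 0x100  # AccessMask bit for 'Control Access' (extended rights)

# Assumed allow-list: domain controller machine accounts and the directory
# sync account. Build this from your real DC list, not by hand.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_4f3a9c1e"}

# Constructed sample events, flattened as 'Key=Value' pairs joined with '|'.
SAMPLE_EVENTS = [
    # Normal: one DC replicating from another.
    "EventID=4662|SubjectUserName=DC02$|SubjectDomainName=CORP|AccessMask=0x100"
    "|Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Suspect: a service account asking for Get-Changes-All (password hashes).
    "EventID=4662|SubjectUserName=svc_backup|SubjectDomainName=CORP|AccessMask=0x100"
    "|Properties=%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Noise: an ordinary property read, no replication right involved.
    "EventID=4662|SubjectUserName=jsmith|SubjectDomainName=CORP|AccessMask=0x20"
    "|Properties=%%7684 {bf967a86-0de6-11d0-a285-00aa003049e2}",
    # Noise: a logon event that should be ignored entirely.
    "EventID=4624|SubjectUserName=svc_backup|SubjectDomainName=CORP|LogonType=3",
]


def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(pair.split("=", 1) for pair in line.split("|"))


def replication_rights(event):
    """Names of the replication rights referenced in the Properties field."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync(event):
    """True when a 4662 exercises a replication extended right via Control Access."""
    if event.get("EventID") != "4662":
        return False
    if int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
        return False
    return bool(replication_rights(event))


def find_dcsync(lines):
    """Return replication requests from principals not expected to replicate."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_dcsync(ev):
            continue
        who = ev.get("SubjectUserName", "")
        if who in EXPECTED_REPLICATORS:
            continue  # a DC replicating with another DC is normal
        findings.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{who}",
            "rights": replication_rights(ev),
        })
    return findings


if __name__ == "__main__":
    for f in find_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspect: {f['subject']} requested {', '.join(f['rights'])}")
```

The check keys on the right GUIDs rather than their display names, since the localised name in the Properties field ("Replicating Directory Changes All") varies with the DC's language. Auditing of directory service access must be enabled on the domain controllers, and a SACL on the domain object covering those rights must exist, for 4662 to be written at all.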

Static Kitten and RMM tools

The Iranian group known as Static Kitten relies on legitimate remote monitoring and management software to gain access to its victims. CrowdStrike observed this group using spear phishing tactics – targeted or personalised emails – to trick targets into downloading the RMM tools, which then gives the hackers access to their devices.

“In March 2024, STATIC KITTEN engaged in phishing activity to deliver ScreenConnect and Atera to government, telecom and technology entities in the Middle East and South Asia,” CrowdStrike said.

“In June 2024, STATIC KITTEN continued using the Atera RMM tool during a spear-phishing campaign against a healthcare entity in the Middle East, marking the latest in their series of operations using RMM tools to target Middle East-based entities.”

RMM tools are an attractive option for many hacking groups, both state-sponsored and criminal, as they’re easily available and can provide full access to their victims’ devices. In some cases, threat actors even rename these tools to hide their efforts.
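Renaming the binary defeats a rule that matches on the file name, but not one that matches on the OriginalFileName embedded in the executable's version information, which process-creation telemetry such as Sysmon event 1 records. The following is an added example of that hunt, not code from CrowdStrike or the article. The events are constructed, and the OriginalFileName values are assumed from the vendors' builds; verify them against samples from your own fleet before relying on them.

```python
# Added example (not the article's or CrowdStrike's code): hunt process-creation
# telemetry for RMM tools, including binaries renamed to evade name-based rules.
# Matching is on the PE version-info OriginalFileName, which renaming the file
# on disk does not change. The events are constructed; the OriginalFileName
# values are assumed and should be verified against real samples.
import ntpath

# Assumed OriginalFileName values for RMM tools named in the article.
RMM_ORIGINAL_NAMES = {
    "anydesk.exe": "AnyDesk",
    "rustdesk.exe": "RustDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "remoting_host.exe": "Chrome Remote Desktop",
}

# Directories an interactive user can write to; an RMM agent launched from
# here rather than an install directory deserves a second look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")

# Constructed Sysmon event 1 style records, flattened as 'Key=Value|...'.
SAMPLE_EVENTS = [
    # Expected: a properly installed helpdesk tool.
    "EventID=1|Image=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"
    "|OriginalFileName=AnyDesk.exe|User=CORP\\helpdesk01",
    # The evasion: RustDesk renamed to look like a Windows service host.
    "EventID=1|Image=C:\\Users\\Public\\Music\\svchost.exe"
    "|OriginalFileName=rustdesk.exe|User=CORP\\jsmith",
    # Noise: not an RMM tool.
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe"
    "|OriginalFileName=NOTEPAD.EXE|User=CORP\\jsmith",
    # Not renamed, but run from a user temp directory (phishing delivery).
    "EventID=1|Image=C:\\Users\\jsmith\\AppData\\Local\\Temp\\AteraAgent.exe"
    "|OriginalFileName=AteraAgent.exe|User=CORP\\jsmith",
]


def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(pair.split("=", 1) for pair in line.split("|"))


def classify(event):
    """Return a finding dict for an RMM launch, or None for anything else."""
    original = event.get("OriginalFileName", "").lower()
    tool = RMM_ORIGINAL_NAMES.get(original)
    if tool is None:
        return None
    image = event.get("Image", "")
    on_disk = ntpath.basename(image).lower()
    return {
        "tool": tool,
        "image": image,
        "user": event.get("User", ""),
        "renamed": on_disk != original,
        "user_writable": image.lower().startswith(USER_WRITABLE_PREFIXES),
    }


def hunt_rmm(lines):
    """Classify every record and keep only the RMM launches."""
    findings = []
    for line in lines:
        f = classify(parse_event(line))
        if f is not None:
            findings.append(f)
    return findings


def severity(finding):
    """Rough triage: renamed binaries first, then odd launch paths."""
    if finding["renamed"]:
        return "high"
    if finding["user_writable"]:
        return "medium"
    return "info"


if __name__ == "__main__":
    for f in hunt_rmm(SAMPLE_EVENTS):
        print(f"[{severity(f)}] {f['tool']} run by {f['user']} as {f['image']}")
```

OriginalFileName can itself be stripped or forged by an adversary who rebuilds the binary, so in practice this check sits alongside hash- and signer-based matching and network indicators for the vendors' relay infrastructure; it is the cheap first pass that catches the plain rename the article describes.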

And that’s just the tip of the iceberg: three of the case studies from CrowdStrike’s latest research, which you can read in full here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
