cross-posted from: https://lemmy.sdf.org/post/37521781

Historically, Western assessments of cyber threats have concentrated on state adversaries. More than 600 state-backed groups are tracked globally. Yet, for more than a decade, Western analyses and discussions of cyber threat concerns have focused mainly on four states: China, Iran, Russia and North Korea. Based on open-source reporting evaluated by the European Repository of Cyber Incidents (EuRepoC), these countries account for more than 70 per cent of the state-backed threats that Europe and its partners have faced since 2000.

[…]

Critically, in the current climate of heightened geopolitical tension, the operational divide between state and non-state actors shows signs of collapsing, as states seek to assert control over cyber capabilities both inside and outside their borders. A closer examination of EuRepoC data underscores the need for a more integrated understanding in the analysis of state and non-state actor threats. These trend lines are particularly pronounced in the case of the authoritarian states that have dominated Western threat perceptions, highlighting how long-standing nation-state threats are reinforced by non-state capabilities. Russia, China and North Korea have each developed their own distinct approach. While Russia has provided sanctuary for criminal groups, China’s state programmes have served to accelerate the emergence of a domestic hacking industry. Charting its own path, North Korea has sought to create bridgeheads extraterritorially for its operators.

[…]

Russia: The safe haven blueprint

Russian cyber criminals make up nearly half of the most wanted list published by Germany’s Federal Criminal Police Office (BKA). That list typically includes individuals accused of high-profile crimes, such as members of the far-left terrorist organisation RAF, those who collaborated in the 9/11 attacks and individuals such as Jan Marsalek, the former chief operating officer of the now bankrupt payment processor Wirecard. The BKA list has had a notable success rate: close to 70 per cent of suspects included on it since 1999 were arrested. However, in the case of the twenty-six people included on the list because of suspected links to the Russian criminal underground, there is little expectation of any breakthrough, despite German law enforcement and its international partners having collected a wealth of information on those individuals.

[…]

China: Command, control, deny

Unlike Russia, the People’s Republic of China (PRC) seeks to seize non-state cyber capabilities through the targeted development of a commercial ecosystem. This approach is part of the three-fold aim to establish command, control and deniability within the PRC cyber portfolio. As regards the first goal, command efforts are designed to secure unconditional authority over high-risk operations entrusted to the military.

Meanwhile, initiatives to strengthen control have centralised the coordination of cyber espionage objectives within the Ministry of State Security (MSS). This arrangement is supported by the legally mandated reporting of vulnerabilities and a network of hacking competitions that channel the findings of vulnerability research into offensive programmes. The MSS 13th Bureau’s management of the Chinese National Vulnerability Database ensures near-seamless integration into this vulnerability discovery system.

[…]

North Korea: Breaking out of isolation

The cyber activities of the Democratic People’s Republic of Korea (DPRK) are both a strategic continuation of and an operational departure from the political, economic and military self-reliance strongly emphasised in the country’s state ideology. While the DPRK is attempting to break out, at least partly, of its self-imposed isolation through its cyber programme – thereby demonstrating the political will and the capability to innovate means of subverting international sanctions – it is also making considerable efforts to leverage non-state capabilities beyond its own borders. Despite its diplomatic isolation, the DPRK has been able to enlist foreign tools and know-how to steal cryptocurrency and to use blockchain-based technologies developed by a global decentralised community of engineers to launder funds and thereby support the development of its military capabilities. To generate revenue and alleviate the pressure of sanctions, the DPRK has sought to leverage legitimate platforms and expertise, which become criminally liable – and thus a focus of interest – only when co-opted in this way.

[…]

Calibrating responses [by the EU and the West]

In the absence of an integrated understanding of how authoritarian actors leverage non-state resources, tactics that slow down and fragment attribution efforts may weaken the response toolkit developed by EU member states. Currently, key cyber diplomacy tools – such as sanctions – remain closely tied to attribution. Addressing senior officials responsible for developing cyber policies and practices in May 2025, Germany’s cyber ambassador, Maria Adebahr, recognised that efforts to hold threat actors accountable are dependent on this link to attribution. Implicit in this recognition is the need to develop response options that are independent of attribution.

Capturing non-state capabilities allows authoritarian states to enlarge their pool of capabilities and step up their operational tempo. Diplomatic measures that address the interweaving of state and non-state capabilities have strong complementary potential. They include not only initiatives aimed at restricting threat actors’ access to legitimate platforms and disrupting criminal tools, but also information sharing, as part of a regular exchange with friendly jurisdictions, with a view to developing a common threat perception; such sharing could support due diligence efforts to constrain the room for manoeuvre overseas and facilitate the takedown of shadow infrastructure. A response framework that remains fit for purpose requires a range of tools that can match the changing scope of the threat.