Geopolitical Countdown: The Evolution of Cyberspace from Espionage to Destruction and New Strategies for Corporate Resilience

Introduction: The New Normal of Cyber Warfare and the End of the Gray Zone

The modern international conflict landscape has been irreversibly altered by the emergence of cyberspace as a primary operational domain. The digitalization of global infrastructure, governance, and society has created vulnerabilities on a scale previously unimaginable. Once, cyber operations were seen as a tool for low-intensity harassment or covert espionage, operating below the threshold of military conflict. This ambiguous space was defined as the “gray zone,” which prevented actions from triggering a conventional warfare response and provided the attacking state with a veil of plausible deniability. However, as geopolitical tensions reach a boiling point, this illusion is ending.

The Viasat KA-SAT Attack: The Catalytic Event

The most prominent indicator of this strategic shift is the devastating cyberattack on Viasat’s KA-SAT satellite network, which occurred on February 24, 2022, just one hour before Russia’s ground invasion of Ukraine. This event clearly demonstrated that state-sponsored cyber operations (APTs) are no longer covert activities conducted in the shadows but have transformed into an overt and destructive instrument of national power, directly synchronized with conventional military operations.

The timing of the attack clearly indicates the operation’s intent. Beginning approximately one hour before the invasion, the operation directly targeted the command, control, and communications (C3) capabilities of the Ukrainian military. This is concrete proof that the cyberattack was used as “preparatory fire” for traditional military operations and is an integral part of hybrid warfare doctrine. The attackers’ goal was not to steal data but to permanently disable the infrastructure; to this end, they used a wiper malware called AcidRain, designed to remotely erase the memory of modems and routers.

Because the attack was so precisely synchronized with the invasion, the European Union and the Five Eyes alliance quickly and publicly attributed it to Russia’s military intelligence service, the GRU. This signals a strategic shift: in great power conflicts, states are now abandoning the guise of the gray zone and are prepared to use their destructive cyber capabilities as an acknowledged component of hybrid warfare.

Part I: The Barometer of Geopolitical Tension: A Radical Transformation in Tactics

Whether the operational objective of a state-sponsored actor is espionage or destruction is the clearest technical indicator of a shift in the respective state’s strategic intent. The technical choice of APT groups can be read as a barometer of geopolitical tensions.

1.1. The Traditional Model: Silent and Deep Espionage (SVR Doctrine)

The classic model of APT operations is based on long-term, covert, and data-driven intelligence gathering. The objective of these operations is to remain undetected in adversary networks for years, continuously collecting sensitive information that provides a strategic advantage. “Noisy” actions such as destruction or service disruption are deliberately avoided, as such actions could jeopardize the long-term intelligence-gathering mission.

The group Cozy Bear (APT29 / Midnight Blizzard), attributed to Russia’s Foreign Intelligence Service (SVR), is the foremost practitioner of this doctrine. The group’s operational history is defined by the SolarWinds attack (2020), which represents the pinnacle of its emphasis on stealth, patience, and operational security. This supply chain attack succeeded in infiltrating thousands of high-level networks via a trusted software update, but it aimed for persistent access and intelligence gathering, avoiding destruction. SolarWinds perfectly represents the typical cyber activity of “peacetime” or low-intensity conflict periods in geopolitical competition.

1.2. The Conflict Paradigm: Irreversible Destruction (GRU Doctrine)

When geopolitical tensions escalate and preparations for military action are underway, the tactics of APT groups change radically. The goal of intelligence gathering gives way to active sabotage and irreversible destruction. This strategic transformation indicates that the state is no longer pursuing an information advantage but instead aims to completely eliminate the adversary’s ability to function.

The most prominent technical indicator of this new destruction paradigm has been the rise of wiper malware. Wiper software does not merely encrypt data; it makes system recovery impossible by destroying the Master Boot Record (MBR). This is the clearest evidence that the intent is pure destruction.

  • NotPetya (2017): This attack, targeting Ukraine and attributed to the Sandworm (APT44) group linked to Russia’s GRU, was a wiper disguised as ransomware. It had no financial motive; its sole purpose was to paralyze Ukraine’s entire critical infrastructure, including banking, energy, transportation, and government agencies.
  • AcidRain (2022): A next-generation wiper used in the Viasat attack, designed to erase modem and router memory.

The strategic calculation underlying this tactical evolution is the fact that espionage and destruction serve different purposes. Espionage is a tool of competition; destruction is a tool of war, aimed at paralyzing the opponent’s ability to function. When an APT group uses a wiper, it is essentially declaring that the phase of covert competition is over and a phase of active, albeit undeclared, conflict has begun. This distinction makes the detection of wiper malware a critical geopolitical indicator for corporate risk analysis.

Part II: The Expansion of the Battlefield: The Shift in Target Priorities

While in the early years of cyber warfare targets were generally limited to military networks, as geopolitical tensions have escalated, the battlefield has expanded to encompass all of society. State-sponsored actors now aim to trigger societal panic and break political will by targeting the Critical National Infrastructure (CNI) that forms a country’s economic and social fabric.

2.1. From Digital to Physical: Kinetic Impact and Industrial Control Systems

The watershed moment for this dangerous transformation was the Stuxnet worm (2010), which proved that digital code could cause kinetic damage in the physical world. Stuxnet targeted complex Industrial Control Systems (ICS), manipulating the rotational speeds of centrifuges at Iran’s Natanz nuclear facility and causing them to tear themselves apart.

This operation was designed as a way for the US and Israel to achieve their geopolitical objective of delaying Iran’s nuclear program while avoiding the incalculable geopolitical consequences of a conventional military strike. Stuxnet demonstrated to the world that critical infrastructure had become a legitimate target for cyberattacks and opened Pandora’s Box, encouraging rival states to rapidly develop their own CNI attack capabilities.

2.2. Targeting Societal Chaos and E-Government Systems

The targeting strategy has shifted from sabotaging a specific military facility to breaking a country’s political will by creating widespread social and economic chaos. The 2007 attacks on Estonia brought life to a standstill in the country’s digitalized society through coordinated DDoS attacks on banking, government, and media sites during a period of political tension. The attack’s purpose was to create widespread societal chaos by simultaneously targeting the country’s social cohesion, digital infrastructure, and physical security. This event demonstrated that cyberattacks could be used as a tool of political coercion and laid the groundwork for the Russian GRU’s doctrine of prioritizing destruction and psychological impact.

2.3. Spillover Effect and the Weaponization of the Supply Chain

One of the most critical features of modern cyber conflict is the unexpected spread of attacks—aimed at a geopolitical target—to international commercial targets via the global supply chain.

The NotPetya attack demonstrated that a trusted supply chain relationship could be weaponized, occurring when Sandworm (GRU) compromised the update server for a tax accounting software (M.E.Doc) used in Ukraine. The attack spread far beyond Ukraine, infecting international companies such as the global shipping giant Maersk, pharmaceutical company Merck, and FedEx. The paralysis of Maersk’s global operations for weeks and the resulting damages of over $10 billion prove what a systemic risk a geopolitically motivated attack poses to the global economic system.

Similarly, the Viasat attack also caused a massive civilian spillover effect, leaving tens of thousands of civilian customers in Europe without internet. These spillover effects show that even if your company does not operate in conflict zones, you face an existential risk to your global operations if a partner at any point in your supply chain becomes the target of a geopolitical attack. Therefore, supply chain risk management is no longer a logistical issue but a geopolitical security imperative.

Part III: Plausible Deniability and Proxy Wars: Armies in the Shadows

To evade responsibility for acts of conflict and maintain a veil of deniability, states have adopted the strategy of using non-state actors (hacktivists and cybercriminals) as proxies. The war in Ukraine has revealed just how complex this proxy war model has become.

3.1. Integration of Civilian Hacktivists into the State

Geopolitical conflict has accelerated the inclusion of civilian volunteers in cyber operations. The “IT Army of Ukraine,” officially announced by the Ukrainian Ministry of Digital Transformation, is an innovative example of the state augmenting its cyber capabilities through crowdsourcing. This structure has created a hybrid coordination model that combines operational flexibility with strategic direction.

On the opposing side, pro-Russian “patriotic” groups like Killnet function as informal units whose actions are in perfect alignment with the Kremlin’s geopolitical goals. These groups aim to create instability in Western societies by targeting critical infrastructure in NATO countries. Analyses reveal that groups like XakNet are in direct coordination with Russian military intelligence (GRU), strongly suggesting that these groups serve state objectives behind a curtain of deniability.

3.2. The Transformation of Cybercrime into a State Apparatus

The most dangerous dimension of proxy warfare is the increasingly blurred line between states and organized cybercrime groups. North Korea’s Lazarus Group (APT38) uses organized crime as a tool of national economic and military policy, conducting large-scale financial crimes like cryptocurrency theft and bank heists on an industrial scale to circumvent international sanctions and finance its nuclear weapons program.

Similarly, the public support of ransomware groups like Conti, which normally operate with financial motivation, for Russia’s invasion of Ukraine has shown that the cybercrime ecosystem has been transformed into a geopolitical weapon. This situation demonstrates that the boundary between cybercrime and state-sponsored attacks has disappeared, making it difficult to quickly determine an attack’s true intent (espionage, financial gain, or destruction) using traditional threat intelligence models. For an organization, the risk that an event appearing to be an ordinary ransomware attack could, in fact, be the veil for a state-sponsored destructive attack (like NotPetya) fundamentally complicates risk assessment.

Part IV: Four Fundamental Shifts in APT TTPs

Geopolitical pressures are forcing APT groups to adapt rapidly to technological change, which has produced four fundamental shifts in their tactics, techniques, and procedures (TTPs) in recent years.

4.1. The New Battlefield: Cloud and Identity-Focused Attacks

As corporate infrastructure has shifted from on-premise networks to the cloud, APTs have strategically moved their targets to cloud environments. As the traditional network perimeter has become indefensible, analyses show that in cloud computing environments identity has become the new security perimeter.

Sophisticated actors like Cozy Bear (SVR) have dramatically focused their TTPs on targeting identity and access management systems. Their current tactics include Password Spraying against service accounts; MFA Fatigue, which pressures users into accidental approvals; and the exploitation of stolen authentication tokens and OAuth applications to move laterally and escalate privileges without needing a password. The SVR’s targeting of major tech companies like Microsoft and Hewlett Packard Enterprise in late 2023 using these identity-centric methods confirms that this strategic shift is an operational reality.
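The two identity-centric tactics named above, password spraying and MFA fatigue, leave characteristic traces in sign-in telemetry that per-account lockout counters never see. The following is an added example, not code from the original article or from Brandefense: a small behavioural detector run over a constructed CSV sign-in log (timestamp, user, source IP, result). The log format, the result codes and the thresholds (five distinct accounts per IP in 30 minutes; four push prompts per user in 10 minutes) are illustrative assumptions, to be tuned against a real identity provider's export.

```python
"""Behavioural detection of password spraying and MFA fatigue in sign-in logs.

Added example. The CSV format below is constructed and the thresholds are
illustrative assumptions, not values from any vendor or from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data).
# result is one of: FAIL_PASSWORD, MFA_PROMPT, SUCCESS
SAMPLE_LOG = """\
2024-03-01T02:00:01Z,alice@example.com,203.0.113.7,FAIL_PASSWORD
2024-03-01T02:00:09Z,bob@example.com,203.0.113.7,FAIL_PASSWORD
2024-03-01T02:00:17Z,carol@example.com,203.0.113.7,FAIL_PASSWORD
2024-03-01T02:00:25Z,dave@example.com,203.0.113.7,FAIL_PASSWORD
2024-03-01T02:00:33Z,erin@example.com,203.0.113.7,FAIL_PASSWORD
2024-03-01T02:00:41Z,frank@example.com,203.0.113.7,FAIL_PASSWORD
2024-03-01T08:15:00Z,carol@example.com,198.51.100.20,FAIL_PASSWORD
2024-03-01T08:15:20Z,carol@example.com,198.51.100.20,SUCCESS
2024-03-01T09:00:00Z,dave@example.com,198.51.100.21,MFA_PROMPT
2024-03-01T09:00:30Z,dave@example.com,198.51.100.21,SUCCESS
2024-03-01T23:10:00Z,bob@example.com,192.0.2.44,MFA_PROMPT
2024-03-01T23:11:00Z,bob@example.com,192.0.2.44,MFA_PROMPT
2024-03-01T23:12:00Z,bob@example.com,192.0.2.44,MFA_PROMPT
2024-03-01T23:13:00Z,bob@example.com,192.0.2.44,MFA_PROMPT
2024-03-01T23:14:30Z,bob@example.com,192.0.2.44,SUCCESS
"""


def parse_events(text):
    """Parse CSV lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """A spray is one source IP failing password auth for many *distinct*
    accounts in a short window (few passwords, many users). Per-account
    lockout thresholds never trigger, so the signal is the user count per IP."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL_PASSWORD":
            fails_by_ip[e["ip"]].append(e)
    findings = []
    for ip, fails in fails_by_ip.items():
        best, start = 0, 0
        for end, f in enumerate(fails):           # sliding window over sorted failures
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, len({x["user"] for x in fails[start:end + 1]}))
        if best >= min_users:
            findings.append({"type": "password_spray", "ip": ip, "distinct_users": best})
    return findings


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Fatigue is a burst of MFA push prompts for one account. A SUCCESS right
    after the burst means the user eventually approved one: that session
    should be revoked and the account's credentials reset."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e["result"] == "MFA_PROMPT"]
        best, burst_end, start = 0, None, 0
        for end, p in enumerate(prompts):
            while p["ts"] - prompts[start]["ts"] > window:
                start += 1
            if end - start + 1 > best:
                best, burst_end = end - start + 1, p["ts"]
        if best >= min_prompts:
            approved = any(e["result"] == "SUCCESS"
                           and burst_end <= e["ts"] <= burst_end + window for e in evs)
            findings.append({"type": "mfa_fatigue", "user": user,
                             "prompts": best, "approved": approved})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for finding in detect_password_spray(evs) + detect_mfa_fatigue(evs):
        print(finding)
```

On the sample data the spray detector flags 203.0.113.7 (six accounts in under a minute, one failure each) while carol's single failed login from her usual address is ignored, and the fatigue detector flags bob (four prompts in three minutes followed by an approval) but not dave's single prompt. The useful design point is that neither rule depends on the attacker's tooling: both key on counts per principal over time, which is what survives when the attacker uses a valid token or OAuth application rather than malware.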

4.2. The Weaponization and Targeting of Artificial Intelligence

The use of artificial intelligence in cyberattacks has moved from being a theoretical threat to a part of APT operations. State-sponsored actors are using AI to increase the scale, complexity, and speed of their operations.

  • Scaling Social Engineering: North Korea’s Lazarus Group (APT38) is scaling its social engineering attacks in its famous “Operation Dream Job” campaign by using GenAI. Fake recruiter personas are equipped with AI-generated resumes and interview skills to convincingly lure targets.
  • Malware Development: Russia’s Fancy Bear (APT28) has been associated with LAMEHUG, the first known malware powered by a Large Language Model (LLM). This development is a sign that future malware will be more adaptive, context-aware, and evasive.
  • AI Systems Themselves are the New Target: The AI tools rapidly being adopted by businesses are becoming a new, high-value attack surface for APT groups.

4.3. LotL (Living Off the Land) and Malware-Free Intrusions

To bypass traditional signature-based defenses, APTs are abandoning custom malware and focusing on using legitimate tools (like PowerShell, WMI, RDP) that are naturally present on the system. This “Living Off the Land” (LotL) tactic makes detection by traditional antivirus solutions nearly impossible and allows the attacker’s activity to blend in with normal network traffic.

Cybersecurity reports show that a staggering 81% of interactive intrusions are now malware-free. In its 2022 attack on critical infrastructure in Ukraine, Russia’s Sandworm group issued destructive commands using a legitimate MicroSCADA binary already present on the system, rather than custom OT malware. This event demonstrates that defense strategies must shift from signature-based detection to behavioral analysis.
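The shift from signature-based to behavioural detection that the paragraph calls for can be made concrete on process-creation telemetry. The block below is an added example, not code from the article or from Brandefense: it evaluates a handful of behavioural rules (parent-child relationships and command-line shape rather than file hashes) over a constructed, Sysmon-like set of process events, and separately flags parent-child pairs that never appear in a baseline of normal activity. The event fields, the sample events, the baseline counts and the rule thresholds are all constructed for illustration.

```python
"""Behavioural (not signature-based) detection of Living-off-the-Land activity
in process-creation telemetry.

Added example. Event format, sample events, baseline and rules are
constructed for illustration and are not from any vendor or from the article.
"""
import re
from collections import Counter

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "wmic.exe"}

# Each rule: (id, description, predicate). Predicates see lower-cased fields.
RULES = [
    ("office_spawns_script_host",
     "Office application spawned a scripting host",
     lambda e: e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS),
    ("powershell_encoded_or_hidden",
     "PowerShell started with an encoded command or a hidden window",
     lambda e: e["image"] in {"powershell.exe", "pwsh.exe"} and re.search(
         r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)|-w(indowstyle)?\s+hidden",
         e["cmdline"]) is not None),
    ("wmi_process_create",
     "WMI used to create a process (a common remote-execution primitive)",
     lambda e: e["image"] == "wmic.exe"
     and re.search(r"process\s+call\s+create", e["cmdline"]) is not None),
]

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"host": "WS02", "user": "asmith", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc AAAAAAAAAAAA"},  # placeholder blob, constructed
    {"host": "WS03", "user": "jdoe", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic process call create notepad.exe"},
    {"host": "WS01", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Constructed baseline: how often each (parent, image) pair was seen in a
# quiet reference period. A real baseline would be built from weeks of data.
BASELINE_PAIRS = Counter({
    ("explorer.exe", "powershell.exe"): 140,
    ("explorer.exe", "cmd.exe"): 80,
    ("services.exe", "svchost.exe"): 9000,
})


def normalise(event):
    """Lower-case the fields the rules match on so case tricks do not evade them."""
    out = dict(event)
    for key in ("parent", "image", "cmdline"):
        out[key] = event[key].lower()
    return out


def evaluate(events, rules=RULES):
    """Return one hit per event that matches at least one rule, with rule ids."""
    hits = []
    for raw in events:
        e = normalise(raw)
        matched = [rule_id for rule_id, _desc, pred in rules if pred(e)]
        if matched:
            hits.append({"host": raw["host"], "image": e["image"], "rules": matched})
    return hits


def rare_parent_child(events, baseline=BASELINE_PAIRS, min_seen=5):
    """Flag parent-child pairs seen fewer than min_seen times in the baseline.
    This catches legitimate binaries used in unusual ways even when no
    hand-written rule anticipated the combination."""
    rare = []
    for raw in events:
        e = normalise(raw)
        pair = (e["parent"], e["image"])
        if baseline.get(pair, 0) < min_seen:
            rare.append(pair)
    return rare


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("rare pairs:", rare_parent_child(SAMPLE_EVENTS))
```

Both the Word-launched hidden PowerShell and the WMI process creation are flagged by explicit rules, and both also surface as parent-child pairs absent from the baseline, while the administrator's scheduled inventory script and the service host are silent on both checks. The rarity check is the more general of the two mechanisms: it is what would have made a legitimate OT binary issuing commands from an unexpected parent stand out, which is exactly the class of activity the Sandworm MicroSCADA case illustrates.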

Part V: Strategic Implications for Corporate Resilience

In the face of geopolitically motivated cyber threats, traditional cybersecurity approaches based solely on technical measures are insufficient. The threat landscape has evolved from predictable cybercriminals to nation-state actors whose goal is to destroy the business.

5.1. The Philosophical Shift: From Security to Resilience

While traditional cybersecurity is based on a crime prevention model that tries to prevent 100% of breaches, the focus in the face of geopolitical threats must be on a resilience model that accepts the inevitability of an attack. The corporate focus must shift from attempting to prevent the breach (Prevention) to the ability to withstand a geopolitically motivated attack, maintain operational continuity, and recover quickly from the attack (Endurance and Recovery). Resilience focuses on minimizing the impact of the damage and restoring functionality as quickly as possible.

5.2. The CISO’s New Role: Geopolitical Risk Manager

The role of the modern CISO extends far beyond its technical roots; cybersecurity strategy must now be informed not only by technical vulnerabilities but also by global power dynamics. CISOs need to think like geopolitical analysts.

Corporate cyber strategies must be based on the following geopolitically informed risk analyses:

  1. Geographic Risk Mapping: Analysis of the digital connections between operations, employees, or critical customers and regions with active conflict risk.
  2. Sectoral Criticality: Assessing the risk that operating in critical infrastructure sectors—such as energy, finance, or transportation—makes the corporation a primary and symbolic target for state-affiliated actors.
  3. Supply Chain Stress Tests: As the NotPetya case demonstrated, preparing for scenarios where a critical software or service provider in the supply chain becomes the target of a geopolitical conflict.

These analyses must be solidified through scenario planning and stress tests, and the CISO must be a strategic leader at the boardroom table, capable of speaking the language of geopolitics to manage these risks.

5.3. Architectural Imperatives: A Defensive Architecture Against APT TTPs

In the face of modern APT TTPs focused on LotL and Cloud/Identity, traditional perimeter defense is inadequate.

5.3.1. Zero Trust Adaptation

The most effective architectural response to the SVR’s (Cozy Bear) identity-focused attacks is the implementation of a Zero Trust philosophy. The Zero Trust model operates with an “assume breach” mentality and verifies every request as if it were coming from an uncontrolled network: “Never trust, always verify.” This approach restricts user access with Just-In-Time (JIT) and Just-Enough-Access (JEA) principles, thereby significantly hindering the ability to move laterally with stolen credentials.

5.3.2. Resilience and Recovery Against Destructive Attacks

With the proliferation of wiper malware (NotPetya, AcidRain), security strategy must focus on surviving system destruction. “Assume Breach” is the fundamental principle of cyber resilience. It is essential to minimize the damage area and ensure that critical data can be securely recovered. Ensuring secure, logically isolated, and immutable backups of critical data and systems is the only way to quickly restore functionality and ensure operational continuity after a wiper attack.

5.3.3. Supply Chain Transparency and Collective Defense

To prevent a recurrence of incidents like SolarWinds and NotPetya, hidden risks in software components must be made transparent by demanding a Software Bill of Materials (SBOM) from all software vendors.
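An SBOM only reduces supply chain risk if someone actually reads it against advisories and checks that each listed component can be tied to a specific artefact. The block below is an added example, not code from the article or from Brandefense: it loads a CycloneDX-style SBOM, matches components against an advisory feed using the half-open [introduced, fixed) version-range convention used by OSV-style advisories, and lists components that carry no hash and therefore cannot be verified against the delivered binary. The SBOM contents, package names, advisory identifiers and digest values are all constructed placeholders.

```python
"""Check a CycloneDX SBOM against an advisory list and flag unverifiable parts.

Added example. The SBOM, package names, advisory IDs and digests are all
constructed placeholders, not real products or real advisories.
"""
import json
import re

# Constructed CycloneDX 1.5-style document (not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "acme-parser", "version": "2.3.1",
     "purl": "pkg:npm/acme-parser@2.3.1",
     "hashes": [{"alg": "SHA-256", "content": "placeholder-digest-not-real"}]},
    {"type": "library", "name": "widgetlib", "version": "1.8.0",
     "purl": "pkg:maven/org.example/widgetlib@1.8.0"},
    {"type": "library", "name": "tinyutil", "version": "0.9.2",
     "purl": "pkg:npm/tinyutil@0.9.2"}
  ]
}
"""

# Constructed advisory feed. Affected range is [introduced, fixed): the fixed
# version itself is safe, everything from introduced up to it is affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "ecosystem": "npm", "name": "acme-parser",
     "introduced": "2.0.0", "fixed": "2.3.4"},
    {"id": "EXAMPLE-ADV-002", "ecosystem": "maven", "name": "widgetlib",
     "introduced": "1.0.0", "fixed": "1.8.0"},
]


def parse_version(v):
    """Turn '2.3.1' (or '2.3.1-rc1') into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def ecosystem_of(purl):
    """'pkg:npm/acme-parser@2.3.1' -> 'npm'; 'pkg:maven/org.example/x@1' -> 'maven'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def load_components(sbom_json):
    """Parse the document and return its component list."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def find_vulnerable(components, advisories=ADVISORIES):
    """Return components whose version falls inside an advisory's affected range."""
    hits = []
    for c in components:
        ver = parse_version(c["version"])
        eco = ecosystem_of(c.get("purl", "pkg:unknown/"))
        for adv in advisories:
            in_range = parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"])
            if adv["ecosystem"] == eco and adv["name"] == c["name"] and in_range:
                hits.append({"component": c["name"], "version": c["version"],
                             "advisory": adv["id"]})
    return hits


def find_unverifiable(components):
    """Components listed without a hash cannot be tied to a specific artefact,
    so a tampered build (the SolarWinds pattern, a trusted update carrying
    unexpected code) would be indistinguishable from the genuine one."""
    return [c["name"] for c in components if not c.get("hashes")]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    print("vulnerable:", find_vulnerable(comps))
    print("no hash, cannot verify:", find_unverifiable(comps))
```

On the constructed input, acme-parser 2.3.1 is reported against EXAMPLE-ADV-001, widgetlib 1.8.0 is not reported because it sits exactly at the fixed boundary, and widgetlib and tinyutil are both listed as unverifiable because the vendor supplied no digest. That second list is the one to push back on when demanding SBOMs from vendors: a component entry without a hash documents what the vendor intended to ship, not what arrived.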

Furthermore, given the fact that the most sophisticated threats are discovered by the private sector, deep, real-time, and bidirectional threat intelligence sharing between government agencies and critical infrastructure operators is mandatory. This collective defense creates a more agile and better-informed defense than the isolated operations of a single entity.

Conclusion: The Decoupling of Cyberspace and the Era of Geopolitical Leadership for CISOs

Geopolitical tensions have evolved cyberspace from Espionage to Destruction, from the Perimeter to Identity, and from Human Error to AI-Assisted threats. This evolution in the TTPs of state-sponsored threat (APT) groups has transformed the corporate risk landscape and proven that cybersecurity boundaries are no longer limited to the corporate firewall. Cyber risk is now an integral part of national security, the global supply chain, and international power competition.

Surviving and ensuring operational continuity in this new threat environment depends not only on adopting technical architectures like Zero Trust but also on the leadership of CISOs who can speak the language of geopolitics—CISOs who can translate global events into their own business risks and make resilience against total destruction scenarios a strategic priority. Cybersecurity is no longer just an information technology problem; it is a fundamental component of corporate grand strategy in a fragmented and competitive world.
