The Rage of the Nation-State Hacker

Certain expressions in global cybersecurity parlance have become ubiquitous lately, especially after the recent targeting of the American government and its core sectors by Chinese hackers. “Nation-state hackers” and “TTPs” (tactics, techniques, and procedures) are some of them. Worries about the scope of cyber espionage and the damage it can do are rising as some countries become more and more ambitious in stealing information apart from manipulating data and automated control to paralyse networks. Targets include energy grids, which European Parliament reports describe as an attack to “prevent users from using data or services”. This would mean power outages and massive chaos resulting in huge financial losses and equipment failures.

Indian authorities know it only too well that American and European governments are not the only targets of nation-state hackers, cyber ninjas or groups acting at the behest of governments to snoop on other nations as part of new strategies to stay ahead of the spying game.

After recent bouts of cyberattacks, multiple agencies in the West, including the US, came out with a joint statement, assessing that the extent of threat was higher than what was earlier perceived. Perkins Coie, which specialises in cybersecurity litigation besides other areas, says, “Multiple agencies of the US government and other governments have concluded that the cyber threat presented by the People’s Republic of China [PRC], specifically actors attributed to Salt Typhoon, is substantially greater than previously reported.”

A joint statement by multiple agencies said that PRC’s state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging and military infrastructure networks. “While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge and customer-edge routers, they also leverage compromised devices and trusted connections to pivot into other networks. These
actors often modify routers to maintain persistent, long-term access to networks. This activity partially overlaps with cyber threat actor reporting by the cybersecurity industry—commonly referred to as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807 and GhostEmperor, among others.”

In an op-ed for the Washington Post, Pamela K Isom of the American Security Project wrote that the Salt Typhoon attacks highlight the urgent need for systemic change in how telecommunications providers approach cybersecurity. “Government and industry leaders must be proactive and prioritise threat intelligence to improve defences before incidents occur. This requires proactive threat intelligence sharing. Encouraging an exchange between federal agencies and industry peers on actionable intelligence about emerging threats before incidents occur would help secure our country against state-sponsored hackers. Policymakers should establish programs that promote threat sharing and collaboration between the government and the private sector.”

What are the lessons to learn from all this chaos in the West for India, a neighbour who has been the target of suspected Chinese-sponsored hackers for far too long?

After all, in the recent hacking spree, according to reports in Bloomberg and the Guardian quoting highly placed sources, the victims of the attack include the US agency charged with overseeing nuclear weapons, the National Nuclear Security Administration. Microsoft said it had observed three groups—the Chinese state-backed Linen Typhoon and Violet Typhoon, and Storm-2603, which is believed to be China-based—using “newly disclosed security vulnerabilities” to target internet-facing servers hosting the platform, according to a recent Guardian report, as updates from years-long attacks ferret out names of newer victims, taking the toll higher than earlier expected. It was therefore no coincidence that Amazon shut down its Shanghai AI research lab; McKinsey stopped taking up generative AI-related work amid geopolitical tensions in China, and several other companies scaled down operations in that country, fearing espionage by targeting vulnerabilities in the system to gain access to their networks.

As stated earlier, TTPs are often talked about by analysts who are close to the matter and are looking at what went wrong in terms of cyber defence and offensive capabilities in their respective units. Tactics explains the “why” of a cyber-attack while techniques the “how”. Procedures are specific actions taken to implement techniques, or “what” the attack was at a granular level.

Mumbai-based AI expert and cybercrime investigator Ritesh Bhatia, founder of V4WEB Cybersecurity, tells Open that the recent Chinese cyber intrusions into US security and political establishments highlight three hard lessons. “First, critical
infrastructure and government networks will always be prime targets for nation-states and no sector is off-limits. Second, even highly resourced nations like the US can be compromised through supply-chain attacks and zero-day exploits, showing that perimeter defence alone is insufficient. Third, geopolitical rivalries are increasingly being fought in cyberspace, where attribution is murky and consequences are long-term.”

He adds, “For affected countries, the key takeaway is to shift from a posture of defence to one of resilience that includes continuous monitoring, cyber-threat intelligence sharing, and building international coalitions to deter such actors.”

Cyber experts have often talked about why countries fail to anticipate such attacks which, as of now, are synonymous with prolonged espionage. That also means access to personal data of each citizen of a country because of the heightened nature of connectivity and digitalisation. But not much headway has been made by individual countries, including India, which trains cyber commandos at a young age to boost its cyber-offensive capacities.

Simply put, the threat of nation-state cyber criminals is on the rise and, in sharp contrast with traditional cyber attackers, their motives often border on warfare.

A World Economic Forum report has underscored the challenges ahead: “The rise of generative AI has significantly increased the scale and sophistication of cybercrime, particularly identity theft and fraud. Global cybercrime is expected to cost $10.5 trillion annually by 2025, up from $3 trillion in 2015, according to Cybersecurity Ventures. To put it in perspective, if annual cybercrime were a country, it would have the third-largest gross domestic product [GDP] worldwide.”

In the 2025 Armis Cyberwarfare Report, in which the firm surveyed more than 1,800 global IT decision-makers, a similar share (73 per cent) added that they feared that nation-state hackers’ AI capabilities could enable future sophisticated cyber attacks.

Bhatia notes, “Most nations fail to anticipate vulnerabilities because of two reasons: complacency and complexity. Legacy systems, bureaucratic delays, and lack of proactive red-teaming leave blind spots. Unfortunately, it often takes a breach for leadership to realise that the weakest link in the chain can cause the biggest damage. Cyber resilience requires foresight, not hindsight.” He feels that India has made decent progress in cyber defence, with CERT-In, NCIIPC (National Critical Information Infrastructure Protection Centre) and dedicated cyber command units working actively. However, in terms of offensive capabilities, countries like the US, China, Russia, and Israel are far ahead. India has the talent pool but what we need is sharper coordination, faster adoption of indigenous tools, government support and stronger private-public partnerships to scale our cyber power.”

In fact, most countries, especially those with an edge in cyber capabilities, hire young people in order to combat threats and protect themselves by launching pre-emptive offensive attacks. Open had written about the Modi government’s plans earlier. While India has successfully withstood cyber attacks from Pakistan during and after Operation Sindoor, threats from elsewhere may not necessarily arise in the same way. Many sectors, including India’s education sector, are increasingly being targeted for cyber attacks, according to various reports. According to a report in The Hindu, organisations in India witnessed 3,237 cyber attacks per week on average in the month of August 2025 with education being the top target, followed by government and consumer goods and services segments, reported CheckPoint Research, the threat intelligence arm of Check Point, a Tel Aviv-based cyber security solutions firm.

For his part, Bhatia agrees, “Cybersecurity is a young person’s game and their curiosity, adaptability, and raw coding skills matter as much as experience. Countries like Israel start spotting and training talent during high school, channelling them into elite units like Unit 8200. In India, we are slowly catching up through initiatives such as university-level ethical hacking competitions. But we need to institutionalise these efforts at scale, starting with school-level programmes, if we want to create a pipeline of cyber warriors for the future.”

Meanwhile, a paper authored by Joe Devanny and Arthur PB Laudrain for the Carnegie Endowment for International Peace outlines the opportunities and challenges for India on this front. “Given the strength of its digital economy and innovation, and its potential for further growth in connectivity, digital inclusion, and workforce development, India has considerable latent cyber power. There are, however, significant obstacles to converting latent into actual power—and indeed in orchestrating its effective use. Future developments should focus principally on investment in and improved coordination of domestic cybersecurity, resilience, and cyber defence.”

The Indian Cyber Crime Coordination Centre (I4C) has acknowledged the need to groom cyber commandos, and the Ministry of Home Affairs (MHA) is working with the states to create special cells of such cyber warriors. Yet, considering the pace and extent of damage that nation-state cyber actors can cause, a swifter implementation of plans is in order.  

Armis Cyberwarfare ReportArthur PB Laudraincyber attacksCyber espionagehackersIndian Cyber Crime Coordination CentreJoe DevannyNCIIPCOperation Sindoor