Business leaders need to stay up to date with geopolitics to keep their cybersecurity strategies up to date and mitigate the risks posed by state-backed hacker groups.
This is the message that Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), delivered to attendees at a keynote session of Infosecurity Europe 2025.
The call to action from Chichester came as states known to support threat actors and engage in cyber attacks of their own step up efforts to disrupt critical infrastructure
Chichester said Russia’s cyber capabilities in particular have improved in recent years, with its invasion of Ukraine used as an opportunity to hone offensive cyber techniques. Along with Russia, Chichester focused on the threat China-backed groups pose to both public and private organizations.
“I'll come back to this a few times, but states don't do hacking for fun,” Chichester said.
“They do not do things for the sake of it. There is always a reason. We might not know the reason sometimes and that's quite a challenge for us, but we shouldn't assume that they're just doing it because they can.”
Chichester urged businesses who are being targeted by a state APT to carefully consider why and to assess how geopolitics feeds into their defensive strategies.
“At the end of the day, cyber isn't really just, or even, a technical thing. It's a tool that somebody uses, be it a criminal, be it a state. How does that risk manifest itself for you?”
The past few years have seen a number of high-profile attacks by state-sponsored groups on organizations to achieve ideological and military aims. Chichester said Russia is increasingly targeting supply chains which feed into Ukraine, with defense, energy, and logistics companies firmly in its crosshairs.
In 2022, for example, Microsoft warned the Russia-backed group Seashell Blizzard was using the Prestige ransomware strain to target organizations involved in the supply or transport of humanitarian aid and military shipments to Ukraine.
This is also coming from within the GRU military intelligence service, and Chichester cited the example of Unit 29155. This Russian military sabotage unit is known for its role in the 2018 Skripal poisonings, but it is now using cyber attacks to carry out its aims.
“Ultimately, if you want to target something in the real world, you need to understand them in the cyber world. You need to understand how they operate, you need to understand their movements, you need to understand what's going where,” Chichester explained.
“And we're seeing that merger of that real world sabotage being joined with that cyber espionage piece as well – and also cyber sabotage.”
Russia launched a major cyber attack on Viasat, a US communications company, on 24 February 2022, the same day it invaded Ukraine. This triggered a widespread outage, impacting Ukrainian military command and control and causing knock-on outages for several thousand internet-connected German wind turbines.
Chichester said the attack was carefully-timed to hit hardest in the first 24-48 hours of the invasion and “might have been a deciding factor” in the war had events on the ground gone differently.
Despite the apparently unintentional effects on EU-based companies, Chichester used the attack as an example of how states are increasingly targeting private businesses to achieve military or ideological aims.
China is also heavily implicated in attacks on critical national infrastructure, with cyber experts Kevin Mandia and Nicole Perlroth having recently warned the nation state has ramped up its cyber aggression.
Chichester said attacks by Volt Typhoon, an advanced persistent threat (APT) that successfully breached the US electric grid for almost a year, as well as Salt Typhoon which carried out major attacks on US telcos in 2024, show groups ‘pre-positioning’ themselves inside critical infrastructure.
As warned by CISA, this could enable undetected groups to carry out devastating attacks in the event of conventional war in the long-term.
For-profit attacks remain king
Despite the growing threat posed by state-backed groups pursuing ideological and military aims, evidence suggests that businesses will still largely contend with traditional threat actors.
In a separate keynote talk at the event, James Lyne, office of the CEO at the SANS Institute and Ciaran Martin, director of CISO network at the SANS Institute and former head of the NCSC, balanced the real threat of state-backed groups with those of profit-motivated groups.
“Most people are interested in fraud,” said Lyne. “Most of this stuff is about making money, the average obsession of the average criminal gang is far more mundane.”
“I think that's probably largely going to continue to be the case,” he added.
Lyne noted that, like the German wind farm operators inadvertently impacted by Russia’s attack on Viasat, some serious cyber attacks are mere “collateral damage” from campaigns aimed at other targets.
Martin said this was seen in the worst period of his time at the NCSC: the six-week period in 2017 in which North Korea launched the WannaCry ransomware attack, while suspected Russian groups hit Ukrainian banks and other organizations with the NotPetya malware.
“Between them, they [did] north of $10 billion of destruction and in my, sadly, favorite example from NotPetya, they’re attacking Ukrainian tax software and they end up stopping production at Cadbury’s chocolate factory in Tasmania, off the south coast of Australia.”
MORE FROM ITPRO
- The Iran cyber threat: Breaking down attack tactics
- Why government email servers are top targets for state-backed hackers
- State-sponsored cyber crime is officially out of control
-
Despite the hype, cybersecurity teams are still taking a cautious approach to using AI toolsNews Research from ISC2 shows the appetite for AI tools in cybersecurity is growing, but professionals are taking a far more cautious approach than other industries.
-
A new, silent social engineering attack is being used by hackersNews Security researchers have warned the 'FileFix' technique, which builds on the notorious 'ClickFix' tactic, is being used in the wild by threat actors.
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Millions of customers have been exposed in the Qantas cyber attack – here’s everything we know so farNews While details remain murky, cyber experts told ITPro the Qantas incident bears all the hallmarks of the Scattered Spider ransomware group.
-
M&S aims for full online restoration within four weeks following major cyber attackNews M&S CEO Stuart Machin says the high street retailer plans to fully restore operations by August following a devastating cyber attack in April.
-
British IT worker jailed for revenge attack on employer that caused a “ripple effect of disruption” for colleagues and customersNews West Yorkshire man Mohammed Umar Taj was suspended from his job in Huddersfield in July 2022, and began taking revenge within hours.
-
Financial impact of cyber attacks on UK retailers laid bare in new reportNews Analysis from the Cyber Monitoring Centre shows the recent cyber attacks on a host of UK retailers could cost up to £440 million.
-
A sneaky cyber espionage campaign is exploiting IoT devices and home office routers – here's what you need to know
News Researchers at SecurityScorecard have issued a warning about a new China-linked threat campaign, dubbed 'LapDogs', targeting IoT devices and home routers.
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
Cyber attacks have rocked UK retailers – here's how you can stay safeNews Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
