State-sponsored cyberattacks and nation-state data breaches are on the rise — and industrial sectors around the world are experiencing the brunt of them. Is there anything cybersecurity professionals can do to defend against these sophisticated, well-funded adversaries?
Prepare to Defend Against Nation-State Adversaries
Nation-state attacks are increasing in volume, sophistication and aggression. More often than not, they target industrial sectors. According to data compiled by the U.S. Homeland Security Committee, cyberattacks targeting critical infrastructure increased by around 30% in 2023.
When nation-state adversaries seek to impede technological advancement, cause disorder, respond to elevated political tension or further their ideological goals, they launch a cyberattack. These attacks are often subtle, and the attackers' actions give little to no indication of their presence.
Attackers’ methods are becoming more refined. The existence or extent of a nation-state breach can remain largely unknown for years, giving attackers enough time to cause widespread damage. Industrial sectors are particularly vulnerable to this approach because their perimeter security and network monitoring measures are often substandard.
Why State-Sponsored Cybercrime Is on the Rise
This type of cyberattack is becoming increasingly prevalent for several reasons. For one, state-sponsored hacktivist groups are capable of long-term undiscovered persistence. Using living off the land (LOTL) techniques — where they exploit a system’s legitimate, native tools during infiltration — they can evade detection for years at a time.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and National Security Agency (NSA) have determined that Volt Typhoon — a threat group associated with the People’s Republic of China — has pre-positioned itself on information technology (IT) networks in energy, communications, water systems and transportation sectors.
CISA, the FBI and the NSA warn that this pre-positioning enables lateral movement to operational technology (OT) assets to disrupt critical infrastructure functions. These agencies report observing indications that Volt Typhoon has maintained a foothold in some systems for more than five years, underscoring the gravity of this threat.
The IT/OT convergence trend in industrial sectors may reduce costs and drive efficiency, but it also expands the attack surface and streamlines hackers’ lateral movement. A single successful breach could result in a significant disruption with potentially catastrophic consequences.
Another contributing factor is the growth of smart technologies and automation solutions. For instance, artificial intelligence has lowered cybercriminality entry barriers, enabling unskilled hacktivists to carry out sophisticated cyberattacks. Moreover, since these tools often rely on the cloud or constantly exchange data, they introduce novel vulnerabilities.
What This Threat Landscape Will Look Like in 2025
State-sponsored cybercrime no longer belongs solely to hacktivists with an agenda; almost 49% of security incidents remain unattributed to any nation-state, after all. Cyberattacks-as-a-service will become increasingly popular in 2025, with countries using groups with no ties to them to carry out attacks.
The country’s leading cybersecurity experts have already recognized a trend of nation-states quietly backing ransomware groups. There has been a considerable uptick in state-sponsored attacks targeting critical infrastructure organizations.
The target will also shift in 2025. Hackers will go where the data is instead of going after critical infrastructure or industrial facilities directly. Supply chain attacks will become predominant as they target third parties and service providers.
When flashy, publicized cybersecurity incidents aren’t the goal, they will target organizations’ weak points — and remain unnoticed for as long as possible to compromise as many systems as possible. These individuals will exploit the growing reliance on cloud computing and internet-enabled connectivity to spread throughout extended supply networks.
Attackers will be able to conduct extensive pre-exploitation reconnaissance by exploiting legitimate credentials. According to IBM’s X-Force Cloud Threat Landscape report, the average price of compromised access credentials has steadily decreased in recent years, going from $11.74 in 2022 to $10.23 in 2024, a 12.8% decrease over a three-year period.
These threat actors increasingly use compromised credentials to take advantage of trusted cloud services like OneDrive and Google Drive to distribute malware. IBM’s report offers APT43 and APT37 — North Korean hacking groups — as examples. These individuals have targeted cloud-based services to distribute remote access trojans.
Defending Against State-Sponsored Cybercrime
There are several measures industrial cybersecurity professionals should take to secure their systems, networks and devices against state-sponsored cybercrime.
1. Prioritize Vulnerability Patching
Patching remains the best defense against cybercriminals. However, many cybersecurity teams neglect it. In 2023, 23% of organizations worldwide experienced cybercrime due to an unpatched vulnerability, making it the leading cause of cyberattacks.
Industrial cybersecurity professionals cannot overlook vulnerability patching. Even if IT/OT convergence complicates their duties and increases their workload, they must prioritize patching known exploits to minimize risk.
2. Enforce the Principle of Least Privilege
Cybersecurity teams should not implicitly trust any system, device or person — especially if their facility has industrial remote access configured. Since nation-state breaches often leverage legitimate credentials and LOTL techniques, they cannot be too careful.
3. Utilize Encrypted Multifactor Authentication
Multifactor authentication is an excellent defense against pre-positioning. It prevents network infiltration, thereby mitigating data exfiltration and malware injection. Moreover, it requires little expertise, making it ideal for all employees.
Enabling multifactor authentication comes with one caveat. Team leaders must ensure the channel that delivers the second factor is secure. The FBI has warned that Salt Typhoon — a hacking group linked to China — infiltrated at least eight telecommunications providers from 2022 to 2024.
This is one of the largest intelligence breaches in the country's history, and Salt Typhoon may still be active inside telecommunications networks. Because one-time codes sent over Rich Communication Services (RCS) and Short Message Service (SMS) traverse those same carrier networks, neither channel is entirely secure. Leveraging an encrypted alternative, such as an authenticator app or a hardware token, is crucial.
4. Secure or Discontinue Remote Desktop Protocol
Industrial firms often rely on remote desktop protocol despite its well-known security weaknesses. Whether they actively use it to simplify troubleshooting or simply forget it was enabled, it poses a serious threat. It should be disabled wherever possible, and where it cannot be, it must be secured.
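An added audit script, not from the article, that checks whether a Windows host still exposes RDP and applies the two fixes this section calls for (disable it, or at least require Network Level Authentication). It assumes an elevated PowerShell session on Windows 8/Server 2012 or later, where the NetSecurity and NetTCPIP cmdlets are available.

```powershell
# Added example (not the article's own code): audit RDP exposure on this host.
# Run elevated. Pass -Disable to discontinue RDP entirely.
param([switch]$Disable)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means RDP is off; UserAuthentication = 1 means NLA is required,
# so credentials are checked before a session (and its attack surface) is created.
$denyTs = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
$port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# Built-in "Remote Desktop" firewall group: any enabled rule means inbound RDP is allowed.
$fwEnabled = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' }

$findings = @()
if ($denyTs -eq 0) { $findings += "RDP is enabled (fDenyTSConnections=0)" }
if ($nla -ne 1)    { $findings += "Network Level Authentication not enforced (UserAuthentication=$nla)" }
if ($fwEnabled)    { $findings += "Inbound firewall rules for Remote Desktop are enabled" }

# Catch the "forgot it was enabled" case: is anything actually listening on the RDP port?
if (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue) {
    $findings += "TCP port $port is listening"
}

if ($findings.Count -eq 0) {
    Write-Output 'RDP appears disabled on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

if ($Disable) {
    # Discontinue RDP: deny connections and close the firewall group.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'RDP disabled and Remote Desktop firewall rules turned off.'
} elseif ($denyTs -eq 0 -and $nla -ne 1) {
    # RDP must stay: at minimum require NLA so unauthenticated clients never reach the logon screen.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Write-Output 'Enforced Network Level Authentication on RDP-Tcp.'
}
```

Run it without arguments across a fleet to inventory hosts where RDP was left on; run it with -Disable on hosts that have no documented need for it.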
Securing Systems Against Nation-State Data Breaches
Ultimately, no system is 100% secure. Cybersecurity leaders must do what they can to preserve privacy and security where it matters. Perimeter security is a thing of the past — especially when attackers use third parties as a springboard into the network.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to thought leadership, research and other insights from the OT cybersecurity community.