Part 3: Adversaries and Cyber Warfare
Computer security is not only about vulnerabilities and exploits. Behind every attack is an adversary — a person, group, or state pursuing specific goals. Understanding adversaries is essential for anticipating threats and preparing defenses. At the highest level, some adversaries use cyberattacks as instruments of national power, turning security into a matter of international conflict.
Characteristics of Adversaries
Adversaries differ in several ways:
- Goals: profit, political influence, espionage, sabotage, or simply notoriety.
- Risk tolerance: a criminal group seeks low risk and quick returns, while a nation-state may accept long-term risks for strategic gains.
- Resources: lone hackers may have little computing power, while governments command research labs, intelligence agencies, and even supercomputers.
- Expertise: from unskilled “script kiddies” who download attack kits to elite teams who develop zero-day exploits.
Types of Adversaries
- Hackers:
  - White hats: security researchers and testers who attack systems only with the owner's authorization, and report what they find.
  - Black hats: attack without authorization for malicious ends.
  - Gray hats: probe systems without authorization but usually without malicious intent, often disclosing what they find; they operate in a legal and ethical gray zone.
- Criminal groups: Organized gangs that run fraud, ransomware, and malware services. Some sell access to their tooling and infrastructure to affiliates, who carry out the intrusions and share the proceeds, a model known as ransomware-as-a-service.
- Malicious insiders: Employees or contractors who abuse legitimate access. Because they already have privileges, their attacks are especially hard to prevent and detect.
- Hacktivists: Attackers motivated by political or social causes. Groups like Anonymous have targeted corporations and governments to make a point.
- Spies: Industrial spies steal trade secrets, while state-backed spies conduct political or military espionage.
- Terrorists: Rare in cyberspace, but some groups aspire to disrupt infrastructure or spread fear.
- Nation-states: Governments now maintain offensive cyber units within their militaries and intelligence agencies. They have the persistence, skill, and funding to compromise even hardened systems.
Economic Incentives
Underground markets provide a thriving economy for adversaries. Botnets, stolen credentials, and exploit kits can be bought and sold. Zero-day vulnerabilities in widely deployed software may fetch millions of dollars from brokers. At the same time, legal bug bounty programs reward researchers for responsibly disclosing flaws to the vendor. The same technical skills can be monetized on both sides of the law.
Advanced Persistent Threats (APTs)
At the high end are Advanced Persistent Threats (APTs): skilled, well-funded, often state-backed.
- Advanced: They use custom malware, zero-day exploits, and stealth techniques.
- Persistent: They maintain access for months or years, often evading detection.
- Threat: They have the capability to bypass defenses and achieve high-value objectives.
Well-known examples include Russia’s Fancy Bear, China’s APT41, North Korea’s Lazarus Group, and Iran’s Charming Kitten.
Naming conventions vary. Mandiant numbers APTs sequentially (APT1, APT29). CrowdStrike uses animals that encode the attributed country (Panda for Chinese groups, Bear for Russian, Kitten for Iranian). Microsoft uses weather-themed names in which the weather term likewise encodes the country: Blizzard for Russia (Midnight Blizzard), Typhoon for China (Volt Typhoon), Sandstorm for Iran, Sleet for North Korea. Because each vendor names groups independently, the same unit often carries several names; APT29, Cozy Bear, and Midnight Blizzard, for example, all refer to the same Russian group.
Cyber Warfare
Cyberattacks are no longer isolated incidents — they are tools of statecraft. Cyber warfare refers to state-sponsored operations that disrupt, damage, or disable critical infrastructure and military systems. Unlike espionage, which gathers intelligence, cyber warfare seeks direct impact.
Stuxnet
Discovered in 2010, Stuxnet marked a turning point. It targeted Iran's uranium enrichment program by infecting Windows systems and then the Siemens engineering software used to program the programmable logic controllers (PLCs) that drove the centrifuges. The facilities were protected by an air gap, meaning they were physically isolated from the Internet. Stuxnet overcame this barrier by spreading on infected USB drives carried in by workers, exploiting a Windows shortcut-file flaw so that merely viewing the drive's contents ran the malware. Once inside, it modified the PLC code to drive the centrifuges at damaging speeds while replaying previously recorded normal readings to the monitoring software, so operators saw nothing wrong.
Stuxnet was the first known malware to cause physical destruction. It showed that software alone could achieve what once required bombs or sabotage.
Russia and Ukraine
Russia has repeatedly used cyber operations alongside military action:
- In December 2015 and again in December 2016, attackers disrupted Ukraine's power grid. The 2015 attack cut electricity to roughly 230,000 people; the 2016 attack used Industroyer, malware built to speak industrial control protocols directly to substation equipment.
- In 2017, NotPetya, seeded through a trojanized update to the Ukrainian accounting software M.E.Doc, spread globally and caused an estimated $10 billion in damages. Though disguised as ransomware, it was a wiper designed for destruction: paying the ransom offered no working path to recovery.
- In January 2022, weeks before the invasion, Russia deployed the WhisperGate wiper against Ukrainian organizations. On the day the invasion began, an attack on Viasat's KA-SAT network (the AcidRain wiper) knocked satellite modems offline in Ukraine and across parts of Europe.
China
China has focused on infiltration and pre-positioning for future conflicts.
- Volt Typhoon (disclosed 2023, detailed in 2024 U.S. government advisories): this group had maintained long-term, stealthy access to U.S. critical infrastructure, including power grids, ports, and pipelines, in some cases for five years or more. It relied on legitimate administrative tools rather than custom malware to avoid detection. The goal was not immediate disruption but readiness to disable systems during a crisis.
- Salt Typhoon (2024–2025): Targeted U.S. and global telecom operators and Internet providers, reportedly including systems used to fulfil court-authorized wiretaps. Compromising the communications backbone gives attackers visibility into vast amounts of traffic and the ability to interfere with it.
Salt Typhoon is espionage at national scale. Volt Typhoon goes beyond espionage: its pre-positioning demonstrates preparation for sabotage in the event of geopolitical conflict.
Other Examples
- Iran and Israel: Iranian hackers have stolen sensitive patient data from Israeli hospitals, while Israeli-linked groups have disrupted gas station payment systems and a steel plant in Iran.
- North Korea: The Lazarus Group has carried out both espionage and financial theft, including the 2016 theft of $81 million from the Bangladesh Central Bank, carried out by issuing fraudulent SWIFT transfer messages from the bank's own compromised systems.
GPS Spoofing
Cyber operations are not limited to computers. GPS spoofing attacks feed false navigation signals, disrupting aviation, shipping, and military operations. Civil GPS signals are unauthenticated and extremely weak by the time they reach a receiver, so a nearby transmitter can overpower them, and the receiver has no cryptographic way to tell a genuine signal from a forged one. In 2024, more than 900 flights per day were affected in and around conflict zones by spoofed GPS data.
Countermeasures
Cyber warfare is not one-sided. Defenders actively fight back.
In January 2024, the U.S. Department of Justice announced that it had disrupted the KV Botnet, a Chinese-controlled network used by Volt Typhoon to mask intrusions into U.S. infrastructure. The botnet relied on compromised end-of-life small-office and home-office routers. Under court authorization, the FBI removed the malware from infected routers and cut them off from the command-and-control servers, dismantling the network.
International cooperation has also brought down major criminal botnets. In January 2021, law-enforcement agencies from eight countries seized the Emotet botnet's infrastructure in a coordinated operation. Increasingly, governments and private companies share intelligence and act jointly to counter large-scale cyber threats.
Implications
Cyber warfare blurs the line between war and peace. Malware can spread around the world within hours, as NotPetya did, attackers can route operations through compromised machines in third countries, and attribution is difficult. States often deny involvement, maintaining plausible deniability.
For defenders, this means that critical infrastructure — from power grids and telecoms to hospitals and pipelines — is now a battlefield. Security planning must account not only for opportunistic criminals but also for patient, well-funded adversaries preparing for conflict years in advance.