Historically, Western assessments of cyber threats have concentrated on state adversaries. More than 600 state-backed groups are tracked globally. Yet, for more than a decade, Western analyses and discussions of cyber threat concerns have focused mainly on four states: China, Iran, Russia and North Korea. Based on open-source reporting evaluated by the European Repository of Cyber Incidents (EuRepoC), these countries account for more than 70 per cent of the state-backed threats that Europe and its partners have faced since 2000.
[...]
Critically, in the current climate of heightened geopolitical tension, the operational divide between state and non-state actors shows signs of collapsing, as states seek to assert control over cyber capabilities both inside and outside their borders. A closer examination of EuRepoC data underscores the need for a more integrated understanding in the analysis of state and non-state actor threats. These trend lines are particularly pronounced in the case of the authoritarian states that have been dominating Western threat perceptions, drawing attention to the reinforcement that long-standing nation state threats derive from non-state capabilities. Russia, China and North Korea have developed their own distinct approaches. While Russia has provided sanctuary for criminal groups, China’s state programmes have served to accelerate the emergence of a domestic hacking industry. Charting its own path, North Korea has sought to create bridgeheads extraterritorially for its operators.
[...]
Russia: The safe haven blueprint
Russian cyber criminals make up nearly half of the most wanted list published by Germany’s Federal Criminal Police Office (BKA). That list typically includes individuals accused of high-profile crimes, such as members of the far-left terrorist organisation RAF, those who collaborated in the 9/11 attacks and individuals such as Jan Marsalek, the former chief operating officer of the now bankrupt payment processor Wirecard. The BKA list has had a notable success rate. Close to 70 per cent of suspects included on it since 1999 were arrested. However, in the case of the twenty-six people included on the list because of suspected links to the Russian criminal underground, there is little expectation of any breakthrough, despite German law enforcement and its international partners having collected a wealth of information on those individuals.
[...]
China: Command, control, deny
Unlike Russia, the People’s Republic of China (PRC) seeks to seize non-state cyber capabilities through the targeted development of a commercial ecosystem. This approach is part of the three-fold aim to establish command, control and deniability within the PRC cyber portfolio. As regards the first goal, command efforts are designed to secure unconditional authority over high-risk operations entrusted to the military.
Meanwhile, initiatives to strengthen control have centralised the coordination of cyber espionage objectives within the Ministry of State Security (MSS). This arrangement is supported by the legally mandated reporting of vulnerabilities and a network of hacking competitions that channel the findings of vulnerability research into offensive programmes. The MSS 13th Bureau’s management of the Chinese National Vulnerability Database ensures near-seamless integration into this vulnerability discovery system.
[...]
North Korea: Breaking out of isolation
The cyber activities of the Democratic People’s Republic of Korea (DPRK) are both a strategic continuation of and operational departure from the political, economic and military self-reliance strongly emphasised in the country’s state ideology. While the DPRK is attempting to break out, at least partly, of its self-imposed isolation through its cyber programme – thereby demonstrating the political will and the capability to innovate means of subverting international sanctions – it is also making considerable efforts to leverage non-state capabilities beyond its own borders. Despite its diplomatic isolation, the DPRK has been able to enlist foreign tools and know-how to steal cryptocurrency and use blockchain-based technologies developed by a global decentralised community of engineers to launder funds and thereby support the development of its military capabilities. To generate revenue and alleviate the pressure of sanctions, the DPRK has sought to leverage legitimate platforms and expertise, which become criminally liable – and thus a focus of interest – only when co-opted in this way.
[...]
Calibrating responses [by the EU and the West]
In the absence of an integrated understanding of how authoritarian actors leverage non-state resources, the potential of tactics to slow down and fragment attribution efforts may weaken the response toolkit developed by EU member states. Currently, key cyber diplomacy tools – such as sanctions – remain closely tied to attribution. Addressing senior officials responsible for developing cyber policies/practices in May 2025, Germany’s cyber ambassador, Maria Adebahr, recognised that efforts to hold threat actors accountable are dependent on this link to attribution. Implicit in this recognition is the need to develop response options that are independent of attribution.
Capturing non-state capabilities allows authoritarian states to increase their capabilities pool and step up their operational tempo. Diplomatic measures that address the interweaving of state and non-state capabilities have a strong complementary potential. They include not only initiatives aimed at restricting access for threat actors to legitimate platforms and disrupting criminal tools; information sharing – as part of a regular exchange with friendly jurisdictions – with a view to developing a common threat perception could support due diligence efforts to constrain the room for manoeuvre overseas and facilitate the takedown of shadow infrastructure. A response framework that remains fit for purpose requires a range of tools that can match the changing scope of the threat.