There is a version of the cybersecurity threat landscape that most senior executives have absorbed from press coverage and board briefings. In this version, the main threat is ransomware gangs who encrypt your data and demand payment. Nation-states occasionally appear as a background presence — something that happens to defence contractors and intelligence agencies, not to commercial organisations.
This picture is outdated, incomplete, and leads to defensive investments that leave significant gaps.
The Fundamental Difference in Motive
Criminal ransomware groups want money. That’s it. Their behaviour follows from that motive with a consistency that makes them, in some ways, predictable. They target organisations where disruption creates leverage. They don’t care about your intellectual property, your customer relationships, or your long-term viability. They want a payment, and then they’re gone.
Nation-state actors have objectives that are entirely different in character, and which vary significantly between states.
Russia’s primary cyber objectives against Western commercial targets have included: gathering intelligence on sanctions evasion opportunities and the effectiveness of economic measures, gathering data on Western political figures and their advisors, pre-positioning in critical infrastructure for potential future disruption, and — particularly relevant to the current period — supporting information operations by gathering and leaking material that shapes public narratives.
China’s primary objectives include long-term economic espionage — the sustained, patient collection of intellectual property, trade secrets, merger and acquisition plans, and commercial intelligence across a wide range of industries. Chinese state actors have been active in pharmaceutical research, aerospace manufacturing, semiconductor design, and financial services — wherever commercial intelligence has long-term economic value.
Iran focuses on different targets: organisations with visibility into Gulf state affairs, Jewish community organisations, Western defence contractors, and increasingly, energy infrastructure in countries that host US military presence.
North Korea is the outlier: a state actor with strong financial motivations, responsible for some of the most significant cryptocurrency thefts in history, using cyber operations partly to fund state programmes under sanctions.
The “We’re Not a Target” Assumption
The most dangerous assumption in the boardroom is that nation-state targeting is reserved for governments, defence contractors, and intelligence agencies. This was never entirely true, and is increasingly false.
The pharmaceutical sector learned this during the COVID-19 pandemic, when vaccine research was targeted by multiple state actors — most famously by Russian intelligence seeking to steal and publish Western vaccine data. The targeting wasn’t about preventing vaccination. It was about gathering intelligence and gaining leverage.
Financial services firms are targeted for intelligence about sanctions effectiveness, capital flows, and commercial decision-making. Law firms handling M&A transactions are targeted for deal intelligence. Technology companies are targeted for source code and product development roadmaps. Universities are targeted for research in any area that has dual commercial and strategic value.
The question is not “are we important enough to be a target?” The question is “what do we have that a state actor might want?” Almost every substantial commercial organisation has something: customer data, proprietary processes, financial information, commercial relationships, or simply access to systems that are interesting to a patient adversary building a network of footholds.
The Difference in How They Operate
Nation-state actors operate differently from criminal ransomware groups in ways that have direct implications for detection and defence.
Patience. A ransomware group typically moves from initial access to ransom demand in hours or days. Nation-state actors may maintain access for months or years before taking any action that would attract attention. Volt Typhoon maintained access in US critical infrastructure systems for at least five years in some cases. This means your logging and detection capabilities need to look back further, and your indicators of compromise need to be subtler.
Living off the land. Nation-state actors prefer to use tools and techniques that are already present in your environment: built-in Windows administration tools, legitimate remote access software, credentials obtained through phishing or credential theft. They deploy less custom malware than popular perception suggests, precisely because custom malware can be detected. This makes them harder to identify with standard signature-based detection.
Selective action. Criminal groups act on access immediately. Nation-state actors may act on only a fraction of the access they hold, and only when circumstances call for it. A clean bill of health from last quarter’s penetration test therefore says nothing about whether you are currently hosting a persistent presence that has simply not yet been told to do anything.
Practical Implications for Business Leaders
The defensive implications of a nation-state threat are different from those of a criminal threat.
For criminal ransomware, the priority controls are: patch management, MFA, offline backups, and network segmentation. These are high-return investments precisely because criminal actors are opportunistic — they move on when the friction is too high.
For nation-state threats, you additionally need: comprehensive logging with long retention periods, anomaly detection that can identify subtle patterns of activity, regular threat hunting exercises that go beyond automated detection, and a programme of intelligence-sharing with NCSC and sector peers.
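The living-off-the-land problem above and the anomaly-detection control listed here come together in one idea: a built-in administration tool is not a signature, but an account using one it has never used, or from a parent process it has never used, is. The following is an added illustration, not code from the original article; it runs over a constructed set of process-creation records (shaped like Sysmon Event ID 1 or Windows event 4688) and builds a per-account baseline from the long-retention portion of the log before hunting in the recent window. The tool list, account names and dates are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Built-in Windows administration tools that are legitimate in everyday use, so
# their mere presence is not a signature; only deviation from baseline is (assumed list).
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "net.exe", "schtasks.exe"}

# Constructed process-creation records in the shape of Sysmon Event ID 1 / Windows 4688:
# (timestamp, account, parent process, created process). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-01-03T09:10:00", "CORP\\helpdesk1", "explorer.exe", "powershell.exe"),
    ("2024-01-17T14:22:00", "CORP\\helpdesk1", "explorer.exe", "wmic.exe"),
    ("2024-02-10T09:00:00", "CORP\\jsmith", "explorer.exe", "excel.exe"),
    ("2024-03-05T10:05:00", "CORP\\helpdesk1", "explorer.exe", "powershell.exe"),
    ("2024-04-22T16:30:00", "CORP\\jsmith", "explorer.exe", "outlook.exe"),
    # Recent window: routine for the helpdesk account, so it must not alert.
    ("2024-06-18T09:15:00", "CORP\\helpdesk1", "explorer.exe", "powershell.exe"),
    # A finance account launching PowerShell from Word for the first time ever.
    ("2024-06-20T02:13:00", "CORP\\jsmith", "winword.exe", "powershell.exe"),
    # Same tool the helpdesk account already uses, but from an unfamiliar parent.
    ("2024-06-21T02:20:00", "CORP\\helpdesk1", "svchost.exe", "wmic.exe"),
]

def build_baseline(events, cutoff):
    """Per-account set of (parent, process) pairs seen before cutoff.
    Retention matters here: a baseline built from only a few weeks of logs
    will call normal helpdesk activity 'new' and bury the real anomaly."""
    baseline = defaultdict(set)
    for ts, user, parent, proc in events:
        if datetime.fromisoformat(ts) < cutoff:
            baseline[user].add((parent, proc))
    return baseline

def hunt(events, baseline, cutoff):
    """Flag admin-tool executions after cutoff that the account has no history of."""
    alerts = []
    for ts, user, parent, proc in events:
        if datetime.fromisoformat(ts) < cutoff or proc not in ADMIN_TOOLS:
            continue
        seen = baseline.get(user, set())
        if (parent, proc) in seen:
            continue  # routine for this account: no alert, even though it is an admin tool
        if any(p == proc for _, p in seen):
            reason = f"{proc} launched from unfamiliar parent {parent}"
        else:
            reason = f"account has never run {proc} in the baseline window"
        alerts.append((ts, user, reason))
    return alerts

def run_hunt(events=SAMPLE_EVENTS, cutoff=datetime(2024, 6, 1)):
    return hunt(events, build_baseline(events, cutoff), cutoff)

if __name__ == "__main__":
    for ts, user, reason in run_hunt():
        print(ts, user, reason)
```

Running it flags only the two deviating events; the helpdesk account's routine PowerShell use, identical at the tool level, produces no alert.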
The budgets required are different. The skills required are different. The suppliers who can help are different.
Most importantly: the risk conversations that boards need to have are different. A board that frames cyber risk purely in terms of ransomware probability and ransom quantum is missing a class of threat that is harder to detect, more difficult to remediate, and potentially more consequential — even if it never makes the evening news.