02/05/2026 | Press release | Archived content
In 2026, cyberwarfare has become one of the most relevant tools of state power projection. This domain of warfare has seen numerous developments in the last few years, with capable actors such as China, Russia, Iran, and North Korea demonstrating that cyberattacks can be highly valuable, whether by damaging critical infrastructure or by enabling the collection of election-defining kompromat. All of this rests on the ability to act under plausible deniability, thanks to a wide range of actors that operate outside of traditional state structures. At the same time, while the Chair of the NATO Military Committee, Admiral Cavo Dragone, notes that the Atlantic Alliance was evaluating pre-emptive hybrid actions against Russia, a debate is also emerging in Washington on whether private companies should play a more direct role in supporting offensive cyber operations. These are the symptoms of a larger development that sees even Western democracies becoming more active in the aggressive realm that is cyberspace, "dipping a toe" in the waters of "state hacking". Taken together, these signs point to a wider trend in which cyber competition is no longer confined to revisionist powers, but becomes a day-to-day tool of statecraft.
"State hacking" has become a catch-all label for a wide range of malicious cyber activity linked, either directly or indirectly, to governments. However vague, the term points to a very concrete geopolitical reality: cyber operations are now embedded in states' power-projection toolset. We can define "state hacking" as a spectrum of threats with varying relationships to the state. Specifically, these operations can be: i) state-directed, if conducted by government agencies; ii) state-sponsored, if conducted by non-government actors receiving tasking, funding, tooling, or intelligence; and iii) state-aligned, if conducted by actors whose activity consistently serves a state's interests without clear evidence of direct tasking.
Examples abound for each of these categories. For the first one, all "legally-bound" units embedded in a country's formal command-and-control structure can be cited; namely, organisations that operate under an explicit mandate, clear chains of authority, and political oversight. The U.S. Cyber Command is a clear example, as is the Joint Task Force Ares, which was responsible for the cyber operations carried out against ISIS in 2016-17.
As for state-sponsored operations, the infamous "APT groups" are generally mentioned. APT stands for "advanced persistent threats", a label used to describe actors that combine sophisticated operations with long-term, mission-driven targeting. These methods are difficult to sustain without significant resourcing, such as that provided by states. Classic examples include the Chinese "APT1", associated with multiple espionage campaigns against government networks, or the Russian "Sandworm", the malicious actor behind the 2015 cyberattack that disrupted Ukraine's power distribution. Cases such as these have become benchmarks for what "state-level" capability looks like in practice.
State-aligned operations, by contrast, are generally less organised and less effective, as they rely on looser networks of ideologically motivated actors (hacktivists or patriotic hackers) that act in ways broadly consistent with a state's interests, but mostly independently, favouring simpler tactics (website defacements or DDoS) over complex, stealthy intrusions. A commonly cited example is the wave of DDoS attacks against Estonia in 2007, an early illustration of how politically motivated digital mobilisation can create real pressure on modern societies.
"CRINK" is an acronym for what has been defined as a "new axis" in international politics, connecting a range of revisionist actors that are among the most aggressive and capable in cyberspace: China, Russia, Iran, and North Korea.
China
China has largely treated cyber operations as a long-term espionage tool designed to deliver economic and strategic advantage. That logic is visible in cases explicitly framed as commercial theft, such as the 2014 U.S. indictment of five PLA officers accused of hacking American firms in sectors like nuclear power, metals, and solar to support Chinese interests, and in later allied attributions describing APT10 activity conducted on behalf of China's Ministry of State Security to steal intellectual property and sensitive commercial data internationally.
In order to pursue these objectives, Chinese operators have repeatedly targeted IT intermediaries, such as managed service providers and software supply chains, so that a single upstream compromise could yield access, tooling, and repeatable methods against many downstream organisations, as illustrated by the "Cloud Hopper" campaigns that used MSPs as a multiplier to reach clients globally.
Russia
Among the CRINK group, Russia stands out as one of the most capable cyber actors, combining a long-standing and highly "litigious" hacking culture with a multi-layered and sophisticated ecosystem of APT groups.
Many of these clusters are assessed to belong to Russia's security apparatus (GRU, FSB, and SVR), with their scope of operations ranging from intelligence collection to disruptive operations, used as instruments of both coercion and warfighting.
Indeed, Russian-sponsored threat actors went on to run some of the most consequential campaigns of the last decade: the 2020 SolarWinds supply-chain attack, widely attributed to SVR-sponsored APT29, showed how patient access operations can move laterally through trusted providers and reach far beyond the initial scope of the operations; while the ViaSat KA-SAT incident on the eve of the 2022 invasion of Ukraine illustrated how cyber can be used to degrade satellite communications and possibly favour ground operations.
Iran
As a player that inevitably looks at regional dominance, Iran persistently uses its capabilities to target actors within the confines of the Middle East: while the United States still remains one of its top priorities, the highest share of the cyberattacks that it launched in 2024 was directed at Israel (64%).
What makes Iran especially relevant in the "state hacking" spectrum is how it blends overtly state-linked units with "hacktivist" branding to keep attribution murky. A clear example is the "CyberAv3ngers" campaign, during which the actors left a defacement message explicitly tying their targeting to "made in Israel" equipment. Within weeks, the U.S. government formally attributed the activity to officials in the Islamic Revolutionary Guard Corps, showcasing how hacktivists can function as state instruments.
North Korea
North Korea stands out within the CRINK set, as its attributed cyber operations largely serve as a "sustainable" revenue source for the regime, while also serving as tools of intelligence collection. Indeed, DPRK-linked actors are estimated to have stolen $2 billion in cryptocurrency in 2025, a record in the history of state-hacking.
Moreover, the U.S. DoJ and FBI have described schemes in which North Korean operators, while using stolen or fake identities, obtain remote IT jobs at unwitting companies, in order to generate income and access, with some cases escalating into extortion once discovered. U.S. authorities have explicitly linked these proceeds to funding priorities, such as prohibited weapons programs, illustrating how crime, espionage, and state strategy converge into the same operational ecosystem.
Rather than a single clearly attributable act, as is often the case in conventional warfare, "state hacking" has shown itself to be a spectrum of state control that allows governments to launch operations while managing escalation with their targets by exploiting anonymity and plausible deniability. Indeed, the wide range of actors that states have at their disposal allows them to operate below the threshold of war.
In this context, the revisionist CRINK axis has proven to be among the main exploiters of these mechanisms. While China employs cyber espionage for long-term economic and technological gain, Russia integrates disruptive cyberattacks into coercive campaigns and even active warfare. In turn, Iran leverages ideologically aligned "hacktivist" proxies to project regional power with plausible deniability, and North Korea harnesses financially motivated hacking to bankroll its regime's objectives. Outside of this set, Western democracies are attempting to harness private companies' skills for state hacking, going beyond the original militarised units and even the APT groups in service to Washington, such as the Equation Group. As previously mentioned, in the United States, drafts of a forthcoming national cyber strategy reportedly explore bringing private companies more directly into support for offensive cyber operations, beyond today's role of building tools and capabilities: a role for private firms that is today prohibited by U.S. law.
In this constant theatre of competition, target states, companies, and citizens can rarely take a moment of respite: the "grey zone", that phase of conflict that encompasses all below-threshold activities, is an ever-threatening condition that they have to face. As cyberattacks disrupt economies and erode public trust in security across entire societies, the priority becomes reinforcing resilience and being proactive regarding cybersecurity. In this sense, we can read European legislative initiatives (however draconian they may be) as one of the main tools at our disposal to defend our societies from a reality that is constantly threatening and difficult to foresee. Proactive measures are needed as the instability of cyberspace spreads across the fabric of our societies.