Nation-State Actor
What is Nation-State Actor?
Nation-State Actor: A government-sponsored or government-aligned threat actor that conducts cyber operations to pursue strategic, intelligence, military, or economic objectives.
Nation-state actors are intelligence agencies, signals-intelligence organisations, military cyber commands, or contractors operating under state direction. They conduct long-running campaigns for espionage, pre-positioning in critical infrastructure, sabotage, influence operations, and offensive cyber operations. Examples include Russia-linked Sandworm and APT29 (Cozy Bear), China-linked APT41 and Volt Typhoon, Iran-linked APT34 (OilRig) and Charming Kitten, North Korea-linked Lazarus Group, and US/Five-Eyes capabilities documented in the Shadow Brokers leaks. They typically have larger budgets, custom malware, zero-day exploits, supply-chain access, and operational security exceeding that of most criminal groups. Attribution combines technical indicators, infrastructure, language artefacts, victimology and intelligence reporting.
● Examples
- 01 NotPetya in 2017 and multiple attacks on Ukrainian power infrastructure were attributed to Sandworm (Russia GRU Unit 74455).
- 02 Volt Typhoon (China) was disclosed in 2023 as pre-positioning in US critical infrastructure for potential disruption.
● Frequently asked questions
What is Nation-State Actor?
A government-sponsored or government-aligned threat actor that conducts cyber operations to pursue strategic, intelligence, military, or economic objectives. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Nation-State Actor?
Defences for Nation-State Actor typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Nation-State Actor?
Common alternative names include: State-sponsored actor, State actor.
● Related terms
- defense-ops № 057
APT Group
A named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors.
- defense-ops № 1145
Threat Actor
An individual or group that intentionally causes or attempts to cause harm to information systems, organisations, or people through cyber operations.
- attacks № 017
Advanced Persistent Threat (APT)
A stealthy, well-resourced threat actor — typically state-sponsored — that gains long-term, undetected access to a target network to steal data or pre-position for disruption.
- defense-ops № 1148
Threat Intelligence
Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.
- defense-ops № 1131
Tactics, Techniques and Procedures (TTPs)
A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).
- attacks № 1116
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
● See also
- № 458 Hacktivist