惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
D
DataBreaches.Net
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
B
Blog RSS Feed
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
S
Secure Thoughts
Y
Y Combinator Blog
The Last Watchdog
The Last Watchdog
L
LINUX DO - 最新话题
V2EX - 技术
V2EX - 技术
腾讯CDC
GbyAI
GbyAI
G
Google Developers Blog
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
Schneier on Security
Schneier on Security
Microsoft Security Blog
Microsoft Security Blog
Jina AI
Jina AI
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
MyScale Blog
MyScale Blog
Help Net Security
Help Net Security
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
AI
AI
MongoDB | Blog
MongoDB | Blog
Scott Helme
Scott Helme
J
Java Code Geeks
Engineering at Meta
Engineering at Meta
H
Heimdal Security Blog
H
Help Net Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
云风的 BLOG
云风的 BLOG
Microsoft Azure Blog
Microsoft Azure Blog
S
Security Affairs
TaoSecurity Blog
TaoSecurity Blog
The GitHub Blog
The GitHub Blog
Hacker News: Ask HN
Hacker News: Ask HN
Martin Fowler
Martin Fowler
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Last Week in AI
Last Week in AI

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ
2025-12-17 · via Recorded Future

Executive Summary

Regional conflicts and weakened international institutions are driving the use of offensive cyber operations beyond the “Big Four” (China, Russia, Iran, and North Korea). Monitoring these threat actors requires organizations to proactively assess their geopolitical risk to understand where future threats are most likely to emerge.

In 2025, Recorded Future identified at least twenty actors across thirteen “non-Big Four” countries conducting cyber operations, primarily linked to regional conflicts, domestic surveillance, or foreign espionage.

Companies should closely monitor regional geopolitics and maintain strong continuity and resilience plans to protect against cyber espionage or disruptive cyberattacks.

Figure 1: Trends influencing how and why state-sponsored actors beyond China, Russia, Iran, and North Korea carry out cyber operations (Source: Recorded Future)

Analysis

While the “Big Four” account for the majority of reported cyber threat activity, many other countries use cyber operations to advance their strategic interests. Recorded Future data shows that most observed activity outside of the “Big Four” stems from regional conflicts. Patriotic hacktivist groups, which advance state interests alongside state-sponsored espionage operations, represent the highest volume of reported activity. The degree of coordination between hacktivists and the government remains unclear and likely varies. However, their actions are included in this assessment because of their close alignment with state objectives, which means their activity correlates with interstate conflict risk.

Outside of active conflict, espionage against foreign and domestic targets continues to be a major driver of cyber operations. The most cyber-capable states invest heavily in avoiding detection and attribution, given the significant negative political consequences of exposure.

Tracking threat actors beyond the Big Four requires organizations to understand their geopolitical risk in order to anticipate where threats are most likely to emerge. Operating in certain regions or conflict zones likely increases the risk of cyber espionage or destructive attacks.

Regional Cyber Conflicts

Territorial disputes drove nearly two-thirds of observed cyber activity in 2025, according to Recorded Future data. Cyber operations focused on intelligence collection against government, defense, and other critical infrastructure. Hacktivists escalated their activity during conflicts, carrying out nuisance-level attacks amplified through influence operations. Like hacktivists, influence operations align closely with state interests during conflict, but have varying degrees of connection to the state. These activities rarely affect battlefield outcomes but are designed to signal technical sophistication or moral superiority over the adversary.

India and Pakistan

Between May 7 and 10, 2025, India and Pakistan exchanged a series of missile strikes — the most serious escalation between the two nuclear-armed countries in decades. Throughout the crisis, large volunteer hacktivist communities on both sides conducted disruptive attacks, primarily DDoS and website defacements. Pakistan-linked APT36 conducted espionage operations targeting the Indian government and other politically motivated targets, while threat actors linked to the Indian government, such as SideWinder, pursued Pakistani military targets.

Figure 2: Cyber activity between India and Pakistan spiked alongside the outbreak of armed conflict in May 2025 (Source: Recorded Future)

Influence operations intended to shape perceptions of the conflict also intensified. Influence networks amplified hacktivist claims, often overstating their impact, such as widespread reporting on Pakistani social media that hackers had shut down 70% of India’s electric grid. These operations are intended to portray their own side as more capable and their adversary as vulnerable, underscoring the importance of narrative control in conjunction with military operations.

Thailand and Cambodia

Similar to cyber engagements observed between India and Pakistan, hacktivist operations bolstered by influence campaigns significantly escalated between Thai hackers and Cambodian hackers following the May 2025 conflict. These were largely carried out by self-proclaimed patriotic hacktivist groups. Operations included DDoS attacks, website defacements, and data leak operations. More targeted hack-and-leak operations were also intended to reveal politically damaging information about the other country’s leadership. Influence operation narratives emphasized that the opposing side was the aggressor in the conflict, likely in order to garner both domestic and international support.

Morocco and Algeria

While tensions between Morocco and Algeria have not escalated into armed conflict, cyber hostilities increased significantly in 2025. In the context of these tensions, pro-Algerian hacktivists have allegedly carried out a series of high-profile attacks on Moroccan institutions, striking the National Social Security Fund, the National Agency for Land Conservation, and the Ministry of Justice. The hackers, going by JabaROOT, leaked personal and financial data of millions of Moroccan citizens, potentially exacerbating existing domestic tensions over income disparity. The cyberattacks may have been intended to demonstrate Moroccan vulnerability while maintaining a level of deniability for the Algerian government. Moroccan hacktivists responded with retaliatory data breaches against the Algerian government and education institutions.

Espionage Operations Outside of Armed Conflict

While many more countries almost certainly engage in cyber espionage, the following threat actors have been tracked attempting to collect information on targets of political significance:

  • While India-linked threat actors such as SideWinder and Bitter have traditionally targeted neighbors like Pakistan, Sri Lanka, and Bangladesh, espionage against European diplomatic entities increased significantly in 2024, demonstrating a broader targeting scope.
  • Vietnam has accelerated its development of cyber capabilities. APT32, likely linked to the Vietnamese government, has carried out operations against Chinese cybersecurity researchers as well as against internal dissidents. In the past, this group has also targeted car manufacturers, foreign governments, and others, driven by geopolitical and economic priorities.
  • At least two threat actor groups observed conducting espionage operations have been linked to Türkiye: Marbled Dust and StrongPity, who prioritize regional and domestic targets. In addition, a robust online community of patriotic hacktivists targets regional and international adversaries, whether historical (such as Armenia and Greece) or in modern disputes (France and Germany).
  • Stealth Falcon, linked to the United Arab Emirates, has been observed exploiting a zero-day vulnerability to target a Turkish defense organization. The group has been active since at least 2016, targeting government and defense organizations primarily in the Middle East and Africa.

Political and diplomatic priorities make intelligence targets predictable. Organizations should assess not only their regional exposure but also whether their industry aligns with strategic priorities, as sectors tied to national strategy are the most likely targets for espionage.

Domestic Surveillance Activity

Many states use their cyber capabilities to monitor domestic security concerns, which can include law enforcement or national security priorities, monitoring political opposition, or conducting economic espionage on behalf of a key national industry. Domestic surveillance capabilities are often supplemented with commercial off-the-shelf spyware, such as Intellexa’s Predator or Candiru’s DevilsTongue. Similar to understanding political priorities for cross-border espionage, companies should assess whether they possess data that may be of political significance to the government of a country in which they operate. States that lack sufficient oversight or legal privacy protections pose an increased risk of intrusive cyber monitoring and surveillance.

Figure 3: (Left) Graphical representation from the Insikt Group report titled Dark Covenant of the direct and indirect links between Russian Intelligence Services and individuals in the Russian cybercriminal underground; (Right) Infographic of reported cyberattack by Russian state-backed ransomware operators against German military contractors

(Source: Recorded Future)

Outlook

  • Cyberattacks are likely to increase as international alliances weaken: The Thailand-Cambodia and India-Pakistan conflicts demonstrate an increased willingness to use force to pursue regional goals. Deployments in multilateral peacekeeping operations decreased by 40% over the last decade, likely due to challenges in generating the necessary support for intervention. This makes it more likely that states will turn to violence to resolve disputes, as opposed to non-violent negotiations. Cyber and influence operations are becoming increasingly common features in these conflicts, serving as a low-cost means of signaling strength, shaping narratives, and imposing limited disruption.
  • Cyber capability build-up may follow conventional military build-up: NATO countries in Europe, as well as South Korea and Japan, are increasing their military spending. While many of these countries already have advanced cyber capabilities, they may seek to invest in more sophisticated offensive capabilities to augment conventional forces. Legal and doctrinal changes, such as in Japan and South Korea, are also laying the groundwork for a shift from a defensive cyber policy to an offensive posture.
  • Commercial cyber capabilities may be sought for interstate conflict: Countries seeking to gain a cyber advantage in advance of a regional conflict may turn to commercial offensive tools, similar to the growing reliance on these tools for internal law enforcement or counterterrorism operations. This reduces the barrier to entry for smaller or less technically mature states, enabling more actors to conduct sophisticated intrusions, targeted espionage, and high-impact disruption.

Mitigations

  • Use Recorded Future’s Geopolitical Intelligence to monitor regional conflicts and geopolitical developments for risks to international and outsourced operations.
  • Use Recorded Future’s Threat Intelligence to track threat actor groups and detect TTPs associated with non-Big Four countries.
  • Understand the risk of surveillance for personnel traveling to high-risk countries and take mitigating actions such as using alternative devices. Use Recorded Future’s Country Risk Data in the Geopolitical Intelligence module to assess surveillance and other travel risks.
  • Ensure continuity-of-operations plans are in place to mitigate the impacts of disruptive or destructive attacks. Use Recorded Future Analyst-on-Demand for bespoke research on how your organization might be targeted.

Figure 4: Starting with these four questions can help you understand threat actors’ motivations for targeting your organization (Source: Recorded Future)

Risk Scenario

A longstanding territorial dispute between Country A and Country B erupts into a military skirmish at the border, with risks of further escalation. Country A is home to a robust business process outsourcing industry serving some of the world’s largest international corporations.

First-Order Implications

Groups claiming to be patriotic hacktivists from both countries conduct hack-and-leak operations and website defacements. These are amplified by partisans on social media who often exaggerate the impact of these attacks.

  • Competitive disadvantage: Hack-and-leak operations expose sensitive internal documents, including proprietary trade secrets and embarrassing communications.
  • Increased surveillance risk: The conflict increases domestic surveillance activity in Country B to monitor for internal threats. International employees traveling to Country B are subject to enhanced surveillance.

Second-Order Implications

Actors claiming to be hacktivists supporting Country A escalate cyber operations, carrying out persistent cyberattacks against Country B’s electrical grid. As a result, Country B experiences rolling blackouts in the capital city.

  • Operational disruption: The blackouts prevent call centers from performing essential business functions, resulting in significant service delays and revenue losses for corporations worldwide.
  • Physical security risk: Anger over blackouts increases public support for escalating operations against Country A. The escalation of conflict increases the risk of harm to employees or the destruction of facilities.

Third-Order Implications

The United States and China become increasingly involved in the conflict between Country A and Country B, providing military, logistical, and cyber capabilities to their preferred country. The external support prolongs the conflict and increases the risk of involving neighboring countries.

  • Conflict escalation: With more weapons and logistical support from great power backers, fighting between Country A and Country B expands from the border to strikes further in the interior. Both military and civilian casualties increase as violence escalates.
  • Regional economic impact: Extended disruptions may cause international corporations to move operations to more stable regions, leading to a negative economic impact in the region.

Further Reading