The Threat of Nation-State Cyber Attacks

CYRIN Newsletter

The Threat of Nation-State Cyber Attacks

A spy on your home computer? An AI bot offering you a fake job or applying for one? Sounds like science fiction, but this science fiction has entered the real world. This month’s newsletter discusses how nation-state actors like China, Russia, North Korea, and Iran are embedding themselves within US systems. These malicious actors are not only leveraging vulnerabilities in everyday consumer hardware, but they are also turning domestic infrastructure into possible landing zones for espionage and geopolitical attacks against the United States and other countries. How did this happen and how can companies, the government and average individuals protect their data and sensitive information?

Exploitation of common infrastructure

This statement from Adrian Parham in his May 2026 article in Tech Times seems incredulous: “Your home router spent the past two years quietly working for Russian military intelligence — and nothing on your screen would ever have told you so.” Apparently, a state-sponsored actor (in this case Russia) has been covertly sinking their hooks into home routers (like TP-link and MikroTik) where they were hiding in everyday networks.

In April, in an operation that was called “Operation Masquerade” the “FBI, Department of Justice, National Security Agency (NSA), and partners from 15 countries announced the disruption of a sprawling covert network of compromised home and small-office routers operating across the United States.” It seems that something as simple as sending an email or working from home, as millions of people do, may have snagged users in a Russian operation directed by a Russian military intelligence division (GRU Military Unit 26165) known in the cyber universe as “APT28, Fancy Bear, or Forest Blizzard.”

By hijacking the routers, household devices became “silent surveillance tools.” In December 2025 at the peak of the problem, “more than 18,000 routers across at least 120 countries were feeding data to GRU-controlled servers” by rewriting a single setting inside the router, which “redirected” users to a fake login page that fed passwords and other authentication codes directly to Russian intelligence. In the United States, over “200 compromised organizations” were identified as impacted, including “5,000 consumer devices in more than 23 states.” The most alarming part was there was no alert, no popup, or any other clue to the user that the URL had been compromised in any way. The campaign to disrupt the operation— internally referred to as “FrostArmada” — was further described as “opportunistic,” seeking targets and individuals in government and military sectors, as well as critical infrastructure in the United States and at least six other countries.

Leading the initiative, Ted Docks, (special agent in charge of the Boston FBI) said that the FBI “utilized cutting-edge technology and leveraged our private-sector and international partners to unmask this malicious activity and remediate routers.”

In response to these attacks, router vulnerability has become a “severe cybersecurity risk” and thus a new area of national interest and policy making. As Parham reports, in March 2026, the FCC “banned the import of all new foreign-manufactured consumer routers into the United States.” The upshot is that your home router is a security device, and because it is linked to the internet, it will always have vulnerabilities. Consumers need to be vigilant and update the firmware, change defaults, and take every available security precaution, particularly those noted by the FBI, NSA, and Internet Crime Complaint Center.

The role of artificial intelligence and the “race” to win the tech war

A recent article by CNBC reports that U.S.-based cybersecurity giant CrowdStrike has warned of the potential for a dramatic uptick in cyberattacks from China-based entities, especially as countries fight to get ahead in the rapidly evolving world of AI and AI-related technologies. According to CrowdStrike, State-sponsored Chinese entities are aiming to “narrow the tech gap” by targeting tech companies and their AI assets. “China-nexus adversaries are escalating espionage against technology organizations to steal the AI capabilities and intellectual property they cannot build fast enough on their own,” CrowdStrike said.

This development follows on the heels of complaints from Anthropic and OpenAI about Chinese companies that “extracted competitive intelligence from the American tech companies.”

Ironically, in a long line of “tit-for-tat” reactions, on June 8, Fortune reported that Chinese officials were meeting with representatives from top Chinese tech companies including “Alibaba, ByteDance, and X.ai, about the government’s proposal to restrict overseas access to China’s most advanced AI models—including those not yet publicly released.”

Invisible, long-term infiltration

The problem with these attacks is that they can stay hidden for years. For example, citing a Google Threat Intelligence Report, CyberNews reports that between September 2023 and November 2025, a Chinese-linked hacking group spent more than a year stealing data they believed might be of interest to the Chinese government from academic, medical and military institutions before being detected. Google said that the high value information sought was “related to defense intelligence, military strategy in the Indo-Pacific, artificial intelligence, unmanned vehicles, cyber warfare programs and medical research.” According to the report, the organizations that were targeted, both in the US and Canada, employ “thousands of people with a combined research budget running into the billions of dollars.”

The hacking group UNC6508 — a new cyberespionage group that had not appeared on any security radars — was deemed responsible. Google said the organization's methods “are broadly consistent with Chinese-linked hacking activity seen over many years.” Some of the earliest detected activities exploited vulnerabilities in a web application called REDCap, “widely used by nonprofit organizations which helps users build and manage online surveys and databases.” Using “custom-built malicious software” the group managed to access sensitive personal data, including phone numbers and email addresses as well as “terms related to geo-strategic policy, military strategy, advanced technology, and medical research.” The data breach is alarming, but the lack of detection for long periods of time indicates advanced hacking strategies and workarounds of traditional security protocols.

Threats to critical infrastructure

Nation state actors compromising devices and organizations to steal sensitive data represents a serious risk to critical infrastructure. In addition, these incidents are more common during periods of geopolitical tension and conflict. A recent article by CNN reports that cybersecurity researchers discovered Iranian hackers posing as job recruiters — believed to be written by artificial intelligence - who targeted software engineers in the field of aviation. All this is thought to be “part of an elaborate espionage scheme during the US and Israeli war with Iran.” This tactic has been used by North Korean hackers in the past. This scheme used “AI personas” that successfully applied for remote tech jobs, allowing the authoritarian government to collect salaries while hackers stole important data or installed malware.

While Iran does not have missiles or drones able to hit the US and seems to pose less of a threat than China or Russia in this respect, American officials are on high alert for vulnerabilities and possible hacker intrusion in critical infrastructure, especially during a global conflict. It shows the lengths to which Tehran-linked hackers have gone to collect intelligence that could be useful for the regime’s survival in the face of US and Israeli airstrikes. If Iran had the ability to compromise aviation, oil and gas companies it could, in theory, track flight manifests or learn sensitive information about how US companies are handling the “volatile oil market.”

CNN reports that “like North Korea, Iran is making a concerted effort to infiltrate America’s high-tech sectors by posing as prospective employers or employees.”

The hacking campaign serves as a powerful warning to many “US critical infrastructure operators” who have tried to fully secure their systems despite years of federal exhortations. The main concern is that Iranian hacking groups will search for “low-hanging fruit” in critical infrastructure networks that manage oil, gas, and water systems.

Attacking critical infrastructure as a way of exacting maximum damage follows a pattern of behavior started by China, according to an op-ed by Geoffrey Cain in The Hill, who writes “The future that science fiction writers once warned about — autonomous systems deployed against the U.S. — arrived overnight.” Cain writes that these developments are “the bill coming due.” According to Cain, because Microsoft and other entities helped “develop China’s AI capabilities,” officials are now realizing that “building America’s defense infrastructure with Chinese supply chains was always a dangerous gamble.” Cain cites the urgency of this issue given the rapid advancement of AI in China. According to the article, both Microsoft and Amazon are “racing to move production out of China.”

According to a PBS news article, in the case of Iran, the goal is to “wear down the American war effort, drive up the costs of energy, strain cyber resources and cause as much pain as possible for American companies that depend on the defense industry.”

PBS went on to note that experts have their eye on Russia, China or other hackers to detect attempts to “undermine American operations in Iran” and put additional strain on the military. The report closed with the cautionary statement that essentially, Western organizations need to remain on “high alert.”

What can be done?

Cybersecurity officials encourage users to treat your home router like the security device that it is. Linked to the internet, it will always have vulnerabilities and to protect your data consumers must update firmware regularly, change default credentials and passwords, and take every available security precaution.

According to the Center for Strategic and International Studies, “The U.S. government and industry need to put considerable effort and resources toward making critical infrastructure and government systems resilient and ready for this new form of warfare. Systems must be able to fail, reset, and recover in minutes, not days, with minimal disruption to essential services.”

Perhaps most importantly in terms of global cybersecurity, government, private entities and government officials need to form resilient and robust security strategies that can meet the rapid escalation of AI’s advanced technologies and capabilities, while ideally anticipating ways in which these tactics might evolve.

How can CYRIN help?

We live in an increasingly dangerous and dynamic world, where cybersecurity flaws can be increased exponentially with the use of AI. It can become our partner, our friend, but in the wrong hands it can be a dangerous adversary. At CYRIN we’ve been working for years on these problems, setting up realistic skills-based training to develop systems and answers to some of these vexing questions.

We understand that continuing innovation is needed as the marketplace continues to change. That’s why we stress continuing education and training, because the job is never done. We continue to work with our industry partners to address major challenges and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.

For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce. In an increasingly digitized world, training and experiential training are critical. A full-blown cyberattack is not something you can prepare for after it hits, no matter who the adversary is.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Our new programs, including our new “mini labs,” AI, and Digital Twins, can create real-world conditions for you to practice before you must act. Cyber is a team effort; to see what our team can do for you look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

< Read other CYRIN Newsletters

Contact Us for details or to Set Up a CYRIN Demo
+1-800-850-2170 sales@cyrintraining.com

Watch CYRIN: The Next-Generation Cyber Range

Learn More About How CYRIN Online Training Can Benefit You