Blog

State-Sponsored Cyber Operations: 5 Motives Security Teams Need to Understand

Written by UltraViolet Cyber | Jun 8, 2026 6:13:49 PM

Chinese intellectual property theft costs the US economy an estimated $225 to $600 billion annually. That's only what gets reported. The figure accounting for unreported and undisclosed theft could stretch into the trillions. Yet most security teams still think about state-sponsored threats primarily through the lens of espionage: nation-state actors stealing classified information from government agencies and defense contractors.

That framing is too narrow. State-sponsored operations span five distinct objectives, each with different targets, different TTPs, and different timelines for impact. Understanding where your organization fits into that picture changes what you prioritize and where you have gaps.

STATE-SPONSORED OBJECTIVES
Espionage: IP theft, intel gathering, surveillance, political insight
Disruption and destruction: DDoS, wipers, ransomware
Influence: disinformation, deepfakes, hack-and-leak, troll networks
Financial gain: crypto theft, cyber heists, IT worker fraud, FASTCash cash-outs
Pre-positioning: long-term covert access to critical infrastructure and OT

Espionage: The slow burn most teams underestimate

Espionage accounts for the highest volume of APT group activity, and it's also the motive whose impact is most consistently underestimated. The objective is straightforward: access and collect sensitive intelligence, strategic data, or intellectual property to give the sponsoring state a strategic, economic, military, or political advantage. The operational signature is long-term, stealthy persistence. The longer an actor goes undetected, the more they collect.

APTs operating for espionage purposes rely heavily on custom backdoors that maintain persistent network access. Chinese state-sponsored groups share malware families across actors. PlugX, ShadowPad, and the China Chopper web shell are used by multiple Chinese APTs, which aids state-level attribution but can complicate attribution to a specific group.

The real-world impact of IP theft is easy to visualize with one case. Starting around 2007, a Chinese national coordinated with members of the People's Liberation Army to steal classified data on US military technologies, including design information on the F-22 and F-35 fighter jets. In late 2025, the PLA Air Force released the J-35A stealth fighter. The structural similarities to the F-35 are not coincidental. That's one documented case out of an ongoing campaign that costs the US economy hundreds of billions per year.

When a ransomware attack hits, the impact is immediate and hard to miss. Espionage doesn't work that way. The effects show up in competitive position, military capability, and geopolitical leverage, often years or decades later. That delayed impact is precisely why it tends to get less operational attention than the threat warrants.

ESPIONAGE SUB-OBJECTIVES
IP theft: blueprints, designs, proprietary technology. Impact: military and economic competitiveness.
Intel gathering: classified data, M&A plans, strategy documents. Impact: geopolitical and economic leverage.
Surveillance: PII, credentials, communications. Impact: account compromise, social engineering.
Political insight: government communications, policy strategies. Impact: advantage in summits, negotiations, and policy.

A few points worth keeping in mind: espionage operations target individuals as much as organizations, collecting PII, credentials, and communications for downstream social engineering. They target smaller organizations with niche access or data, not just large enterprises with obvious target value. Initial access still relies heavily on spear phishing and known vulnerabilities, with data exfiltrated through established C2 channels or cloud storage accounts.

Disruption and destruction: Selective, not random

Disruptive and destructive attacks generate more dramatic coverage, but they're deployed more selectively than espionage. Most sophisticated state-sponsored actors have the technical capability to launch them. Very few do, and when they do, it tracks with specific conditions: active military conflicts, sanctions, or significant geopolitical flashpoints.

Russia's Sandworm group attacked Ukraine's power grid in 2015, 2016, and 2022. NotPetya in 2017 caused an estimated $10 billion in global damage, with supply chain effects that spread far beyond the initial targets. The pattern is consistent: these attacks function as offensive weapons or retaliatory measures, not opportunistic strikes.

There's a lower-severity version worth tracking separately. State-sponsored actors have been embedding themselves in hacktivist networks to conduct disruptive attacks with plausible deniability. Individuals linked to Sandworm have been identified operating within the Cyber Army of Russia Reborn (CARR). The benefit for state actors is operational: hacktivist-style attacks are easier to execute and typically don't meet the threshold for a proportional government response.

State-sponsored ransomware sits in a distinct category. Some APT groups have deployed low-sophistication ransomware with relatively low ransom demands, which on the surface doesn't fit the financial motive pattern. The more likely explanation: ransomware serves as cover. When SOC and IR teams pivot to their ransomware playbook, concurrent espionage activity can go undetected, potentially resulting in more significant data loss than the ransomware itself. At its most effective, state-sponsored ransomware enables disruption, espionage, and financial gain from a single operation.

The supply chain dimension matters here. A disruptive attack against a vendor, distributor, or infrastructure provider can ripple through dependent organizations that weren't directly targeted and have no visibility into the original incident.

Influence operations: Division is the product

The most common misunderstanding about influence operations is the objective. State-sponsored influence actors aren't trying to generate sympathy for their country among foreign audiences. They're trying to deepen existing divisions within the target country: between citizens, between institutions, between political factions.

The mechanism is disinformation, not persuasion. Russia's Reliable Recent News (RRN) network, part of the Doppelganger campaign, is dedicated infrastructure for spreading pro-Kremlin content at scale. The same campaign spoofs legitimate news outlets, including The Washington Post, to introduce false narratives into legitimate media channels. A fabricated story about a Ukrainian assassination plot against then-President-elect Trump was re-shared as fact by The Times of London.

Disinformation: deliberately false; created and spread with intent to mislead. Source: state-sponsored actors. Examples: fake news sites, deepfakes, troll accounts, hack-and-leak.
Amplified as:
Misinformation: false information spread without malicious intent by people who believe it is true. Source: ordinary users. Examples: shared social posts, re-reported articles, family dinner conversations.

At the organizational level, the risk is more concrete than it might seem. Influence campaigns can spoof your brand, create division among employees along the same lines they create in the broader public, and damage vendor relationships if either party becomes a target. Hack-and-leak attacks, most visibly APT28's compromise of John Podesta's email before the 2016 US election, put sensitive organizational data directly into public view at strategically timed moments. PII exposure, credential leaks, and reputational damage are all on the table.

Financial gain: Funding a missile program with crypto theft

North Korea is the most documented case of a state using cyber operations for direct revenue generation. With trade severely constrained by sanctions, the country funds a substantial portion of its missile and nuclear development programs through financially motivated cyber attacks. A White House official estimated in 2023 that about half of North Korea's missile program has been funded through cyber attacks and crypto theft.

NORTH KOREA: FINANCIALLY MOTIVATED ATTACKS
Jan 2015: Banco del Austro, SWIFT fraud, $12M
Feb 2016: Bangladesh Bank, SWIFT manipulation, $81M
May 2017: WannaCry ransomware, global disruption
Jan 2018: Coincheck, crypto theft, $530M
Apr 2018: IT worker scheme and FASTCash attacks begin
Aug 2018: Cosmos Bank, FASTCash and SWIFT, $13.5M
Sep 2020: KuCoin, crypto theft, $275M
Oct 2020: CISA advisory, APT38 FASTCash 2.0 warning issued
Mar 2022: Ronin Network, crypto theft, $625M
Jun 2022: Harmony Horizon Bridge, crypto theft, $100M
Jul 2023: Alphapo, CoinsPaid, Atomic Wallet, crypto theft, ~$200M combined
2024: crypto theft, $1.34B stolen; IT worker scheme, ~$800M (Treasury)
Feb 2025: Bybit, crypto theft (record), $1.5B
Apr 1, 2026: Drift Protocol, crypto theft, $285M
Apr 18, 2026: KelpDAO, crypto theft, $292M

These attacks are operationally attractive for North Korea because they carry a low likelihood of retaliation. The primary risk is fund recovery, not a proportional response. That risk-reward ratio, combined with limited legal revenue options, makes financially motivated cyber operations central to how North Korea sustains its weapons programs. North Korean actors stole $1.34 billion in cryptocurrency in 2024, and $2.02 billion in 2025, a new record. Their cumulative total since 2017 stands at approximately $6.75 billion. In February 2025, a single attack against Bybit netted $1.5 billion, the largest crypto theft on record. Through April 2026, North Korean actors were responsible for 76% of all global crypto hack losses, from just two operations (the Drift Protocol and KelpDAO thefts in the timeline above). The US Treasury's Office of Foreign Assets Control estimated in March 2026 that the fraudulent IT worker scheme alone generated nearly $800 million in 2024.

China's APT41 represents a different pattern. Primarily an espionage group, APT41 has run financially motivated attacks concurrently with state-sponsored operations: virtual currency manipulation, ransomware, crypto theft, and a $20 million COVID-19 relief fraud. Current assessment is that those earnings benefit the individual actors rather than the Chinese government, making APT41 one of the few documented cases of a state-sponsored group operating outside state direction for personal financial gain.

Pre-positioning: The threat that hasn't happened yet

Pre-positioning is the newest category on this list, and arguably the most consequential for US critical infrastructure. It's associated primarily with Volt Typhoon, a Chinese state-sponsored group active since at least 2021.

Volt Typhoon's objective isn't espionage and isn't immediate disruption. It's access preservation. They acquire and maintain long-term covert access to critical infrastructure networks, including OT-adjacent systems, to retain the option of launching disruptive or destructive attacks if and when a geopolitical trigger occurs. The most widely discussed scenario in the intelligence community is a conflict involving Taiwan, though China's broader push to expand global influence creates additional potential flashpoints.

VOLT TYPHOON: INTRUSION METHODOLOGY
1. Recon: pre-compromise reconnaissance, network topology, device mapping, target selection.
2. Initial access: via vulnerabilities, not phishing; the Sylvenite cluster may provide the initial foothold.
3. Blend in: living-off-the-land, no custom malware, stolen credentials, SOHO router proxies, hands-on-keyboard activity.
4. Discovery: map the network and understand the OT systems; identify which switches to flip for maximum disruption.
5. Wait: maintain access for years; a geopolitical trigger (e.g. a Taiwan conflict) activates the attack.

What makes Volt Typhoon operationally difficult to detect is intentional. They use living-off-the-land techniques rather than custom malware, blending their activity with legitimate network behavior. They leverage compromised SOHO routers to proxy C2 traffic and obfuscate their infrastructure. They rely on stolen credentials and hands-on-keyboard activity rather than tooling that generates signatures. Intrusions have lasted years. Recent intelligence suggests they may be using a dedicated initial access cluster tracked as Sylvenite, consistent with a pattern seen in other sophisticated APT groups that use specialized subgroups to gain footholds before handing off to the primary team.

The critical infrastructure sectors in scope include manufacturing, utilities, transportation, government, software and technology, education, construction, maritime, defense, and media. The breadth of targeting reflects the objective: when the switch gets flipped, maximum disruption requires access across interdependent systems.

Defending across all five motives

Strong foundational controls address exposure across all five categories. The following areas are where teams should focus.

DEFENSIVE CONTROL AREAS
Initial access: patch internet-facing devices aggressively; patch CISA KEV items within 48 hours of listing; replace EOL devices that cannot receive updates.
Identity and behavior: monitor for anomalies (impossible travel, off-hours logins, new admin account activity); zero trust for internal access; MFA on all accounts.
Social engineering: training must cover vishing, smishing, deepfakes, and clickfake attacks, not just email; phishing-resistant MFA with biometric verification.
Network architecture: segment IT, IoT, and OT networks; block direct internet access from servers to limit C2 communication and data exfiltration paths.
Backup integrity: go beyond 3-2-1 to 3-2-1-1-0: three copies, two media types, one offsite, one immutable or air-gapped copy, and zero restore errors, verified through restoration drills.
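As an added illustration of the identity and behavior checks in the control areas above (example code written for this page, not UltraViolet Cyber's tooling or anything from the webinar), the following Python flags impossible travel, off-hours sign-ins and newly granted admin roles over a handful of constructed sign-in and audit events. The event fields, the 900 km/h travel ceiling, the 50 km jitter floor, the 07:00-19:00 UTC business window and the seven-day new-admin window are all assumptions; real sign-in and audit logs would need to be mapped onto the SignIn and AdminEvent shapes first.

```python
"""Sign-in anomaly checks: impossible travel, off-hours logins, new admin activity.

Added illustration, not UltraViolet Cyber's tooling. Event shapes, thresholds
and the sample events below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime        # timezone-aware
    src_ip: str
    lat: float          # geolocation of src_ip, assumed already resolved
    lon: float
    is_admin: bool      # session carries a privileged role


@dataclass(frozen=True)
class AdminEvent:
    actor: str          # principal performing the action
    ts: datetime
    action: str         # e.g. "add_member_to_role", "create_user"
    target: str         # principal or object acted on


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Flag a user's sign-in when reaching it from the previous one would
    exceed max_kmh. min_km suppresses geolocation jitter inside one city."""
    findings, last = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        prev = last.get(e.user)
        if prev is not None and prev.src_ip != e.src_ip:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                findings.append((e.user, prev.src_ip, e.src_ip, round(km), round(speed)))
        last[e.user] = e
    return findings


def off_hours(events, start_hour=7, end_hour=19, tz=timezone.utc):
    """Sign-ins outside the assumed business window; admin sessions are the
    ones worth paging on, so the admin flag is carried in the result."""
    return [(e.user, e.ts.isoformat(), e.is_admin)
            for e in events if not start_hour <= e.ts.astimezone(tz).hour < end_hour]


def new_admin_activity(admin_events, known_admins, window=timedelta(days=7)):
    """Role grants to principals outside the admin baseline, plus anything
    those principals do within `window` of the grant."""
    findings, granted = [], {}
    for a in sorted(admin_events, key=lambda a: a.ts):
        if a.action == "add_member_to_role" and a.target not in known_admins:
            granted[a.target] = a.ts
            findings.append(("new_admin_granted", a.actor, a.target, a.ts.isoformat()))
        elif a.actor in granted and a.ts - granted[a.actor] <= window:
            findings.append(("new_admin_action", a.actor, a.action, a.target, a.ts.isoformat()))
    return findings


# Constructed sample: a Monday morning, UTC. IPs are documentation ranges.
T0 = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)
SIGNINS = [
    SignIn("alice", T0, "203.0.113.10", 38.90, -77.04, False),                          # Washington DC
    SignIn("alice", T0 + timedelta(minutes=40), "198.51.100.7", 31.23, 121.47, False),  # Shanghai, 40 min later
    SignIn("bob", T0 + timedelta(hours=1), "203.0.113.11", 40.71, -74.01, True),        # New York, business hours
    SignIn("bob", T0 + timedelta(hours=17), "192.0.2.55", 40.73, -73.99, True),         # New York, 02:00 UTC
]
ADMIN_EVENTS = [
    AdminEvent("bob", T0 + timedelta(hours=17, minutes=5), "add_member_to_role", "svc-backup"),
    AdminEvent("svc-backup", T0 + timedelta(hours=17, minutes=20), "create_user", "helpdesk2"),
]
KNOWN_ADMINS = {"bob"}


def run(signins=SIGNINS, admin_events=ADMIN_EVENTS, known_admins=KNOWN_ADMINS):
    return {
        "impossible_travel": impossible_travel(signins),
        "off_hours": off_hours(signins),
        "new_admin": new_admin_activity(admin_events, known_admins),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, *hits, sep="\n  ")
```

The three checks are deliberately independent so each can be tuned or disabled on its own; in practice the off-hours admin session followed minutes later by a role grant to an unknown principal is the combination to correlate, since a single off-hours login from a known admin is rarely worth a page by itself.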

Purple team exercises built from real threat intelligence, not generic TTPs, validate whether your detection and response posture holds against the actors most likely to target your specific organization. Mapping threat actor profiles, objectives, and recent TTPs to your environment's actual attack surface gives you an accurate picture of where your controls hold and where you have exposure.

For organizations in critical infrastructure sectors, network segmentation between IT and OT environments is a specific priority. Threat actors focused on pre-positioning, like Volt Typhoon, rely on lateral movement from edge devices into OT-adjacent systems to achieve their objectives. Keeping those networks separate limits that path significantly.
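The "patch KEV items within 48 hours" control matters most for exactly the edge devices pre-positioning actors enter through. As an added example (written for this page, not UltraViolet Cyber's tooling), the following Python turns that control into a check: it reads a KEV-shaped catalog, joins it against an asset inventory, and assigns each unpatched exposure an action. The catalog uses the field names of CISA's published KEV JSON (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), but the entries are constructed with placeholder CVE IDs; the inventory, the 48-hour internal SLA and the action names are assumptions.

```python
"""48-hour KEV patch SLA check against an asset inventory.

Added illustration, not UltraViolet Cyber's tooling. The catalog below uses
the field names of CISA's published KEV JSON but its entries are constructed
with placeholder CVE IDs; the inventory and the 48-hour internal SLA are
assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

INTERNAL_SLA = timedelta(hours=48)   # the page's target for internet-facing devices
PRIORITY = {"replace": 0, "patch_now": 1, "patch_within_sla": 2, "patch_by_cisa_due": 3}

# Constructed KEV-shaped catalog (CVE IDs are placeholders, not real entries).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleNet", "product": "EdgeGW",
     "dateAdded": "2026-05-01", "dueDate": "2026-05-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleNet", "product": "EdgeGW",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-0003", "vendorProject": "Example", "product": "Widget",
     "dateAdded": "2026-05-02", "dueDate": "2026-05-23", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: what each asset is exposed to, whether it faces the
# internet, and whether the vendor still ships updates for it.
INVENTORY = [
    {"host": "gw-01", "product": "EdgeGW", "internet_facing": True, "eol": False,
     "vulnerable_to": {"CVE-2099-0001"}, "patched": set()},
    {"host": "gw-02", "product": "EdgeGW", "internet_facing": True, "eol": True,
     "vulnerable_to": {"CVE-2099-0001", "CVE-2099-0002"}, "patched": set()},
    {"host": "lab-widget", "product": "Widget", "internet_facing": False, "eol": False,
     "vulnerable_to": {"CVE-2099-0003"}, "patched": {"CVE-2099-0003"}},
]
NOW = datetime(2026, 5, 4, 12, 0, tzinfo=timezone.utc)   # constructed evaluation time


def parse_kev(text):
    """Index KEV entries by CVE ID with timezone-aware dates."""
    def day(s):
        return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {v["cveID"]: {"added": day(v["dateAdded"]), "cisa_due": day(v["dueDate"]),
                         "product": v["product"],
                         "ransomware": v.get("knownRansomwareCampaignUse") == "Known"}
            for v in json.loads(text)["vulnerabilities"]}


def sla_report(kev, inventory, now):
    """One row per (asset, unpatched KEV CVE) with the action the control demands.

    Internet-facing: KEV dateAdded + 48h is the internal deadline. Internal-only:
    CISA's own dueDate (the BOD 22-01 deadline) is the outer bound. EOL: no patch
    is coming, so the device is replaced regardless of which CVE hit it.
    """
    rows = []
    for asset in inventory:
        for cve in sorted(asset["vulnerable_to"] - asset["patched"]):
            entry = kev.get(cve)
            if entry is None:           # not in KEV: normal vuln-management cadence
                continue
            internal_due = entry["added"] + INTERNAL_SLA
            overdue_h = (now - internal_due).total_seconds() / 3600
            if asset["eol"]:
                action = "replace"
            elif asset["internet_facing"]:
                action = "patch_now" if overdue_h >= 0 else "patch_within_sla"
            else:
                action = "patch_by_cisa_due"
            rows.append({"host": asset["host"], "cve": cve, "action": action,
                         "hours_past_internal_sla": round(overdue_h, 1),
                         "cisa_due": entry["cisa_due"].date().isoformat(),
                         "ransomware_use": entry["ransomware"]})
    # Worst first: EOL replacements, then overdue internet-facing patches, by lateness.
    rows.sort(key=lambda r: (PRIORITY[r["action"]], -r["hours_past_internal_sla"]))
    return rows


if __name__ == "__main__":
    for row in sla_report(parse_kev(KEV_JSON), INVENTORY, NOW):
        print(row)
```

The EOL branch is the point the control area makes about replacing devices that cannot receive updates: an end-of-life gateway sitting on a KEV entry has no patch path, so it is ranked above everything that can still be fixed, however late the fix is.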

To watch this content on demand or talk through what it means for your specific environment, watch the on-demand webinar. To get started with a purple team engagement, visit uvcyber.com/getstarted.

Sources

  1. Chinese IP theft costs US economy $225 billion to $600 billion annually
    Commission on the Theft of American Intellectual Property, Update to the IP Commission Report, 2017. Cited in: Office of the United States Trade Representative, Section 301 Report on China's Acts, Policies, and Practices Related to Technology Transfer, Intellectual Property, and Innovation, March 2018.
    ustr.gov — Section 301 Report (2018)
  2. NotPetya caused an estimated $10 billion in global damage
    White House statement, February 2018, attributed to former Homeland Security Advisor Tom Bossert. Widely corroborated by Brookings Institution, Wired, and insurance industry analysis.
    Brookings Institution — How the NotPetya attack is reshaping cyber insurance
  3. About half of North Korea's missile program funded by cyber attacks and crypto theft
    Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, public remarks at the Special Competitive Studies Project, May 2023. Reported by CNN.
    CNN — Half of North Korean missile program funded by cyberattacks, White House says (May 2023)
  4. North Korea stole $1.34 billion in cryptocurrency in 2024
    Chainalysis, 2025 Crypto Crime Report, January 2025.
    Chainalysis — $2.2 Billion Stolen in Crypto in 2024
  5. North Korea stole $2.02 billion in cryptocurrency in 2025; cumulative total approximately $6.75 billion since 2017
    Chainalysis, 2025 Crypto Theft Annual Report, December 2025.
    Chainalysis — 2025 Crypto Theft Reaches $3.4 Billion (December 2025)
  6. Bybit hack: $1.5 billion stolen in February 2025, largest single crypto theft on record
    Chainalysis, December 2025; FBI attribution statement, February 2025. Corroborated by TRM Labs.
    Chainalysis — 2025 Crypto Theft Report
  7. 76% of all global crypto hack losses through April 2026 attributable to North Korean actors
    TRM Labs, North Korea Stole 76% of All Crypto Hack Value in 2026 — With Just Two Attacks, April 30, 2026.
    TRM Labs — North Korea Stole 76% of All Crypto Hack Value in 2026 (April 2026)
  8. North Korean IT worker scheme generated nearly $800 million in 2024
    US Treasury Department, Office of Foreign Assets Control (OFAC), sanctions announcement, March 13, 2026.
    Decrypt — US Treasury Sanctions Alleged $800 Million North Korean IT Worker Fraud Operation (March 2026)