
Geopolitical Cyber Risk (APT) – How Private Companies Become State-Sponsored Targets

In this article you can find:

  • What geopolitical cyber risks are
  • The most well-known groups
  • Types of attacks and how to defend yourself

Geopolitical cyber risks

What is geopolitical cyber risk for private companies? It is the exposure created when state-sponsored or state-linked threat actors – known as Advanced Persistent Threats (APTs) – conduct operations that directly hit private organisations, or that compromise the suppliers, telecoms, payment platforms, and cloud providers those organisations depend upon. Ukraine’s State Service of Special Communications recorded 4,315 cyber incidents in 2024, a rise of nearly 70% year-on-year. CrowdStrike’s 2025 Global Threat Report documented a 150% surge in China-nexus espionage activity in 2024. Most mid-market boards are not direct state targets – but they sit in the collateral blast radius of campaigns aimed at organisations they rely on every day.

Geopolitical cyber risk – at a glance:

  1. Kyivstar, December 2023: Sandworm (Russian GRU-linked) disrupted mobile and internet services for 24 million subscribers – attackers had been inside the network since at least May 2023 (Reuters, January 2024)
  2. CrowdStrike 2025 Global Threat Report: China-nexus cyber espionage surged 150% in 2024, targeting financial services, media, manufacturing, and engineering
  3. FBI, 26 February 2025: North Korea attributed to the theft of approximately USD 1.5 billion in virtual assets from Bybit – the Lazarus Group now combines espionage tradecraft with large-scale financial theft
  4. From 31 March 2023, Lloyd’s required state-backed cyberattack exclusions in standalone cyber policies – the scenarios boards fear most may not be covered
  5. Most mid-market companies are collateral targets, not primary ones: their bank, cloud provider, logistics platform, or file-transfer tool is hit first – the disruption then cascades
  6. Five practical controls materially reduce geopolitical cyber exposure without requiring an intelligence team: Privileged Access Workstations, network segmentation, sector-specific threat monitoring, out-of-band verification, and geopolitical scenario tabletops
  7. Ukraine has become the most visible laboratory for modern cyber conflict – and the techniques proven there migrate to criminal marketplaces and copycat campaigns within months

Why does a telecom attack in Kyiv affect companies across Europe?

On 12 December 2023, Kyivstar – Ukraine’s largest mobile operator – went offline. Mobile service, internet access, air-raid alerts, payment terminals, and ATMs were all affected for approximately 24 million subscribers. Reuters reported that Ukrainian investigators believed Sandworm, a Russian GRU-linked cyberwarfare unit, had maintained access inside the network since at least May 2023 – months before the outage was activated (Reuters, 12 December 2023 and 4 January 2024).

That detail carries more weight than the headline. The lesson is not merely that a large telecom can be attacked. The lesson is that state-linked operators can gain persistence, study an environment, wait, and activate disruption at a moment of strategic value. A clean security dashboard on Monday does not prove your network is clean. It proves only that no attacker has been detected yet.

For boards outside Ukraine, the instinctive reaction is distance – “we are not a government, we are not a telecom.” That reading is wrong. Geopolitical cyber operations now hit private companies directly, hit the suppliers private companies depend on, and create insurance, legal, and continuity consequences far beyond the original target.


How do private companies become collateral targets of state-sponsored attacks?

Private-sector exposure falls into three categories – and understanding which one applies to your organisation is the first step towards a realistic response.

Direct targets are organisations state-linked operators intentionally pursue because they hold intelligence value, political leverage, or critical infrastructure relevance. Defence contractors, telecoms, energy providers, transport networks, financial institutions, and satellite operators fall here. If your organisation operates in these sectors, assume some level of hostile state interest already exists.

Collateral targets are where most mid-market companies sit. They are not the ultimate objective, but they are connected to organisations that are. A manufacturer with a strategic supplier in Poland. A law firm handling sanctions-sensitive transactions. A software company used by healthcare providers. A logistics operator embedded in a defence supply chain. The MOVEit zero-day in May 2023 showed precisely how one trusted file-transfer product became the entry point for a global incident spanning more than 2,700 organisations. Cl0p was not a nation-state group – but the supply-chain lesson transfers directly.

Symbolic or opportunistic targets are organisations hit because they are visible, operate in a country perceived as hostile, or are caught in a hacktivist campaign seeking headlines. KillNet ran disruptive campaigns against European and US healthcare, airport, and financial targets between 2022 and 2024. A DDoS campaign does not need to be sophisticated to create service failure, executive distraction, and customer distrust.


Which state-sponsored threat actors are targeting private businesses?

Russia: APT28, APT29, and Sandworm

APT28 (Fancy Bear, GRU-linked) is an espionage and access-focused actor with a long history of credential theft, spear phishing, and exploitation of edge devices and collaboration platforms. It repeatedly targets the ordinary tools organisations use: e-mail, remote access, document sharing, and identity systems.

APT29 (Cozy Bear, SVR-linked) favours stealth, long dwell times, and intelligence collection. Some of the most damaging intrusions look unremarkable for months: no ransom note, no obvious outage – just an adversary inside the environment, learning it.

Sandworm (GRU) is the group boards should associate with destruction. It has been linked to the NotPetya event of 2017, which caused an estimated USD 10 billion in global damage, and to the Kyivstar attack. If Sandworm can maintain access for months then wipe core systems in a major telecom, purely technical perimeter controls are not sufficient. Resilience, segmentation, identity discipline, and tested recovery are the business-level response.

China: APT41 and the 150% surge in espionage operations

APT41 is one of the clearest examples of why boards should stop treating “state actor” as separate from “commercial risk.” Google Threat Intelligence has described APT41 as a prolific Chinese cyber threat group conducting state-sponsored espionage alongside financially motivated activity. CrowdStrike’s 2025 Global Threat Report documented China-nexus espionage activity rising 150% in 2024, with sharp increases against financial services, media, manufacturing, and industrial sectors.

For a European manufacturer, that figure is not abstract geopolitics – it is a warning about intellectual property theft, supplier compromise, and long-term access operations. The governance implication is that companies with China exposure should treat cyber espionage risk as part of strategic planning, not purely as a SOC problem.

Iran: APT33 and escalation against financial targets

Iranian-linked groups, including APT33 and Charming Kitten, combine politically shaped targeting with credential theft, social engineering, and disruptive intent. Multiple security reports in 2025 cited a roughly 700% surge in attacks targeting Israel during the June 2025 escalation (Radware and wider reporting). For boards, the practical point is that periods of regional escalation produce measurable spikes in attacks against financial services, critical infrastructure, and adjacent commercial organisations.

North Korea: Lazarus Group and the USD 1.5 billion Bybit theft

The FBI attributed the theft of approximately USD 1.5 billion in virtual assets from Bybit to North Korea on 26 February 2025. Chainalysis described it as the largest cryptocurrency theft on record. The board lesson is not “we are not a crypto exchange.” The lesson is that commercial organisations can become direct funding channels for strategic adversaries when controls fail. Lazarus Group moves fluidly between espionage, financially motivated intrusion, supply-chain compromise, and sanctions-evasion activity.


Which five controls reduce geopolitical cyber exposure for mid-market organisations?

Well-prepared organisations do not try to become intelligence agencies. They make five disciplined control choices that materially reduce exposure to both direct and second-order geopolitical cyber risk.

| Control | Purpose | Estimated cost | Implementation time | Priority |
|---|---|---|---|---|
| Privileged Access Workstations (PAW) | Separate admin accounts from internet-facing daily devices | £4,000–16,000 (hardware + config) | 3–6 weeks | High |
| Network and identity segmentation | Limit blast radius when one node is compromised | £8,000–40,000 (project + deployment) | 4–12 weeks | High |
| Sector-specific threat monitoring (CERT, ENISA, ISAC) | Translate external intelligence into operational decisions | £0–2,400/month (subscriptions + analyst time) | 2–4 weeks | Medium |
| Out-of-band verification for payments and helpdesk resets | Eliminate BEC and social-engineering attack paths | £0–1,600 (process change) | 1–2 weeks | High |
| Annual geopolitical scenario tabletop | Test continuity, insurance, and crisis comms against a realistic state-linked scenario | £4,000–16,000 (external facilitation) | Once per year | Medium |

Privileged Access Workstations. State-linked actors win repeatedly by stealing administrator credentials from ordinary laptops used for e-mail and browsing. Separate admin workstations change attacker economics immediately – forcing adversaries to compromise a harder-to-reach environment before they can control identity or recovery systems.

Segmentation. Kyivstar and NotPetya both demonstrated what happens when destructive activity reaches core environments. Segmentation – including backups, identity infrastructure, remote administration paths, and supplier-managed connections – reduces the blast radius. The objective is survivability when one part of the environment is already hostile.
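As an added illustration of the PAW and segmentation controls above (example code written for this page, not tooling from the article or from Patronusec), the following Python script models a company network as zones joined by allowed management-plane flows (RDP, SSH, WinRM, management consoles) and computes the blast radius from a compromised zone. It compares a flat policy with a segmented one in which only the PAW zone may open sessions to identity, backup and remote-administration systems. The zone names, flows and the "crown jewel" set are constructed assumptions.

```python
"""Blast-radius check for a zone model (added example, not from the article).

Edges describe which zones may open management sessions to which; application
traffic is deliberately out of scope.  Zone names and flows are constructed.
"""
from collections import deque

# Constructed zones (illustrative only).
ZONES = {
    "user_laptops": "staff e-mail/browsing devices",
    "paw": "privileged access workstations",
    "servers": "business application servers",
    "identity": "domain controllers / identity provider",
    "backups": "backup infrastructure",
    "remote_admin": "jump hosts / remote administration",
    "supplier_link": "supplier-managed VPN connection",
}

# Flat network: any zone may open a management session to any other.
FLAT_POLICY = {src: {dst for dst in ZONES if dst != src} for src in ZONES}

# Segmented network: only PAW reaches the admin planes; users and suppliers
# get the application tier only; the admin planes initiate nothing.
SEGMENTED_POLICY = {
    "user_laptops": {"servers"},
    "paw": {"identity", "backups", "remote_admin", "servers"},
    "servers": set(),
    "identity": set(),
    "backups": set(),
    "remote_admin": {"servers"},
    "supplier_link": {"servers"},
}

# The systems whose compromise turns an intrusion into a Kyivstar/NotPetya outcome.
CROWN_JEWELS = {"identity", "backups", "remote_admin"}


def reachable(policy, start):
    """Zones an attacker holding `start` can reach by chaining allowed flows."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius_report(policy, compromised):
    """Summarise what a compromise of `compromised` exposes under `policy`."""
    reached = reachable(policy, compromised)
    return {
        "zones_reached": sorted(reached),
        "crown_jewels_exposed": sorted(reached & CROWN_JEWELS),
    }


def segmentation_violations(policy, admin_zone="paw"):
    """(zone, crown_jewel) pairs where a non-admin zone can reach an admin
    plane: the paths to close before the tabletop, not after."""
    return sorted(
        (zone, jewel)
        for zone in policy
        if zone != admin_zone
        for jewel in reachable(policy, zone) & CROWN_JEWELS
        if jewel != zone
    )


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        for start in ("user_laptops", "supplier_link"):
            print(name, start, blast_radius_report(policy, start))
        print(name, "violations:", segmentation_violations(policy))
```

Under the flat policy a compromised staff laptop or supplier link reaches every admin plane; under the segmented policy both stop at the application tier. Running `segmentation_violations` against a real firewall export (translated into the same zone/flow shape) gives the list of paths to close.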

Sector-relevant threat monitoring. National CERT bulletins, ENISA reporting, sector ISACs, and vendor advisories should feed operational decisions, not sit unread. A monitoring process does not need to be expensive — but it does need an owner, a cadence, and a decision path.

Out-of-band verification. Many state-linked operations begin with identity abuse or social engineering. The MGM Resorts case in 2023 showed how effectively a helpdesk identity failure defeats expensive technology. The same weakness is exploited by geopolitical and proxy actors precisely because it bypasses tooling and targets process.
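As an added example (not part of the original article and not Patronusec's process), the following Python contrasts a helpdesk reset flow that sends the verification code to whatever number the caller supplies with an out-of-band flow that sends it only to the contact already on file, ignores the caller's claimed number, expires the challenge, and requires manager approval for privileged accounts. The directory, names and phone numbers are constructed; the same pattern applies to supplier bank-detail changes.

```python
"""Helpdesk password reset with out-of-band verification (added example).

Directory entries, account names and numbers are constructed for illustration.
"""
import hmac
import secrets

# Constructed directory of registered out-of-band contacts.
DIRECTORY = {
    "a.kowalski": {"mobile": "+48-000-000-001", "manager": "m.nowak", "privileged": True},
    "j.smith":    {"mobile": "+44-000-000-002", "manager": "m.nowak", "privileged": False},
}
CHALLENGE_TTL = 300  # seconds a challenge stays valid


class Outbox:
    """Stand-in for an SMS gateway: records (number, code) instead of sending."""
    def __init__(self):
        self.sent = []

    def send(self, number, code):
        self.sent.append((number, code))


def weak_reset(account, claimed_number, outbox):
    """The helpdesk-identity failure: the code goes wherever the caller says."""
    code = secrets.token_hex(4)
    outbox.send(claimed_number, code)
    return {"account": account, "code": code, "sent_to": claimed_number}


def start_verified_reset(account, claimed_number, outbox, now):
    """Out-of-band start: the claimed number is logged for audit but never used."""
    entry = DIRECTORY.get(account)
    if entry is None:
        raise LookupError("unknown account")
    code = secrets.token_hex(4)
    outbox.send(entry["mobile"], code)  # registered contact only
    return {
        "account": account,
        "code": code,
        "sent_to": entry["mobile"],
        "claimed_number": claimed_number,
        "issued_at": now,
        "needs_approver": entry["privileged"],
    }


def confirm_verified_reset(req, code_read_back, now, approver=None):
    """Approve only if the challenge is fresh, the code read back matches the
    one delivered out of band, and a privileged account's manager has approved.
    Returns (approved, reason)."""
    if now - req["issued_at"] > CHALLENGE_TTL:
        return False, "challenge expired"
    if not hmac.compare_digest(req["code"], code_read_back):
        return False, "code mismatch"
    if req["needs_approver"] and approver != DIRECTORY[req["account"]]["manager"]:
        return False, "privileged account: manager approval required"
    return True, "approved"


if __name__ == "__main__":
    # Constructed scenario: a caller claims to be a.kowalski and asks for the
    # code to be sent to a number that is not on file.
    caller_number = "+1-555-0100"
    weak = weak_reset("a.kowalski", caller_number, Outbox())
    print("weak flow sent code to:", weak["sent_to"])

    outbox = Outbox()
    req = start_verified_reset("a.kowalski", caller_number, outbox, now=1000.0)
    print("verified flow sent code to:", req["sent_to"])
    # The caller cannot read back a code they never received.
    print(confirm_verified_reset(req, "not-the-code", now=1010.0))
    # The real owner reads the code back, and the manager approves.
    print(confirm_verified_reset(req, req["code"], now=1010.0, approver="m.nowak"))
```

The design point is that the verification channel is chosen from the directory by policy, never negotiated with the requester; the `claimed_number` field is retained only so the audit trail shows what was asked for.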

Geopolitical tabletop. If your continuity plan assumes one localised outage and your cyber policy assumes ordinary criminal extortion, you have planned for the wrong incident. Run at least one annual tabletop where the trigger is a suspected state-linked event involving a supplier or regional escalation. That forces the executive team to confront sanctions, law-enforcement, disclosure, and business-interruption questions before they arrive in real time.



FAQ

Are private companies targeted by state-sponsored hackers?

Yes. Some are targeted directly because they operate in strategic sectors, hold valuable intellectual property, or sit near government and defence ecosystems. Many more are hit indirectly because a supplier, telecom, software provider, or financial platform they depend on is targeted first.

What is APT28 and why should businesses care about it?

APT28, also known as Fancy Bear, is a Russian state-linked threat group associated with the GRU. Businesses should care because it repeatedly exploits normal enterprise systems – e-mail, identity, and remote access infrastructure – rather than only exotic military targets.

How does the Russia-Ukraine conflict affect cybersecurity for European organisations?

It affects European organisations through spillover risk, supplier disruption, telecom and logistics exposure, sanctions pressure, and elevated targeting of sectors seen as strategically relevant. The risk is not only direct attack – it is also dependency on organisations that are themselves being attacked.

What is the Lazarus Group and why does the Bybit theft matter to non-crypto businesses?

Lazarus Group is a North Korea-linked threat actor known for espionage, financial theft, supply-chain compromise, and sanctions-evasion activity. The FBI attributed the USD 1.5 billion Bybit theft in February 2025 to North Korea. The lesson is that state-linked actors now treat commercial organisations as direct funding sources – not only as intelligence targets.

How can I assess whether my company faces geopolitical cyber risk?

Start with geography, suppliers, sector, and data value. If you operate in manufacturing, finance, energy, logistics, telecoms, software, or healthcare – or in any supply chain connected to government or critical infrastructure – you already have material geopolitical cyber exposure, even if you are not a direct state target.

What is the difference between a hacktivist group and a state-sponsored APT?

A hacktivist group typically pursues ideological disruption, publicity, or symbolic pressure using noisier techniques such as DDoS or public data leaks. A state-sponsored APT has greater resourcing, longer time horizons, stronger operational security, and a clearer intelligence or strategic mission – though proxy arrangements and overlaps blur the distinction in practice.


Geopolitical cyber risk – free sector briefing

Patronusec offers sector-specific geopolitical threat landscape briefings that translate current state-linked activity into practical actions for your business, suppliers, and executive team. We work with organisations in financial services, manufacturing, and technology across the UK and EU.
Book a no-commitment call with our team.

