The nation-state cyber threat landscape approaching 2028 is characterized by an unprecedented convergence of capability, intent, and opportunity. The four primary adversary nations — China, Russia, Iran, and North Korea — have each developed distinct cyber doctrines that reflect their strategic objectives, resource constraints, and risk tolerances. Understanding these doctrines, the specific campaigns they have spawned, and the trajectory they are following is essential for anticipating the threat environment that will confront governments, enterprises, and critical infrastructure operators through 2028.
China: Pre-Positioning for Conflict
The most strategically significant development in nation-state cyber operations since 2023 has been the discovery and ongoing tracking of China’s pre-positioning campaigns against U.S. critical infrastructure. The campaign known as Volt Typhoon, first publicly attributed by Microsoft and the Five Eyes intelligence alliance in May 2023, represented a paradigm shift in how Western intelligence agencies assess Chinese cyber intentions.
Unlike traditional Chinese cyber espionage — which focused on intellectual property theft, economic intelligence, and political surveillance — Volt Typhoon demonstrated that Chinese operators were systematically gaining and maintaining persistent access to networks supporting water treatment, electrical grids, telecommunications, transportation systems, and military logistics across the United States and its Pacific allies. The campaigns used living-off-the-land techniques, avoiding custom malware in favor of built-in Windows administration tools that blend seamlessly with legitimate network activity, making detection extraordinarily difficult.
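To make the detection problem described above concrete, here is an added illustration that is not part of the original article: a small scorer over constructed Windows process-creation records that judges built-in administration tools by context (host, account, command line) rather than by binary name, which is the only way living-off-the-land activity separates from routine administration. The baseline, sample events, weights and threshold are constructed; the two command-line patterns are illustrative examples of the built-in tool usage that public advisories on this campaign describe, not a signature set.

```python
"""Context-aware scoring of Windows process-creation (event 4688-style) records for
living-off-the-land activity. Added illustration, not code from the article: events,
baseline and thresholds are constructed; the command patterns are illustrative only."""
import re

# Constructed baseline: (host, user, image) combinations routinely seen from the admin team.
BASELINE = {
    ("dc01", "CORP\\svc_backup", "ntdsutil.exe"),
    ("jump01", "CORP\\netadmin", "netsh.exe"),
}
# Built-in tools rare enough that a first sighting for a host/user pair deserves review.
RARE_ADMIN_IMAGES = {"ntdsutil.exe", "wmic.exe", "netsh.exe", "vssadmin.exe"}
# Command-line patterns with weights; none is malicious by itself, so weights stack.
PATTERNS = [
    (re.compile(r"portproxy\s+add", re.I), 4, "netsh portproxy forwarding rule"),
    (re.compile(r"ntdsutil.*\bifm\b", re.I), 5, "ntdsutil offline AD database copy"),
]

def score_event(ev):
    """Return (score, reasons). The binary name alone never decides: the same tool is
    judged by who ran it, on which host, and with which arguments."""
    image = ev["image"].lower()
    baselined = (ev["host"], ev["user"], image) in BASELINE
    score, reasons = 0, []
    if image in RARE_ADMIN_IMAGES and not baselined:
        score += 2
        reasons.append(f"{image} new for {ev['host']}/{ev['user']}")
    for rx, weight, label in PATTERNS:
        if rx.search(ev["cmdline"]):
            score += weight
            reasons.append(label)
    # A known-good pairing halves the score instead of suppressing it, so a hijacked
    # backup account still surfaces once several indicators stack up.
    return (score // 2 if baselined else score), reasons

def triage(events, threshold=4):
    """Events scoring at or above threshold, highest first, as (score, host, reasons)."""
    hits = [(s, ev["host"], r) for ev in events for s, r in [score_event(ev)] if s >= threshold]
    return sorted(hits, key=lambda h: -h[0])

# Constructed sample: a routine AD backup on the DC, then a port-forwarding rule and a
# process listing from an ordinary finance workstation.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup", "image": "ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full C:\\bak" q q'},
    {"host": "ws-fin-12", "user": "CORP\\jdoe", "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5"},
    {"host": "ws-fin-12", "user": "CORP\\jdoe", "image": "wmic.exe",
     "cmdline": "wmic process list brief"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the workstation port-forwarding event; the baselined backup and the lone process listing stay below threshold, which is the point: the tools are identical, the context is not.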
The strategic logic behind Volt Typhoon is chillingly clear: in the event of a military confrontation over Taiwan or other flashpoints, China wants the capability to disrupt or destroy critical infrastructure supporting U.S. military operations and civilian resilience. CISA Director Jen Easterly’s characterization of the campaign as preparation to “deliver crippling blows” was unusually direct for a senior government official.
By 2026, the intelligence community has identified at least three additional Chinese operational clusters conducting similar pre-positioning activities, each targeting different infrastructure sectors with varying tradecraft. The campaign designated Salt Typhoon, revealed in late 2024, penetrated major U.S. telecommunications providers including AT&T and Verizon, compromising lawful intercept systems and gaining access to the communications metadata — and in some cases content — of senior government officials and political figures.
The implications for 2028 are severe. Chinese pre-positioning operations are ongoing, expanding in scope, and demonstrably difficult to eradicate even when discovered. U.S. critical infrastructure operators face the prospect of defending against a well-resourced adversary that has had years to embed itself in their networks, that uses techniques specifically designed to evade detection, and that has the strategic patience to maintain dormant access for years until activation is ordered.
Russia: Hybrid Warfare and the Weaponization of Everything
Russia’s cyber doctrine has been forged in the crucible of the Ukraine conflict, which has served as the world’s most extensive real-world laboratory for cyber warfare since 2022. Russian operations against Ukraine have encompassed destructive wiper attacks (WhisperGate, HermeticWiper, CaddyWiper, and numerous others), sustained targeting of energy infrastructure during winter months, compromise of satellite communications (the Viasat hack on the eve of the invasion), disinformation campaigns, and persistent espionage against Ukrainian government and military networks.
The lessons Russia has drawn from Ukraine are nuanced. On one hand, cyber operations alone proved insufficient to achieve strategic objectives — Ukraine’s defensive resilience, aided by Western technology companies and intelligence agencies, demonstrated that determined defenders can maintain operational capability even under sustained cyber assault. On the other hand, Russia has refined techniques for combining cyber operations with kinetic strikes, using network access to gather targeting intelligence for missile attacks on energy infrastructure and to disrupt emergency response communications during kinetic campaigns.
Russia’s intelligence services — the GRU (military intelligence), SVR (foreign intelligence), and FSB (domestic security, with significant foreign operations) — maintain distinct cyber units with overlapping but differentiated mandates. The GRU’s Unit 26165 (APT28/Fancy Bear) and Unit 74455 (Sandworm) remain the most aggressive, responsible for operations ranging from election interference to destructive attacks on infrastructure. The SVR’s APT29 (Cozy Bear) continues to conduct highly sophisticated espionage operations, as demonstrated by its exploitation of the SolarWinds Orion platform and subsequent targeting of cloud service providers.
Looking toward 2028, Russian cyber operations will be shaped by the trajectory of the Ukraine conflict, the state of Russia-NATO relations, and the outcome of the 2028 U.S. presidential election. If the conflict in Ukraine continues or expands, Russia will have both the motivation and the operational experience to escalate cyber operations against Western targets. The GRU has demonstrated a willingness to conduct destructive operations outside Ukraine — the NotPetya attack in 2017 caused over $10 billion in global damages — and the constraints that have limited Russian cyber escalation against NATO members may not hold indefinitely.
Russian information operations targeting the 2028 U.S. election cycle are virtually certain. The GRU’s interference in the 2016 election, combined with subsequent operations in 2018, 2020, and 2024, has established a pattern that Russian leadership shows no inclination to abandon. The availability of AI-generated content — deepfakes, synthetic text, and automated social media personas — will significantly enhance the scale and sophistication of these operations.
Iran: From Nuisance to Destructive Capability
Iran’s cyber capabilities have matured significantly since the early days of rudimentary website defacements and DDoS attacks. The Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) now operate multiple advanced persistent threat groups — including APT33 (Elfin), APT34 (OilRig), APT35 (Charming Kitten), and MuddyWater — that have demonstrated the ability to conduct espionage, destructive attacks, and influence operations across the Middle East, Europe, and the United States.
Iran’s most distinctive cyber capability is its willingness to conduct destructive attacks against civilian infrastructure. The 2012 Shamoon attack against Saudi Aramco — which destroyed over 30,000 workstations — was an early demonstration. Subsequent operations have targeted banks, water utilities, and industrial control systems across the Gulf states and beyond. In 2023, Iranian operators were linked to attacks on water treatment facilities in the United States, exploiting default passwords on Unitronics programmable logic controllers.
The Iran-Israel cyber conflict has escalated dramatically since 2020, with both sides conducting increasingly aggressive operations. Israeli-linked operations have disrupted Iranian fuel distribution networks, steel manufacturing facilities, and port operations. Iranian retaliation has targeted Israeli water systems, hospitals, and defense contractors. This escalation cycle shows no signs of abating and is likely to intensify as regional tensions over Iran’s nuclear program, proxy warfare, and the Israel-Palestine conflict continue.
For 2028, the key concern is Iran’s growing capability to conduct destructive operations at scale, combined with a geopolitical environment that provides ample motivation. Iran’s cyber forces have invested heavily in developing capabilities against industrial control systems and operational technology — the types of systems that run power plants, water treatment facilities, and oil and gas operations. An Iranian decision to retaliate against Western sanctions or military pressure through cyber means could have significant consequences for critical infrastructure operators worldwide.
North Korea: The World’s Most Prolific Cyber Criminal State
North Korea occupies a unique position in the nation-state cyber landscape: it is the only country that has openly weaponized cyber operations as a revenue-generation mechanism. The Lazarus Group (APT38) and its sub-clusters have stolen an estimated $6 billion in cryptocurrency since 2017, with the pace of theft accelerating dramatically. The $1.5 billion Bybit exchange hack in February 2025 — the largest single cryptocurrency theft in history — demonstrated that North Korean operators possess world-class offensive capabilities when motivated by financial gain.
The financial imperative driving North Korean cyber operations is existential. International sanctions have severely constrained Pyongyang’s ability to generate legitimate foreign currency revenue. Cryptocurrency theft has become one of the regime’s primary sources of hard currency, funding missile development, nuclear weapons programs, and the lifestyles of the ruling elite.
North Korean operations extend beyond cryptocurrency theft. The regime maintains a sophisticated network of IT workers who obtain remote employment at Western technology companies using fraudulent identities, generating salary income that is repatriated to Pyongyang. The FBI has identified thousands of such workers, but the scale of the operation makes comprehensive detection extremely difficult.
North Korea has also demonstrated destructive cyber capabilities, most notably the 2014 attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack, which the U.S., UK, and other governments attributed to North Korean operators. The WannaCry attack, which leveraged the NSA’s stolen EternalBlue exploit, affected over 200,000 computers across 150 countries and caused an estimated $4 billion to $8 billion in damages.
The 2028 Convergence
The approaching 2028 threat horizon is defined by the convergence of four distinct but interrelated nation-state cyber programs, each pursuing different strategic objectives with increasingly sophisticated capabilities. China is preparing for potential military conflict by pre-positioning in critical infrastructure. Russia is refining hybrid warfare techniques honed in Ukraine. Iran is building destructive capabilities driven by regional conflict. North Korea is stealing billions to fund regime survival.
For defenders, this convergence creates a multi-threat environment of unprecedented complexity. A critical infrastructure operator must simultaneously defend against Chinese pre-positioning campaigns, Russian destructive capabilities, Iranian ICS-focused operations, and the opportunistic threat of North Korean ransomware or supply chain compromise. The tactics, techniques, and procedures of each adversary are different, requiring distinct detection strategies and incident response plans.
The 2028 U.S. presidential election, the Los Angeles Olympics, ongoing geopolitical tensions, and the accelerating deployment of AI in both offensive and defensive operations will further complicate an already daunting threat landscape. Organizations that fail to account for the nation-state dimension of cyber risk — treating cybersecurity as purely a criminal threat or a compliance exercise — will be dangerously unprepared for what is coming.