‘States don’t do hacking for fun’: NCSC expert urges businesses to follow geopolitics as defensive strategy

Business leaders need to stay up to date with geopolitics to keep their cybersecurity strategies up to date and mitigate the risks posed by state-backed hacker groups.
This is the message that Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), delivered to attendees at a keynote session of Infosecurity Europe 2025.
The call to action from Chichester came as states known to support threat actors and engage in cyber attacks of their own step up efforts to disrupt critical infrastructure.
Chichester said Russia’s cyber capabilities in particular have improved in recent years, with its invasion of Ukraine used as an opportunity to hone offensive cyber techniques. Along with Russia, Chichester focused on the threat China-backed groups pose to both public and private organizations.
“I’ll come back to this a few times, but states don’t do hacking for fun,” Chichester said.
“They do not do things for the sake of it. There is always a reason. We might not know the reason sometimes and that’s quite a challenge for us, but we shouldn’t assume that they’re just doing it because they can.”
Chichester urged businesses that are being targeted by a state APT to carefully consider why, and to assess how geopolitics feeds into their defensive strategies.
“At the end of the day, cyber isn’t really just, or even, a technical thing. It’s a tool that somebody uses, be it a criminal, be it a state. How does that risk manifest itself for you?”
The past few years have seen a number of high-profile attacks by state-sponsored groups on organizations to achieve ideological and military aims. Chichester said Russia is increasingly targeting supply chains which feed into Ukraine, with defense, energy, and logistics companies firmly in its crosshairs.
In 2022, for example, Microsoft warned the Russia-backed group Seashell Blizzard was using the Prestige ransomware strain to target organizations involved in the supply or transport of humanitarian aid and military shipments to Ukraine.
This is also coming from within the GRU military intelligence service, and Chichester cited the example of Unit 29155. This Russian military sabotage unit is known for its role in the 2018 Skripal poisonings, but it is now using cyber attacks to carry out its aims.
“Ultimately, if you want to target something in the real world, you need to understand them in the cyber world. You need to understand how they operate, you need to understand their movements, you need to understand what’s going where,” Chichester explained.
“And we’re seeing that merger of that real world sabotage being joined with that cyber espionage piece as well – and also cyber sabotage.”
Russia launched a major cyber attack on Viasat, a US communications company, on 24 February 2022, the same day it invaded Ukraine. This triggered a widespread outage, impacting Ukrainian military command and control and causing knock-on outages for several thousand internet-connected German wind turbines.
Chichester said the attack was carefully timed to hit hardest in the first 24-48 hours of the invasion and “might have been a deciding factor” in the war had events on the ground gone differently.
Despite the apparently unintentional effects on EU-based companies, Chichester used the attack as an example of how states are increasingly targeting private businesses to achieve military or ideological aims.
China is also heavily implicated in attacks on critical national infrastructure, with cyber experts Kevin Mandia and Nicole Perlroth having recently warned the nation state has ramped up its cyber aggression.
Chichester said attacks by Volt Typhoon, an advanced persistent threat (APT) that successfully breached the US electric grid for almost a year, as well as Salt Typhoon which carried out major attacks on US telcos in 2024, show groups ‘pre-positioning’ themselves inside critical infrastructure.
As warned by CISA, this could enable undetected groups to carry out devastating attacks in the event of conventional war in the long term.
For-profit attacks remain king
Despite the growing threat posed by state-backed groups pursuing ideological and military aims, evidence suggests that businesses will still largely contend with traditional threat actors.
In a separate keynote talk at the event, James Lyne, office of the CEO at the SANS Institute and Ciaran Martin, director of CISO network at the SANS Institute and former head of the NCSC, balanced the real threat of state-backed groups with those of profit-motivated groups.
“Most people are interested in fraud,” said Lyne. “Most of this stuff is about making money, the average obsession of the average criminal gang is far more mundane.”
“I think that’s probably largely going to continue to be the case,” he added.
Lyne noted that, like the German wind farm operators inadvertently impacted by Russia’s attack on Viasat, some serious cyber attacks are mere “collateral damage” from campaigns aimed at other targets.
Martin said this was seen in the worst period of his time at the NCSC: the six-week period in 2017 in which North Korea launched the WannaCry ransomware attack, while suspected Russian groups hit Ukrainian banks and other organizations with the NotPetya malware.
“Between them, they [did] north of $10 billion of destruction and in my, sadly, favorite example from NotPetya, they’re attacking Ukrainian tax software and they end up stopping production at Cadbury’s chocolate factory in Tasmania, off the south coast of Australia.”