
RSAC™ 2025 Conference: Nation-State Attackers Are Everyone’s Problem Now

Why no one is off the radar anymore

  • Nation-state attackers are expanding their focus with small and mid-sized businesses becoming some of their favorite targets.
  • Sophisticated threats demand advanced protections from aggressive tactics employed by nation-state groups including China, Russia, North Korea and Iran.
  • Small and medium-sized businesses (SMBs) for years assumed they were too small to be targeted by enterprise-grade threats, but now only enterprise-grade security can protect them.
  • By leveraging AI and threat intelligence to predict attackers’ next moves and prevent damage to organizations, groundbreaking innovations like Incident Prediction may be the key to staying ahead of these persistent nation-state attackers.

The moment we saw the nearly packed house for our RSAC™ 2025 Conference presentation, Under Siege: How APTs and Nation-States Are Targeting Everyone, we knew the topic we’d chosen was already prominent in the minds of security professionals. The session title, including the term “under siege”, reflects the significant changes we’ve been seeing across the threat landscape over the last few years. Advanced persistent threats (APTs) and nation-state actors are no longer exclusively targeting governments, military organizations or large corporations. Today, these sophisticated attackers are targeting businesses of all sizes—including small and medium-sized businesses (SMBs).

Over the years, these smaller businesses haven’t worried much about APTs; they assumed nation-state attackers didn’t view them as valuable targets. For a long time, they were largely correct. But that assumption no longer holds true today. As attacks become more automated, we expect ransomware and other threats targeting these organizations to grow exponentially. To defend themselves against enterprise-grade threats, organizations need to deploy enterprise-grade, AI-powered solutions and better understand the tactics, tools and strategies employed by these bad actors.

Emerging trends in cyber threats

Historically, APTs focused on high-value targets such as government entities and large enterprises. However, state-sponsored actors have widened their scope, going downmarket and targeting mid-market companies and SMBs for economic espionage, supply chain infiltration and ransomware attacks. Here’s how these trends have become particularly evident in the activities of nation-state actors from China, Russia, North Korea and Iran.

China: A multifaceted threat

China’s cyber operations are vast and highly active, with multiple groups leveraging shared intelligence, resources and contractor networks. These groups have a wide range of targets, from governments to SMBs, and strategic rivals such as the U.S., Russia, India and Europe, as well as neighboring countries like Taiwan and Japan. Their tactics include DLL sideloading, legitimate tool and infrastructure reuse, and noisy operations with little concern for attribution.

Recently, China-linked groups have been moonlighting as ransomware operators, targeting industries such as manufacturing, engineering, pharmaceuticals and IT services. These actors used tools previously reserved only for nation-state attacks to deploy ransomware instead for their personal gain, marking a significant shift in their operations.

Russia: Unsophisticated but persistent

Unlike China, Russia’s attacking entities are all in-house and very clearly aligned to just a few groups, namely military agencies. Groups like Shuckworm, linked to Russia’s Federal Security Service (FSB), specialize in attacks against Ukraine. They often rely on a mass “spray and pray” technique, sending phishing links in very large volumes of email. While their methods are often unsophisticated, their persistence results in collateral damage to many unintended victims.

North Korea: Sophisticated espionage and extortion

North Korea is unique in its own right. Compared to other nation states—including China—it is the only one that actually goes after currency for pure economic gain, frequently targeting cryptocurrency organizations. In addition, North Korea continues to use a variety of other schemes to generate foreign currency, from impersonating U.S. workers to executing ransomware attacks. The U.S. Department of Justice recently indicted a North Korean man named Rim Jong Hyok, a member of the Stonefly group linked to the North Korean Reconnaissance General Bureau (RGB), for extorting U.S. healthcare providers and laundering ransom proceeds to fund additional cyberattacks against targets in the defense, technology and government sectors worldwide.

Iran: Aggression and espionage operations

Iranian cyber groups such as Druidfly and Seedworm are known for their destructive attacks and espionage operations. Druidfly targets countries hostile to Iran, including Albania and Israel, while Seedworm focuses on organizations in the Middle East and beyond. These groups employ adept social engineering tactics, custom backdoors and ransomware like DarkBit, often serving as a cover for their devastating attacks.

Back to basics with a strategic defensive twist

Nation-state attacks will undoubtedly continue targeting SMBs and mid-size organizations. Defending against these advanced threats requires a combination of prevention, detection and response strategies. Security teams must focus on reducing their attack surface, detecting malicious activity and responding effectively to incidents. Advanced attackers often use living-off-the-land (LOTL) strategies, leveraging legitimate tools to evade detection.

Organizations of all sizes must take immediate steps to strengthen their security posture and defend against these threats. Here’s how:

  1. Adjust threat models: Recognize that advanced threats targeting SMBs are the new reality and update threat models accordingly.
  2. Address LOTL threats: Review user policies to limit attack surfaces and block rarely used internal tools. Adaptive security technologies can automate this process, while ongoing analyst training can ensure quick responses to advanced tactics. Don’t stop there: Adopt protections that specifically aim to prevent LOTL attacks from executing, a crucial defense given that from 2021 to 2023, half of all ransomware attacks used LOTL tools.
  3. Deploy IPS: Ensure comprehensive coverage across the infrastructure, including an intrusion protection system (IPS) for East-West traffic.
  4. Evaluate coverage: Endpoint security is critical, but at this point, it’s likely not enough. Consider adding an endpoint detection and response (EDR) solution, which provides vast and deep visibility into all your endpoints, and hunts down and stops threats that sidestep frontline protections.
  5. Expand threat intelligence: Stay current on the tools, tactics and procedures used by APTs and nation-state actors.
  6. Create your own forensic files: By deploying high-integrity forensic capabilities, teams can achieve comprehensive visibility into attacks. Look for solutions that continuously record and store endpoint activity, which is essential for understanding what happened so you can prevent it from happening again.
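Steps 2 and 6 above boil down to knowing which legitimate tools each host normally runs and keeping a full record when one of them shows up somewhere it never has before. The following script is an added example, not code from the blog or from Symantec; it shows one way to triage process-creation records for LOTL activity. The log format (`ts|host|user|parent_image|image|command_line`), the host names, the sample records and the tool lists are all constructed for the example, and the two heuristics (a watched tool absent from the host's baseline, or a watched tool launched by a document handler) are assumptions a team would tune to its own environment.

```python
"""Living-off-the-land (LOTL) process-creation triage: flag legitimate tools
that run where they are rarely or never used.  Added example, not the blog's
or Symantec's code; log format, host names and tool lists are constructed."""
from dataclasses import dataclass, field

# Legitimate Windows binaries that attackers commonly reuse (illustrative list;
# tune it to the tools your own environment depends on).
LOTL_TOOLS = {
    "powershell.exe", "certutil.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "wmic.exe", "bitsadmin.exe",
}
# Document handlers that rarely have a legitimate reason to spawn admin tools.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# Constructed process-creation records: ts|host|user|parent_image|image|command_line
BASELINE_LOG = r"""
2025-04-28T09:00:00Z|FIN-PC01|alice|explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File weekly_report.ps1
2025-04-28T09:05:00Z|IT-ADMIN01|bob|cmd.exe|C:\Windows\System32\wbem\wmic.exe|wmic.exe os get caption
2025-04-28T09:06:00Z|IT-ADMIN01|bob|cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Service
"""
MONITORED_LOG = r"""
2025-05-01T10:00:00Z|FIN-PC01|alice|explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File weekly_report.ps1
2025-05-01T10:02:00Z|FIN-PC01|alice|winword.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Date
2025-05-01T10:03:00Z|FIN-PC01|alice|cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -hashfile quarterly.xlsx SHA256
2025-05-01T10:04:00Z|IT-ADMIN01|bob|cmd.exe|C:\Windows\System32\wbem\wmic.exe|wmic.exe process list brief
2025-05-01T10:05:00Z|HR-PC07|carol|explorer.exe|C:\Program Files\Notepad++\notepad++.exe|notepad++.exe
this line is malformed and must be skipped rather than crash the detector
"""


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    tool: str
    reasons: list = field(default_factory=list)
    raw: str = ""  # full original record, kept for the forensic trail


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(log: str):
    """Yield (ts, host, user, parent, image, cmd, raw) for each well-formed record."""
    for raw in log.strip().splitlines():
        parts = raw.split("|", 5)
        if len(parts) != 6:
            continue  # malformed records are skipped, never trusted
        ts, host, user, parent, image, cmd = parts
        yield ts, host, user, basename(parent), basename(image), cmd, raw


def build_baseline(log: str) -> dict:
    """Map each host to the set of executables observed during a known-good period."""
    baseline = {}
    for _, host, _, _, image, _, _ in parse(log):
        baseline.setdefault(host, set()).add(image)
    return baseline


def detect(log: str, baseline: dict) -> list:
    """Flag LOTL tool executions that deviate from the host's baseline or
    are launched by a document handler; every alert carries the raw record."""
    alerts = []
    for ts, host, user, parent, image, _, raw in parse(log):
        if image not in LOTL_TOOLS:
            continue
        reasons = []
        if image not in baseline.get(host, set()):
            reasons.append(f"{image} never seen on {host} during baseline")
        if parent in DOCUMENT_PARENTS:
            reasons.append(f"{image} spawned by document handler {parent}")
        if reasons:
            alerts.append(Alert(ts, host, user, image, reasons, raw))
    return alerts


if __name__ == "__main__":
    for a in detect(MONITORED_LOG, build_baseline(BASELINE_LOG)):
        print(f"[{a.ts}] {a.host}/{a.user}: {'; '.join(a.reasons)}")
```

On the constructed data this raises two alerts, both on FIN-PC01: PowerShell launched by Word (a tool the host does use, but from a parent it never should), and certutil.exe, which the host never ran during the baseline period. Bob's wmic.exe on the admin workstation stays quiet because it is part of that host's normal profile, which is the point of a per-host baseline rather than a single global blocklist. In practice the baseline would be built from weeks of EDR telemetry rather than three lines, and the alert's `raw` field is what you hand to the forensic record in step 6.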

Predictive security: The next frontier

There is no easy button to push that defends against nation-state attacks. But if security teams can frustrate attackers just enough, they will go somewhere else. When we looked closely at the problem, we asked ourselves: What else can we do? What other mitigations can we add? If we see evidence of malicious activity in the early stages of an attack, can we say, “Hey, with reasonable confidence, the next thing the attacker is going to do is X or Y,” and then put controls in place to block that expected activity? 

Thanks to AI, the answer is yes. Inspired by large language models (LLMs), our recently launched predictive security capability—Incident Prediction—leverages AI in a breakthrough way that predicts and disrupts the next steps attackers might take before damage can occur. And it can do this with up to 100% confidence.

When an attack does happen, we catalog every step of that attack. By training on 500,000 attack chains, Symantec’s Incident Prediction can disrupt attackers’ plans, buy time for security teams and limit business disruption. With accurate predictions in 80% of incidents, its potential to revolutionize threat defense is undeniable—and hard for security teams to pass up.

Ready to turn your defenses up to 11? Learn more about how Incident Prediction can help protect your organization against nation states and ransomware groups.  


About the Author

Jason Rolleston

Vice President and General Manager, Enterprise Security Group, Broadcom

Jason Rolleston is Vice President and General Manager of the Enterprise Security Group at Broadcom (ESG). He is responsible for Broadcom’s combined portfolio of Symantec and Carbon Black solutions for Information, Network, Endpoint and Application Security.

About the Author

Eric Chien

Fellow, Symantec Threat Hunter Team, Broadcom

Chien leads a team of engineers and threat hunters that investigate and reverse-engineer the latest high-impact Internet security attacks. Via these attack techniques and trends, he develops and drives threat intelligence and novel security solutions to prevent and mitigate against the next big attack.
