
Key takeaways on geopolitical cyber attacks

  • An advanced persistent threat (APT) attack is one of the most prominent activities carried out by state-sponsored actors and entities. It involves conducting prolonged, stealthy cyber-espionage actions to support a sponsor’s objectives.
  • AI and generative AI have not created many new attack types, but they are rapidly becoming essential tools for nation-states, making existing attacks faster, higher in volume and more sophisticated.
  • Due to the severe, systemic nature of these threats, cyberrisk must be treated as a critical national and board-level risk. Preparation requires integrating threat intelligence into security planning and conducting dedicated scenario planning (e.g., disaster recovery plans, business continuity plans).
  • Effective resilience requires a three-pronged strategy:
    1. Foundational hygiene: Implementing basic controls such as multi-factor authentication and patch management.
    2. Proactive governance: Conducting risk assessments and crisis management exercises.
    3. Widespread collaboration: Fostering public-private partnerships to share threat intelligence.

What is a cyber attack?

A cyber attack is a malicious attempt by an individual or organization to compromise the confidentiality, integrity or availability of a computer system, network or data. Cyber attacks can take many forms, including hacking, malware, phishing, denial-of-service attacks or ransomware.

At S&P Global, we recognize that cyberrisks are part of the broader geopolitical risk outlook. Therefore, tracking cyber attacks can help us to understand the geopolitical risk environment.

Difference between general and geopolitical cyber attacks

While cyber attacks often target the same entities, ranging from private individuals to critical national infrastructure, they are differentiated by the actor's motive and the scale of the intended impact.

General cyber attacks

A general cyber attack is the broadest category, carrying day-to-day risks and involving anyone in the digital landscape. Driven primarily by personal gain, actors such as cybercriminals, hacktivists or competitors target individuals and businesses for financial, social or political reasons. The results are often contained, from lower-impact outcomes such as personal financial loss to higher-impact consequences such as massive data breaches.

Geopolitical cyber attacks

In contrast, geopolitical attacks are driven by national interest and strategy. They are usually part of a broader strategic or political campaign and can occur just below the threshold of a declared war. These are typically orchestrated by nation-states or state-sponsored actors to weaken rivals, gather intelligence or prepare for physical conflict. While they may hit the same infrastructure as a general attack, the intent is to cause systemic instability or to gain a long-term strategic advantage. In times of declared war, these attacks can become cyberwarfare as part of an armed military conflict.

| Feature | General cyber attack | Geopolitical cyber attack |
|---|---|---|
| Context | Day-to-day risk in the digital landscape. | Part of a broader foreign policy or strategic competition, often in a "gray zone" below the threshold of declared war. |
| Primary actor | Cybercriminals, hacktivists, business competitors, or other individuals. | Nation-states or non-state actors operating on their behalf. |
| Main motive | Personal gains or interests (financial, social, or political). | Strategic, political, or national interest. |
| Target | Individuals, businesses, social organizations, governments, and critical infrastructure. | Defense contractors and commercial entities that support the government and national functions. |
| Level of sophistication | Low to high. | Extremely high and persistent. |
| Effect/Severity | Varies from low to high: data theft, financial loss, system disruption, or reputational damage. | High impact, often persistent and sophisticated; can lead to major economic damage and political instability, shifting the balance of power. |

Why view cyber attacks through the lens of geopolitics?

The COVID-19 pandemic significantly accelerated the shift toward digital services, forcing essential societal and economic functions into the digital realm. However, by increasing the number of connected devices, remote access points and third-party cloud services, society has expanded the “attack surface” of modern nations, creating unprecedented entry points for malicious actors. When a nation’s critical functions depend on these sprawling networks, their stability becomes a matter of national defense, directly linking a country's geopolitical standing to its ability to secure this vast and vulnerable digital territory.

The same technology that enables people to connect also allows global cyberthreat actors to share innovations, skills and tools. This compels governments and nation-states to view cyber attacks as a form of statecraft and a strategic threat comparable to traditional military actions. If cyber attacks and geopolitics are intertwined, then the political and social factors behind them must be examined. It is essential to recognize that cyber attacks now serve as tools of political influence and hybrid warfare.

12 most common types of cyber attack in geopolitics

1. Denial-of-service (DoS)/distributed denial-of-service (DDoS)

A denial-of-service (DoS) attack uses one computer to overload a service, causing a shutdown. A distributed denial-of-service (DDoS) attack is more disruptive; it uses a vast, dispersed network of infected devices called a botnet to launch a multisource flood that is nearly impossible to block. These attacks work by overwhelming resources, often through volumetric attacks that clog the target's entire internet connection. In a geopolitical context, these low-cost attacks are weapons of chaos, designed to:

  • Undermine public trust: By making critical services, such as banking or media, unavailable, they erode confidence in the government.
  • Cause strategic disruption: They sabotage an opponent's command and control by hindering military or economic functions.
  • Serve as a distraction: The noisy flood ties up security teams, allowing other, quieter hackers to slip in unnoticed.

The pro-Russian hacking group NoName057(16) claimed responsibility for DDoS attacks targeting various Italian government, financial and transportation websites in January 2025. These attacks, which caused temporary disruptions, were a response to Italy's continued support for Ukraine, specifically following Ukrainian President Volodymyr Zelenskyy's visit to Rome and Prime Minister Giorgia Meloni's reaffirmed commitment to aid Kyiv. Targets included the Ministry of Infrastructure and Transport and local public services. Italy's National Cybersecurity Agency (ACN) worked swiftly to mitigate the impact and restore services.

2. Strategic intelligence collection and data theft

Strategic intelligence collection is a sophisticated, long-term method of cyber attack designed to gather high-value information without detection. These operations are typically executed by an advanced persistent threat (APT): a highly skilled, well-funded group often tied to a nation-state. Rather than causing immediate disruption, this approach acts as a "digital spy," remaining hidden within a network for months or years. The objective is to achieve long-term geopolitical advantages by quietly exfiltrating government secrets, classified defense blueprints or crucial intellectual property. This sustained, covert intelligence gathering is a core component of modern cyberwarfare.

Salt Typhoon, a Chinese state-sponsored APT, targeted telecommunications providers to conduct strategic espionage. By infiltrating "lawful intercept" systems and core routers, they accessed sensitive metadata and unencrypted communications from political figures. This demonstrates how commercial entities are leveraged as "side doors" for high-stakes geopolitical intelligence gathering.

3. Supply chain cyber attacks

Supply chain attacks are a sophisticated technique employed by state-sponsored actors to bypass primary targets’ defenses. By exploiting the "weakest link," such as a smaller, less secure vendor or a trusted third-party service provider, foreign adversaries can gain covert, long-term access to critical national systems. From a geopolitical perspective, this is an act of statecraft designed to compromise a rival country's national security or economic stability. These operations may involve compromising hardware or software components at the manufacturing stage to install persistent backdoors for long-term cyber espionage or future sabotage.

The SolarWinds attack, for example, compromised the software build process of the Orion network management software, allowing attackers, believed to be Russia’s Foreign Intelligence Service, to inject malicious code (SUNBURST) into legitimate updates. This created a backdoor that enabled months of undetected access to thousands of organizations globally, including US federal agencies, thereby escalating geopolitical tensions.

4. Destructive malware attacks

Destructive malware attacks are digital weapons used by nation-states or their proxies for strategic sabotage and disruption, rather than financial gain. So-called wipers are commonly used to cause widespread irreversible damage to their targets' data.

Unlike ransomware, a wiper's sole purpose is to permanently overwrite or corrupt data. The primary targets are often critical infrastructure, such as government networks, power grids and financial systems, with the aim of causing widespread chaos and weakening an adversary’s economy. The use of wipers, especially in contexts such as the Russia-Ukraine conflict, demonstrates a clear intent to inflict maximum, irreversible damage as a strategic military or political objective.

The NotPetya attack in 2017, attributed to Russian military intelligence, is widely cited as the most destructive wiper attack in history, masquerading as ransomware. Originating in Ukraine, it spread globally and crippled major multinational corporations. The malware was engineered to make decryption impossible, confirming its true purpose was irreversible destruction, with total financial damage estimated at more than $10 billion.

5. Targeted ransomware attack

From a geopolitical perspective, targeted ransomware attacks are a form of digital aggression. They are carefully chosen to strike critical infrastructure, such as energy, healthcare or transportation, or government institutions. The goal shifts from merely collecting a ransom to causing widespread societal disruption and economic instability. These attacks are often conducted by criminal groups, either state-sponsored or operating with the tacit approval of a nation-state, granting that state plausible deniability for the aggression.

An example of the geopolitical use of ransomware is North Korea’s state-sponsored revenue generation model. Through units such as the Lazarus Group, the North Korean regime has weaponized ransomware — for example, in the 2017 WannaCry outbreak — not merely for criminal profit, but as a strategic tool of statecraft. In the face of international sanctions, these cyber operations serve as a financial lifeline, funnelling “hard currency” directly into the state’s treasury to fund its weapons programs, effectively turning cybercrime into a pillar of national security.

6. Spear phishing

Spear phishing is a highly targeted cyber attack that exploits human trust. Meticulously crafted for a specific individual, such as a government official or defense contractor executive, it is a key tool in cyber espionage and digital warfare, often orchestrated by nation-state actors. The goal is to infiltrate an enemy's network to steal highly sensitive information, such as national security secrets or defense plans. This social engineering tactic grants the foreign adversary a secret foothold, effectively compromising national security without using conventional force.

The 2016 breach of the Democratic National Committee involved suspected Russian state-sponsored hackers using spear-phishing emails to steal login credentials. The subsequent public release of the stolen data during the US presidential election was an act of political disruption with profound geopolitical consequences.

7. Disinformation campaigns

A disinformation campaign is a sophisticated form of information warfare in which a state actor deliberately creates and spreads false or misleading information to achieve a political objective in another country. It primarily uses the digital landscape, such as social media, fake news sites and deepfakes, to wage a "soft" attack. The primary goal is to cause political chaos and social disruption by exploiting existing societal divisions and eroding public confidence in democratic institutions. This is a low-cost, high-impact tool of international conflict.

Russian interference in the 2016 US presidential election, primarily orchestrated by the Russian government’s Internet Research Agency, involved creating hundreds of fake social media accounts to push highly polarized and sensational false narratives. The strategic goal was to sow discord and promote general chaos and instability within the US.

8. Sabotage of critical infrastructure (ICS/SCADA)

This is essentially a form of cyberwarfare targeting vital services such as power grids, water treatment plants and transportation systems, which are operated by industrial control systems and supervisory control and data acquisition (SCADA) systems. The primary goal is to cause real-world physical damage or widespread societal chaos, offering an asymmetric way to inflict harm with plausible deniability. By crippling core services, the attacker aims to paralyze the target nation's economy and erode public trust, mirroring the effects of traditional warfare.

The December 2015 BlackEnergy malware attack on Ukraine's power grid was the first publicly acknowledged cyber attack to successfully cause a power outage. The attack, attributed to Russian threat group Sandworm, took control of SCADA systems, plunging more than 225,000 people into darkness for hours.

9. Zero-day exploits

A zero-day exploit takes advantage of a software vulnerability that the defensive side is not yet aware of and has no patch for, making it very hard to stop. From a geopolitical perspective, a state's decision to use a zero-day exploit for sabotage, such as destroying industrial equipment, is a significant escalation. This means the attacking nation sacrifices its long-term intelligence-gathering capability for a short-term, high-impact strategic objective, publicly demonstrating a superior offensive capability.

The TRITON malware attack in 2017 on a Middle Eastern petrochemical facility targeted a safety instrumented system, a computer designed to prevent catastrophic plant failures. This was the first publicly identified cyberweapon specifically designed to compromise human safety by simultaneously disrupting operations and disabling safety measures.

10. Cyber-enabled financial theft

Cyber-enabled financial theft is a deceptive tactic in which a nation-state uses the pretense of simple criminal theft to achieve a geopolitical goal. To the public, it appears to be a digital bank robbery, but the true motive is often to generate revenue to evade international sanctions or to fund clandestine operations. The key is plausible deniability. By crafting the attack to appear as the work of financially motivated criminals, the sponsoring state can execute a strategic act of aggression, such as disrupting a rival's financial markets or undermining confidence in its banking system, while diverting international condemnation.

The Lazarus Group, a state-sponsored hacking entity linked to North Korea, routinely conducts cyber-enabled financial theft against global financial institutions and cryptocurrency exchanges. A prime example is the massive theft from the Central Bank of Bangladesh's New York Federal Reserve account in 2016 via fraudulent SWIFT requests, as well as the ongoing theft of hundreds of millions of dollars in cryptocurrency.

11. Website defacement/hacktivism

Hacktivism is a form of digital influence operation that focuses less on stealing data and more on psychological impact and geopolitical messaging. It involves visible, public methods such as changing the content on an adversary's official government or media website (defacement) or leaking stolen, embarrassing documents (hacktivism) to cause confusion and distrust. By allowing the attack to be attributed to an ambiguous hacktivist group, the sponsoring state can exert significant pressure on an adversary’s political process without risking overt military or diplomatic retaliation.

Following Russia's invasion of Ukraine, numerous hacktivist groups launched waves of website defacement attacks against organizations in countries supporting Ukraine. By replacing official web content with pro-Russian propaganda, the attackers aimed to project influence and undermine public confidence in the targeted governments.

12. Insider threat exploitation

Insider threat exploitation is a uniquely dangerous form of geopolitical sabotage because the vulnerability lies in trust, not technology. It involves a nation-state recruiting or manipulating an individual who already has authorized access to a target organization's sensitive data or systems. This method bypasses advanced external defenses and grants unparalleled access to highly sensitive intelligence. It also provides the highest degree of plausible deniability, as the public narrative can focus on the rogue individual, diverting international condemnation from the sponsoring state.

A sophisticated evolution of the insider threat is the state-directed infiltration of global corporations. Recently, the US Justice Department and international intelligence agencies have identified thousands of North Korean nationals using falsified identities and “front” companies to secure remote IT positions in Western firms. These individuals are not typical employees; they are state operatives who use their privileged system access to exfiltrate proprietary data, generate revenue for the regime's weapons programs, and potentially plant “logic bombs” or backdoors for future state-sponsored cyber attacks.

AI in cybersecurity and emerging AI cyber attacks

AI poses opportunities for and threats to cybersecurity. According to AI for Security, and Security for AI: Two Aspects of a Pivotal Intersection, the intersection of AI and cybersecurity is defined by a crucial dual role: AI as a powerful defender, and AI as a new target and source of risk.  

AI for security

Machine learning has been a foundational defense tool for years, offering scalable solutions to keep pace with evolving threats. It helps distinguish between benign files and new, unknown threats, enabling user and entity behavior analytics to spot subtle anomalies in the system.

The rise of generative AI marks a significant advancement for security analysts. It automatically processes massive datasets, extracts valuable insights and translates complex technical details into human language. This lessens the burden on analysts, allowing them to focus on high-value threat response.

Security for AI

On the other hand, AI systems themselves introduce new security exposures. Flaws can be hidden within the software components used to build and train AI models. Adversaries can manipulate AI functionality to bypass security controls or tamper with data. Attackers can leverage AI to accelerate the development of sophisticated and difficult-to-detect exploits.

To counter these threats, security experts are developing new standards, such as MITRE’s Adversarial Threat Landscape for Artificial Intelligence Systems (ATLAS), to catalog threats that systematically target AI.

AI in geopolitical cyber attacks

Geopolitical cyber attacks are increasingly leveraging AI and generative AI, primarily as a force multiplier in the supporting phases of an operation. While this technology has not birthed entirely new categories of threats, it enables nation-state actors to execute traditional attacks with unprecedented speed, volume and sophistication. However, the landscape is shifting: Recent developments have seen threat actors utilize AI to bridge the gap between intent and execution, exemplified by "VoidLink," a sophisticated malware developed almost entirely through AI-driven processes.

Beyond automated code generation, the primary pillars of AI-augmented geopolitical threats include:

  • AI-driven social engineering: Automating the reconnaissance and psychological profiling of high-value targets.
  • Hyperrealistic phishing: Using large language models to eliminate the linguistic "red flags" typical of foreign-origin attacks.
  • Deepfakes: Deploying synthetic audio and video to destabilize public trust or impersonate political leaders.
  • Adversarial AI/machine learning: Directly attacking or "poisoning" the machine learning models used by an adversary's defense systems.

Most of these occur more frequently at the general level than at the geopolitical level. However, while a catastrophic geopolitical attack powered by fully autonomous, offensive AI has not yet been confirmed, the current trend shows AI is rapidly becoming an essential tool for nation-state-backed threat actors to make their cyber campaigns more efficient and dangerous.

Given the speed, sophistication and strategic intent behind these attacks, exacerbated by AI’s capabilities, governments and businesses must shift from reactive to proactive defense. 

How to reduce risks from geopolitical cyber attacks

To build digital resilience against the growing complexity of geopolitical cyber attacks, governments and businesses must focus on three core strategic areas: strengthening foundational defenses, embracing proactive governance and fostering widespread collaboration.

Foundational cyber resilience and hygiene

The primary line of defense against sophisticated state-sponsored attacks involves establishing and rigorously maintaining robust, fundamental cybersecurity practices.

Implementing basic security controls

Organizations must diligently apply basic controls to make initial breaches difficult and restrict an attacker's movement once inside. This starts with using multi-factor authentication for all accounts, particularly for remote access and critical systems. It is also vital to practice prompt patch management, which means immediately applying security updates to all software and operating systems to fix known vulnerabilities. For organizations with critical national infrastructure, network segmentation is essential. This involves dividing the network into smaller, isolated zones, which is crucial for keeping operational technology systems, such as SCADA, separate from the main information technology network to prevent a broader compromise.

Strengthening supply chain security

Geopolitical actors frequently target the weakest link in a system, often a third-party vendor or a component in the supply chain. Therefore, organizations must:

  • Rigorously vet vendors to ensure that all third-party partners and suppliers meet or exceed their own security standards.
  • Diversify sourcing for critical technologies and services to mitigate the risk of disruption caused by reliance on a single country or vendor during geopolitical events.

Enhancing threat detection

In times of heightened geopolitical tension, organizations cannot afford to miss subtle intrusion attempts. They must lower their thresholds for detecting intrusions and prioritize near-real-time analysis of network traffic. Ignoring what seems like a minor alert during calm periods could be catastrophic during a crisis, as attackers often gain a foothold before launching a destructive attack.
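The threshold-lowering idea above, as an added example that is not part of the S&P Global article: a small posture-aware detector run over constructed authentication log lines. Under the "normal" posture the three failed logins followed by a success stay below the alert threshold; under the "heightened" posture the same events raise alerts, which is exactly the "minor alert in calm periods" the text warns about. The log format, thresholds and sample values are all assumptions made for this illustration.

```python
"""Posture-aware login anomaly detection (added example, not the article's code).

Constructed log format (an assumption): "<ISO timestamp> <user> <source IP> <OK|FAIL>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z alice 203.0.113.5 FAIL
2025-01-10T09:00:20Z alice 203.0.113.5 FAIL
2025-01-10T09:01:05Z alice 203.0.113.5 FAIL
2025-01-10T09:03:40Z alice 203.0.113.5 OK
2025-01-10T09:10:00Z bob 198.51.100.7 OK
2025-01-10T09:11:00Z carol 203.0.113.5 FAIL
2025-01-10T09:12:00Z carol 203.0.113.5 OK
"""

# Detection thresholds per security posture (assumed values). "heightened" lowers the
# failure count needed to alert and widens the sliding window, as the article recommends
# for periods of geopolitical tension.
THRESHOLDS = {
    "normal": {"max_failures": 5, "window_min": 10},
    "heightened": {"max_failures": 2, "window_min": 15},
}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result == "OK"))
    return events


def detect(events: list[Event], posture: str) -> list[tuple[str, str, str, int]]:
    """Return alerts as (rule, source IP, user, failures-in-window) tuples.

    Rule 1, brute_force: a source accumulates max_failures failed logins inside the
    sliding window (reported once per source).
    Rule 2, success_after_failures: a successful login from a source that still has at
    least max_failures recent failures, i.e. a guessed credential that worked and may be
    the quiet foothold that precedes a destructive attack.
    """
    cfg = THRESHOLDS[posture]
    window = timedelta(minutes=cfg["window_min"])
    recent = defaultdict(list)  # source IP -> timestamps of failures still in window
    alerts = []
    alerted_sources = set()
    for ev in sorted(events, key=lambda e: e.ts):
        # Drop failures that have aged out of the sliding window for this source.
        fails = [t for t in recent[ev.src] if ev.ts - t <= window]
        recent[ev.src] = fails
        if not ev.ok:
            fails.append(ev.ts)
            if len(fails) >= cfg["max_failures"] and ev.src not in alerted_sources:
                alerts.append(("brute_force", ev.src, ev.user, len(fails)))
                alerted_sources.add(ev.src)
        elif len(fails) >= cfg["max_failures"]:
            alerts.append(("success_after_failures", ev.src, ev.user, len(fails)))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for posture in THRESHOLDS:
        print(posture, detect(evs, posture))
```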

Establishing robust disaster recovery (DR)

Since state-sponsored attacks often aim for total system destruction or long-term lockout, technical recovery must be a priority. Organizations should maintain immutable backups, that is, data copies that cannot be altered or deleted even by an attacker with administrative privileges. These backups must be stored "off-network" to prevent them from being encrypted or destroyed during a ransomware or wiper attack. Disaster recovery plans must be regularly tested to ensure that systems can be restored within an acceptable time frame, minimizing the window of vulnerability.

Proactive risk assessment and governance

Cybersecurity is no longer just a technical issue; these risks must also be tracked within an enterprise risk management program to increase their visibility.

Conducting geopolitical risk assessments

Executive leadership must integrate geopolitical understanding into security planning. This involves conducting detailed assessments to map exposure, such as identifying all systems, people and assets in high-risk territories, and explicitly defining the board's risk tolerance for geopolitical events.

Scenario planning and business continuity

Preparedness relies on practicing for crises, not just planning for them. Beyond incident response, organizations must have documented business continuity plans that outline how to maintain "minimum viable operations" during a total digital blackout. This includes manual workarounds for automated processes and clear communication channels that do not rely on the compromised network. These plans should be refined through regular tabletop exercises involving both IT and executive leadership to ensure a coordinated, resilient response under pressure.

Integrating geopolitical expertise

To stay ahead of state-sponsored threats, organizations must embed geopolitical understanding into their security structures. This involves monitoring new laws, sanctions or emerging conflicts by consulting with international affairs experts or hiring government relations staff.

Collaboration and information sharing

Because geopolitical threats are systemic, no single entity can defend against them in isolation. Effective defense relies on collective action and partnership.

Fostering public-private partnerships

Governments have a duty to actively share threat intelligence with the private sector, especially with owners and operators of critical national infrastructure in energy, finance and telecommunications. Likewise, private businesses must assume a collaborative role by reporting suspicious activity to appropriate government cybersecurity agencies.

Cultivating a strong security culture

Ultimately, every employee is part of the defense system. Organizations should use constant communication and training to:

  • Improve cybersecurity awareness.
  • Train employees to recognize and report sophisticated spear-phishing and social engineering attacks, which are the standard initial entry vectors used by nation-state actors to steal credentials.

Final thoughts on geopolitical dynamics in cyber attacks

The evolving landscape of geopolitical cyber attacks demands a proactive, strategic approach from governments and businesses worldwide. As threat actors leverage advanced technologies, including AI, the risks to critical infrastructure, public sector entities and private organizations continue to escalate.

Building digital resilience requires more than technical solutions; it calls for robust governance, continuous risk assessment and strong collaboration across sectors. By prioritizing foundational cybersecurity practices, enhancing threat detection and fostering a culture of security awareness, organizations can better defend against sophisticated, state-sponsored attacks.

Ultimately, the ability to anticipate, adapt and respond to emerging threats will determine the effectiveness of national and organizational defenses in an increasingly interconnected and volatile digital environment.
