Full Report
The Office of the Director of National Intelligence (ODNI) identified in its 2025 Annual Threat Assessment of the...

The post ODNI 2025 Threat Assessment notes threats from Russia, China, Iran, North Korea targeting critical infrastructure, telecom appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: People's Republic of China (PRC)
## Attribution & Identity
Attributed to the state apparatus of the People's Republic of China (PRC). The ODNI notes the PRC remains the most active and persistent cyber threat to the U.S. government, private sector, and critical infrastructure networks.
## Activity Summary
The PRC is conducting an aggressive, whole-of-government approach, using state direction of the private sector to achieve global S&T superpower status and displace U.S. economic and military power. Specific publicly tracked campaigns include:
* **Volt Typhoon:** Campaign positioning access on U.S. critical infrastructure for potential attacks during a crisis or conflict.
* **Salt Typhoon:** Recently identified compromise of U.S. telecommunications infrastructure.
* **Prepositioning:** The PRC is believed to be prepositioning for large-scale cyber operations against U.S. critical infrastructure and military assets if a major conflict with Washington becomes imminent.
## Tactics, Techniques & Procedures
- Prepositioning access on U.S. critical infrastructure networks.
- Compromising U.S. telecommunications infrastructure.
- Capabilities designed to impede U.S. decision-making, induce societal panic, and interfere with force deployment during conflict.
## Targeting
- Sectors: U.S. Government, Private Sector, Critical Infrastructure (including telecommunications).
- Geography: United States.
- Victims: Unspecified U.S. government, private sector entities, and critical infrastructure networks.
## Tools & Infrastructure
- **Campaigns/Aliases:** Volt Typhoon, Salt Typhoon.
- **Infrastructure:** Compromises of U.S. telecommunications infrastructure.
## Implications
The PRC poses the most significant and persistent cyber threat. Their cyber operations are integrated into broader geopolitical goals, aiming to achieve global dominance and establish deterrent capabilities against the U.S. by threatening irreversible damage to national systems during a potential conflict.
## Mitigations
Focus cyber defense efforts on hardening critical infrastructure and government networks against long-term, stealthy access positioning. Monitor for evidence of preparatory access/prepositioning often associated with Volt Typhoon activity.
***
# Threat Actor: Iran (Islamic Republic of Iran)
## Attribution & Identity
Attributed to state-sponsored cyber actors incentivized by Iranian leadership to be aggressive. Connected to the **IRGC (Islamic Revolutionary Guard Corps)**. Iran is viewed as a major threat due to its growing expertise and willingness to conduct aggressive cyber operations.
## Activity Summary
Iranian actors are actively conducting cyber operations, often amplifying influence operations.
* During the Israel-HAMAS conflict, U.S. private industry tracked related influence campaigns and attacks.
* **Known Activity (June 2024):** An IRGC actor compromised an email account tied to an individual with informal ties to former President Trump’s campaign, using it to launch a targeted spear-phishing campaign against individuals within the campaign. The actor then attempted to manipulate U.S. journalists.
* Iranian actors were also cited for conducting cyber attacks against U.S. water infrastructure in 2023, drawing publicity despite limited operational effect.
## Tactics, Techniques & Procedures
- Spear-phishing against politically sensitive targets.
- Email account compromise used for follow-on targeting.
- Information manipulation targeting journalists.
- Conducting disruptive cyber attacks against physical infrastructure (e.g., water utilities).
## Targeting
- Sectors: Political campaigns (historical targeting), media/journalists, U.S. Water Infrastructure.
- Geography: United States.
- Victims: Individuals with ties to U.S. political campaigns, U.S. water utilities.
## Tools & Infrastructure
- Not specified beyond the use of compromised email accounts for targeted spear-phishing.
## Implications
Iran is utilizing cyber operations offensively to deepen military partnerships (e.g., supplying Russia) and project influence, suggesting an increasing appetite for disruptive or espionage operations against U.S. networks and data, especially in response to geopolitical events.
## Mitigations
Implement multi-factor authentication and strict email security hygiene, particularly for accounts associated with sensitive political or organizational figures. Maintain strong defenses around operational technology (OT) and critical infrastructure like water systems.
***
# Threat Actor: North Korea (DPRK)
## Attribution & Identity
Attributed to the state apparatus of North Korea (DPRK).
## Activity Summary
North Korea primarily uses cyber activities to fund its military development and economic initiatives.
* **Financial Attacks:** Stealing hundreds of millions of dollars annually through cryptocurrency theft from the U.S. and others.
* **Espionage Expansion:** Expected to expand ongoing cyber espionage to target defense industrial base companies involved in aerospace, submarine, or hypersonic glide technologies to fill gaps in their weapons programs.
## Tactics, Techniques & Procedures
- Large-scale cryptocurrency theft/financial exploitation.
- Cyber espionage targeting sensitive defense industrial supply chain components.
## Targeting
- Sectors: Financial assets (cryptocurrency), Defense Industrial Base (aerospace, submarine, hypersonic technologies).
- Geography: United States and international victims (for financial theft).
- Victims: Unspecified cryptocurrency exchanges/entities; projected targeting of defense contractors.
## Tools & Infrastructure
- Tools focused on cryptocurrency theft (not specified).
## Implications
North Korea is using cyber operations as a critical economic lifeline to sustain prohibited WMD programs. There is a high likelihood of targeted espionage against the U.S. defense industrial base in the near future.
## Mitigations
Enhance security controls around cryptocurrency wallets and financial transaction verification. Increase vetting and monitoring focused on defense contractors developing high-priority weapons systems (aerospace, hypersonics).
***
# Threat Actor: Financially Motivated Cyber Criminals (General/State-Enabled)
## Attribution & Identity
Non-state, financially motivated threat groups. Some non-state groups are noted as being enabled "both directly and indirectly" by state actors like China and India (in the context of precursors for drug trafficking).
## Activity Summary
These actors continue to target inadequately defended U.S. targets for profit, causing broad impact on the populace.
* **Ransomware:** Attacks on healthcare systems and municipal governments. In mid-2024, a major ransomware attack targeted the largest payment processor for U.S. healthcare, leading to prescription delays and ambulance diversions.
* **Extortion:** Targeting U.S. water infrastructure, following publicity generated by prior state-actor incidents.
* **OT Disruption:** Attacks targeting poorly secured industrial control systems (ICS) or utility company business networks.
## Tactics, Techniques & Procedures
- Ransomware deployment against critical services.
- Targeting ICS/SCADA environments in OT networks.
- Exploiting vulnerabilities in healthcare payment processors.
## Targeting
- Sectors: Healthcare Systems, Municipal Governments, Water Infrastructure, Utility Companies.
- Geography: United States.
- Victims: Healthcare payment processors, large and small water utilities.
## Tools & Infrastructure
- Ransomware variants (not specified).
## Implications
Financially motivated groups present an immediate threat to public safety and economic stability by capitalizing on weak defenses in legacy systems (healthcare/municipal). Their actions can create widespread societal panic and resource strain.
## Mitigations
Focus immediately on securing ICS/OT environments and patching control systems. For the healthcare sector, prioritize security around payment processing and EHR systems, and establish robust offline recovery capabilities given the high-impact ransomware threat.
***
# Threat Actor: Russia (State-Sponsored Hacktivists)
## Attribution & Identity
State-backed or inspired Russian hacktivists.
## Activity Summary
Mentioned primarily as inspirational actors for subsequent criminal attacks. Russian hacktivists conducted cyber attacks against U.S. water infrastructure in 2023, which, while having little overall effect, drew substantial publicity.
## Tactics, Techniques & Procedures
- Cyber attacks against critical infrastructure (water utilities) for publicity/coercion.
## Targeting
- Sectors: Water Infrastructure.
- Geography: United States.
## Tools & Infrastructure
- Not specified.
## Implications
Their actions signal potential strategic interest in disrupting U.S. infrastructure, often inspiring or informing other criminal actors.
## Mitigations
Strengthen digital defenses around water utility operational environments.