State‑backed Campaigns Rising
- Reports show state actors from China, Iran, and Russia are behind many of the highest-impact cyberattacks. (x.com)
- One operation, MuddyWater, reportedly targeted more than 100 governments via supply‑chain and phishing campaigns. (x.com)
- The scale and tactics indicate defenders must treat some incidents as nation‑level campaigns, not just crimeware.
State-backed hacking groups from China, Iran, and Russia now sit behind many of the most damaging cyber intrusions hitting governments, infrastructure operators, and large companies. (microsoft.com) The Cybersecurity and Infrastructure Security Agency said nation-state actors pose an elevated threat to U.S. national security and continue to target critical infrastructure Americans rely on every day. CISA’s overview names China, Iran, North Korea, and Russia as the main government-backed cyber threats it tracks. (cisa.gov)

Microsoft’s 2025 Digital Defense Report said destructive cloud-focused campaigns rose 87% and said adversaries are attacking supply chains, identities, and cloud systems at a pace that is shrinking response times. The company also said AI-driven phishing is now three times more effective than traditional campaigns. (microsoft.com)

A supply-chain attack works by compromising a trusted vendor, software update, or service provider so the attacker can ride that trust into many downstream networks at once. Microsoft says those attacks aim at developers, source code, build systems, and update mechanisms rather than a single victim’s firewall. (microsoft.com)

One Iranian operation, MuddyWater, has run that playbook for years. In a February 24, 2022 joint advisory, CISA, the Federal Bureau of Investigation, U.S. Cyber Command, and Britain’s National Cyber Security Centre said MuddyWater is part of Iran’s Ministry of Intelligence and Security and has conducted broad campaigns since about 2018. (cisa.gov) That advisory said MuddyWater targeted telecommunications, defense, local government, and oil and natural gas organizations across Asia, Africa, Europe, and North America. The agencies said the group used phishing, public vulnerability exploits, open-source tools, and malware families including PowGoop, Small Sieve, Canopy, Mori, and POWERSTATS. (cisa.gov)

The campaign tied to MuddyWater expanded again in October 2025. The Record, citing research from Group-IB, reported the group targeted more than 100 government entities and international organizations across the Middle East and North Africa in a phishing operation. (therecord.media) BleepingComputer reported the same campaign deployed version 4 of the Phoenix backdoor against more than 100 government entities. Dark Reading said the targets were government-related organizations across the Middle East and North Africa. (bleepingcomputer.com, darkreading.com)

Google Cloud’s Cybersecurity Forecast 2026 says nation-state operations remain a core part of the threat picture even as cybercrime stays the most disruptive global threat. Mandiant’s 2026 M-Trends report says some intrusions now last for years and some ransomware handoffs between criminal partners have collapsed to seconds. (services.google.com, cloud.google.com)

The practical shift for defenders is that some incidents cannot be treated like ordinary extortion cases or one-off malware infections. When the same operators mix espionage, phishing, supply-chain access, cloud abuse, and long-term persistence, the response starts to look less like routine cleanup and more like countering a sustained state campaign. (cisa.gov, microsoft.com)