Published on 14 October 2025

How states wage invisible battles and what this year's key reports reveal.

 

Introduction: the geopolitical chessboard is now played in cyberspace

International politics is no longer confined to embassies, diplomatic summits, and conventional military conflicts. In 2025, geopolitics is also being waged in a space without borders, without flags, and without bullets: cyberspace.

Targeted attacks on critical infrastructure, large-scale industrial espionage, disinformation operations within democratic processes, and algorithmic manipulation have now become common tools of state power.

Meanwhile, businesses and organisations (not just governments) find themselves caught in the crossfire of advanced actors driven by ideological, political, and economic motives. This article explores two complementary dimensions in depth:

  1. The changing nature of global cyber conflicts.
  2. What 2025 threat reports teach us about actors, tactics and emerging trends.

 

Digital hybrid warfare: a permanent, invisible and asymmetric conflict

What is hybrid warfare?

Hybrid warfare combines multiple vectors of confrontation (conventional, irregular, cyber, informational) to weaken or control an adversary without a formal declaration of war.

In the digital realm, this translates into:

  • Targeted attacks on critical systems (electric grids, healthcare, satellite networks).
  • Prolonged disinformation campaigns.
  • Economic, political or military espionage.
  • Influence operations on social media.

The aim is not destruction, but destabilisation. The goal is not direct confrontation, but gradual and persistent erosion.

 

Strategic cyberattacks: surgical precision with tactical objectives

In recent years, state and state-sponsored actors have shifted from conducting large-scale cyberattacks to employing surgical, persistent, and highly specialised operations.

Recent examples:

  • The cyber sabotage of railway networks in Poland and Ukraine, attributed to Sandworm (a group linked to Russia’s GRU).
  • Covert attacks on SCADA networks and water systems in Baltic countries.
  • Prolonged intrusions into African telecommunications networks via zero-day vulnerabilities, with geo-economic objectives.

Observed tactics:

  • Initial access via spear phishing or exploitation of VPNs and remote access software.
  • Use of fileless malware to evade EDRs.
  • Persistence through valid credentials and the use of native tools (living-off-the-land).

Attackers do not enter to destroy, but to observe, influence, and, when the time is right, act from a position of advantage.

 

Digital espionage: the revival of HUMINT... without the humans

Traditional espionage has gone digital. Now, instead of infiltrating buildings, states infiltrate networks, cloud infrastructure, code repositories, and corporate messaging environments.

Typical modus operandi:

  • APT (Advanced Persistent Threat) operations: footholds maintained inside victims’ networks for months without detection.
  • Compromise of high-privilege accounts (IAM hijacking) to move laterally without triggering alarms.
  • Covert exfiltration techniques using DNS tunnelling, legitimate HTTPS channels, or cloud services such as Dropbox, OneDrive or Slack.

Notable cases:

  • APT29 (Cozy Bear) infiltrated European diplomatic systems via compromised third-party credentials.
  • APT41 deployed digitally signed backdoors within industrial hardware manufacturers.
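The modus operandi above lists DNS tunnelling as a covert exfiltration channel. As an added example (not code from the original article), the following heuristic flags the pattern a defender looks for in resolver logs: many unique, long, high-entropy leftmost labels under a single zone. The log format, the thresholds and the `exfil-test.invalid` zone are constructed assumptions for the demonstration.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver log lines (timestamp, client, qname); not real data.
# The last four queries mimic a tunnelling client encoding data into subdomain labels.
SAMPLE_LOG = """\
2025-10-14T09:00:01 10.0.0.5 www.example.com
2025-10-14T09:00:02 10.0.0.5 mail.example.com
2025-10-14T09:00:03 10.0.0.7 cdn.example.org
2025-10-14T09:00:04 10.0.0.9 q7v2xk9dmz3hfpw8c4btyn6j.exfil-test.invalid
2025-10-14T09:00:05 10.0.0.9 a1s5d8f3g6h9j2k4l7z0x5cv.exfil-test.invalid
2025-10-14T09:00:06 10.0.0.9 m3n7b1v4c8x2z6l0k9j5h7g2.exfil-test.invalid
2025-10-14T09:00:07 10.0.0.9 w5e9r2t6y1u3i8o4p7l2k6j9.exfil-test.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str) -> str:
    """Crude 'last two labels' zone (assumption); production code would use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_zones(log_text: str, min_unique=4, min_label_len=20, min_entropy=3.0):
    """Return {zone: count of distinct suspicious labels} for zones whose leftmost
    labels look like encoded data: long, high-entropy, and rarely repeated."""
    per_zone = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        qname = m.group(3).rstrip(".")
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            per_zone[registered_zone(qname)].add(first_label)
    return {zone: len(labels) for zone, labels in per_zone.items() if len(labels) >= min_unique}


if __name__ == "__main__":
    print(suspicious_zones(SAMPLE_LOG))  # -> {'exfil-test.invalid': 4}
```

Tune the thresholds against a baseline of your own resolver traffic; CDN and anti-abuse services also emit long labels, so the output is a triage queue, not a verdict.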

 

Influence operations: narrative as an attack vector

Disinformation is no longer amateur. These are structured operations, with political objectives, executed by bot networks, content farms, and accounts that appear legitimate.

Examples:

  • Manipulation of public discourse on social media during elections in Western Europe.
  • Mass dissemination of political deepfakes (audio and video) to generate information chaos.
  • Infiltration of alternative media to disseminate narratives aligned with foreign powers.

Tools:

  • Automatic amplification algorithms (recommenders, trending).
  • Emotional engineering via semantic network analysis.
  • Cloning of stolen verified accounts.

 

What do the 2025 threat reports reveal?

Annual threat intelligence reports from leading organisations such as Mandiant, CrowdStrike and ENISA offer a global perspective based on thousands of analysed incidents and campaigns. In 2025, several recurring patterns have emerged:

Mandiant M-Trends 2025

  • 34% increase in operations attributed to state actors, particularly in the defence, energy, and telecommunications sectors.
  • Identification of new front groups posing as ransomware operators whose motivations are clearly geopolitical.
  • Campaigns aimed at manipulating firmware, BIOS and industrial microcontrollers.

CrowdStrike Global Threat Report 2025

  • The average time from intrusion to exfiltration (‘breakout time’) has dropped to 36 minutes.
  • Rise of adversaries using generative AI to improve scripts, evade YARA rules and generate unique payloads.
  • Strengthening of the role of stolen identities in the attack chain, especially in cloud and hybrid environments.

ENISA Threat Landscape Report 2025

  • 27 active and mapped APTs in Europe, with a particular focus on digital infrastructure and OT networks.
  • Emphasis on the intersection between cybersecurity and digital sovereignty: storage, processing, sovereign cloud.
  • Recommendations to foster collaborative cyber intelligence, sharing indicators of compromise (IOCs) across companies, governments, and CERTs.

 

Five key cyber intelligence trends in 2025

1. Persistent cyber espionage

  • Description: Campaigns lasting years without detection.
  • Potential risk: Theft of secrets, covert sabotage.

2. Offensive use of AI

  • Description: Adversaries employ LLMs for scripting, evasion, disinformation.
  • Potential risk: Automation and scalability of attacks.

3. Malware-free attacks

  • Description: Use of legitimate tools for malicious activity.
  • Potential risk: Invisibility to traditional antivirus software.

4. Coordinated disinformation

  • Description: Bots and deepfakes to influence elections and public opinion.
  • Potential risk: Social instability, reputational crisis.

5. Cloud-first attacks

  • Description: Direct intrusion into SaaS/IaaS environments.
  • Potential risk: Activity invisible to the corporate perimeter.

 

Conclusion: from technical defence to national cyber strategy

Cyber intelligence is no longer a luxury, but a strategic necessity for institutional, economic, and political survival. Organisations must go beyond traditional firewalls and SOCs:

  • Integrate geopolitically-informed threat analysis into risk management.
  • Actively participate in collaborative cyber intelligence ecosystems.
  • Develop in-house capabilities for early detection, attribution, and adversarial simulation.

Because the next crisis won’t start with a missile... but with a stolen login, a compromised server, or a viral fake video.