Cyberwarfare today – and what it will look like over the next few years

Executive summary – Cyberwarfare today and the next few years
Cyberwarfare is now a permanent feature of state competition. The frontline is no longer only classified military systems – it includes power grids, water treatment plants, satellite links, telecom carriers, cloud tenants, software supply chains, and the information environment that shapes public trust.
Russia, China, Iran, and North Korea remain the most active adversaries, supported by proxy groups and access brokers. Western doctrine reflects this reality: persistent engagement, defend forward, public attribution, and civil-sector partnerships are now standard.
The operating picture in 2025 is shaped by three main drivers:

  1. Identity-centric intrusion at cloud scale – Most serious compromises do not begin with noisy malware. They begin with stolen or abused identities, token theft, OAuth abuse, legacy protocol fallback, and over-privileged service accounts. Once attackers control identity, they pivot across email, files, chat, and cloud control planes quickly and quietly.
  2. Prepositioning inside critical infrastructure – Long-dwell access in telecoms, energy, transport, and government is being established during peacetime. Emphasis is on living off the land – native admin tools, scripts, and scheduled tasks – to avoid detection. The goal is to have options in a crisis, not necessarily to strike immediately.
  3. AI in the loop – Offensive use of AI already scales reconnaissance, phishing, translation, and exploit triage. The next step is autonomous AI-driven attack chains that can discover paths, link actions, and evade at speed. Defence is also adopting AI for enrichment and automated containment. The contest is about who can execute high-confidence actions faster and more safely.

Implications for governments and large corporates:

  • Expect more campaigns that never touch a traditional endpoint. Identity and API-level abuse against SaaS and cloud control planes will dominate.
  • Anticipate blended operations – DDoS combined with intrusion and influence activity – around elections, crises, and sanctions cycles.
  • Treat Operational Technology as strategic terrain. OT means the hardware and software that monitor and control physical processes – power generation and distribution, water treatment, manufacturing lines, rail signalling, hospital equipment. OT was built for availability and deterministic timing, not hostile networks. The IT – OT seam is where many real-world impacts begin.
  • Recognise that private companies are strategic infrastructure. Satellite operators, cloud platforms, undersea cable consortia, and major cyber vendors can decisively influence outcomes. Contractual clarity and tested operational arrangements matter as much as technology.
  • Plan for post-quantum cryptography on a multi-year horizon. Adversaries can record encrypted traffic now and decrypt later. Prioritise long-lived secrets and retained recordings.

Programme discipline, not tool sprawl, changes outcomes. Focus on identity-first control, cloud control plane hardening, supply chain provenance, ransomware-grade resilience, firm separation between IT and OT, and rehearsed incident command. Measure what matters: time to revoke a compromised token to zero access, the percentage of Tier-0 identities on phishing-resistant MFA, and proof that full restores from offline or immutable backups meet recovery objectives. Build public – private channels that work at both human and machine speed, and rehearse cross-border legal and communications response before you need it.

Near-term forecast: more identity-first attacks against cloud and SaaS, more blended pressure campaigns, early autonomous AI-led intrusions in the wild, tightening PQC timelines, and continued targeting of civic infrastructure. You will not buy your way out with one more product stack. You will execute your way out with a smaller number of controls done well and proven under stress.


1) What counts as cyberwarfare in 2025

States operate across five overlapping modes:

  1. Espionage – stealing data, plans, credentials, and communications at scale. Long dwell, quiet, identity-heavy.
  2. Sabotage and disruption – destructive payloads, wipers, and attacks on Operational Technology.
  3. Prepositioning – gaining persistence inside critical infrastructure during peacetime to create options during crisis. Living off the land is standard.
  4. Coercion and extortion – ransomware-like operations, payment demands, and harassment of executives and customers.
  5. Information operations – coordinated manipulation to discredit leaders, distort markets, or fracture alliances, increasingly with AI-generated content.

Operational Technology (OT) is the hardware and software that monitor and control physical processes – power generation and distribution, water treatment, oil and gas pipelines, rail signalling, factory robotics, building management systems, and medical devices. OT often includes ICS and SCADA components.

Unlike IT, which manages data, OT manipulates the physical world. OT systems prioritise availability, safety, and deterministic timing, and many were not designed for direct internet exposure or modern authentication. The IT – OT seam is a prime target.

2) The principal actors and their methods

Russia

  • Approach: blended campaigns that pair destructive OT-capable malware with information activity.
  • Focus: power distribution, telecoms, media, public-sector networks, and wartime logistics.
  • Methods: living off the land, wipers, coordinated DDoS, and pressure on public opinion.

China

  • Approach: patience, scale, and prepositioning.
  • Focus: telecoms, transport, energy, government, and key suppliers in allied states.
  • Methods: native admin tools, credential abuse, use of small office or home routers as operational infrastructure, long dwell times.

Iran

  • Approach: regional coercion with opportunistic global reach.
  • Focus: water authorities, municipal services, regional rivals, and Western finance or defence firms.
  • Methods: exposed PLC abuse, identity seams at the IT – OT boundary, website defacements for signalling.

North Korea

  • Approach: strategic revenue generation plus targeted espionage.
  • Focus: cryptocurrency exchanges, DeFi platforms, and aerospace or defence research.
  • Methods: social engineering of developers and exchange staff, laundering via mixers and cross-chain bridges.

The West

  • Approach: persistent engagement and defend forward.
  • Focus: disrupting adversary infrastructure, public attribution, sanctions, criminal-indictment campaigns, and industry partnership.
  • Methods: coordinated actions across intelligence, law enforcement, diplomacy, and private-sector partners.

3) Hard lessons from recent operations

3.1 Critical infrastructure is fair game – and often soft

  • Power grids: tailored malware and careful operator misuse continue to probe and sometimes disrupt electricity distribution. Real-world safety and restoration speed depend on segmentation, vendor access control, and tested manual fallback procedures.
  • Satellites and space systems: commercial constellations and their ground segments are inseparable from modern military and civil communications. Service constraints, jurisdiction, and financial leverage can become strategic factors.
  • Water and municipal services: exposed PLCs, weak identity at integrators, and flat networks make civic infrastructure a frequent target. Impact is high relative to the cost of attack.

3.2 Identity is the modern crown jewel

Modern intrusions prioritise identity abuse – token theft, OAuth consents, legacy protocols, stale service accounts, and weak conditional access. This enables lateral movement through email, files, chat, and cloud control planes with minimal malware.

3.3 Prepositioning is strategic, not incidental

Quiet presence across telecoms, energy, and transport during peacetime gives options in crisis. Detections often come from observable system activity – for example, unusual admin task creation, abnormal authentication patterns, and unexpected command execution.

3.4 Private companies are strategic terrain

Satellite operators, hyperscalers, undersea cable consortia, and cyber vendors hold levers that can influence geopolitical outcomes. Contracts, escalation paths, and operational guarantees must be engineered in peacetime.

5) Techniques that matter – now and next

  1. Identity-centric intrusion – token theft, session hijack, legacy protocol fallback, OAuth app abuse, over-privileged service principals.
  2. Supply chain and dependency abuse – poisoned packages, compromised CI or CD, malicious updates delivered via trusted channels.
  3. OT-focused malware and operator misuse – from tailored protocol manipulation to abuse of legitimate vendor tools. Safety implications are real.
  4. DDoS as cover and pressure – sustained campaigns timed with intrusion and influence activity.
  5. Wipers and destructive tooling – often combined with data theft and harassment to increase political and operational cost.
  6. Crypto theft at nation scale – funding mechanisms for sanctioned regimes.
  7. AI-assisted intrusion and influence – accelerating content generation, triage, and exploitation steps, with autonomous AI-driven components on the near horizon.

6) The AI shift – from assistive to autonomous

  • Offence today: large language models speed reconnaissance, content generation, translation, and exploit triage.
  • Offence next: autonomous AI-driven attack chains that map paths, link actions, and evade at speed. Early use will likely target identity seams and cloud control planes.
  • Defence today: AI helps with correlation and analyst workload.
  • Defence next: safe automated containment for well-understood events – isolating endpoints, revoking tokens, and rolling keys when confidence is high.

7) The next few years – likely changes

  1. Autonomous attack chains appear in the wild – not ubiquitous, but impactful. Early victims: cloud tenants with weak conditional access, stale service principals, and no real-time token revocation.
  2. Cloud control plane as prime target – more attacks that live entirely in identity and API layers.
  3. Blended pressure as routine – DDoS, intrusion, and information operations choreographed around elections and crises.
  4. Space and satellite systems under scrutiny – more attempts at disruption and more contractual debate about availability under pressure.
  5. Post-quantum planning accelerates – national authorities tighten targets, prioritising long-lived secrets and retained recordings.
  6. Civic infrastructure targeting continues – water, local government, transport, and healthcare remain attractive due to impact and thin defences.
  7. State – crime convergence deepens – access brokers and ransomware crews provide scalable logistics to state actors.

8) A realistic playbook for governments and large enterprises

8.1 Identity first – treat identity and access as Tier 0

  • Phishing-resistant MFA for human and non-human identities that can reach sensitive data or control planes.
  • Conditional access based on device health, location, and risk.
  • Just-in-time privileged access with session recording.
  • Continuous access evaluation – revoke tokens on risk signals, not on a schedule.
  • Quarterly exercises focused on identity compromise – not only ransomware.
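The correlation sketched in 3.3 (abnormal authentication followed by admin task creation) driving the "revoke on risk signals" control above, as an added example that is not part of the article. The event shape, field names, time windows and sample records are constructed assumptions; the point is that the decision is behavioural, not an indicator-list match.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption, not real logs): normalised identity
# provider sign-ins and endpoint admin-audit records for two identities.
EVENTS = [
    {"ts": "2025-03-01T08:00:00", "user": "svc-backup", "type": "signin", "country": "GB", "legacy_auth": False},
    {"ts": "2025-03-01T08:07:00", "user": "svc-backup", "type": "signin", "country": "BR", "legacy_auth": True},
    {"ts": "2025-03-01T08:09:30", "user": "svc-backup", "type": "admin_audit", "action": "ScheduledTaskCreated", "target": "host-42"},
    {"ts": "2025-03-01T08:10:00", "user": "alice", "type": "signin", "country": "GB", "legacy_auth": False},
    {"ts": "2025-03-01T09:00:00", "user": "alice", "type": "admin_audit", "action": "ScheduledTaskCreated", "target": "host-7"},
]

TRAVEL_WINDOW = timedelta(hours=1)        # a country change inside this window is implausible
FOLLOW_ON_WINDOW = timedelta(minutes=15)  # admin activity this soon after a risky sign-in correlates

def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

def risky_signins(events):
    """Flag sign-ins by behaviour, not by indicator: legacy protocol fallback, or a
    country change within TRAVEL_WINDOW of the same identity's previous sign-in."""
    last, risky = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "signin":
            continue
        ts, prev, reasons = parse(e["ts"]), last.get(e["user"]), []
        if e["legacy_auth"]:
            reasons.append("legacy_auth")
        if prev and prev["country"] != e["country"] and ts - parse(prev["ts"]) < TRAVEL_WINDOW:
            reasons.append("impossible_travel")
        if reasons:
            risky.append((e["user"], ts, reasons))
        last[e["user"]] = e
    return risky

def revocation_decisions(events):
    """Pair each risky sign-in with admin actions (here scheduled task creation) by the
    same identity inside FOLLOW_ON_WINDOW. Each hit is a decision to revoke that
    identity's sessions immediately rather than wait for token expiry; alice's
    routine task creation, with no risky sign-in before it, produces no hit."""
    hits = []
    for user, ts, reasons in risky_signins(events):
        for e in events:
            if e["type"] == "admin_audit" and e["user"] == user:
                gap = parse(e["ts"]) - ts
                if timedelta(0) <= gap <= FOLLOW_ON_WINDOW:
                    hits.append({"user": user, "action": e["action"], "target": e["target"],
                                 "reasons": reasons, "seconds_after_signin": int(gap.total_seconds())})
    return hits
```

The `seconds_after_signin` field is the raw input to the first outcome metric in section 9: how long a compromised identity held access before revocation.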

8.2 Cloud and SaaS posture – make the control plane boring

  • Lock down the management plane. Isolate break-glass accounts. Log everything and forward centrally.
  • Review OAuth grants and third-party app access quarterly. Remove dormant consents and keys.
  • Enforce baseline benchmarks and policy-as-code in CI or CD for infrastructure.

8.3 Supply chain assurance – provenance over assumption

  • Require signed artifacts, SBOMs that you actually use, and provenance attestation.
  • Gate deployments on automated policy, not convenience.
  • Treat developer laptops and identities like administrators – hardware tokens, least privilege, and device posture.
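An added example (not the article's or any vendor's code) of the "gate deployments on automated policy" control above: a deployment gate that refuses an artifact unless its provenance attestation binds to the exact bytes being deployed, the builder is trusted, and a usable SBOM is present. The statement shape loosely follows the in-toto/SLSA layout, the trusted builder id, artifact bytes and SBOM fields are constructed assumptions, and cryptographic verification of the attestation envelope is assumed to be done by the signing tool and passed in as a boolean.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed trust anchor (assumption): the only build service allowed to produce deployable artifacts.
TRUSTED_BUILDERS = {"https://ci.example.internal/builder/v1"}

# Constructed release data (assumption, not a real release): the bytes about to be deployed,
# a provenance statement shaped like an in-toto/SLSA attestation, and an SBOM reduced to
# the fields this gate consumes.
ARTIFACT = b"example-service 1.4.2 image layer bytes"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
PROVENANCE = {
    "subject": [{"name": "example-service", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicate": {"runDetails": {"builder": {"id": "https://ci.example.internal/builder/v1"}}},
}
SBOM = {"artifact_sha256": ARTIFACT_SHA256, "components": [{"name": "openssl", "version": "3.0.13"}]}

def gate(artifact: bytes, provenance: dict, sbom: Optional[dict],
         signature_verified: bool) -> Tuple[bool, List[str]]:
    """Policy-as-code deployment gate. Returns (allow, reasons). signature_verified is the
    outcome of the signing tool's check of the attestation envelope (performed outside this
    function); even a validly signed attestation is refused if it describes other bytes."""
    reasons = []
    actual = hashlib.sha256(artifact).hexdigest()
    if not signature_verified:
        reasons.append("attestation signature not verified")
    # Bind the attestation to the bytes actually being deployed, not to a filename or tag.
    subjects = [s.get("digest", {}).get("sha256", "") for s in provenance.get("subject", [])]
    if not any(hmac.compare_digest(actual, d) for d in subjects):
        reasons.append("provenance subject digest does not match artifact")
    builder = provenance.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        reasons.append(f"untrusted or missing builder id: {builder}")
    if not sbom:
        reasons.append("SBOM missing")
    elif sbom.get("artifact_sha256") != actual:
        reasons.append("SBOM describes a different artifact")
    elif not sbom.get("components"):
        reasons.append("SBOM lists no components")
    return (not reasons, reasons)
```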

8.4 Ransomware and destructive tooling – resilience beats purity

  • Offline or immutable backups with segmented management networks.
  • Quarterly full-restore drills that prove recovery time objectives with auditable evidence.
  • Pre-agreed positions on ransom and breach communications.
  • Legal, privacy, and PR integrated into incident command from the start.

8.5 OT and critical services – draw hard lines

  • Physical and logical separation of IT and OT with monitored gateways.
  • Broker vendor remote access with MFA, time boxing, and session recording.
  • Minimise services on critical hosts – allow-listing where feasible.
  • Tested manual fallback for safety-critical functions.

8.6 AI security – the risk you own

  • Inventory models, integrations, prompts, and data flows.
  • Guardrails at ingress and egress – sanitise inputs, control outputs, log interactions.
  • Red-team for prompt injection, model theft, and data leakage.
  • Keep humans in the loop for high-impact actions.

8.7 Public – private coordination that works

  • Join your sector ISAC. Establish sharing channels that run at machine and human speed.
  • Pre-arrange cooperation and disclosure protocols with national cyber authorities.
  • Use public attribution when the evidence is strong and the strategic value is clear.
  • Rehearse cross-border legal and regulatory response.

9) A concise 6 – 12 month programme

Months 1 – 3: establish the control plane

  • Harden MFA – move Tier-0 identities to phishing-resistant factors.
  • Enforce conditional access baselines.
  • Isolate and test break-glass accounts.
  • Verify cloud control plane logging.
  • Broker and record vendor remote access.

Months 4 – 6: resilience and supply chain

  • Bring immutable or offline backups online and run the first full-restore drill.
  • Enforce SBOM and signed-artifact checks in CI or CD.
  • Purge stale OAuth consents and application keys.
  • Tabletop – identity compromise and destructive ransomware.

Months 7 – 9: OT separation and monitoring

  • Validate segmentation in live exercises.
  • Configure OT gateways and allow-lists.
  • Enforce strong, time-boxed vendor access.

Months 10 – 12: AI and crisis readiness

  • Complete AI usage inventory and enable guardrails.
  • Finalise cross-functional crisis playbook – names, numbers, thresholds, and draft statements.
  • Second full-restore drill – prove the recovery time objective.
  • Participate in a national or sector exercise.

Three outcome metrics to keep the programme honest:

  • Time to revoke a compromised token to zero access.
  • Proportion of Tier-0 identities on phishing-resistant MFA.
  • Evidence that full restores from offline or immutable backups meet recovery targets.

10) What not to do

  • Do not rely on indicator lists or perimeter appliances to catch living-off-the-land identity abuse.
  • Do not treat ransomware as an IT-only issue – legal, privacy, and PR must sit inside incident command.
  • Do not assume satellite, cloud, or AI vendors will be available under wartime pressure unless your contracts say so and you have tested paths.
  • Do not wait for consensus on AI timelines – plan as if early autonomous AI-led attacks will appear in your sector.

Closing view

Cyberwarfare has settled into a persistent background condition. The playbooks are well known – identity-first intrusion, prepositioning in critical infrastructure, blended pressure with DDoS and information activity, and steadily increasing use of AI that compresses defender response time.

You will not solve this with more products. You will change outcomes with decisive practical measures: identity controls that actually work, cloud control planes you can defend, supply chain provenance, tested resilience, firm IT – OT boundaries, and rehearsed incident command.

© 2025 Kevin Wells. All rights reserved.