Global Geopolitics and Espionage Campaigns (2025 Update)


Recent cyberespionage campaigns reveal an alarming global surge in state-sponsored hacking — especially targeting telecom, government, and media. In this article, we’ll explore notable government-aligned cyber activity in 2025.

Chinese State-Aligned Attacks on Telecom Networks

This year, “Salt Typhoon,” a hacking group almost certainly linked to the People’s Republic of China (PRC), was confirmed to be targeting Canadian telecommunications providers. In February 2025, three network devices at a major provider were compromised using the CVE-2023-20198 vulnerability. The attackers extracted configuration files and set up GRE tunnels to siphon network traffic, enabling both data theft and clandestine surveillance. According to Canadian and U.S. authorities, this campaign appears broader and may affect MSPs and cloud providers, allowing attackers to access business clients as secondary victims.

Their campaign focused on exfiltration of phone records, wiretap details, and sensitive communications involving political and government figures — a pattern that persisted across North America and globally. These operations leverage specialized knowledge of network devices including provider edge routers, and frequently modify devices for long-term access.
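A defender-side check suggested by the tactics above, added here as an example and not part of the original article or any vendor's tooling: it parses a constructed IOS-style running-config (interface names, addresses and the allowlist are all assumptions) and flags GRE tunnel interfaces whose destination is not on an approved list, the kind of configuration change a traffic-siphoning tunnel would leave behind on a provider edge router.

```python
"""Audit an IOS-style running-config for GRE tunnels not on an allowlist."""
import re
# Constructed sample config: interface names, addresses and tunnels are made up.
SAMPLE_CONFIG = """\
interface Tunnel10
 description approved-backup-link
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode gre ip
!
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
!
interface Tunnel20
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
!
"""

# Assumed allowlist of tunnel endpoints the operator has sanctioned.
APPROVED_TUNNEL_DESTINATIONS = {"198.51.100.10"}
def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [sub-commands]} for each interface block."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks

def find_unexpected_gre_tunnels(config: str, approved: set[str]) -> list[tuple[str, str]]:
    """Return (interface, destination) for GRE tunnels whose destination is not approved."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        # IOS tunnel interfaces default to GRE over IP when no 'tunnel mode' is configured.
        mode = next((l for l in lines if l.startswith("tunnel mode ")), "tunnel mode gre ip")
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), "unset")
        if "gre" in mode and dest not in approved:
            findings.append((name, dest))
    return findings
```

Run the audit against a freshly pulled config and compare with the last known-good baseline; a tunnel that appears between pulls and points at an unapproved endpoint is worth an immediate look.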


Global Reach and Espionage Tactics

Salt Typhoon’s activity exemplifies wider Chinese campaigns: the U.S. and twelve international partners have jointly warned of critical infrastructure attacks linked to Chinese state-backed actors in over 80 countries and more than 200 targets in the U.S. alone. These operations target not just telecoms, but also hospitality, transportation, and government networks. Gaining access to backbone routers or modifying network devices allowed espionage agents to surveil individuals’ communications, movements, and relationships.

The campaign was unusually broad — unlike “classic” espionage which targets strategic interests, Salt Typhoon and affiliates sometimes picked targets indiscriminately, violating global privacy norms. Among the Chinese companies helping facilitate this campaign are Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology, each sanctioned or flagged by Western authorities for direct assistance to Beijing’s intelligence apparatus.

Iranian State-Aligned Cyber Threats and Geopolitics

Recent months have seen a noticeable escalation in Iranian government-affiliated cyber campaigns, reflecting regional tensions and Iran’s evolving digital strategy. These efforts are closely tied to the country’s geopolitical goals and regional rivalries.

Disruption, Espionage, and Hacktivism

Multiple U.S. federal agencies — including the NSA, CISA, and FBI — have issued warnings about an uptick in Iranian state-sponsored and IRGC-linked actors targeting vulnerable U.S. networks, especially in critical infrastructure sectors such as government and utilities. Iran’s offensive mix includes Distributed Denial of Service (DDoS) campaigns, destructive malware, ransomware, and spear-phishing attacks. These are often opportunistic and exploit outdated software or weak credentials.

One recent campaign saw Iranian actors exploit over 100 embassy email accounts globally, using hijacked credentials to launch targeted spear-phishing assaults and collect intelligence. This campaign leveraged ongoing geopolitical tensions to gain access to sensitive diplomatic communications.

Iranian hacktivist and cybercrime groups have also been observed amplifying their impact by staging psychological operations: for example, the CyberAv3ngers defaced U.S. water system displays and manufactured panic about unsubstantiated power-grid hacks, shifting the national cyber strategy toward shaping public narratives as much as damaging infrastructure. In the 12-day 2025 Israel-Iran conflict, coordinated Iranian attacks combined technical breaches with messaging campaigns designed to influence public perception — sometimes using recycled data leaks for psychological effect.

Europe and Political Operations

European countries are actively combating Iranian covert activity. The UK, for example, recently arrested eight Iranian nationals on suspicion of planning terror attacks and coordinating state-sponsored illicit activities in London. Over 20 Iran-backed plots have been disrupted in the UK since 2022, many targeting dissidents and Jewish sites, reflecting both counterintelligence priorities and the use of proxies in a broader geopolitical strategy.

Iran’s cyber activity frequently supports its regional ambitions — disrupting political opposition in Europe, retaliating against Israeli and Gulf state actions, and demonstrating deterrence as nuclear negotiations continue amid instability in Syria and elsewhere.

Geopolitical Motivation

Iran’s motivation lies in projecting regional influence, responding to direct military conflicts, maintaining plausible deniability through hacktivist proxies, and sending signals to rivals such as Israel, Saudi Arabia, and the U.S. When conventional military or diplomatic tools are constrained, cyber operations provide a means to retaliate, disrupt, and shape global narratives.

Iran’s cyber operations are no longer isolated or reactive — they are a key, proactive aspect of the nation’s defense and diplomatic strategy, with substantial impacts for global security and the shape of regional conflict.

Government and Media Sector Breaches

  • In December 2024, Chinese hackers breached a third-party vendor for the U.S. Treasury, accessing thousands of files related to high-level officials and policies. (CSIS)

  • In 2024, Chinese hacks against Taiwanese government and telecom systems doubled, with daily attempts reaching 2.4 million, including successful disruption and data theft. (CSIS)

  • Throughout 2025, Russian-affiliated groups attacked election systems in Romania, leaking credentials on hacker forums and escalating attacks during national presidential voting periods. (CSIS)

  • In June 2025, Google confirmed a targeted breach traced to ShinyHunters, which extracted business contact records via sophisticated voice phishing—demonstrating how espionage and cybercrime tactics now overlap in the media and tech sectors. (bright defense)

  • In May 2025, the U.K.’s National Cyber Security Centre named China as the dominant threat to national cybersecurity after a series of hacks and breaches involving British government departments and critical infrastructure. (CSIS)

  • Hackers spied on the emails of roughly 103 U.S. bank regulators at the Office of the Comptroller of the Currency for over a year, ending in early 2025. (CSIS)

  • In March 2025, a network of front companies linked to a Chinese tech firm targeted recently laid-off U.S. federal workers using recruitment ads on job sites. The operation utilized fake consulting firms with non-functional contact details and addresses, mirroring methods identified by the FBI as potential foreign intelligence recruitment tactics. (CSIS)


Wrapping It Up

Recent state-aligned cyberattacks confirm that geopolitics increasingly plays out through covert network operations — exposing the telecom, government, and media sectors worldwide. These real-world examples, sourced from confirmed advisories and incident reports, illustrate the urgent need for heightened vigilance and international cooperation in cyber defense.
