Why it matters – the global view
State-sponsored actors are among the most sophisticated and persistent threats in cyberspace. They are generally motivated not by financial gain but by national objectives such as gaining strategic advantage. They may attempt to achieve these objectives through intellectual property theft, espionage, disruption of critical services, and even sabotage.
Globally, there is growing concern and increased awareness of state-sponsored malicious cyber activity, particularly against government organisations, critical infrastructure and sensitive industries.
Examples
- In September 2024, US authorities warned that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) were responsible for attacks designed to cause espionage, sabotage and reputational harm.
Russian Military Cyber Actors Target US and Global Critical Infrastructure
- Between October 2023 and October 2024, suspected Iranian cyber actors were discovered conducting credential brute-forcing in attempts to access operational technology across the government, information technology, engineering, and energy sectors.
Tactics and techniques
State-sponsored actors often use techniques such as spear-phishing, zero-day exploitation, and living off the land to blend into legitimate activity on a computer system or network. They may also make use of ephemeral or disposable infrastructure, like botnets. These actors are often referred to as advanced persistent threats (APTs) due to their resourcing and ability to switch between tactics and techniques to achieve and maintain access to their targets.
Spear-phishing sees actors take the time to research victims, to create a customised and convincing message from what appears to be a trusted source. Artificial intelligence (AI) tools make this job much easier and faster.
A zero-day vulnerability is one that is unknown to the vendor and for which no patch is available; zero-day exploitation is the use of such a vulnerability to gain access. State-sponsored actors are known to use zero-day vulnerabilities, often against cyber-mature organisations. Because no security update is available to address the vulnerability, malicious cyber actors have more time to compromise computer networks without detection and to maintain their unauthorised access.
Living off the land involves the use of legitimate or pre-existing software on a victim network to maintain access. This is less likely to raise alerts for defenders, compared to the installation of malicious software, which may look suspicious in incident response logs and is much more likely to be stopped by antivirus software.
Living off the land techniques have been employed by two prominent threat actor groups referred to as Volt Typhoon and Salt Typhoon.
Salt Typhoon
‘Salt Typhoon’ activity has been described by our US partner agency, CISA, as a ‘broad and significant cyber espionage campaign targeting commercial telecommunications infrastructure’. Salt Typhoon has been observed in several countries, including New Zealand. New Zealand operates systems similar to those of partner nations, meaning New Zealand organisations need to be aware of this activity and how to defend against it.
Volt Typhoon
‘Volt Typhoon’ is a PRC state-sponsored actor that has been observed compromising the digital systems of critical infrastructure providers in the United States. The US assesses that Volt Typhoon has compromised multiple critical infrastructure organisations, including telecommunications and energy companies. The actor maintained longstanding access to these organisations using living off the land techniques. The US assesses this is pre-positioning to enable disruptive or destructive attacks against critical infrastructure in the event of a major crisis or conflict. The NCSC assesses that New Zealand’s critical infrastructure operators could be vulnerable to similar activity from PRC state-sponsored actors.
Joint advisories with international partners
Throughout the reporting year, the NCSC published a number of advisories with its international cyber security partners detailing a range of ways in which state-sponsored cyber actors are having success against even cyber-mature organisations worldwide. The NCSC joins its partners in these publications after a robust review process to validate the nature of the threat and the usability of the information to its New Zealand customers. New Zealand organisations should ask themselves, “Could we detect this kind of activity, or what changes do we need to make to do so in future?”
The following are some of the joint publications the NCSC released to help with identifying and mitigating cyber threats linked to state-sponsored actors.
- In July 2024, the NCSC joined the Australian Signals Directorate’s Australian Cyber Security Centre and other international partners to release an advisory outlining a PRC state-sponsored cyber group, APT40, and the threat it posed to Australian networks.
- In September 2024, the NCSC joined international partners to highlight and help mitigate the threat posed by a botnet created by PRC-linked cyber actors to enable malicious cyber activity.
Cyber security agencies call out PRC-linked ‘botnet’ and provide mitigation advice
- In April 2025, the NCSC joined its UK counterpart and others in warning of spyware targeting Taiwanese, Tibetan, Uyghur groups and civil society actors.
MOONSHINE and BADBAZAAR spyware targeting communities and groups
- In August 2025, the NCSC warned that PRC-linked state-sponsored cyber threat actors were targeting networks globally, including telecommunications, government, transportation, lodging, and military infrastructure networks.
The New Zealand landscape
Cyber intrusions and incidents with potential national significance continue to threaten our safety, security and wellbeing.
Incidents linked to state-sponsored actors in the reporting year included:
- compromise of a virtual private network (VPN) appliance in a medium-sized telecommunication company,
- brute-forcing attempts against a central government organisation, and
- spear-phishing of senior public servants.
In the 2024/25 year, nearly a quarter of the incidents of potential national significance the NCSC dealt with had suspected state-sponsored links (81 of 331 incidents). In the previous year, this proportion was 32% (110 of 343 incidents).
The apparent downward trend in reporting numbers does not reflect a softening in the threat landscape. We have continued to observe significant attacks and intrusions, which require effective management and mitigation.
The boundaries between state and criminal activity are blurring as some governments tolerate, enable and sometimes even benefit from criminal groups operating within their jurisdictions.
State-sponsored cyber actors continue to pose a persistent threat to New Zealand. We are aware of some incidents that could have had much more severe impact if they had not been detected at an early stage. An example is presented below in Case Study 1.
Additionally, as the modus operandi of some state-sponsored actors is to remain undetected, compromises can come to light much later than they occur. The international exposure of the sophisticated and high-profile cyber campaigns tracked as Salt Typhoon and Volt Typhoon has demonstrated the level of capability and potential impact of state-sponsored actors linked to the PRC Government.
Implications for organisations
Although critical infrastructure and government agencies are often perceived to be the main targets of state-sponsored activity, no sector is immune.
Any organisation which holds valuable information, contributes to essential services, or holds influence, may be an appealing target.
Organisations that have prepared themselves to defend against cybercriminals should be aware that preventive controls effective at closing the easy access points to their systems may not be sufficient against the tactics and techniques of state actors at their most sophisticated; additional measures may be required. State actors are stealthy and play the long game: they often maintain undetected access for months or years, and the impact on your organisation may not be felt immediately. Detecting these actors can require an in-depth understanding of what baseline activity is expected on your network, in order to notice tell-tale variances.
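As an added illustration of the baselining approach described here and under Tactics and techniques for living off the land activity (example code written for this page, not NCSC tooling), the script below learns which host/user/tool combinations and parent-child process launches are normal from a constructed process-creation log, then flags events in a later window that deviate from that baseline. The log format, host names, accounts and tool names are all constructed.

```python
# Added example (not from the NCSC report): baseline-and-deviate detection for
# living-off-the-land activity. Log format, hosts, users and tools are constructed.
import csv
from collections import Counter
from io import StringIO

# Constructed process-creation records: time,host,user,parent,image
BASELINE_LOG = """\
2025-03-01T08:01,fs01,svc_backup,services.exe,robocopy.exe
2025-03-01T08:02,fs01,svc_backup,services.exe,robocopy.exe
2025-03-01T09:10,ws07,alice,explorer.exe,outlook.exe
2025-03-01T09:11,ws07,alice,outlook.exe,winword.exe
2025-03-02T08:01,fs01,svc_backup,services.exe,robocopy.exe
2025-03-02T09:15,ws07,alice,explorer.exe,outlook.exe
2025-03-02T11:00,ws07,alice,explorer.exe,powershell.exe
2025-03-02T11:30,fs01,admin_j,explorer.exe,powershell.exe
"""
# Constructed later window: legitimate tools only, but used in unusual ways.
NEW_LOG = """\
2025-03-03T02:14,ws07,alice,winword.exe,powershell.exe
2025-03-03T02:15,fs01,svc_backup,powershell.exe,net.exe
2025-03-03T08:01,fs01,svc_backup,services.exe,robocopy.exe
2025-03-03T09:12,ws07,alice,explorer.exe,outlook.exe
"""

def parse(text):
    return [dict(zip(("time", "host", "user", "parent", "image"), row))
            for row in csv.reader(StringIO(text)) if row]

def build_baseline(events):
    # Who runs what on which host, and which parent normally launches each image.
    return {
        "triples": Counter((e["host"], e["user"], e["image"]) for e in events),
        "parents": {(e["image"], e["parent"]) for e in events},
    }

def find_deviations(baseline, events):
    flagged = []
    for e in events:
        reasons = []
        if (e["host"], e["user"], e["image"]) not in baseline["triples"]:
            reasons.append("new host/user/image combination")
        if (e["image"], e["parent"]) not in baseline["parents"]:
            reasons.append(f"{e['image']} never launched by {e['parent']} before")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in find_deviations(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG)):
        print(hit["time"], hit["host"], hit["user"], hit["image"], "->", "; ".join(hit["reasons"]))
```

Neither flagged event involves malware: both use tools already present on the host, which is exactly why a learned baseline rather than a signature is what surfaces them.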
Readiness considerations
Three questions leaders should be asking:
- Do we have the relationships, systems and processes to provide for early warning and coordinated response?
- Are we confident in our ability to detect a sophisticated actor using living off the land type techniques?
- Have we tested our ability to respond to a sophisticated intrusion designed not just to steal, but to remain undetected?
Resources
For further information, refer to the following guidance:
- Identifying and mitigating Living Off the Land (LOTL) techniques
- Countering Espionage and Foreign Interference | New Zealand Security Intelligence Service
- NZSIS Due Diligence Assessments for Espionage and Foreign Interference Threats
- New Zealand Information Security Manual: Information Security Monitoring
Key cyber security terms and their definitions can be found in our glossary: