The Intelligence War: Nation-State Cyber Threats | John Fokker, Trellix
John Fokker, Head of Threat Intelligence at Trellix, has shared critical insights into the evolving landscape of cyberthreats, emphasizing the surge in advanced persistent threats (APTs), sophisticated cyber warfare strategies, and the influence of geopolitical tensions.
He highlights a significant 45% increase in global APT detection volume from Q4 2024 to Q1 2025, with a striking 136% surge in attacks targeting the United States, particularly in the telecommunications sector.
These attacks are growing more complex, with state-sponsored actors leveraging generative AI and machine learning to enhance their capabilities.
For instance, AI-powered tools enable realistic social engineering attacks through voice synthesis and facilitate the creation of fraudulent documents or real-time processing of stolen credentials, with such tools available on the black market for as little as $0.30 USD.
State-Sponsored Actors
Additionally, Fokker notes a convergence between financially motivated cybercriminals and state-sponsored actors from nations like China, Russia, North Korea, and Iran, who are adopting similar tactics, blurring traditional distinctions between these groups.
Geopolitical motivations are a driving force behind these cyberattacks, with state-backed groups targeting critical sectors such as manufacturing, government, and technology to gain strategic or financial advantages. China-based actors, for example, are shifting from phishing to exploiting zero-day and known vulnerabilities, while Russia-aligned groups have intensified their activities in response to global conflicts, particularly to undermine Western support for Ukraine.
Iran’s cyber capabilities have also matured, focusing on asymmetric tactics like cyberattacks and proxies amid tensions with Israel. Fokker emphasizes that these actors target high-value sectors like manufacturing, which accounted for 26% of attacks in 2024, due to their role in global supply chains and access to sensitive data. This geopolitical-cyber convergence underscores the need for heightened awareness and collaborative defenses to counter these sophisticated threats.
Cyber Warfare
In terms of cyber warfare strategies, Fokker describes a multi-vector approach that integrates disinformation campaigns, disruptive attacks, and destructive operations, often synchronized with kinetic military activities.
AI amplifies the scale and speed of psychological operations, spreading fake narratives and deepfakes to erode trust and sow confusion. Despite the advanced technologies, attackers remain fallible, as seen in cases like a Black Basta ransomware attack where an encryption tool failed, forcing a pivot to data leaks.
Fokker advocates for proactive threat hunting and operational threat intelligence, which involves understanding attackers’ tactics, techniques, and procedures (TTPs) to anticipate and mitigate risks. Trellix’s global sensor network, detecting hundreds of millions to a billion malicious files monthly, supports this approach, as does their collaboration with law enforcement agencies like Europol, the FBI, and CISA to disrupt cybercrime, such as the takedown of the REvil ransomware gang.
To defend against state-sponsored attacks, Fokker stresses the importance of integrating operational threat intelligence into cybersecurity strategies to overcome barriers like integration challenges, regulatory constraints, and the rapid evolution of threats.
Organizations should adopt AI and automation for threat detection, malware analysis, and translating technical data into business-relevant insights for board-level communication. Mapping attackers’ TTPs is critical, as these are harder for adversaries to change, enabling defenders to detect rebranded or evolving threats. Collaborative intelligence sharing through Information Sharing and Analysis Centers (ISACs) and public-private partnerships enhances collective resilience.
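To illustrate why TTP mapping survives a rebrand, the following added example (not code from the article or from Trellix) runs an indicator-based rule and a behaviour-based rule over constructed endpoint telemetry. "Campaign B" re-uses Campaign A's tradecraft with fresh hashes and domains; all event values are constructed placeholders, and the rule logic is a hypothetical simplification of the detections a real EDR would carry.

```python
# Added example: indicator-based vs TTP-based detection over constructed telemetry.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    parent: str   # parent process name
    child: str    # spawned process name
    cmdline: str  # command line of the child
    sha256: str   # hash of the child image (constructed placeholder value)
    domain: str   # outbound DNS name contacted (constructed placeholder value)


# Campaign A as first observed; Campaign B keeps the behaviour, changes the artefacts.
CAMPAIGN_A = [
    Event("winword.exe", "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA", "a" * 64, "update-a.example"),
    Event("powershell.exe", "rundll32.exe", "rundll32 payload.dll,Run", "b" * 64, "update-a.example"),
]
CAMPAIGN_B = [
    Event("winword.exe", "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA", "c" * 64, "cdn-b.example"),
    Event("powershell.exe", "rundll32.exe", "rundll32 other.dll,Run", "d" * 64, "cdn-b.example"),
]

# Indicator-based rule: exact hashes and domains learned from Campaign A.
IOC_HASHES = {e.sha256 for e in CAMPAIGN_A}
IOC_DOMAINS = {e.domain for e in CAMPAIGN_A}


def ioc_hits(events):
    """Events matching a known-bad hash or domain."""
    return [e for e in events if e.sha256 in IOC_HASHES or e.domain in IOC_DOMAINS]


# TTP-based rule: an Office application spawning PowerShell with a hidden, encoded
# command line (ATT&CK T1059.001 tradecraft the attacker must keep to gain execution).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def ttp_hits(events):
    """Events matching the behavioural pattern regardless of file hash or domain."""
    hits = []
    for e in events:
        cl = e.cmdline.lower()
        if e.parent.lower() in OFFICE_APPS and e.child.lower() == "powershell.exe" \
                and "-enc" in cl and "hidden" in cl:
            hits.append(e)
    return hits


def coverage(events):
    """Return (indicator_hit_count, ttp_hit_count) for one campaign."""
    return len(ioc_hits(events)), len(ttp_hits(events))
```

Running `coverage` on both campaigns shows the indicator rule going silent on the rebrand while the behavioural rule still fires.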
Additionally, Fokker emphasizes proactive measures like industry-specific risk assessments, robust employee training on phishing and password hygiene to counter identity-based attacks, and advanced data protection tools, such as Trellix’s Optical Character Recognition for endpoint data loss prevention.