Tags: Cyber Espionage, DDoS, Hacktivism, Influence Operations, State-Sponsored Cyber Operations, Website Defacement

Dec 17, 2025 • Recorded Future

Cyber on the Geopolitical Battlefield: Beyond the “Big Four”


Source: Recorded Future
Category: vulnerability
Severity: high

Executive Summary

State-sponsored cyber operations are expanding beyond the traditional 'Big Four' nations (China, Russia, Iran, North Korea), with Recorded Future identifying at least 20 threat actors across 13 additional countries in 2025. Regional conflicts have become the primary driver of cyber activity, with territorial disputes accounting for nearly two-thirds of observed operations. The India-Pakistan conflict in May 2025 exemplifies this trend, where both nations conducted cyber operations including DDoS attacks, website defacements, and espionage campaigns. Pakistan-linked APT36 and India-linked SideWinder conducted targeted operations against respective adversaries. Hacktivist groups aligned with state objectives are generating high-volume activity, often amplified through influence operations designed to shape conflict narratives. Organizations should assess geopolitical exposure, monitor regional tensions, and maintain robust continuity plans to mitigate increased risk of espionage or destructive cyberattacks.

Summary

Offensive cyber operations are spreading beyond the Big Four. Discover how regional conflicts are driving new state-linked cyber threats.

Published Analysis

Executive Summary

Regional conflicts and weakened international institutions are driving the use of offensive cyber operations beyond the “Big Four” (China, Russia, Iran, and North Korea). Monitoring these threat actors requires organizations to proactively assess their geopolitical risk to understand where future threats are most likely to emerge. In 2025, Recorded Future identified at least twenty actors across thirteen “non-Big Four” countries conducting cyber operations, primarily linked to regional conflicts, domestic surveillance, or foreign espionage. Companies should closely monitor regional geopolitics and maintain strong continuity and resilience plans to protect against cyber espionage or disruptive cyberattacks.

Figure 1: Trends influencing how and why state-sponsored actors beyond China, Russia, Iran, and North Korea carry out cyber operations (Source: Recorded Future)

Analysis

Overview of Other State Sponsors of Cyber Operations

While the “Big Four” account for the majority of reported cyber threat activity, many other countries use cyber operations to advance their strategic interests. Recorded Future data shows that most observed activity outside of the “Big Four” stems from regional conflicts. Patriotic hacktivist groups, which advance state interests alongside state-sponsored espionage operations, represent the highest volume of reported activity. The degree of coordination between hacktivists and the government remains unclear and likely varies. However, their actions are included in this assessment because of their close alignment with state objectives, which means their activity correlates with interstate conflict risk.

Outside of active conflict, espionage against foreign and domestic targets continues to be a major driver of cyber operations. The most cyber-capable states invest heavily in avoiding detection and attribution, given the significant negative political consequences of exposure. Tracking threat actors beyond the Big Four requires organizations to understand their geopolitical risk in order to anticipate where threats are most likely to emerge. Operating in certain regions or conflict zones likely increases the risk of cyber espionage or destructive attacks.

Regional Cyber Conflicts

Territorial disputes drove nearly two-thirds of observed cyber activity in 2025, according to Recorded Future data. Cyber operations focused on intelligence collection against government, defense, and other critical infrastructure. Hacktivists escalated their activity during conflicts, carrying out nuisance-level attacks amplified through influence operations. Like hacktivists, influence operations align closely with state interests during conflict, but have varying degrees of connection to the state. These activities rarely affect battlefield outcomes but are designed to signal technical sophistication or moral superiority over the adversary.

India and Pakistan

Between May 7 and 10, 2025, India and Pakistan exchanged a series of missile strikes — the most serious escalation between the two nuclear-armed countries in decades. Throughout the crisis, large volunteer hacktivist communities on both sides conducted disruptive attacks, primarily DDoS and website defacements. Pakistan-linked APT36 conducted espionage operations targeting the Indian government and other politically motivated targets, while threat actors linked to the Indian government, such as SideWinder, pursued Pakistani military targets.

Figure 2: Cyber activity between India and Pakistan spiked alongside the outbreak of armed conflict in May 2025 (Source: Recorded Future)

Influence operations intended to shape perceptions of the conflict also intensified. Influence networks amplified hacktivist claims, often overstating their impact, such as widespread reporting on Pakistani social media...

Linked Entities

  • APT36
  • Patriotic Hacktivist Groups
  • SideWinder