TechEngage
State-Sponsored Cyber Warfare Units and the Global Threat Landscape

By Ali Raza. Updated: April 8, 2026


In May 2011, the Chinese government publicly acknowledged what cybersecurity researchers had suspected for years: a dedicated military hacking unit existed within the People’s Liberation Army. Dubbed “Blue Army,” the 30-person team was officially described as a defensive cyber warfare unit tasked with protecting Chinese government networks from attack. A spokesperson compared their skill development to ping-pong: “We have more people playing it, so we are very good at it.”

That disclosure was carefully managed. What the Chinese government didn’t mention was that Blue Army was just the visible tip of an offensive cyber capability that would, over the following fifteen years, become the most prolific state-sponsored hacking operation on the planet. And China was far from alone. By 2026, at least a dozen nations operate dedicated cyber warfare units with budgets in the billions, capabilities that rival conventional military forces, and a track record of operations that have stolen trillions in intellectual property, disrupted critical infrastructure, and reshaped geopolitics.

China: From Blue Army to Information Support Force

The original Blue Army unit was a small operation. What came after was not. In February 2013, cybersecurity firm Mandiant published a landmark report tracing years of cyber espionage against US companies to a specific PLA unit: Unit 61398, based in a 12-story building in Shanghai’s Pudong district. The report documented the theft of hundreds of terabytes of data from at least 141 organizations across 20 industries.

In 2015, the US Department of Justice took the unprecedented step of indicting five PLA officers from Unit 61398 by name for economic espionage. China denied everything, but the indictments established a norm that state-sponsored hackers could be publicly attributed and held legally accountable (at least symbolically).

China’s cyber capabilities have been restructured multiple times since then. The PLA’s Strategic Support Force (SSF), established in 2015, consolidated cyber, space, and electronic warfare under one command. In April 2024, China restructured again, creating the Information Support Force as a separate branch reporting directly to the Central Military Commission. This elevation signals that Beijing considers information warfare a domain equal in importance to the army, navy, and air force.

The threat groups attributed to China by Western intelligence agencies have grown more sophisticated. APT41 (also known as Double Dragon) operates a dual mission: state-sponsored espionage and financially motivated cybercrime, blurring the line between government operations and criminal activity. Volt Typhoon, identified by Microsoft in May 2023, was found pre-positioning access in US critical infrastructure (water treatment, power grids, telecommunications) with no espionage objective, suggesting preparation for potential disruption during a future conflict over Taiwan. Salt Typhoon, disclosed in late 2024, compromised major US telecommunications providers and accessed wiretap systems used by law enforcement, one of the most sensitive intelligence breaches in recent US history.

Russia: GRU, SVR, and the Hybrid War Model

Russia’s cyber warfare capabilities are distributed across its intelligence services, each with distinct missions and methods.

GRU Unit 26165 (publicly known as Fancy Bear or APT28) is the most aggressive. The GRU’s cyber operations are characteristically bold and disruptive: the 2016 hack of the Democratic National Committee, the 2017 NotPetya attack that caused over $10 billion in global damage (disguised as ransomware but actually a destructive wiper targeting Ukraine that spread worldwide), and ongoing operations against NATO member states.

SVR (Russia’s foreign intelligence service, operating as Cozy Bear or APT29) is subtler. The SVR conducted the SolarWinds supply chain attack discovered in December 2020, which compromised the update mechanism of a widely used IT management platform and gave Russian intelligence access to networks at the US Treasury, Commerce Department, and an estimated 18,000 other organizations. The operation ran undetected for at least nine months.

Russia’s approach integrates cyber operations with information warfare, economic pressure, and conventional military action. The 2022 invasion of Ukraine was preceded and accompanied by waves of cyberattacks against Ukrainian government systems, energy infrastructure, and communications networks. Ukraine’s resilience, supported by Western cybersecurity firms and cloud providers who helped migrate Ukrainian government data out of the country before the invasion, has become a case study in cyber defense under wartime conditions.

North Korea: Lazarus Group and the $3 Billion Heist Machine

North Korea’s cyber program is unique among nation-states because it functions primarily as a revenue generation operation for the regime. The Lazarus Group (also tracked as Hidden Cobra) has been attributed to North Korea’s Reconnaissance General Bureau and is responsible for some of the most audacious financial cybercrimes in history.

The 2014 Sony Pictures hack (retaliation for the film “The Interview”) put Lazarus on the map. But money is the primary mission. The 2016 Bangladesh Bank heist attempted to steal $951 million via fraudulent SWIFT transfers (succeeding with $81 million). Since 2017, Lazarus has pivoted heavily to cryptocurrency theft, stealing an estimated $3 billion or more through exchange hacks, DeFi protocol exploits, and sophisticated social engineering targeting crypto developers. The March 2022 Ronin Network hack alone netted $620 million. A UN panel of experts reported in 2024 that cryptocurrency theft funds approximately 40% of North Korea’s weapons of mass destruction programs.

Iran and the Emerging Players

Iran’s cyber capabilities, while less sophisticated than China’s or Russia’s, have grown significantly since 2010. The catalyst was Stuxnet, the US-Israeli cyber weapon that destroyed centrifuges in Iran’s Natanz nuclear facility. Stuxnet demonstrated to Iran (and every other nation) that cyber weapons could cause physical destruction, and Iran invested heavily in building its own capabilities in response.

APT33 (Elfin) targets aerospace and energy companies. APT35 (Charming Kitten) focuses on espionage against dissidents, journalists, and government officials. Iranian-linked groups have conducted destructive attacks against Saudi Aramco (the 2012 Shamoon wiper destroyed 35,000 computers), Israeli water infrastructure, and Albanian government systems (a 2022 attack that led Albania to sever diplomatic relations with Iran entirely).

The Western Side: US Cyber Command, NSA, and Unit 8200

Western nations are not merely defensive players. US Cyber Command (USCYBERCOM), established in 2009 and elevated to a unified combatant command in 2018, conducts both defensive and offensive cyber operations. The NSA’s Tailored Access Operations (TAO) unit, now known as the Computer Network Operations group, is widely considered the most technically capable signals intelligence and cyber operations unit in the world.

Israel’s Unit 8200, part of the Israel Defense Forces’ Intelligence Directorate, has produced an outsized share of the global cybersecurity industry’s founders and technology. Veterans of Unit 8200 have founded companies including Check Point, CyberArk, Wiz, and dozens of others. The unit is widely believed to have co-developed Stuxnet alongside the NSA and to have conducted numerous undisclosed operations.

The Five Eyes alliance (US, UK, Canada, Australia, New Zealand) coordinates cyber intelligence sharing and joint operations. The UK’s GCHQ and its National Cyber Security Centre play an active role, as do Australia’s Signals Directorate and Canada’s CSE.

Landmark Attacks That Changed the Game

Several attacks between 2020 and 2026 fundamentally altered how governments and corporations think about cyber risk.

SolarWinds (December 2020): Russia’s SVR compromised the software supply chain of SolarWinds Orion, affecting 18,000+ organizations. It demonstrated that even well-secured organizations are vulnerable through their trusted software vendors.

Microsoft Exchange (March 2021): Chinese state-sponsored group Hafnium exploited zero-day vulnerabilities in Exchange Server, compromising an estimated 250,000 servers globally before patches were available.

Colonial Pipeline (May 2021): A ransomware attack by DarkSide (a Russian-speaking criminal group with suspected state tolerance) shut down the largest fuel pipeline on the US East Coast for six days, causing fuel shortages across multiple states. Colonial paid a $4.4 million ransom.

Change Healthcare (February 2024): ALPHV/BlackCat ransomware disrupted the largest healthcare payment processing system in the US, affecting one-third of all American medical claims for weeks. UnitedHealth Group, Change’s parent company, reported the incident cost over $870 million.

AI-Powered Cyber Warfare: 2025-2026

The integration of artificial intelligence into cyber operations is the defining development of 2025-2026. Both offensive and defensive applications are accelerating rapidly.

On the offensive side, AI enables automated vulnerability discovery at scale, more convincing phishing and social engineering (AI-generated voice cloning has been used in vishing attacks impersonating executives), and malware that adapts its behavior to evade detection. On the defensive side, AI-powered security tools from companies like CrowdStrike, SentinelOne, and Palo Alto Networks analyze billions of events to detect threats that rule-based systems miss.

The concern among intelligence agencies is that AI lowers the barrier to entry for state-sponsored cyber operations. Nations that previously lacked sophisticated cyber capabilities can now accelerate their programs using commercially available AI tools. The playing field is leveling, and not in a good way.

From 30 hackers in a Chinese military unit to nation-state operations employing thousands and spending billions, the cyber warfare domain has grown into a permanent feature of international relations. The original Blue Army comparison to ping-pong was more prescient than anyone realized: every major nation now plays, and the game never ends.

Frequently Asked Questions

What was China’s Blue Army cyber unit?

Blue Army was a 30-person military hacking unit within the People’s Liberation Army, publicly acknowledged by China in May 2011. Officially described as a defensive cyber warfare team, it was an early visible component of China’s much larger offensive cyber capabilities. The PLA’s cyber operations have since been reorganized multiple times, most recently into the Information Support Force created in April 2024 as a separate military branch.

What is Volt Typhoon and why is it concerning?

Volt Typhoon is a Chinese state-sponsored hacking group identified by Microsoft in May 2023 that was found pre-positioning access in US critical infrastructure including water treatment facilities, power grids, and telecommunications networks. Unlike espionage-focused groups, Volt Typhoon showed no interest in stealing data, suggesting its mission is to maintain persistent access for potential disruption during a future military conflict, likely over Taiwan.

How much cryptocurrency has North Korea’s Lazarus Group stolen?

North Korea’s Lazarus Group has stolen an estimated $3 billion or more in cryptocurrency through exchange hacks, DeFi protocol exploits, and social engineering attacks. The March 2022 Ronin Network hack alone netted $620 million. A 2024 UN panel of experts reported that cryptocurrency theft funds approximately 40% of North Korea’s weapons of mass destruction programs, making Lazarus effectively a state-sponsored criminal enterprise.

What happened in the SolarWinds attack?

In December 2020, it was discovered that Russia’s SVR intelligence service had compromised the software update mechanism of SolarWinds Orion, a widely used IT management platform. The tampered updates were distributed to approximately 18,000 organizations including the US Treasury, Commerce Department, and major corporations. The operation ran undetected for at least nine months and demonstrated that even well-secured organizations are vulnerable through their trusted software supply chains.

How is AI changing cyber warfare in 2025-2026?

AI is accelerating both offensive and defensive cyber capabilities. Offensively, AI enables automated vulnerability discovery at scale, convincing deepfake phishing using voice cloning, and adaptive malware that evades detection. Defensively, AI-powered security tools analyze billions of events to identify threats that rule-based systems miss. The primary concern among intelligence agencies is that AI lowers the barrier to entry, allowing nations with previously limited cyber capabilities to rapidly build sophisticated programs.

What is the Five Eyes cyber alliance?

Five Eyes is an intelligence-sharing alliance between the United States, United Kingdom, Canada, Australia, and New Zealand that coordinates cyber intelligence and joint operations. Key agencies include the US NSA and Cyber Command, UK’s GCHQ, Australia’s Signals Directorate, and Canada’s CSE. The alliance shares threat intelligence, coordinates attribution of state-sponsored attacks, and conducts joint defensive and offensive cyber operations.

Published: May 29, 2011 Updated: April 8, 2026
