Nation-state actor

A nation-state actor is a government-backed intelligence or military service operating in cyberspace. Long campaigns, custom tooling, willingness to burn zero-days on individual targets when the strategic value justifies the cost. The threat tier above commercial spyware operators, below open warfare. Mandiant, Microsoft Threat Intelligence, CrowdStrike, and Recorded Future publish public attribution work that names the major actors (APT28, Lazarus Group, Kimsuky, Cozy Bear, etc.).

What it means in practice

Naming the actor with precision changes the threat model. The Russian SVR (APT29, Cozy Bear) operates differently from the Chinese MSS (APT41, Winnti) which operates differently from the North Korean Lazarus Group (the financial-extraction and crypto-stealing specialist) which operates differently from Iranian APT35 (Charming Kitten, the journalist and dissident specialist). Each has signature TTPs (techniques, tactics, procedures), operational tempos, and target-selection patterns. For most operators, the relevant question is not “am I targeted” (which is unknowable in real time) but “do I do work that would interest one of these actors enough to commit resources.” That question has a yes-or-no answer, and the answer determines how much defensive investment is warranted.

Who is targeted, and by whom

Most readers of this fiche will not be targets of nation-state operations. The exceptions are real and important: prominent investigative journalists working on intelligence, organized crime, or authoritarian-government stories (APT28 documented targeting of ICIJ Pandora Papers contributors, APT41 documented targeting of Hong Kong journalists, Charming Kitten documented targeting of Iran-focused researchers and activists), human-rights lawyers representing political prisoners across borders, NGO staff in conflict zones doing work that contradicts host-country narratives, and former intelligence-community personnel who retain clearance-relevant knowledge. The cost asymmetry is brutal: the actor has thousands of operators, you are one person; structural defenses (compartmentation, hardened devices, identity separation) shift the calculus more than tactical defenses.

What you can change today

If your work plausibly puts you in the targeting bracket, the realistic posture is structural rather than tactical. Run a hardened device (GrapheneOS or iOS in Lockdown Mode) for sensitive work, kept physically separate from your personal device. Compartment identities so a successful operation against one persona does not cascade. Subscribe to Citizen Lab and Mandiant threat-intelligence reports for the actor groups most relevant to your work; the briefing rhythm helps you understand when targeting tempo escalates. For most readers in the lower-target population: the defensive baseline (hardware key 2FA, password manager, no SMS recovery, basic compartmentation between personal and professional accounts) addresses a far larger share of likely threats than the nation-state-defense layer.

Related articles