Random But Memorable

How geopolitical hackers target and take down public infrastructure

1P_francine, 1Password Team
3 months ago

When people think about cyberattacks, the first images that come to mind are often stolen credit cards or ransomware emails. But when attackers are aligned with governments or geopolitical interests, the playbook looks different. Forget crypto heists and password leaks: these actors are interested in disruption, intimidation, and long-term strategic advantage.

In our latest episode of Random but Memorable, we spoke with Hayley Benedict, a Cyber Intelligence Analyst at RANE, about how these attacks unfold. She walked us through a typical process that threat actors follow when targeting public infrastructure or essential services.

Step 1: Define the mission

Every attack begins with intent. Is the goal to quietly gather information, create confusion, or take down a system? The mission dictates every other move.

As Benedict explains, “If it’s espionage, attackers are probably going to target someone or something specific. But if the goal is simply to cause chaos or disruption, then the approach is often more opportunistic.”

Espionage requires patience and stealth, while disruption tends to exploit whatever weakness is easiest to hit. “Usually – unless they're really trying to do something really big, like go after a major system or send a loud message – they're probably casting a wide net, looking for vulnerabilities, and deploying attacks wherever they can get in,” Benedict says. 

She cites one common example. “One area I always flag is water systems, because they tend to be locally managed and are more likely to face resource constraints, which can mean fewer resources dedicated to cybersecurity or legacy equipment that can’t be updated anymore.”

Step 2: Reconnaissance

Once the mission is set, attackers need to understand their target. As Benedict puts it: “Any cyber attack would start with reconnaissance. [Attackers] gather intel on their target’s network, their systems, their personnel… who can they target that would give them that kind of access?”

That research often draws on publicly available data, leaked credentials, or even details found on social media.

Step 3: Gaining access

With weak spots identified, the attacker looks for a way in. “This could be through phishing attacks, targeting unpatched vulnerabilities, or credential stuffing,” Benedict says. “In some cases, it’s social engineering, where they’re just calling employee help desks saying they’re an employee who’s locked out.”

AI-powered tools make it faster and easier for attackers to launch social engineering attacks, for example by generating more convincing emails or phone scripts in multiple languages. (We discuss these tactics at length with Rebecca Tobac in episode 15.2.)

Getting into a system once isn’t usually enough for most missions. “Once they have access, they move laterally to gain a deeper foothold,” Benedict explains. “If they’re targeting critical infrastructure, they’re probably looking for operational technology or control systems.”

Step 4: Achieve the objective

The next stage looks different depending on the objective. It’s often defined by the type of organization orchestrating the attack, and the ability and resources of that group. “What I see most is data theft because it’s less likely to have any kind of retaliation, beyond a denouncement of the attack,” Benedict explains. 

Data theft often provides intelligence for future attacks and can even be stored for “harvest now, decrypt later” strategies, where stolen but encrypted data is saved in the hope that future computing power will make it readable.

Alternatively, as Benedict explains, “for nation-state actors, if there is a political or ideological driver, the goal could be to cause disruption.”

This type of attack might involve deploying malware that can lie dormant, waiting to be triggered remotely. Or, for more ambitious attacks, attackers might position themselves to expand into more sensitive areas of the network. 

That type of attack tends to be harder to pull off. “Causing disruption – for example by gaining control over industrial control systems – is a little bit harder than exfiltrating data,” Benedict explains. 

Step 5: When things go wrong

Not every attack goes undetected. According to Benedict, if an attack is noticed in real time, “organizations will usually take systems offline to prevent deeper intrusion.”

She goes on to say: “If [the attackers are] opportunistic, they would probably just rely on other targets. But if it’s a nation-state actor… it’s likely they would pivot, change their approach, and try again.”

For opportunistic actors, being caught means moving on. For well-resourced teams, it often means regrouping and returning with a new tactic.

Beyond breaking systems 

Benedict notes that cyber operations aren’t always about shutting down networks. Sometimes the goal is to erode trust itself: “Online, on social media, there are always nation-state influence operations happening simultaneously… sowing doubt or mistrust is going on all the time.”

This side of the playbook uses misinformation to destabilize societies without ever touching physical infrastructure. And though most people will never be the direct target of a state-sponsored attack, the effects can ripple outward – through higher prices, disrupted services, or stolen personal data.

As Benedict explained: “Temporary disruptions to public services like transit systems or financial institutions… businesses could shut down, leading to financial losses or even layoffs. Health services could be disrupted. These are all real-world impacts of cyber attacks.”

Listen to the full conversation

To hear Hayley Benedict’s full analysis – including the evolving role of AI and developments we might see in the near future – tune in to the full episode of Random but Memorable on our YouTube channel or wherever you get your podcasts. We’d love to hear your thoughts on our Community forum.
