Trellix and CSIS Find Organizations Outmatched by Nation-State Cyber Threat Actors

Report Highlights Increased Government Support Required to Defend Against Sophisticated Nation-States


  • 86 percent of respondents believe they have been targeted by a cyberattack conducted by a group acting on behalf of a nation-state
  • Only 27 percent of respondents said they have complete confidence in the ability of their organization to differentiate between nation-state cyberattacks and other cyberattacks
  • 10 percent of organizations surveyed do not have a cybersecurity strategy, including nine percent of critical infrastructure providers
  • 9-in-10 respondents think the government should do more to support organizations and protect critical infrastructure against state-backed cyberattacks
  • More than 90 percent said they were willing to share information publicly when they faced a nation-state cyberattack, but not always with full details of the attack or its effect

SAN JOSE, Calif.--()--Today Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), and the Center for Strategic and International Studies (CSIS) released a global report, In the Crosshairs: Organizations and Nation-State Cyber Threats, examining security professionals’ mindsets towards nation-state actors, the extent they are being targeted, how nation-state actors differ from other cyber criminals and how they view the role of government in responding to attacks. The report found Russia and China among the most likely suspects of being behind successful cyberattacks resulting in data loss, service disruption, and industrial espionage, which led to significant costs to the organizations attacked.

“As geopolitical tensions rise, the likelihood of nation-state cyberattacks rises as well,” said Bryan Palma, CEO of Trellix. “Cybersecurity talent shortages, outdated IT infrastructure, and remote work are the greatest challenges in today’s operating environment. Organizations must improve their automation, remediation, and resiliency capabilities to defend against increasingly sophisticated attacks.”

The report, written by CSIS and based on research conducted by Vanson Bourne, surveyed 800 IT decisions makers in Australia, France, Germany, India, Japan, the United Kingdom and the United States, from a variety of industries. It highlights the volume and severity of nation-state cyberattacks is a substantial problem for the international community and organizations are looking to governments to help solve. The report will be launched from a virtual CSIS event today, March 28 at 3 p.m. EDT and can be watched live or by recording via the event site. Trellix CEO Bryan Palma and Trellix Head of Cyber Investigations John Fokker will discuss the findings as well as the threat landscape and the need for private/public partnerships.

Organization Risk. Ninety-two percent of respondents have faced or suspect they have faced a nation-state backed cyberattack in the last 18 months or expect to face one in the future. The report also finds most organizations struggle to confidently and accurately determine if a cyberattack is linked to a nation-state given technical challenges and the efforts hackers go to hide their identity. Unlike cyber criminals, nation-state actors focus on conducting intelligence operations to gain intellectual property and data to serve an economic or military goal, while also leaving backdoors in organization infrastructure for reentry.

The risk to organizations is significant, with the average nation-state-backed cyberattack costing an estimated $1.6 million per incident. Yet the report finds 10 percent of organizations surveyed do not have a cybersecurity strategy.

Consumer Impact. While access to consumer data was the motive for nearly half of reported state-backed incidents, only 33 percent of organizations reported reaching out to their customers to disclose the incident. The respondents view personally identifiable information (PII) related to either their customers or employees—as one of the main factors they would be targeted (46 percent and 40 percent respectively). As organizations prepare their cybersecurity strategies, risks to reputation and trust are at stake. Transparency with end customers should be considered in addition to ensuring direct communication with cybersecurity vendors, partners and government agencies. Additional information for consumers can be found on the Trellix blog.

Government Guidance. The report found 92 percent of respondents were willing to share information about an attack, but not always the full details. Overall, organizations are looking to the government for guidance into how they can protect themselves while being hindered by a lack of breach disclosures. Ninety percent of respondents think the government should do more to support and protect critical infrastructure from cyberattacks. In the U.S., programs like the Cyber Safety Review Board, CISA’s Shield Up and the White House’s new Office of the National Cyber Director are examples of programs governments worldwide should continue to develop to help protect critical infrastructure.

“Nation-states and their criminal proxies are some of the most dangerous cyber attackers because they are capable, best resourced and extremely persistent,” said James Lewis, senior vice president and director, Strategic Technologies Program for CSIS. “It’s not surprising that nation-states, particularly China and Russia, are behind many of the cyberattacks organizations experience; what is surprising is that 86 percent of respondents in this survey believe they have been targeted by a group acting on behalf of a nation-state, and only 27 percent are completely confident in their organization’s ability to recognize such an attack in contrast to other cyberattacks.”

Latest Threat. Trellix Threat Labs today also announced new findings, uncovering activity from advanced persistent threat (APT) group Nomad Panda, also known as RedFoxtrot. Trellix has determined with medium confidence that RedFoxtrot has been leveraging a new variant of the PlugX malware which Trellix has named “Talisman.” The Talisman variant of the malware has been used to target defense and telecommunications victims across South Asia, likely to advance China’s Belt and Road initiative which aims to expand trade and economic relationships across Europe, Asia and Africa. Additional details on RedFoxtrot and the latest PlugX activity can be found in the Trellix Threat Center.

Additional Resources

About Trellix

Trellix is a global company redefining the future of cybersecurity. The company’s open and native extended detection and response (XDR) platform helps organizations confronted by today’s most advanced threats gain confidence in the protection and resilience of their operations. Trellix’s security experts, along with an extensive partner ecosystem, accelerate technology innovation through machine learning and automation to empower over 40,000 business and government customers. More at

About CSIS

The Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit policy research organization dedicated to advancing practical ideas to address the world’s greatest challenges. CSIS’s purpose is to define the future of national security. They are guided by a distinct set of values—non-partisanship, independent thought, innovative thinking, cross-disciplinary scholarship, integrity and professionalism, and talent development. CSIS’s values work in concert toward the goal of making real-world impact.


Sarah Erman


Sarah Erman