Cyber Proxies: Strategic tools in modern conflict and espionage
The word proxy is interesting. In Latin, procuro means “manage, administer”, from pro (“on behalf of”) and curo (“I care for”). Today a proxy is a person or entity authorized to act on behalf of another person or entity.
In today’s digitally interconnected geopolitical landscape, state and non-state actors increasingly rely on intermediaries to conduct cyber operations that serve strategic objectives, while enabling plausible deniability. These intermediaries, commonly referred to as cyber proxies, play a crucial role in shaping the modern threat environment.
Cyber proxies are individuals, groups, or organizations (ideologically motivated, financially incentivized, or state-aligned) that carry out cyber activities on behalf of a government or powerful actor, but without formal acknowledgment or attribution.
These proxies operate in a grey zone that blurs the lines between state action and criminal behavior, creating legal and diplomatic challenges in attributing responsibility and mounting a response under international law.
Unlike traditional espionage agents embedded in foreign territories, cyber proxies often work remotely and autonomously, operating from jurisdictions that are either unable or unwilling to cooperate with international investigations. This strategic ambiguity enables sponsoring states to deny involvement in operations that may violate international norms, such as cyber espionage, disinformation campaigns, or destructive cyberattacks against critical infrastructure.
For corporations, financial institutions, and government contractors, cyber proxies represent a severe and often underestimated risk vector. Unlike cybercriminals, proxies affiliated with or supported by state actors possess highly sophisticated tools, zero-day exploits, and long-term strategic objectives. These adversaries are capable of penetrating supply chains, exfiltrating trade secrets, and conducting reconnaissance over extended periods of time without detection. They target organizations not for their intrinsic value but as stepping stones toward more strategic entities, a tactic often referred to as "island hopping."
Risk and compliance officers must consider the risk of state-aligned cyber proxies not only in terms of direct cyberattacks, but also in the context of third-party risk, reputational harm, and exposure to international sanctions or regulatory scrutiny. Specific risk assessments should be based on geopolitical developments, attribution reports, and participation in public-private threat intelligence sharing programs.
Organizations need to ensure that incident response plans and breach disclosure procedures reflect the increasing likelihood that threat actors may not be lone hackers or criminal enterprises, but instead cyber proxies operating under strategic state guidance. This has implications for how incidents are reported to authorities, how legal counsel is engaged, and how stakeholders are informed. In some jurisdictions, failing to distinguish between nation-state-linked actors and ordinary cybercriminals in a breach report may constitute a material omission or misstatement, with regulatory or liability consequences.
Cyber proxies represent a convergence of espionage, warfare, and criminality, reshaping the contours of national security and corporate risk. Legal frameworks have yet to fully adapt, leaving risk and compliance professionals in a position where they must anticipate regulatory developments, adopt a proactive posture in cybersecurity governance, and maintain close alignment with threat intelligence functions. As cyber conflicts increasingly unfold through proxies and deniable actors, organizations must be prepared not only to defend against these threats, but to understand their place within a broader strategic and legal context.
Cyber Proxies and Asynchronous Warfare
The emergence of cyber capabilities as instruments of state power has transformed traditional models of warfare and deterrence. Central to this transformation is the concept of asynchronous warfare, a doctrine not merely of asymmetry in capability, but of deliberate disparity in timing, tempo, and strategic patience. In contrast to symmetric conflict, where adversaries operate on a shared timeline of engagement and response, asynchronous warfare enables an actor to shape the battlespace incrementally, over extended periods, exploiting the latency inherent in legal, diplomatic, corporate, and bureaucratic systems.
Asynchronous warfare is not new in principle. Guerrilla tactics, espionage, and protracted insurgencies have long demonstrated the power of strategic delay and calculated engagement. However, the digital domain introduces new dimensions to this doctrine. In cyberspace, time is not linear but elastic; the attacker may act in milliseconds, yet the defender must navigate compliance regimes, internal reporting procedures, incident response protocols, and regulatory disclosure obligations—processes that unfold in weeks or months. This disconnect becomes a source of strategic leverage.
At the core of asynchronous warfare is initiative without escalation. Nation-state actors, through proxies or covert units, conduct long-term reconnaissance, infiltration, and exploitation campaigns that remain below the threshold of armed conflict. These operations are not intended to trigger immediate retaliation, but to accumulate positional advantage: access to sensitive networks, insight into adversary capabilities, disruption potential, and influence over strategic narratives. The attacker is not in a hurry. It is the defender who is placed in a cycle of reactive urgency: detecting, containing, investigating, reporting, and remediating while the adversary moves on, silently adjusting its tactics, techniques, and procedures (TTPs).
This doctrine is particularly well-suited to authoritarian regimes or centralized strategic command structures, where long-term planning horizons are not constrained by electoral cycles, judicial oversight, or public accountability. Asynchronous warfare allows these actors to achieve cumulative effects, without the visibility or political cost of overt confrontation. Each individual operation may appear minor or ambiguous in isolation. Yet over time, the aggregation of stolen intellectual property, corrupted data, psychological pressure, institutional fatigue, and reputational harm erodes the strategic resilience of the target state or organization.
For risk and compliance experts, asynchronous warfare introduces a profound dilemma. Legal systems are designed to respond to events that are discrete, attributable, and actionable. Asynchronous campaigns, by contrast, unfold in a space of persistent ambiguity. There may be no single incident that justifies escalation, legal recourse, or public attribution. The attacker thrives in this ambiguity, knowing that institutions struggle to marshal coherent responses to slow, low-intensity, deniable aggression.
Consider the lifecycle of a typical asynchronous cyber operation. Initial access may be obtained through malware, phishing, or supply chain compromise. Months, sometimes years, pass as the intruder maps the network, escalates privileges, and identifies valuable data repositories. During this phase, no outward sign of conflict exists. The presence is passive, often undetected. When exfiltration or sabotage occurs, it may appear as a one-time breach. In reality, it is merely a checkpoint in a broader strategy of informational dominance and deterrence shaping.
Moreover, asynchronous warfare challenges the very notion of proportionality and imminence in law. A government may identify an intrusion but lack the legal authority to respond forcefully if the operation did not result in immediate or tangible harm. Yet the strategic harm is real and compounding. By exploiting this legal temporal gap—between detection and deterrence, between breach and retaliation—adversaries achieve what is effectively warfare by erosion.
In the private sector, this leads to a structural disadvantage. Corporations, especially in critical infrastructure sectors, are compelled to act in real time, with limited intelligence and under the scrutiny of regulators and stakeholders. Their adversaries, by contrast, operate in slow motion with the luxury of deniability. This disparity reinforces the argument that cybersecurity is not solely a technical issue, but a national security concern with legal, geopolitical, and compliance implications.
One of the key enablers of asynchronous warfare is the integration of intelligence operations into non-military domains. The goal is not disruption. Instead, adversaries embed themselves into global information ecosystems, such as media, academia, supply chains, and diaspora networks, and use these platforms to cultivate influence, collect intelligence, and destabilize perception over time. The digital environment facilitates this by allowing constant surveillance, predictive profiling, and narrative manipulation with minimal traceability.
Importantly, asynchronous warfare is not a one-sided phenomenon. Democratic states too have begun to adapt, employing pre-positioning strategies, persistent engagement doctrines, and forward defense in cyberspace. Nevertheless, legal norms and democratic transparency impose constraints that authoritarian systems often do not recognize. The asymmetry, therefore, remains both temporal and normative. One side acts without constraint; the other must justify every action within a legal and ethical framework.
From a regulatory and compliance standpoint, this places increasing importance on resilience by design. Asynchronous warfare cannot be deterred solely by firewalls or endpoint detection. It requires continuous monitoring, cross-sector threat intelligence sharing, legal readiness, and geopolitical risk awareness. Companies must recognize that they may be targets not because of who they are, but because of their position within a broader strategic ecosystem. A logistics provider, a legal services firm, or a research university may become an unwitting entry point for strategic exploitation.
The compliance function must therefore expand its horizon beyond breach response and privacy law. It must include a capacity to assess long-term adversarial presence, third-party risk from geopolitical vectors, and the legal consequences of operating in a contested digital space. Risk assessments must evolve from static checklists to dynamic threat modeling that accounts for time as a weapon.
Asynchronous warfare represents a defining feature of modern geopolitical conflict. It leverages the structural weaknesses of legal and institutional timeframes, exploits the slowness of democratic deliberation, and redefines conflict as a persistent, low-visibility, high-impact continuum. It shapes the threat landscape, informs strategic posture, and defines the adversarial logic behind many of today’s most complex and enduring cyber campaigns.
Espionage-as-a-Service and Cyber Proxies
We are seeing a structural shift in the way intelligence operations are conducted in the 21st century. What was once the exclusive domain of nation-state intelligence services is now being diffused across a transnational, opaque web of actors offering services, tools, and expertise to the highest bidder, state or non-state.
This phenomenon, described as Espionage-as-a-Service (EaaS), sits at the confluence of privatized intelligence and state-sponsored cyber operations. When viewed through the lens of cyber proxies, EaaS reflects a doctrinal evolution: a model of statecraft that delegates critical intelligence functions to deniable, commercially motivated actors, blurring the boundaries between crime, commerce, and national security.
Espionage-as-a-Service refers to the commodification of digital espionage capabilities. Actors offering EaaS maintain the infrastructure, skills, and tradecraft required to conduct high-level intrusion campaigns, but they do so not under a flag, a uniform, or a formal oath of service to any state, but under the logic of market exchange. These providers sell access to stolen data, offer bespoke network infiltration services, or license sophisticated spyware tools, often under the guise of legitimate cybersecurity products or penetration testing tools. The underlying principle is that state capabilities are now increasingly rented rather than built.
For nation-states, this model is attractive. It enables plausible deniability, provides immediate access to matured capabilities, and reduces operational overhead. States can obfuscate their involvement behind layers of intermediaries, legal entities, shell companies, and transnational infrastructure, while still achieving their strategic objectives: exfiltration of proprietary data, surveillance of dissidents, collection of foreign intelligence, and strategic disruption of adversarial systems.
Cyber proxies are the connective tissue of this ecosystem. They are non-state actors, sometimes independent, sometimes cultivated, who act in furtherance of a state’s objectives without formal incorporation into its military or intelligence apparatus. These actors may include mercenary hackers, private cybersecurity firms with dual roles, disinformation networks, or research collectives functioning as fronts for intelligence operations. In many jurisdictions, especially where rule of law is subordinate to national security prerogatives, cyber proxies are not merely tolerated—they are strategically integrated into the national doctrine.
Whereas traditional espionage operations were centralized, secretive, and vertically controlled, modern cyber espionage through proxies and service models is modular, scalable, and horizontally distributed. The state no longer needs to own the entirety of the intelligence process. It can outsource reconnaissance, infiltration, and even psychological operations to actors incentivized by profit, ideology, or geopolitical alignment. These actors in turn rely on overlapping infrastructures: bulletproof hosting services, access-as-a-service brokers, malware-as-a-service platforms, and underground data markets. The architecture of cyber conflict is therefore not state-centric; it is ecosystemic.
The operational implications are profound. EaaS actors often operate across jurisdictions, using global cloud infrastructure and encrypted communications to evade detection and law enforcement. Their clients are not exclusively states; some serve multiple patrons simultaneously, including organized crime syndicates, corporate espionage clients, and authoritarian governments. This multi-tenancy complicates attribution and response. The same actor that exfiltrates data from a defense contractor for a state intelligence agency may sell vulnerability data to a rival, or conduct unrelated ransomware attacks for private enrichment.
From a compliance and regulatory perspective, this creates a radically asymmetric risk environment. Legal entities, particularly those operating in critical sectors such as aerospace, defense, energy, pharmaceuticals, or technology, must now contend with adversaries who possess state-level sophistication without being legally accountable under international law. These actors exploit latency in legal frameworks, jurisdictional fragmentation, and limitations in incident attribution to operate with impunity.
Cyber proxies operating under an EaaS model often maintain long-term persistence in their targets, allowing for continuous espionage and adaptive campaign evolution. Unlike traditional cybercriminals who seek quick exploitation or monetization, these actors are methodical. They mimic nation-state dwell time, sometimes remaining undetected for months or years. They deploy sophisticated evasion techniques, custom tooling, and obfuscation strategies—including the use of misleading indicators of compromise (IOCs) and false flag tactics—to frustrate forensic investigations and delay legal or political response.
Espionage-as-a-Service, in its modern form, is a natural evolution of hybrid warfare and strategic ambiguity. It allows states to deny involvement, avoid direct diplomatic consequences, and shape the strategic environment at minimal cost. It permits adversaries to accumulate advantage without triggering conventional thresholds of response. And it challenges the core assumptions of national sovereignty, legal jurisdiction, and corporate risk governance.
The intersection of Espionage-as-a-Service and cyber proxy doctrine represents a new frontier in the digital threat landscape. It is a frontier defined not by the absence of law, but by its exploitation, where states strategically leverage legal gaps, outsource capabilities, and mask aggression behind private actors operating in murky legal territory. In this theatre of sub-threshold conflict, the adversary may be unknown, but the harm is very real.
The "fortunately we have not been hacked" oxymoron
Among corporate executives, regulators, and even policymakers, one phrase is routinely repeated as a badge of operational success or institutional resilience: “Fortunately, we have not been hacked.” This assertion, often made with confidence and sincerity, is meant to signal that the organization is secure, its systems intact, and its information uncompromised. However, when examined from a legal, risk, and cybersecurity standpoint, this statement reveals a troubling combination of ignorance, complacency, and conceptual error. It is, in many ways, an oxymoron, a declaration of security based on the absence of evidence, rather than evidence of absence.
The assertion that one has not been hacked presupposes perfect visibility, complete situational awareness, and a robust understanding of both internal systems and external threat actors. Yet the very nature of contemporary cyber-espionage, which is stealthy, persistent, and highly evasive, renders such certainty deeply flawed. In the vast majority of sophisticated intrusions, detection lags behind infiltration not by hours or days, but by weeks, months, or even years. Cyber threat actors, particularly those conducting nation-state espionage or operating under the doctrine of strategic patience, do not seek immediate disruption or overt ransom. Instead, they aim to remain invisible for as long as possible, maintaining access, extracting information, and observing internal communications until either their goals are achieved or the intrusion is uncovered by sheer coincidence.
From a legal standpoint, the claim of not having been hacked is fundamentally precarious. Under numerous regulatory frameworks, the duty to protect information assets is not contingent on the discovery of a breach. Rather, it is premised on the demonstrable implementation of appropriate technical and organizational measures. In other words, a firm’s legal obligations are forward-looking and risk-based, not dependent on whether an intrusion has been detected. To state that one has not been hacked is therefore irrelevant, and in some cases legally hazardous, if it implies that the organization has not undertaken sufficient risk mitigation merely because no evidence of compromise has been found.
The legal risk is compounded by the evolving tactics of advanced persistent threat (APT) groups and state-aligned cyber proxies. These actors often exploit supply chains, third-party service providers, cloud misconfigurations, or dormant software vulnerabilities, and use advanced obfuscation techniques to evade traditional detection methods. When organizations rely solely on internal security logs, perimeter defenses, or endpoint alerts, they risk missing the broader and more insidious techniques that define modern espionage. Consequently, the absence of detected breaches may simply reflect the inadequacy of detection tools and methodologies rather than the nonexistence of intrusions.
Risk professionals and compliance officers must also consider the fallacy embedded in the “fortunately, we have not been hacked” statement. It presumes that what is not seen does not exist, and that ignorance equates to safety. This mindset fails to account for the asymmetric nature of cyber conflict. In this environment, adversaries often possess better intelligence about the target’s systems than the defenders themselves. Many successful espionage campaigns, such as those discovered during incident response engagements, reveal an attacker’s understanding of internal workflows, naming conventions, or administrative routines that exceed the defender’s own documentation.
Cyber espionage is not associated with disruption. The intention is to leave systems undisturbed, users unaware, and logs clean. A targeted exfiltration of trade secrets, negotiation strategies, or national security information can occur with such precision that the organization’s IT and security teams remain oblivious for extended periods. In this context, to assert “we have not been hacked” is to potentially overlook the defining characteristic of espionage: its invisibility.
This oxymoron becomes even more dangerous when it influences strategic decision-making. Executives who are reassured by this narrative may underfund cybersecurity initiatives, delay necessary audits, or deprioritize training and awareness programs. Legal departments may assume that the risk of liability is low, given the perceived lack of breaches. Boards may mistakenly interpret silence as proof of success. This self-reinforcing cycle of underestimation not only creates operational vulnerabilities but also exposes the organization to legal consequences should an undetected breach be discovered later by external regulators, journalists, or forensic experts.
The statement also disregards the systemic nature of cyber risk. No organization exists in isolation. Through interconnected supply chains, cloud-based ecosystems, shared platforms, and federated identity systems, most firms are embedded within complex digital relationships. A successful intrusion against a strategic partner, software vendor, or outsourced IT service provider may provide indirect access to the organization’s data or systems. If the organization has no mechanism to assess or monitor these dependencies, it may never know that it has, in fact, been compromised by extension. In such cases, the declaration of safety becomes not only incorrect but misleading to stakeholders, regulators, and customers.
The phrase we examine reflects a cultural failure in the way cybersecurity is communicated at the executive and governance levels. Cybersecurity is not a binary state of being hacked or not hacked. It is a condition of ongoing exposure, dynamic adversarial pressure, and continuous improvement. The correct posture is not defensive complacency, but strategic vigilance. Boards and executive committees should frame cyber risk in terms of probability, adversarial capability, and organizational resilience, not based on the current visibility of intrusions. Just as public health experts do not declare a population disease-free merely because no symptoms have been reported, cybersecurity professionals should not assume the absence of compromise simply because no alarm has sounded.
The phrase “Fortunately, we have not been hacked” is not a statement of fact, but an expression of assumption. It ignores the stealth and sophistication of modern adversaries, disregards the regulatory requirement for demonstrable risk-based controls, and falsely equates undetected with unharmed. For law, risk, and compliance experts, this mindset is not merely outdated; it is dangerous. The real measure of an organization’s cybersecurity posture is not whether it has been hacked, but whether it is prepared to detect, respond to, and recover from the inevitable. Silence is not security. And what is unseen may still be unfolding in the shadows.