The ODNI's 2025 Annual Threat Assessment covers the cyber threats posed by transnational criminals and threat actors from China, Russia, Iran and North Korea.
On March 25, 2025 the Office of the Director of National Intelligence (ODNI) published their Annual Threat Assessment of the U.S. Intelligence Community. The report is based on information from the Intelligence Community (IC), “which is committed to providing the nuanced, independent, and unvarnished intelligence that policymakers, warfighters, and domestic law enforcement personnel need to protect American lives and America’s interests anywhere in the world.” The assessment centers on the most crucial threats to the US in the next year, categorized under ‘nonstate transnational criminals and terrorists’ and ‘major state actors’, which specifically includes China, Russia, Iran and North Korea.
The assessment highlights the impact of financially motivated cyber criminals in the section on “other transnational criminals”. These threat actors target poorly protected but significant organizations, like municipal governments, healthcare systems, and other critical infrastructure institutions. Cyber attacks in these areas have already endangered lives, as ransomware delayed patient care at several hospitals in 2024, and they are unlikely to slow down.
China
The report also credits China as “the most active and persistent cyber threat to U.S. government, private-sector, and critical infrastructure networks.” Last year, a series of ‘Typhoon’ attacks demonstrated the sophistication of their abilities to infiltrate US infrastructure. At the end of January 2024, the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) disrupted Volt Typhoon, a PRC-sponsored cyber group, by shutting down a botnet that had infected hundreds of US-based small office/home office routers. Volt Typhoon had been active in the US as early as 2021, quietly striking several organizations in critical infrastructure. The group was also responsible for cyber attacks in Australia, Canada, the United Kingdom, and New Zealand.
By June 2024, Flax Typhoon (another China-based group) had created a botnet that “included more than 260,000 malware-infected devices across North America, South America, Europe, Africa, Southeast Asia and Australia.” It’s noteworthy that about half (130,000) of the infected devices were located in the US. This group had a wider reach than Volt Typhoon, and infected cameras and video recorders in addition to home routers, firewalls, and storage devices. The latest Typhoon hack, still PRC-sponsored, managed to reach even more people in the US.
The Salt Typhoon hack, shared with the public on December 4, 2024, was called the “worst telecom hack in our nation’s history” by a US Senator, and for good reason. The hack compromised at least eight major telecommunications firms, including AT&T and T-Mobile, the cellular metadata of ‘a large number of Americans’, and, worse still, unencrypted text messages from high-ranking government officials like Donald Trump, JD Vance, and other Congress employees and security personnel. The attackers could have seen classified material or even listened in on live phone calls.
Russia
Russia’s cyber capabilities are also classified as a threat in the report, which emphasizes the country's work to access US critical infrastructure (like the nation’s water facilities) and their malign influence activities. Just like in previous election years, Russia interfered with the 2024 election by actively spreading disinformation and propaganda to American audiences on several corners of the internet. Employees from a state-controlled Russian media outlet gave nearly $10 million to online commentators who shared videos made to align with Russian state interests.
The Cybersecurity and Infrastructure Security Agency (CISA) did create resources on election disinformation for the public, but they have recently been archived so the site will “better reflect current policy or programs.” This change, directed by the current administration, is just one of many around disinformation and Russia. In the first week of President Trump’s second term, the Secretary of the Department of Homeland Security, Kristi Noem, implied that CISA needed to be trimmed down to focus on critical infrastructure instead of stopping misinformation. CISA has since experienced staff cuts and, subsequently, some rehiring as a result of a judge’s order.
The Trump administration’s Defense Secretary, Pete Hegseth, has also stopped the US Cyber Command from planning against Russia for the foreseeable future. The decision came after a failed deal on minerals with Ukraine, which is currently being attacked by Russia. Hegseth’s order doesn’t prevent the National Security Agency (NSA) from planning against Russia, but it could affect the Cyber Command’s workforce, which has a sizable portion of employees focusing on Russia. Still, the ODNI’s assessment is clear on its stance on the dictatorship: “Moscow’s unique strength is the practical experience it has gained integrating cyber attacks and operations with wartime military action, almost certainly amplifying its potential to focus combined impact on U.S. targets in time of conflict…Moscow’s malign influence activities will continue for the foreseeable future and will almost certainly increase in sophistication and volume.”
Iran and North Korea
The last two countries that were listed as cyber threats were Iran and North Korea. In 2024, Iran’s cyber attacks became more aggressive and sophisticated. There was a group of Iran-based cybercriminals using ransomware to extort US organizations, and a refined email phishing campaign that compromised Trump’s presidential campaign. Peach Sandstorm, an Iranian state-sponsored threat actor, used their own malware “Tickler” to disrupt organizations in the energy sector. North Korea’s cyber activity is one of the smaller sections in the document, with only two threats discussed: the country’s extensive theft of cryptocurrency and their cyber espionage efforts to improve their weapons and defense technologies.
Cooperation Between Countries
The assessment concludes with information on how these countries collaborate: “Cooperation among China, Russia, Iran, and North Korea has been growing more rapidly in recent years, reinforcing threats from each of them individually while also posing new challenges to U.S. strength and power globally.” China, Iran, and North Korea have all provided economic or military support to Russia, which has otherwise been isolated for its persistent war on Ukraine. The biggest threat to the US, however, comes from one relationship: China and Russia. The two have “the greatest potential to pose enduring risks” because they “probably believe they are more capable of countering perceived U.S. aggression together than alone”.
While there haven’t been any recent cyber attacks from either country, the recent changes in the US government’s cybersecurity apparatus may mean we could have a harder time addressing any incidents. The Cyber Safety Review Board was in the middle of investigating the Salt Typhoon hack when it was dismantled by Trump, CISA may have lost about 10% of its workforce due to federal cuts directed by Elon Musk, Hegseth stopped some offensive cyber operations against Russia, and the president’s National Security Council (NSC) has recently limited work countering Russian sabotage, disinformation and cyberattacks. Hopefully, the ODNI’s 2025 Annual Threat Assessment will encourage the nation’s agencies to shore up their cyber defenses in case of an attack.