This Week in Cyber: The State-Managed Threat & The AI Arms Race
Analysis Date: October 28, 2025
Source: Trescudo Intelligence • Author: Evangeline Smith, MarCom
This past week wasn't just another news cycle; it was a fundamental reframing of the entire threat landscape.
A landmark intelligence report from Recorded Future effectively tore up the old rulebook on Russian cybercrime. Concurrently, attacks on critical infrastructure surged, and the EU's patchy transposition of NIS2, now a full year past its October 2024 deadline, continues to leave any multinational corporation with a dangerously fragmented compliance landscape.
Here is Trescudo's analysis of what happened and, more importantly, what you must do about it.
1. The New Adversary: Russia's "Managed Market" of Cybercrime
The most significant development is the "Dark Covenant 3.0" analysis from Recorded Future's Insikt Group. It confirms a thesis we have long operated under: the "safe haven" theory is dead.
Russia now operates a system of "controlled impunity," actively managing its cybercriminal assets.
Following the "Operation Endgame" takedowns, Russian authorities engaged in selective enforcement. They publicly arrested "low-utility" actors and monetisation services (like the Cryptex money laundering platform) to appease Western pressure.
However, the report cites leaked chats showing that "state-useful," high-value groups like Conti and Trickbot remain protected, coordinating directly with Russian intelligence (FSB/SVR) and receiving political cover. These groups are no longer just criminals; they are geopolitical assets, evidenced by their inclusion in high-level prisoner swaps.
"This week's intelligence confirms what we've been advising clients for the past year: the line between cybercriminal and state actor has been erased. We are now facing state-protected adversaries. If your incident response plan still treats ransomware as a simple criminal act, it's not just outdated—it's dangerous."
- Derick Smith, CEO, Trescudo
Strategic Implication: An attack from a top-tier ransomware group must be treated as a quasi-state-sponsored act. Your adversary is not just criminal; they are state-protected and state-tasked. In practice that means planning on the assumption that the group will not be dismantled by arrests or takedowns, that stolen data will not be recovered, and that the same operators can return. Your incident response plan must reflect this new reality.
2. The Proving Ground: Critical Infrastructure Under Siege
While the "Dark Covenant" report provides the strategy, the real-world attacks show the tactics. Reports published last week put the rise in ransomware incidents at 34% for 2025, with roughly half of all attacks now targeting critical infrastructure. The manufacturing sector saw the steepest rise, a 61% increase.
Two incidents from the past week perfectly illustrate this:
UK Ministry of Defence (MoD) Breach: The Lynx ransomware group, reportedly Russia-linked, breached a third-party contractor, the Dodd Group. This classic supply-chain attack resulted in the theft of sensitive military documents. This is precisely the risk Article 21 of NIS2 (supply-chain security among its minimum risk-management measures) was written to address, proving that vendor-risk management is a critical security control.
Heywood Healthcare (Massachusetts): A cyberattack forced two hospitals to take all systems offline, reverting to manual, paper-based processes to protect patient data. This is a catastrophic failure of operational resilience. This is why our Healthcare Patient-Safety Bundle focuses not just on prevention but on continuity—ensuring you can function during an attack.
3. The New Weapon: The AI-Powered Arms Race
The TTPs of these groups are also evolving. The Qilin ransomware group, which has claimed over 700 attacks this year, now offers a "call a lawyer" service in its ransom note to "legally assess" the victim's potential lawsuit costs, maximising psychological pressure.
This is just the beginning.
As highlighted by Axios last week, AI is about to supercharge cyberattacks. Threat actors are already using AI to:
Write polymorphic malware that evades traditional signature-based antivirus.
Generate flawless, hyper-realistic spear-phishing emails at a massive scale.
Scan for and exploit vulnerabilities far faster than human teams can patch.
The Trescudo Analysis: You cannot fight an AI-driven, automated adversary with a manual, human-led defence. The skills gap is too wide and the attack speed is too fast.
This is why we have built our practice around AI Hyperautomation. The only way to win a machine-speed battle is with a machine-speed defence. By leveraging Agentic AI, we unify security tools (such as SentinelOne, Orca, and Vicarius) into a single, autonomous platform. This allows us to automatically triage, investigate, and contain threats in seconds rather than hours, reducing analyst workload and giving you a fighting chance.
4. The Policy Quagmire: A Fragmented Compliance Landscape
As these advanced threats accelerate, the policy and legal landscape is in chaos.
EU NIS2 Transposition Failure: The deadline for EU member states to transpose NIS2 into national law was October 17, 2024, and a year later the picture is still fragmented. With only about half of the member states having fully transposed the directive, multinational organisations face a legal nightmare: a patchwork of different (or non-existent) laws across the EU. The European Commission has already escalated its infringement proceedings, sending reasoned opinions in May 2025 to 19 member states, including Germany, Ireland, and France, and threatening referral to the Court of Justice.
US SEC Rules in Effect: The F5 Networks Form 8-K filing on October 15, which disclosed a nation-state breach and noted that the US Department of Justice had authorised a delay in public disclosure, shows the SEC's cybersecurity disclosure rules in action. Material incidents must be disclosed within the rules' tight window unless the DOJ grants such a delay, adding immense legal pressure to an already chaotic incident.
This combination of legal ambiguity and high-stakes disclosure rules creates a perfect storm.
Trescudo's Final Word
You cannot wait for regulators to get organised. The threat is here, it is state-managed, and it is now being powered by AI.
Resilience in 2026 is not about buying one more tool. It's about building an integrated, automated, and legally-defensible security program that can withstand a state-level attack. It's about ensuring your hospital can still see patients, or your airport can still move passengers, even when the primary systems are down.
Sources & Further Reading
Recorded Future: Analysis: Russia's New "Dark Covenant" & Managed Cybercrime
Trescudo Solutions: Trescudo Agentic AI Hyperautomation
European Commission: NIS2 Directive Transposition Status