Updated June 27, 2026
Summary: Nation-state actors combine legal compulsion mechanisms such as FISA 702 with technical intrusion to reach data held in foreign-jurisdiction clouds. Sovereign, on-premises infrastructure under domestic legal control removes the compelled-disclosure exposure entirely and shrinks the internet-facing identity and API attack surface to what the organisation itself operates and logs.

State-sponsored cyber espionage against European organisations operates through two structurally distinct vectors: technical intrusion into systems and legally compelled access to data held by foreign-jurisdiction cloud providers. Sovereign infrastructure, defined as computing environments under domestic legal control with no foreign-jurisdiction ownership chain, is the only architectural approach that neutralises both vectors simultaneously. For compliance officers, CISOs and IT decision-makers in public sector, finance, healthcare and legal contexts, understanding how specific threat actors exploit each vector is the precondition for proportionate investment in sovereign controls.

How APT28, APT29, Volt Typhoon and Salt Typhoon Target Cloud Environments

Each of the four major state-sponsored threat actor clusters documented by Western intelligence services uses a distinct operational pattern against cloud-hosted data, and each pattern maps to a specific architectural weakness that sovereign infrastructure removes.

APT28 and APT29: Credential abuse and OAuth exploitation

APT28 (Fancy Bear, attributed to Russia’s GRU) and APT29 (Cozy Bear, attributed to the SVR) both rely heavily on credential theft and the abuse of federated identity systems. APT29’s 2020 SolarWinds campaign and its subsequent Microsoft 365 intrusions demonstrated a consistent TTP: steal or forge authentication tokens (the Golden SAML technique, which signs arbitrary SAML assertions with a stolen AD FS token-signing certificate), use OAuth application consent or credentials added to existing applications to gain persistent access to mailboxes and SharePoint libraries, then exfiltrate over legitimate API channels that blend with normal traffic. Because these operations use sanctioned Microsoft Graph API calls authenticated with valid tokens, they are effectively invisible to perimeter-based controls.

Sovereign on-premises infrastructure narrows this pattern at multiple points rather than removing it outright. Federation to a foreign-jurisdiction cloud IdP is eliminated, so every token that grants access is minted and logged on infrastructure the organisation controls. The token-signing key still has to be protected, because the Golden SAML forgery in the SolarWinds campaign targeted the signing certificate of an on-premises AD FS server; an HSM-held, non-exportable signing key is the matching control. API access to file stores is governed by local network policy rather than internet-accessible endpoints. And because the authentication logs remain on infrastructure the organisation controls, detection and forensic retention are not subject to the cloud provider’s log retention limits or incident notification policies.

Volt Typhoon and Salt Typhoon: Living-off-the-land and telecom interception

Volt Typhoon and Salt Typhoon, both attributed to the People’s Republic of China, use fundamentally different tradecraft. Volt Typhoon specialises in pre-positioning within critical infrastructure, using only built-in system tools (living-off-the-land binaries) to avoid signature detection, and establishing persistent footholds that can enable disruption or exfiltration on demand. Salt Typhoon, as disclosed in late 2024, compromised at least nine US telecommunications providers, gaining access to call metadata and lawful intercept infrastructure.

Key figure: ENISA’s Threat Landscape 2023 identified state-sponsored actors as responsible for 24 percent of all significant incidents against critical infrastructure sectors in the EU (ENISA, 2023).

Against cloud environments, Volt Typhoon exploits the trust relationships between cloud management planes and on-premises networks, particularly VPN appliances and edge devices with cloud connector software. Sovereign infrastructure that is fully disconnected from public cloud control planes removes this lateral movement path. Salt Typhoon’s interception capability depends on access to carrier-level infrastructure; organisations that route communications through sovereign, end-to-end encrypted channels with quantum-safe key exchange do not expose plaintext content to intercepted carrier infrastructure. Content encryption does not hide call and connection metadata, which is what Salt Typhoon reached through carrier lawful-intercept systems, so metadata-sensitive traffic additionally needs to stay on organisation-controlled links.

The Legal Espionage Vector: FISA 702, the CLOUD Act and Structural Compelled Disclosure

Technical intrusion is only one route to European data. The legal compulsion route is arguably more reliable for a state-level adversary because it requires no exploitation and leaves no forensic trace in the victim’s systems.

FISA Section 702 authorises the US National Security Agency to compel US electronic communication service providers to produce communications of non-US persons located outside the United States, without a warrant and without notifying the data subject. The “upstream” collection variant allows NSA to intercept communications transiting US internet backbone infrastructure. Any European organisation whose data is stored on or transits infrastructure operated by a US-incorporated provider, including European subsidiaries of US hyperscalers, is structurally exposed to this authority.

Note: A European brand operating on AWS, Azure or Google Cloud infrastructure remains exposed to FISA 702 and CLOUD Act compelled disclosure because the underlying provider is subject to US jurisdiction regardless of where the data centre is physically located.

As ENISA has noted in its cloud security guidance: “Cloud environments do not make data inaccessible to intelligence services; they concentrate it and make compelled disclosure structurally easier.” The CLOUD Act of 2018 extended this reach, requiring US providers to produce data stored abroad when served with a valid US legal process. Analogous authorities exist in other jurisdictions: China’s National Intelligence Law of 2017 requires Chinese entities to cooperate with state intelligence work, creating equivalent structural risk for data held with Chinese-affiliated providers.

Swiss hosting by an entity with no US or Chinese ownership or control nexus is outside the reach of FISA 702 directives and CLOUD Act process, which bind US providers rather than foreign ones; the revised Federal Act on Data Protection (revFADP) governs the processing itself but is not what blocks foreign compulsion. Switzerland is not subject to the EU e-Evidence Regulation. Its own Intelligence Service Act does authorise cable reconnaissance of cross-border traffic, so traffic that leaves the sovereign environment should still be end-to-end encrypted rather than relying on jurisdiction alone.

ENISA and BSI Technical Controls for Nation-State-Level Adversaries

Both ENISA and the BSI (German Federal Office for Information Security) have published specific technical recommendations for critical infrastructure operators facing advanced persistent threat actors. The BSI’s IT-Grundschutz Compendium states: “Critical infrastructure operators must implement network segmentation, hardware-rooted trust and verified supply chains as baseline countermeasures against advanced persistent threats.”

Control category | Recommended measure | APT attack surface addressed
Network segmentation | Microsegmentation with deny-by-default policies between asset tiers | Lateral movement by Volt Typhoon living-off-the-land binaries
Encryption at rest with sovereign key management | HSM-backed key management with no cloud provider key escrow | Compelled disclosure under FISA 702 or the CLOUD Act
Hardware attestation | TPM 2.0 measured boot, UEFI Secure Boot, verified firmware | Hypervisor-level compromise by APT29-class actors
Supply-chain verification | Software Bill of Materials (SBOM), signed build pipelines, vendor security assessments | SolarWinds-class build system compromise by APT28/APT29

Hardware attestation deserves particular attention. When a credible adversary has access to hypervisors, whether through cloud provider compromise or physical data centre access, software-only security controls can be bypassed. TPM 2.0-based measured boot produces a cryptographic record of every component loaded before the operating system starts: each component’s hash is extended into a Platform Configuration Register (PCR), so the final PCR values commit to the whole pre-OS chain. The record alone detects nothing; detection requires comparing a signed TPM quote of those PCRs against a known-good baseline captured at provisioning, and replaying the host’s event log to confirm it explains the quoted values. That comparison is what turns firmware or bootloader tampering into an alert that operating-system telemetry cannot produce.
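A minimal verifier for the comparison just described, added here as an example and not code from the article, ENISA or the BSI. It replays a constructed UEFI-style event log into SHA-256 PCR values, compares the result with a golden baseline, and reports both a replaced firmware image and an edited event log. The component names and blob contents are placeholders, and obtaining a signed quote from a real TPM and reading the host’s event log are assumed to happen outside the snippet.

```python
"""Measured-boot verification against a golden PCR baseline.

Added example, not code from the article or from any vendor: the boot event
log, the golden baseline and the "quoted" PCR values are constructed inline so
the check runs offline. A real verifier would read the event log from the
host (the UEFI TCG log) and take the PCR values from a signed TPM2 quote.
"""
import hashlib
from dataclasses import dataclass

PCR_COUNT = 8          # model PCR0-7 only (pre-OS measurements)
ZERO = bytes(32)       # SHA-256 bank PCRs start at all-zero


@dataclass(frozen=True)
class Event:
    pcr: int
    description: str
    data: bytes        # the measured blob (firmware volume, bootloader image, ...)


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM PCR extend for the SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay(events):
    """Replay an event log into the PCR values the TPM must hold after boot."""
    pcrs = [ZERO] * PCR_COUNT
    for ev in events:
        pcrs[ev.pcr] = extend(pcrs[ev.pcr], hashlib.sha256(ev.data).digest())
    return pcrs


def verify_boot(quoted_pcrs, baseline, events):
    """Return findings; an empty list means the boot chain matches the baseline.

    Check 1: the event log must replay to the quoted PCRs, otherwise the log was
             tampered with or truncated and cannot be trusted to explain a change.
    Check 2: the quoted PCRs must equal the golden baseline; a mismatch names the
             components measured into that PCR so the analyst knows which stage changed.
    """
    findings = []
    replayed = replay(events)
    for idx in range(PCR_COUNT):
        if quoted_pcrs[idx] != replayed[idx]:
            findings.append(f"PCR{idx}: event log does not replay to quoted value")
        elif quoted_pcrs[idx] != baseline[idx]:
            stages = [e.description for e in events if e.pcr == idx]
            findings.append(f"PCR{idx}: differs from baseline; measured here: {stages}")
    return findings


# Constructed golden boot chain (blob contents are placeholders for real images).
GOLDEN_EVENTS = [
    Event(0, "platform firmware", b"vendor-fw-1.2.3"),
    Event(1, "firmware configuration", b"setup-variables-v1"),
    Event(4, "UEFI bootloader", b"shim-15.8+grub-2.12"),
    Event(7, "Secure Boot policy", b"db/dbx/KEK/PK state"),
]


def golden_baseline():
    """Baseline captured at provisioning: PCRs of a trusted boot of GOLDEN_EVENTS."""
    return replay(GOLDEN_EVENTS)


def tampered_firmware_events():
    """Same chain, but the firmware volume was replaced (a pre-OS implant)."""
    return [Event(0, "platform firmware", b"vendor-fw-1.2.3+implant")] + GOLDEN_EVENTS[1:]


def truncated_log_events():
    """A log with the Secure Boot policy entry removed, as an attacker editing the log would."""
    return GOLDEN_EVENTS[:-1]


def check_host(events, quoted_pcrs=None):
    """Evaluate one host; if no quote is given, simulate what its TPM would report."""
    if quoted_pcrs is None:
        quoted_pcrs = replay(events)
    return verify_boot(quoted_pcrs, golden_baseline(), events)


if __name__ == "__main__":
    print("clean host:    ", check_host(GOLDEN_EVENTS))
    print("implanted host:", check_host(tampered_firmware_events()))
    # The TPM still measured the policy entry; only the log on disk was edited.
    print("edited log:    ", check_host(truncated_log_events(), replay(GOLDEN_EVENTS)))
```

In production the quote’s signature is verified against the TPM’s attestation key before its PCR values are trusted at all; the replay step above is what lets the analyst tell a replaced firmware image apart from a log that was edited after the fact.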

Classifying Assets by Espionage-Risk Profile

Not all data warrants the same sovereign control investment. A defensible classification framework separates assets into three tiers based on the realistic consequence of state-sponsored exfiltration.

Tier one covers classified government data, legally privileged communications, cryptographic key material and merger-sensitive intellectual property. For these assets, the only proportionate control is sovereign on-premises infrastructure with HSM key management, hardware attestation, air-gap-capable network segmentation and no foreign-jurisdiction ownership in the entire supply chain. The average cost of a data breach reached USD 4.45 million in 2023 (IBM Cost of a Data Breach Report, 2023), but for tier-one assets the reputational, legal and geopolitical consequences typically dwarf direct remediation costs.

Tier two covers commercially sensitive IP, personnel records of cleared staff and regulated financial data. Sovereign hosting with encrypted-at-rest storage and sovereign key management is proportionate here. Full air-gap is not required, but no cloud provider with a foreign-jurisdiction ownership chain should hold the encryption keys.

Tier three covers operational data without classification or privilege status. Standard security hygiene applies, but the organisation should still evaluate whether the data aggregates into a profile valuable to a state-level adversary before defaulting to hyperscaler storage.

Distinguishing State-Sponsored Intrusions and Enabling Forensic Attribution

Incident indicators that suggest state-sponsored actors rather than financially motivated cybercriminals include: authentication anomalies spread over weeks or months rather than hours; absence of ransomware deployment or extortion contact after initial access; exfiltration of structured metadata and credentials rather than bulk file copying; and use of legitimate administrative tools with no malware signatures. The 2023 Microsoft Exchange Online breach attributed to the Chinese actor Storm-0558 exemplifies this pattern: forged authentication tokens provided persistent mailbox access for at least a month before detection.

Forensic readiness in a sovereign SIEM environment is decisive here. A sovereign SIEM that ingests IdP token-issuance events, resource-server access logs, DNS queries, network flow records and endpoint telemetry under organisational control, with retention periods set by the organisation rather than a cloud provider’s default, enables the long-baseline behavioural analysis needed to detect low-and-slow intrusions; it also makes it possible to check that every token presented to a mailbox or file store was actually signed by the organisation’s own IdP, which is the direct test for the forged-token pattern. It preserves chain-of-custody evidence for regulatory reporting under NIS-2 Article 23 (24-hour early warning and 72-hour incident notification) and GDPR Article 33, and for any subsequent attribution proceedings.
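Two of these detections in runnable form, serving both the APT29 token-abuse pattern described earlier and the low-and-slow indicators above. This is an added example, not code from the article or any SIEM vendor: the IdP issuance log and the resource-server access events are constructed, the field layout (a token identifier `jti`, a subject, an application name) is a simplification, and the thresholds are illustrative rather than tuned.

```python
"""Two detections a sovereign SIEM can run over its own IdP and API logs.

Added example, not code from the article. Log lines and events are constructed
(synthetic) and the field layout is simplified; a real pipeline maps the IdP's
issuance events and the resource server's access records onto the token
identifier (jti) and subject used here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed issuance log from the organisation's own IdP: every token it signed.
IDP_LOG = """
2026-05-01T08:02:11Z issued jti=t-1001 sub=a.meier@example.ch client=outlook-desktop
2026-05-01T08:05:40Z issued jti=t-1002 sub=k.brunner@example.ch client=outlook-desktop
2026-05-02T09:14:03Z issued jti=t-1003 sub=a.meier@example.ch client=mail-sync-app
"""

START = datetime(2026, 5, 1)   # a Friday; the constructed window covers 30 days


def parse_idp_log(text):
    """Map token id -> subject for every token the IdP actually signed."""
    issued = {}
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split()[2:])
        issued[fields["jti"]] = fields["sub"]
    return issued


def build_api_events():
    """Constructed resource-server access log: (timestamp, jti, subject, app, operation).

    Token ids stand in for a refresh-token family so one id can span the window.
    """
    events = []
    # Legitimate desktop client: bursty, weekday office hours only.
    for day in range(30):
        ts = START + timedelta(days=day)
        if ts.weekday() < 5:
            for i in range(40):
                events.append((ts + timedelta(hours=8, minutes=10 * i),
                               "t-1001", "a.meier@example.ch", "outlook-desktop", "mail.read"))
    # Newly consented app: two reads every night, weekends included (low and slow).
    for day in range(30):
        ts = START + timedelta(days=day, hours=3)
        for i in range(2):
            events.append((ts + timedelta(minutes=7 * i),
                           "t-1003", "a.meier@example.ch", "mail-sync-app", "mail.read"))
    # Forged token: an id the IdP never signed (Storm-0558 / Golden SAML indicator).
    events.append((START + timedelta(days=12, hours=2),
                   "t-9999", "k.brunner@example.ch", "outlook-desktop", "mail.read"))
    # Replayed token: issued to k.brunner but presented for a.meier's mailbox.
    events.append((START + timedelta(days=13, hours=2),
                   "t-1002", "a.meier@example.ch", "outlook-desktop", "mail.read"))
    return events


def find_token_anomalies(issued, events):
    """Tokens used at the resource server that the IdP never issued, or issued to someone else."""
    findings = set()
    for _, jti, sub, _, _ in events:
        if jti not in issued:
            findings.add(f"{jti}: presented for {sub} but never issued by the IdP")
        elif issued[jti] != sub:
            findings.add(f"{jti}: issued to {issued[jti]}, presented for {sub}")
    return sorted(findings)


def find_low_and_slow(events, min_active_days=20, max_calls_per_day=5):
    """(app, subject, active days, weekend days) for pairs active on many days with few calls each.

    Steady background access across weeks, weekends included, is the shape of
    persistent collection; an interactive user is bursty and follows working hours.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, _, sub, app, _ in events:
        per_day[(app, sub)][ts.date()] += 1
    flagged = []
    for (app, sub), days in per_day.items():
        active_days = len(days)
        mean_calls = sum(days.values()) / active_days
        weekend_days = sum(1 for d in days if d.weekday() >= 5)
        if active_days >= min_active_days and mean_calls <= max_calls_per_day:
            flagged.append((app, sub, active_days, weekend_days))
    return sorted(flagged)


if __name__ == "__main__":
    issued = parse_idp_log(IDP_LOG)
    events = build_api_events()
    for line in find_token_anomalies(issued, events):
        print("token:", line)
    for app, sub, days, weekend in find_low_and_slow(events):
        print(f"low-and-slow: {app} for {sub}: active {days} days, {weekend} on weekends")
```

The token check only works because both logs live on infrastructure the organisation controls for as long as it chooses; the low-and-slow check needs weeks of retained access records, which is exactly the baseline that a provider’s default retention window can cut short.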

NIS-2 Article 19, the EU Cyber Solidarity Act and Accountability for Sovereign Controls

The NIS-2 Directive’s Article 19 establishes peer reviews in which Member States assess one another’s cybersecurity policies and capabilities, with ENISA providing methodological support; it does not assess individual entities. Accountability for essential entities comes from Article 21, which lists the risk-management measures they must implement, and Article 32, which lets competent authorities supervise them through on-site inspections, security audits, requests for information and access to documents. This creates a direct accountability link between the sovereign infrastructure decisions an organisation makes and the evidence it must produce to regulators. Assertions of compliance are insufficient; organisations must demonstrate network architecture, key management audit trails and supply-chain due diligence documentation.

The EU Cyber Solidarity Act, adopted in 2024 and published as Regulation (EU) 2025/38, adds a cross-border mutual assistance layer. It funds a European Cybersecurity Alert System (the “European Cyber Shield” of the original proposal) of national and cross-border cyber hubs, and establishes an EU Cybersecurity Reserve of pre-contracted incident response providers that Member States facing significant incidents can call on. For regulated entities, this raises the preparation standard: organisations that have invested in sovereign SIEM environments and documented incident response playbooks will be able to hand evidence to Reserve providers effectively, while those dependent on hyperscaler-native logging will find forensic handover to cross-border response teams structurally difficult.

Together, NIS-2 supervision of essential entities and the Cyber Solidarity Act’s mutual assistance framework create a regulatory environment in which sovereign infrastructure decisions are no longer merely a defensive preference but auditable choices: the architecture, key management and supply-chain evidence behind them is what essential entities in the covered sectors will be asked to produce.

FAQ

Does moving to a European cloud provider fully eliminate FISA 702 exposure?

Only if the provider has no US-person nexus: no US parent company or controlling shareholder, no US-incorporated entity in the operating chain, and no infrastructure subject to US jurisdiction. FISA 702 directives and CLOUD Act process bind providers, not individual staff, so the question is who controls the operating entity rather than the nationality of its administrators. A European brand operating on AWS or Azure infrastructure remains exposed because the underlying provider is subject to US compelled-disclosure law regardless of the data centre’s physical location.

How do Volt Typhoon and Salt Typhoon differ from ransomware groups in their cloud intrusion methods?

Volt Typhoon and Salt Typhoon prioritise stealth and persistence over disruption. They abuse legitimate credentials and living-off-the-land binaries to move laterally without triggering standard alerting (OAuth token theft and forgery is the APT29 pattern described above). Ransomware actors typically detonate quickly and visibly. The slow, credential-based patterns of state actors are often only detectable through anomalous authentication telemetry and long-baseline behavioural analysis in a sovereign SIEM.

What does NIS-2 Article 19 actually require organisations to demonstrate about sovereign controls?

Article 19 itself establishes peer reviews between Member States, supported by ENISA, and does not assess individual organisations. The entity-level obligations are Article 21 (risk-management measures) and Article 32 (supervision of essential entities through audits, inspections and information requests). Under those, organisations must produce evidence, not just assertions: network architecture diagrams, key management audit trails, incident response records and supply-chain due diligence documentation.

When should a CISO require hardware attestation rather than software-only security controls?

Hardware attestation, using TPM 2.0 chips and measured boot sequences, is warranted wherever an adversary with physical or privileged logical access to hypervisors is a credible threat. For tier-one assets such as legally privileged communications, classified government data and cryptographic key material, software-only controls are insufficient because a compromised hypervisor can bypass them entirely.

How does the EU Cyber Solidarity Act change incident response obligations compared to NIS-2 alone?

The Cyber Solidarity Act adds a cross-border mutual assistance layer on top of NIS-2 national reporting. It funds a European Cybersecurity Alert System (proposed as the European Cyber Shield) of national and cross-border cyber hubs and creates an EU Cybersecurity Reserve of pre-contracted incident response providers. For regulated entities this means faster access to forensic and containment expertise across borders, but it also raises the bar on what constitutes adequate prior preparation, particularly regarding sovereign log retention and documented response playbooks.
