Artificial intelligence is rapidly transforming the cyber threat landscape, with state-sponsored actors increasingly leveraging AI to enhance the scale, speed, and sophistication of their operations. As of October 2025, 50% of respondents at critical infrastructure organizations reported already facing an AI-powered attack in the past year (Axios). In November 2025, Anthropic disclosed detecting what researchers assess as the first publicly known case of a Chinese state-sponsored group using AI to autonomously conduct approximately 80-90% of a cyber espionage campaign, with the AI performing reconnaissance, exploitation, and data exfiltration with minimal human intervention (Anthropic).

• A G20 government or government agency
• A major cybersecurity firm (such as CrowdStrike, Mandiant, Kaspersky, Palo Alto Networks, Microsoft Threat Intelligence, Google Threat Intelligence, or similar established firms)
• A major technology company's security division
• Authoritative international cybersecurity organizations (such as CISA, NCSC, or equivalent national agencies)

If a threat actor group is attributed to the attack but state sponsorship is not explicitly confirmed, the group will qualify as state-affiliated if it appears on established APT lists (such as MITRE ATT&CK Groups, Mandiant APT Groups, or similar authoritative sources) with assessed or suspected nation-state ties. Attribution terminology such as “state-sponsored,” “state-backed,” “nation-state actor,” “APT group,” or references to specific nation-state threat groups (e.g., “APT28,” “Lazarus Group,” “Volt Typhoon”) will be considered evidence of state actor involvement. Attribution may be public or reported through credible media sources and does not need to be definitive but must represent a formal assessment with reasonable confidence.

3. Significant disruption to G20 critical infrastructure: The attack must cause measurable operational disruption to critical national infrastructure within any G20 member country, regardless of the intended target. For the purposes of this question, critical national infrastructure includes: 

• Energy systems (electricity grids, power plants, oil and gas facilities) 
• Water and wastewater systems
• Transportation systems (air traffic control, rail systems, ports), 
• Telecommunications networks, 
• Financial services infrastructure
• Healthcare facilities and systems
• Government services and networks
• Food and agriculture systems
• Chemical facilities
• Nuclear facilities
• Emergency services
• Industrial control systems supporting any of the above sectors.

Examples of measurable disruption include, but are not limited to:

• Service outages affecting consumers or operations for at least 2 hours
• Forced shutdown of systems or facilities
• Confirmed unauthorized access to operational technology or industrial control systems that disrupts operations
• Data theft affecting operations or services
• Financial losses exceeding $1 million USD
• Impacts requiring emergency response measures

• Cyber attacks using traditional methods without substantial AI involvement
• Attacks attributed solely to non-state actors, cybercriminal groups, or hacktivists without demonstrated state ties (even if they use AI)
• Attacks impacting critical infrastructure outside G20 countries
• Attempted attacks that were blocked or prevented before causing disruption
• Disruptions lasting less than 2 hours unless they meet other significance thresholds listed above
• Attacks causing only reputational damage, data breaches without operational disruption, or minor inconveniences