Lines Between Nation-State and Cybercrime Groups Disappearing: Google
Financially motivated threat groups traditionally have been viewed through a different lens by defenders than adversarial nation-state actors, but the lines between the two have blurred to the point of essentially being erased, and they can no longer be treated as separate, according to threat researchers with Google.
In a report released this week just as the 61st international Munich Security Conference is about to get underway, researchers from Google’s Threat Intelligence Group noted that last year, analysts with the IT giant’s Mandiant group responded to almost four times more intrusions run by cybercrime actors than those by state-backed groups.
“Despite this overwhelming volume, cybercrime receives much less attention from national security practitioners than the threat from state-backed groups,” the researchers wrote. “While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions.”
In recent years, U.S. adversaries like Russia, China, Iran, and North Korea have leaned increasingly hard on financially motivated criminal actors and their tools to run attacks on entities and critical infrastructure of the United States and its allies, they wrote. It also shouldn’t be forgotten that even one-off financially motivated attacks can have national security consequences, they added.
Cybercrime Fueling State-Backed Attacks
“The vast cybercriminal ecosystem has acted as an accelerant for state-sponsored hacking, providing malware, vulnerabilities, and in some cases full-spectrum operations to states,” said Ben Read, senior manager at Google Threat Intelligence Group, which includes the Mandiant Intelligence and Threat Analysis Group teams. “These capabilities can be cheaper and more deniable than those developed directly by a state.”
Read added that “these threats have been looked at as distinct for too long, but the reality is that combating cybercrime will help defend against state-backed attacks.”
Google isn’t the only tech firm to see the lines blurring. In a report last month, Tomer Shloman, a security researcher for threat detection and response vendor Trellix, noted the disappearing distinction between nation-state actors – those aiming for long-term geopolitical advantages via cyber-espionage and intelligence operations – and cybercriminals looking for financial gain by exploiting security flaws for extortion, threats, and fraud.
“However, recent evidence suggests an unsettling convergence of tactics, techniques, and even objectives, making it challenging to distinguish between them,” Shloman wrote. “This convergence not only complicates attribution efforts but also raises critical questions about the evolving nature of cyber threats and the implications for global security.”
Cybercrime Also a National Security Threat
In their report, the Google researchers noted that an attack by a nation-state group can have detrimental effects similar to those of attacks launched by financially motivated actors.
“A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care,” they wrote. “Likewise, sensitive data stolen from an organization and posted on a data leak site can be exploited by an adversary in the same way data exfiltrated in an espionage operation can be.”
Given that, “the impact of these attacks means that they must be taken seriously as a national security threat, no matter the motivation of the actors behind them,” they added.
Russia-Ukraine War Heightens Trend
While nation-states have leveraged cybercriminals and their tools for years, the trend has accelerated since Russia launched its ongoing invasion of neighboring Ukraine in 2022, illustrating that at times of heightened need, financially motivated groups can be enlisted to serve a state’s objectives.
Nation-states can buy cyber capabilities from cybercrime groups or via underground marketplaces. Cybercriminals tend to specialize in certain areas and partner with others who have different skills, and that specialization opens opportunities for state-backed actors to become customers, buying malware and other tools from criminals.
“Purchasing malware, credentials, or other key resources from illicit forums can be cheaper for state-backed groups than developing them in-house, while also providing some ability to blend in to financially motivated operations and attract less notice,” the researchers wrote.
The researchers pointed to groups like APT44 – also known as Sandworm – which serves as a unit of the GRU, Russia’s military intelligence agency, and has used malware from criminal communities to run espionage and disruptive operations in Ukraine. CIGAR – aka RomCom – is a cybercrime group that has run espionage operations against Ukraine’s government on Russia’s behalf.
Not Only Russia
“However, this is not limited to Russia,” they wrote. “Iranian threat groups deploy ransomware to raise funds while simultaneously conducting espionage, and Chinese espionage groups often supplement their income with cybercrime. Most notably, North Korea uses state-backed groups to directly generate revenue for the regime. North Korea has heavily targeted cryptocurrencies, compromising exchanges and individual victims’ crypto wallets.”
The Google report also discussed hybrid groups that may be focused on state-sponsored operations like espionage but are also allowed to run financially motivated campaigns to supplement their income and offset the costs borne by the governments backing them.
Action Is Needed
Google’s analysts said policy makers need to recognize the national security threat that financially motivated groups represent and respond accordingly with new and stronger approaches that include international cooperation. They noted the resilience of the cybercrime ecosystem, pointing to the only temporary impact of takedowns of ransomware-as-a-service (RaaS) operations, after which other groups are ready to step up and fill the void.
Along with elevating cybercrime to a national security priority, policy makers need to promote the use of strong cybersecurity measures across the spectrum – particularly in critical infrastructure – use targeted efforts to disrupt criminal operations, enhance international cooperation, and educate the public about cyberthreats.
Policy makers also should push strong security measures in the private sector, they wrote.