Sat. Mar 22nd, 2025

Christina Antonelli

Connecting the World, Technology in Time

Cybercrime Services Underpin National Security Risk

Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Ransomware

Russia, China, Iran and North Korea Tapping Cybercrime Services, Google Says

Experts say the tactics, techniques and procedures of cybercriminal and nation-state groups increasingly overlap, posing national security threats. (Image: Shutterstock)

The cybercrime-as-a-service economy continues to power ransomware and other criminal enterprises, as well as nation-state attacks, collectively posing a clear and present danger to the West’s national security, experts warn.



Google’s Mandiant incident response group in a new report says that in 2024, it helped organizations respond to nearly four times as many intrusions traced back to financially motivated groups, versus cyber operations tied to nation-state actors.


Regardless of the underlying motivation, experts see the tactics, techniques and procedures involved increasingly overlapping, perhaps by design.


“The vast cybercriminal ecosystem has acted as an accelerant for state-sponsored hacking, providing malware, vulnerabilities and in some cases full-spectrum operations to states,” said Ben Read, a senior manager at the Google Threat Intelligence Group. “These capabilities can be cheaper and more deniable than those developed directly by a state. These threats have been looked at as distinct for too long, but the reality is that combatting cybercrime will help defend against state-backed attacks.”


From a geopolitical standpoint, the damage and disruption caused by attacks that are ostensibly financially motivated can often be the same as if they were ordered by an adversary’s head of state.


“A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care,” Google’s report says. “Likewise, sensitive data stolen from an organization and posted on a data leak site can be exploited by an adversary in the same way data exfiltrated in an espionage operation can be.”


At a geopolitical level, the extent to which adversaries do this by design, versus tolerating it as a useful outcome, remains an open question. What is clear is that “the distinction between nation-state actors and organized cybercriminals is becoming increasingly blurred in our rapidly evolving cyber landscape,” said Tomer Shloman, a security researcher at Trellix, in a recent report.


“Historically, these groups had distinct motivations: nation-states sought to achieve long-term geopolitical advantages through espionage and intelligence operations, while cybercriminals focused on financial gain, exploiting vulnerabilities for extortion, theft and fraud,” he said.


Today, when looking at Russia, China, Iran or North Korea, government and criminal efforts increasingly appear to commingle, he said.


Some of this appears to have to do with governments tapping domestic hacking talent. Russia has long had a reputation for tolerating cybercriminals, provided they only targeted adversaries and did favors on demand for security and intelligence services. Likewise, China appears to have been outsourcing significant hacking efforts to private hacking-for-hire firms.


More recently, numerous governments – or private hackers working on their behalf – appear to themselves be relying to a greater extent on commercial hacking tools and infrastructure.


That has clear implications for cyber defenders, and serves as a reminder that robust cyber hygiene helps battle not just nation-state hackers, but also criminals, hacktivists, teenagers or anyone else who might be attempting to hack their network.


Taking this perspective isn’t new. Recasting cybercrime as a national security threat that demands a whole-of-government response was a clear goal – and arguably, outcome – of the public/private Ransomware Task Force, which in 2021 issued pioneering guidance for combating such attacks.


These recommendations comprised a number of areas, covering such domains as diplomacy, cyber defense, business resilience, cryptocurrency and law enforcement, reflecting the national security threat ransomware continues to pose.


The task force issued its recommendations just weeks before the devastating disruption caused by the mid-2021 attack on Colonial Pipeline, which disrupted fuel supplies across the U.S. East Coast and led then-President Biden to publicly chastise Russian President Vladimir Putin for allowing criminality to flourish inside Russia’s borders.


Policymakers have continued to recast cybercrime as a threat not just to businesses and critical sectors, but broader national security.


On Tuesday, the U.S., U.K. and Australian governments jointly sanctioned Russian bulletproof hosting service Zservers, which they said had supported, in part, ransomware attacks launched by LockBit.


Services such as Zservers are part of an “illicit supply chain” that helps ransomware groups in particular continue to flourish, by helping them “to launch attacks, extort victims and store stolen data,” the U.K. government said.


“Putin has built a corrupt mafia state driven by greed and ruthlessness,” said British Foreign Secretary David Lammy. “It is no surprise that the most unscrupulous extortionists and cybercriminals run rampant from within his borders.”


Russian intelligence services are reportedly themselves users of such tools and services. “Russia has drawn on criminal capabilities to fuel the cyber support to their war in Ukraine,” Google’s Threat Intelligence Group said. Examples it cited include the Russian military intelligence group tracked as Sandworm, aka APT44, employing commercial hacking tools for cyber espionage and disruptive operations, as well as Moscow tapping the typically cybercrime-focused RomCom group to run cyber espionage operations against Ukraine.


Russia isn’t the only country accused of failing to firewall government and criminal hacking.


“Iranian threat groups deploy ransomware to raise funds while simultaneously conducting espionage, and Chinese espionage groups often supplement their income with cybercrime,” Google’s Threat Intelligence Group said. “Most notably, North Korea uses state-backed groups to directly generate revenue for the regime. North Korea has heavily targeted cryptocurrencies, compromising exchanges and individual victims’ crypto wallets.”


More urgent action is needed by governments to combat these threats, and Google recommends focusing on new ways to disrupt cybercrime. “Cybercrime has unquestionably become a critical national security threat to countries around the world,” said Sandra Joyce, head of Google Threat Intelligence. “We can’t treat this like a nuisance and we will have to work harder to make meaningful impacts.”

