Cybercrime Threatens National Security, Google Threat Intel Team Says


It is no longer realistic to treat cybercriminals and state-backed cyber adversaries as separate threats – the personnel, tools, and effects are often indistinguishable.

On the eve of the 61st international Munich Security Conference, the Google Threat Intelligence Group (GTIG) argues that financially motivated cybercriminal activity should be treated as a threat to national security requiring coordinated international cooperation.

Cyber threats are traditionally classified as either financially motivated criminality or state-backed, politically motivated intrusions. While state-backed cyberattacks often receive more media attention, and perhaps more intelligence scrutiny, financially motivated crime is more common (in 2024, Mandiant responded to almost four times more financial than state-backed attacks).

Both sets of attackers are criminals, but there is no clear-cut distinction between them, since adversarial nations can and do co-opt criminals for state activity, and can and do purchase criminal capabilities to further their political aims. Similarly, Iran and North Korea have used state-backed operatives to conduct financially motivated crimes to finance their regimes.

Sandworm (APT44) is a good example of the intermingling of state actors and criminal tools. While linked to the GRU (a Russian military intelligence unit), APT44 has employed malware available from cybercrime communities to conduct espionage and disruptive operations in Ukraine.

While the average victim organization need make little distinction between attacker motivations within its own defensive posture, GTIG now argues that at a national level the general cybercriminal threat should be treated as a national security threat on a par with state-backed hacking groups. But since cybercrime is international in its make-up, tackling this threat will require international cooperation.

Adversarial states take advantage of the large pool of cybercriminals and their tools. Doing so increases their manpower, lowers their costs, and – crucially – provides plausible deniability of state involvement. This plausible deniability is essential to avoid triggering an all-out cyberwar. 

[Figure: Russian state leverages malware, tools and manpower from crime marketplaces]

When Russia was accused of hacking the DNC in 2016, Putin said it wasn’t the Russian state. Pointing a finger at cybercriminals, he said, “We definitely don’t do such things at a state level.” Twelve Russian intelligence officers were later indicted by a US grand jury.


Adversarial nations have historically avoided triggering full-scale cyberwar for fear that it might in turn trigger a kinetic conflict. But where a kinetic conflict already exists, the importance of deniability decreases. GTIG believes APT44 was responsible for delivering the Prestige ransomware against logistics entities in Poland and Ukraine in October 2022 in “a rare instance in which APT44 deployed disruptive capabilities against a NATO country.”

As global geopolitical tensions increase, the importance and validity of distinguishing between state-backed and ‘simple’ criminality decrease.

This intermingling of cybercriminal people and tools with state-backed operations is not limited to Russia: both Iran and China have done the same. Nor is it new. As long ago as 1986, the KGB employed a West German hacker named Markus Hess to compromise and steal data from military and industrial computers in the US, Europe, and East Asia – most notably via the Lawrence Berkeley National Laboratory.

The difference now is the scale of the practice and the damage that can be caused. Criminal ransomware with no working decryption is little different from a state-backed wiper.

Part of hybrid warfare is to damage the morale and well-being of the people of the target nation. This is obviously part of the remit of state-backed groups – GTIG argues that criminal groups can have a similar effect through ransomware. Attacks against healthcare and utilities can cause widespread problems affecting ordinary people. 

Criminals are aware of this, as confirmed in the Conti Leaks. The actors involved in the planned 2020 attacks against US healthcare knew they would cause public alarm, with one actor writing ‘there will be panic’. The more critical the service, the more attractive the target. Potential public ‘panic’, as demanded by state-backed hybrid warfare, is now inseparable from financially motivated criminal ransomware.

In the UK, it was reported that a June 2024 ransomware attack on an NHS contractor led to multiple cases of “long-term or permanent impact on physical, mental or social function or shortening of life-expectancy.”

In 2022, again involving Conti, ransomware attacks against Costa Rican government agencies caused sufficient disruption to the nation for the president to declare a national emergency.

The distinction between state-backed operators and simple criminals cannot be measured by the effect of the attack. Nor indeed can it be measured by the motivation for the attack – and North Korea is a prime example. NK’s cyberattacks perform the usual state purpose of cyber espionage and technology IP theft, but also engage in widespread financially motivated cryptocurrency theft to support the national government.

Put simply, cybercrime (a criminal threat) should not be treated in isolation from state-backed cyber activity (a national security political threat) because the manpower, tooling, motivations, and effects are impossible to separate. Cybercrime is now a national security issue.

“We believe tackling this challenge will require a new and stronger approach that recognizes the cybercriminal threat as a national security priority requiring international cooperation,” says GTIG. “More must – and can – be done.”

Government takedowns of ransomware groups are useful but provide only temporary relief for the attacked and a temporary inconvenience for the attacker. The cybercrime ecosystem is resilient, international and quickly recovers from individual takedowns. While these should continue, GTIG recommends that policymakers take additional steps.

These steps should include elevating cybercrime as a national security priority; that is, prioritizing intelligence collection and analysis on cybercriminal organizations, and enhancing law enforcement capacity to investigate and prosecute cybercrime.

Strengthening cybersecurity defenses by incentivizing best practices and investing in research and development of new security technologies that can improve resilience.

Disrupting the cybercrime ecosystem by targeting the key enablers such as malware developers, bulletproof hosting providers, and financial intermediaries (including cryptocurrency exchanges). In short, “to dismantle the infrastructure that supports cybercriminal operations.”

Enhancing international cooperation by prioritizing “the development of international frameworks for information sharing, joint investigations, and coordinated takedowns of cybercriminal networks.”

Empowering individuals and businesses through cybersecurity awareness and education, and enabling service providers to act against cybercriminals through legislation. This should also include resources for reporting and recovering from cyberattacks.

Elevating strong private sector security practices by encouraging the adoption of proven technologies and discouraging overreliance on a single technology.

The one explicit recommendation GTIG does not make is government backdoors into end-to-end encrypted messaging. This would undoubtedly help governments in fighting cybercrime through increased access to intelligence; but it is a political and social hot potato. It may be implied in GTIG’s existing recommendations – or it may simply be that GTIG believes that weakening encrypted messaging will help the criminals as much as it will help the authorities.
