Google: Cyber crime meshes with cyber warfare as states enlist gangs

Cyber crime has evolved to become a threat to the security of western states, according to a threat intelligence report from Google, published on the eve of the 2025 Munich Security Conference.

This coming weekend marks the 61st edition of the Atlanticist conference, which was inaugurated in 1963 to facilitate collaboration between West Germany and the US, as well as other Nato countries.

The Google Threat Intelligence Group’s report, Cyber crime: A multifaceted national security threat, says western policymakers should be taking cyber criminality just as seriously as operations conducted by nation states.

Ben Read, a senior manager at the group, said: “The vast cyber criminal ecosystem has acted as an accelerant for state-sponsored hacking, providing malware, vulnerabilities, and in some cases full-spectrum operations to states. These capabilities can be cheaper and more deniable than those developed directly by a state. These threats have been looked at as distinct for too long, but the reality is that combating cyber crime will help defend against state-backed attacks.”

The report looks at how nation states hostile to the North Atlantic countries, such as Russia, China, Iran and North Korea, are increasingly co-opting cyber criminal groups to forward their geopolitical and economic ambitions. It also looks at the deep societal impact of cyber crime, from economic destabilisation to its toll on critical infrastructure, including healthcare.

Healthcare’s share of posts on data leak sites has doubled over the past three years, according to the report. One example it gives is how, in March 2024, the Russian Anonymous Marketplace (RAMP) forum actor “badbone”, who has been associated with the INC ransomware gang, sought illicit access to Dutch and French medical, government and educational organisations, stating that they were willing to pay 2-5% more for hospitals, particularly those with emergency services.

The report sheds light on how what it calls the “Big Four” – Russia, China, Iran and North Korea – have used cyber crime, including ransomware usage, to enable espionage.

It states that Russia has mobilised its cyber criminals to spy and mount disruptive operations in support of the war with Ukraine. It says GRU-linked APT44 (aka Sandworm), a unit of Russian military intelligence, has employed malware available from cyber crime communities to conduct espionage and disruptive operations in Ukraine.

Another example the report gives is “UNC2589”, a “threat cluster” whose activity has been publicly attributed to the Russian General Staff Main Intelligence Directorate (GRU)’s 161st Specialist Training Center (Unit 29155). This, says the report, has conducted full-spectrum cyber operations, including destructive attacks, against Ukraine.

And Russian group CIGAR (aka RomCom), a group that has focused on cyber crime, has conducted espionage operations against the Ukrainian government since 2022, according to the report.

The report’s authors say CIGAR’s expansion from cyber crime into espionage activity likely supporting Russian state objectives began in October 2022, when it conducted a phishing campaign targeting Ukrainian military-related entities. CIGAR continued, says the report, to conduct intrusion activity targeting primarily Ukraine and Europe through 2023 and 2024, including campaigns leveraging zero-days in Microsoft Word, Firefox and Windows.

The report says China augments its spying operations by using advanced persistent threat groups like APT41 to mix ransomware deployment with intelligence collection. “Deliberately mixing ransomware activities with espionage intrusions supports the Chinese government’s public efforts to confound attribution by conflating cyber espionage activity and ransomware operations.”

APT41 is said to work from China and is “most likely a contractor for the Ministry of State Security”. In addition to state-sponsored espionage campaigns against a wide array of industries, APT41 is said to have a long history of conducting financially motivated operations. The group’s cyber crime activity has mostly focused on the video game sector, including ransomware deployment.

The report also suggests that Iran’s economic difficulties could be behind ransomware and hack-and-leak operations by cyber criminals.

The report highlights what it characterises as a North Korean regime policy of stealing cryptocurrency to fund missile development and nuclear programmes, as well as everyday operational costs.

It contends that the effects of cyber crime extend beyond stolen money or data breaches. These “erode public trust, destabilise essential services, and, in the most severe cases, cost lives”, say the authors. They maintain that the growing convergence of cyber crime and state-sponsored hacking requires robust action on par with the threat posed by nation-state adversaries.

The report’s authors argue: “The collaborative nature of cyber crime means that a disrupted group will be quickly replaced by others offering the same service. Achieving broader success will require collaboration between countries and public and private sectors on systemic solutions such as increasing education and resilience efforts.”

Sandra Joyce, vice-president of the Google Threat Intelligence Group, said: “Cyber crime has unquestionably become a critical national security threat to countries around the world. The marketplace at the centre of the cyber crime ecosystem has made every actor easily replaceable and the whole problem resilient to disruption. Unfortunately, many of our actions have amounted to temporary inconveniences for these criminals, but we can’t treat this like a nuisance and we will have to work harder to make meaningful impacts.”

The group advocates that governments elevate cyber crime as a national security priority and emulate private sector best security practices. “Ransomware and other forms of cyber crime predominantly exploit insecure, often legacy technology architectures.”
