Cybercrime: A Multifaceted Threat to National Security


In today's interconnected world, cybercrime has emerged as a significant and multifaceted threat to national security, demanding attention and resources on par with traditional state-sponsored espionage and military aggression. While state-backed hacking is rightly considered a severe risk, it should not be evaluated in isolation from financially motivated intrusions. Cybercrime, predominantly driven by financial incentives, represents a pervasive and relentless danger that can have far-reaching consequences for individuals, organizations, and entire nations.

The Sheer Volume and Impact of Cybercrime

The statistics surrounding cybercrime paint a stark picture of its prevalence and impact. According to the Google Threat Intelligence Group (GTIG), cybercrime constitutes a majority of the malicious activity online and occupies the majority of defenders' resources. In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions. This overwhelming volume highlights the ubiquitous nature of cybercrime and the immense strain it places on cybersecurity professionals.

A single financially motivated operation can have severe effects. Cybercrime, particularly ransomware, poses a serious threat to critical infrastructure. Attacks on energy infrastructure, such as the 2021 Colonial Pipeline attack, a 2022 incident at the Amsterdam-Rotterdam-Antwerp refining hub, and the 2023 attack on Petro-Canada, have disrupted citizens' ability to access vital goods. While the impacts in these cases were temporary and recoverable, a ransomware attack during a weather emergency or other acute situation could have devastating consequences.

Cybercrime: A Multifaceted National Security Threat | Google Cloud Blog
Google Threat Intelligence Group discusses the current state of cybercrime, and why it must be considered a national security threat.

Cybercrime's Impact on Healthcare

Beyond energy, ransomware attacks on the healthcare sector have had the most severe consequences for everyday people. The healthcare industry, especially hospitals, almost certainly continues to be a lucrative target for ransomware operators given the sensitivity of patient data and the criticality of the services they provide. Since 2022, GTIG has observed a notable increase in the number of data leak site (DLS) victims from within the hospital subsector. Data leak sites, which are used to release victim data following data theft extortion incidents, are intended to pressure victims into paying a ransom demand or to give threat actors additional leverage during ransom negotiations. In July 2024, the Qilin (aka "AGENDA") DLS announced upcoming attacks targeting US healthcare organizations, following through with attacks on a regional medical center and multiple healthcare and dental clinics. In March 2024, the RAMP forum actor "badbone," associated with INC ransomware, sought illicit access to Dutch and French medical, government, and educational organizations, offering to pay 2–5% more for hospitals, particularly those with emergency services.

Studies have shown that the disruptions from ransomware attacks go beyond inconvenience and have led to life-threatening consequences for patients. A study from the University of Minnesota - Twin Cities School of Public Health showed that among patients already admitted to a hospital when a ransomware attack takes place, "in-hospital mortality increases by 35–41%". Public reporting stated that a June 2024 ransomware incident at a contractor for the UK National Health Service led to multiple cases of "long-term or permanent impact on physical, mental or social function or shortening of life-expectancy," along with more numerous cases of less severe effects.

Ransomware operators are aware that their attacks on hospitals will have severe consequences and will likely increase government attention on them. Leaked private communications broadly referred to as the "ContiLeaks" reveal that the actors expected their plan to target the US healthcare system in the fall of 2020 to cause alarm, with one actor stating "there will be panic".

Economic Consequences and Data Leaks

The economic disruption caused by cybercrime is substantial. On May 8, 2022, Costa Rican President Rodrigo Chaves declared a national emergency caused by CONTI ransomware attacks against several Costa Rican government agencies. These intrusions caused widespread disruptions in government medical, tax, pension, and customs systems. With imports and exports halted, ports were overwhelmed, and the country reportedly experienced millions of dollars in losses. In just one example, a US healthcare organization reported $872 million USD in "unfavorable cyberattack effects" after a disruptive incident. In the most extreme cases, these costs can contribute to organizations ceasing operations or declaring bankruptcy. The US Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) has indicated that between October 2013 and December 2023, business email compromise (BEC) operations alone led to $55 billion USD in losses. The cumulative effect of these cybercrime incidents can have an impact on a country's economic competitiveness.


In addition to deploying ransomware, criminal groups have added the threat of leaking data stolen from victims to bolster their extortion operations. This tactic has increased the volume of sensitive data being posted by criminals and created an opportunity for it to be obtained and exploited by state intelligence agencies. The number of data leak sites has proliferated, with the number of sites tracked by GTIG almost doubling since 2022. Leaks of confidential business and personal information by extortion groups can cause embarrassment and legal consequences for the affected organization, but they also pose national security threats. If a company's confidential intellectual property is leaked, it can undermine the firm's competitive position in the market and undermine the host country's economic competitiveness. The wide-scale leaking of personally identifiable information (PII) also creates an opportunity for foreign governments to collect this information to facilitate surveillance and tracking of a country's citizens.

The Intersection of Cybercrime and State Activity

Since the earliest computer network intrusions, financially motivated actors have conducted operations for the benefit of hostile governments. The heightened level of cyber activity following Russia's war in Ukraine has shown that, in times of heightened need, the latent talent pool of cybercriminals can be paid or coerced to support state goals. Operations carried out in support of the state, but by criminal actors, have numerous benefits for their sponsors, including a lower cost and increased deniability. As the volume of financially motivated activity increases, the potential danger it presents does as well.


Modern cybercriminals are likely to specialize in a particular area of cybercrime and partner with other entities with different specializations to conduct operations. This specialization of cybercrime capabilities presents an opportunity for state-backed groups to simply show up as one more customer of a group that normally sells to other criminals. Purchasing malware, credentials, or other key resources from illicit forums can be cheaper for state-backed groups than developing them in-house, while also providing some ability to blend into financially motivated operations and attract less notice.

Google assesses that resource constraints and operational demands have contributed to Russian cyber espionage groups' increasing use of free or publicly available malware and tooling, including those commonly employed by criminal actors to conduct their operations. Following Russia's full-scale invasion of Ukraine, GTIG has observed groups suspected to be affiliated with Russian military intelligence services adopt this type of "low-equity" approach to managing their arsenal of malware, utilities, and infrastructure. The tools procured from financially motivated actors are more widespread and lower cost than those developed by the government. This means that if an operation using this malware is discovered, the cost of developing a new tool will not be borne by the intelligence agency; additionally, the use of such tools may assist in complicating attribution efforts. Notably, multiple threat clusters with links to Russian military intelligence have leveraged disruptive malware adapted from existing ransomware variants to target Ukrainian entities.


APT44, a threat group sponsored by Russian military intelligence, almost certainly relies on a diverse set of Russian companies and criminal marketplaces to source and sustain its more frequently operated offensive capabilities. Since Russia's full-scale invasion of Ukraine, APT44 has increased its use of such tooling, including malware such as DARKCRYSTALRAT (DCRAT), WARZONE, and RADTHIEF ("Rhadamanthys Stealer"), and bulletproof hosting infrastructure. APT44 campaigns in 2022 and 2023 deployed RADTHIEF against victims in Ukraine and Poland. In one campaign, spear-phishing emails targeted a Ukrainian drone manufacturer and leveraged SMOKELOADER, a publicly available downloader popularized in a Russian-language underground forum, to load RADTHIEF. In October 2022, a cluster assessed with moderate confidence to be APT44 deployed PRESSTEA (aka Prestige) ransomware against logistics entities in Poland and Ukraine, a rare instance in which APT44 deployed disruptive capabilities against a NATO country. In June 2017, the group conducted an attack leveraging ETERNALPETYA (aka NotPetya), a wiper disguised as ransomware, timed to coincide with Ukraine's Constitution Day marking its independence from Russia.

UNC2589, a threat cluster whose activity has been publicly attributed to the Russian General Staff Main Intelligence Directorate (GRU)'s 161st Specialist Training Center (Unit 29155), has conducted full-spectrum cyber operations, including destructive attacks, against Ukraine. The actor is known to rely on non-military elements including cybercriminals and private-sector organizations to enable their operations, and GTIG has observed the use of a variety of malware-as-a-service tools that are prominently sold in Russian-speaking cybercrime communities. In January 2022, a month prior to the invasion, UNC2589 deployed PAYWIPE (also known as WHISPERGATE) and SHADYLOOK wipers against Ukrainian government entities in what may have been a preliminary strike.

In September 2022, GTIG identified an operation leveraging a legacy ANDROMEDA infection to gain initial access to selective targets conducted by Turla, a cyber espionage group assessed to be sponsored by Russia's Federal Security Service (FSB). In late 2021, GTIG reported on a campaign conducted by APT29, a threat group assessed to be sponsored by the Russian Foreign Intelligence Service (SVR), in which operators used credentials likely procured from an infostealer malware campaign conducted by a third-party actor to gain initial access to European entities.

While Russia is the country that has most frequently been identified drawing on resources from criminal forums, they are not the only ones. For instance, in May 2024, GTIG identified a suspected Iranian group, UNC5203, using the aforementioned RADTHIEF backdoor in an operation using themes associated with the Israeli nuclear research industry. In multiple investigations, the Chinese espionage operator UNC2286 was observed ostensibly carrying out extortion operations, including using STEAMTRAIN ransomware, possibly to mask its activities.

In addition to purchasing tools for state-backed intrusion groups to use, countries can directly hire or co-opt financially motivated attackers to conduct espionage and attack missions on behalf of the state. Russian intelligence services have increasingly leveraged pre-existing or new relationships with cybercriminal groups to advance national objectives and augment intelligence collection.

CIGAR is a dual financial and espionage-motivated threat group. Active since at least 2019, the group historically conducted financially motivated operations before expanding into espionage activity that GTIG judges fulfills espionage requirements in support of Russian national interests following the start of Russia's full-scale invasion of Ukraine. Targeted intrusion activity from CIGAR dates back to late 2022, targeting Ukrainian military and government entities. CIGAR activity in 2023 and 2024 included the leveraging of zero-day vulnerabilities to conduct intrusion activity. At the outset of Russia's full-scale invasion of Ukraine, the CONTI ransomware group publicly announced its support for the Russian government.

Another form of financially motivated activity supporting state goals comes from groups whose main mission may be state-sponsored espionage but which are, either tacitly or explicitly, allowed to conduct financially motivated operations to supplement their income. APT41 is a prolific cyber operator working out of the People's Republic of China, most likely a contractor for the Ministry of State Security, with a long history of conducting financially motivated operations. Over the past several years, GTIG has observed Iranian espionage groups conducting ransomware operations and disruptive hack-and-leak operations.


Financially motivated operations are broadly prevalent among threat actors linked to the Democratic People's Republic of Korea (DPRK). These include groups focused on generating revenue for the regime as well as those that use the illicit funds to support their intelligence-gathering efforts. A March 2024 United Nations (UN) report estimated North Korean cryptocurrency theft between 2017 and 2023 at approximately $3 billion. APT38 was responsible for the attempted theft of vast sums of money from institutions worldwide, including via compromises targeting SWIFT systems.

A Comprehensive Approach

Tackling this challenge will require a new and stronger approach recognizing the cybercriminal threat as a national security priority requiring international cooperation. The structure of the cybercrime ecosystem makes it particularly resilient to takedowns. Financially motivated actors tend to specialize in a single facet of cybercrime and regularly work with others to accomplish bigger schemes.

If a single ransomware-as-a-service provider is taken down, many others are already in place to fill in the gap that has been created. This resilient ecosystem means that while individual takedowns can disrupt particular operations and create temporary inconveniences for cybercriminals, these methods need to be paired with wide-ranging efforts to improve defense and crack down on these criminals' ability to carry out their operations.


GTIG urges policymakers to consider several steps:

  • Demonstrably elevate cybercrime as a national security priority: Governments must recognize cybercrime as a pernicious national security threat and allocate resources accordingly.
  • Strengthen cybersecurity defenses: Policymakers should promote the adoption of robust cybersecurity measures across all sectors, particularly critical infrastructure.
  • Disrupt the cybercrime ecosystem: Targeted efforts are needed to disrupt the cybercrime ecosystem by targeting key enablers such as malware developers, bulletproof hosting providers, and financial intermediaries such as cryptocurrency exchanges.
  • Enhance international cooperation: Cybercrime transcends national borders, necessitating strong international collaboration to effectively combat this threat.
  • Empower individuals and businesses: Raising awareness about cyber threats and promoting cybersecurity education is crucial to building a resilient society.
  • Elevate strong private sector security practices: Ransomware and other forms of cybercrime predominantly exploit insecure, often legacy technology architectures.

By addressing these key areas, policymakers can take meaningful steps toward mitigating the threat of cybercrime and safeguarding national security.
