# The Expanding Partnership Between Cybercriminals and Nation-State Hackers
## Introduction
Cyber threat actors have traditionally been sorted into two main categories: those who carry out attacks for monetary gain, such as ransomware collectives, and those who conduct cyber espionage on behalf of nation-states. Recent findings, however, indicate growing collaboration between these factions, blurring the distinction between financially motivated cybercrime and state-sponsored hacking.
A recent analysis from Mandiant, a security firm owned by Google, reveals that this partnership is becoming increasingly evident as state actors aim to disguise their espionage efforts as financially driven cyberattacks. Furthermore, acquiring malware and hacking tools from cybercriminals often proves to be more economical for state-affiliated groups than creating them internally.
## The Growth of Cybercrime Specialization
Contemporary cybercriminals frequently focus on specific niches, such as malware creation, credential theft, or ransomware delivery. This specialization enables state-backed entities to procure cybercrime tools and services from illegal marketplaces, facilitating their integration into financially motivated initiatives.
Mandiant experts have noticed a rise in malware exchanges between cybercriminal organizations and government entities from Russia, China, and Iran. Some notable instances include:
– **Russia:** The Russian hacking collective APT44 has utilized various types of crimeware, including DarkCrystalRat, WarZone, and RadThief. They have also exploited bulletproof hosting services intended to shield cybercriminals from law enforcement actions.
– **Iran:** The Iranian state actor UNC5203 has also been detected employing the RadThief malware, indicating the sharing of hacking tools across groups.
– **China:** An espionage faction from China, UNC2286, has been seen using the SteamTrain ransomware in conjunction with a ransom note from DarkSide, a prominent ransomware entity.
## Espionage Tools Employed in Ransomware Incidents
While state-affiliated hackers have started to utilize cybercriminal tools for espionage, a reciprocal trend is emerging. Cybercriminals are increasingly adopting tools that were previously linked to nation-state espionage efforts.
For instance, researchers at Symantec recently disclosed that the RA World ransomware group had deployed a toolset that was formerly associated with a Chinese espionage collective known as Fireant (also referred to as Mustang Panda or Earth Preta). This toolset, a variant of the PlugX backdoor, had been previously utilized in espionage attacks aimed at governmental bodies in Europe and Southeast Asia.
The use of espionage tools in ransomware incidents raises several questions. Symantec researchers have proposed a number of theories:
1. **Monetary Incentives:** The attacker might have been attempting to generate additional income using resources from their employer, a state-sponsored hacking group.
2. **Concealment Strategy:** The ransomware operation might have been used to mask an espionage effort. However, the attack was carried out in a way that failed to effectively obscure the tools used, which makes this theory less likely.
3. **Combined Motive Operations:** Certain factions may be involved in both espionage and financially driven attacks, aiming to enhance their overall impact.
## The Rise of Dual Motive Groups
Mandiant researchers have pinpointed what they label “Dual Motive” groups—threat actors who chase both financial and espionage objectives. These factions might utilize state-sponsored malware for cybercrime or exploit ransomware to finance their activities.
This development is particularly alarming because it complicates attribution for cybersecurity experts and law enforcement. If a cyber incident appears to be financially motivated, investigators might miss underlying espionage goals.
## Conclusion
The escalating collaboration between cybercriminals and nation-state hackers marks a substantial transformation in the cyber threat environment. As financially driven hackers and espionage groups interchange tools, infrastructure, and knowledge, cyberattacks are evolving in sophistication and becoming increasingly challenging to attribute.
Organizations must maintain a proactive stance, implementing comprehensive cybersecurity protocols to defend against both financially motivated cybercrime and state-sponsored threats. Additionally, international collaboration among governments and cybersecurity entities will be crucial in tackling this advancing challenge.
As the boundaries between financial crime and espionage continue to blur, businesses, governments, and individuals must stay informed and proactive in their defense against these emerging threats.