Cybercriminals, Nation-State Actors Now Indistinguishable: Google

Financially motivated cybercriminal groups and nation-state actors are increasingly indistinguishable, according to the Cybercrime: A Multifaceted National Security Threat report from Google’s Threat Intelligence Group. The report, released ahead of the 61st Munich Security Conference, highlights a nearly fourfold increase in cyber intrusions by financially motivated actors compared to those by state-sponsored groups.

“Despite this overwhelming volume, cybercrime receives much less attention from national security practitioners than the threat from state-backed groups,” reads the report. “While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions.”

The convergence of cybercriminal and nation-state activities has accelerated in recent years, with adversaries such as Russia, China, Iran, and North Korea increasingly relying on criminal actors to facilitate cyber operations. This reliance extends beyond simple collaboration, as cybercriminals provide malware, vulnerabilities, and full-spectrum operations to state actors, offering them cost-effective and deniable capabilities.

Ben Read, Senior Manager, Google Threat Intelligence Group, says that addressing cybercrime will contribute to defending against state-sponsored attacks. “These threats have been looked at as distinct for too long, but the reality is that combating cybercrime will help defend against state-backed attacks.” 

Blurring Lines Between Cybercrime and State-Sponsored Operations

Other cybersecurity researchers have also observed this trend. Tomer Shloman, Security Researcher, Tellix, reports an increasing overlap in tactics, techniques, and objectives between cybercriminal groups and nation-state actors. “This convergence complicates attribution and defense efforts, as these groups share resources, tactics, and objectives. The use of AI by both attackers and defenders is also reshaping the cyber threat landscape, introducing new challenges and opportunities,” writes Shloman.

Cybercriminal activities now carry direct national security implications. The Google report highlights that attacks by cybercriminal groups can yield the same consequences as those by state-sponsored actors. The disruption of a hospital by ransomware or a state-backed wiper attack results in identical operational and patient care impacts. Similarly, sensitive data stolen for financial gain can be exploited in ways that mirror traditional espionage.

Russia-Ukraine Conflict Accelerating the Trend

Although state actors have long leveraged cybercriminal groups, this practice has intensified following Russia’s invasion of Ukraine in 2022. State-backed entities increasingly purchase malware, credentials, and other cyber capabilities from underground marketplaces, benefiting from cybercriminal specialization while reducing development costs and minimizing detection risks.

For example, Russia’s GRU-linked group APT44 (Sandworm) has utilized malware sourced from criminal communities for espionage and disruptive operations in Ukraine. The cybercriminal group CIGAR (RomCom) has also conducted espionage operations aligned with Russian state objectives.

Similarly, Security Boulevard reports that Iranian state-sponsored groups have deployed ransomware to fund operations while simultaneously conducting espionage. Chinese espionage groups frequently engage in cybercrime to supplement their revenue streams, while North Korean state-backed groups have targeted cryptocurrency exchanges, adds Security Boulevard.

Policy and Security Implications

The Google report underscores the need for policymakers to acknowledge financially motivated cybercrime as a national security threat. Strategies must be adapted to address the resilience of the cybercrime ecosystem, where ransomware-as-a-service (RaaS) operations quickly rebound after law enforcement takedowns, says Google.

To mitigate these threats, Google’s analysts recommend the following actions:

• Elevate cybercrime to a national security priority.

• Strengthen cybersecurity measures across critical infrastructure sectors.

• Implement targeted efforts to disrupt cybercriminal operations.

• Enhance international cooperation on cyberthreat intelligence sharing.

• Promote cybersecurity awareness among organizations and individuals.

Additionally, the report urges policymakers to encourage stronger cybersecurity standards in the private sector to mitigate financial and state-backed cyberthreats. As cybercriminals continue to intersect with state actors, a comprehensive and coordinated response will be essential to addressing this evolving security landscape.

“The evolution of nation-state threat actors from strictly geopolitical operations to hybrid models incorporating financial and criminal motives demonstrates the dynamic nature of the cyberthreat landscape,” says Shloman. “As their methods and alliances become more sophisticated, the task of defending against such actors grows increasingly complex.”