Full Report
“The vast cybercriminal ecosystem has acted as an accelerant for state-sponsored hacking, providing malware, vulnerabilities, and in some cases full-spectrum operations to states,” said Ben Read of Google Threat Intelligence Group.
Analysis Summary
# Threat Actor: General Cybercriminal Ecosystem / State-Linked Actors
## Attribution & Identity
The report focuses on the symbiotic relationship between the cybercriminal ecosystem and state-backed hacking groups, rather than a single specific threat actor. The analysis details collaboration or exploitation between criminal entities and state actors from **Russia, Iran, China, and North Korea**. The document also references specific established APTs that benefit from or leverage criminal operations, including **APT44, APT29, UNC2589, and Turla**.
## Activity Summary
The summary highlights the finding that state-backed groups are leveraging the expansion of the cybercriminal ecosystem, using it as an "accelerant" to obtain malware, vulnerabilities, or full-spectrum operations that are cheaper and more deniable than domestically developed capabilities. Financially motivated actors conducted almost four times as many intrusions as state-backed actors in 2024. Notable activities include:
* Ransomware gangs shifting focus toward Ukraine following Russia’s invasion.
* Chinese and Iranian espionage groups supplementing income via cybercrime.
* North Korea's well-known financially motivated attacks on the cryptocurrency industry and its large-scale scheme employing IT workers in the US and Europe.
* A significant increase in ransomware attacks against healthcare institutions, with the sector's share of data leak site postings doubling over the past three years.
## Tactics, Techniques & Procedures
The TTPs described are generally inherent to the broader cybercriminal ecosystem leveraged by states:
* Exploiting **information or access obtained by criminal organizations** (used by APT44, APT29, UNC2589, Turla).
* **Ransomware** deployment (specifically targeting healthcare).
* **Financially motivated attacks** (common across various criminal groups).
* Acquisition or co-option of criminal capabilities/operations by state actors.
## Targeting
* Sectors: **Healthcare** (an area of particular concern because of tangible patient health outcomes), **Cryptocurrency Industry** (North Korea).
* Geography: Targeted regions were not specified, but involvement was noted from actors linked to **Russia, Iran, China, and North Korea**.
* Victims: Specific organizations are not named, but the impact on **hospitals/healthcare institutions** is highlighted.
## Tools & Infrastructure
* Malware families used: **Ransomware** (implied by the discussion of ransomware gangs).
* Infrastructure (C2, domains, IPs): Not specifically detailed in this high-level summary, but the existence of a dynamic **"marketplace"** is noted, which lets disrupted capabilities be easily replaced and complicates attribution.
## Implications
Cybercrime is now considered a **critical national security threat**. Because the two ecosystems are interconnected, combating cybercrime indirectly defends against state-backed attacks, but the marketplace structure makes the overall ecosystem highly resilient to disruption. The primary implication is that treating cybercrime mitigation separately from the response to state-sponsored threats is ineffective.
## Mitigations
* Recognize cybercrime as a critical national security threat, not merely a nuisance.
* Implement solutions requiring significant **international cooperation**, as cybercrime involves disparate groups across borders.
* Specifically enhance defenses for susceptible sectors like **healthcare** against ransomware.