# Full Report
A Google Threat Intelligence Group report notes that Russia in particular has been doing this since the Ukraine war began. The post "U.S. adversaries increasingly turning to cybercriminals and their malware for help" appeared first on CyberScoop.
# Analysis Summary
This article details a general trend observed by Google Threat Intelligence regarding nation-state adversaries leveraging cybercriminal ecosystems, rather than focusing on a single named threat actor. Therefore, the summary below aggregates observations related to groups mentioned in the context of this trend.
# Threat Actor: Observed State-Sponsored Cyber Espionage Groups (General Trend)
## Attribution & Identity
The primary adversarial nations observed engaging in this behavior include **Russia**, **China**, **Iran**, and **North Korea**.
**Associated Groups/Aliases Mentioned (Specifically linked to Russia):**
- **APT44** (Mandiant's designation for the group also tracked as Sandworm; Russian military intelligence-sponsored)
- **Sandworm** (Russian military intelligence-sponsored; the same group as APT44)
## Activity Summary
The article describes the increasing reliance of U.S. adversaries on cybercriminals and their resources (malware, tools, vulnerabilities) to advance state goals. This trend is attributed to resource constraints and operational demands faced by these state actors, and for Russia it has been accelerated in particular by the war in Ukraine. China has been observed using cybercriminal gangs specifically to mask its espionage activities.
## Tactics, Techniques & Procedures
The main TTP discussed is the **borrowing or adoption of cybercriminal malware and tooling**.
- Use of free or publicly available malware commonly employed by criminal actors.
- Hiding espionage efforts behind criminal camouflage (China).
- Utilizing the robust, resilient, and often deniable marketplace provided by the cybercrime ecosystem.
- *No specific MITRE ATT&CK IDs were mentioned in the provided text.*
## Targeting
The article discusses the general activities of state-sponsored actors, which typically target government, defense, critical infrastructure, and intellectual property sectors globally.
- Sectors: **Not explicitly detailed**, but implied to include government/military (due to APT44/Sandworm reference) and sectors targeted by espionage/influence operations.
- Geography: **Global**, with a specific focus on actors targeting U.S. interests.
- Victims: **No specific victims** were named, but campaigns mentioned impacted entities targeted by Russian military intelligence.
## Tools & Infrastructure
- **Malware families used (specifically linked to Russian military intelligence):**
  - Radthief
  - Warzone
- **Infrastructure:** The article mentions a U.S. operation targeting internet domains used to sell the Warzone malware service.
- *Specific IoCs (IPs/Domains) were not detailed and were outside the scope of the summary.*
## Implications
Cybercrime has transformed into a **critical national security threat**. The marketplace central to the cybercrime ecosystem makes adversarial capabilities cheaper, more deniable to the states sponsoring them, and extremely resilient to disruption, as actors are easily replaceable. This blurs the lines between nation-states and cybercriminals.
## Mitigations
- Defending organizations need to recognize that **cybercrime tools are now state-sponsored tools**, increasing the complexity of attribution and defense.
- The resilience of the cybercrime marketplace must be factored into disruption strategies, as tools and actors are easily substituted.
- Security measures must account for a wider variety of malware and TTPs, including those traditionally seen only in financially motivated campaigns, now leveraged for espionage.