The traditional distinction between cybercriminals and state-backed cyber adversaries is becoming increasingly unrealistic
as the personnel, tools, and effects of their attacks are often indistinguishable. On the eve of the 61st International Munich Security Conference, the Google Threat Intelligence Group (GTIG) has argued that financially motivated cybercrime should be recognized as a national security threat requiring international cooperation.
Historically, cybercrime has been categorized into financially motivated criminal activity and politically motivated state-sponsored attacks. While state-backed cyberattacks receive more media attention and intelligence scrutiny, financial cybercrime is far more common. In 2024, Mandiant responded to nearly four times as many financially motivated attacks as state-sponsored ones. However, adversarial states frequently co-opt cybercriminals, leveraging their expertise and tools to advance political goals. For example, Iran and North Korea have used state-backed operatives to conduct financial cybercrimes to fund their regimes.
A notable case of this overlap is Sandworm (APT44), a Russian military intelligence-linked group that has used malware from cybercriminal communities to conduct espionage and disruptive operations in Ukraine. GTIG argues that, while individual organizations may not need to differentiate between cybercriminals and state-backed hackers in their security posture, national governments must recognize cybercrime as a national security threat on par with state-sponsored hacking. Because cybercrime is inherently international, addressing it will require global cooperation.
One major reason for this convergence is that adversarial states exploit the vast pool of cybercriminals and their tools to expand their manpower, reduce costs, and maintain plausible deniability. Avoiding attribution is crucial to preventing all-out cyberwar. For example, when Russia was accused of hacking the Democratic National Committee (DNC) in 2016, President Vladimir Putin denied state involvement, suggesting cybercriminals were responsible. Nonetheless, twelve Russian intelligence officers were later indicted by a U.S. grand jury. However, in cases where kinetic conflict already exists, the need for plausible deniability diminishes. GTIG believes APT44 was behind the Prestige ransomware attacks against logistics companies in Poland and Ukraine in October 2022—one of the few instances where a Russian state-linked actor deployed disruptive cyberattacks against a NATO country.
This blending of cybercriminal resources with state-backed operations is not unique to Russia. Iran and China have employed similar tactics. Even historically, intelligence agencies have leveraged cybercriminals for espionage, as seen in 1986 when the KGB hired East German hacker Markus Hess to infiltrate U.S. and European computer networks. The difference today is the scale and impact of such operations. Criminal ransomware without decryption functions as a state-sponsored wiper attack, causing similar levels of destruction.
Cybercrime is now akin to hybrid warfare, targeting the morale and well-being of entire populations. State-backed hackers intentionally disrupt public services, but GTIG argues that cybercriminal groups, through ransomware, can achieve the same effects. Attacks on healthcare and utilities, for example, create public fear and disruption. Leaked chats from the Conti ransomware gang in 2020 reveal that attackers targeting U.S. healthcare systems were fully aware their actions would incite panic. The more critical the target, the greater the potential for public alarm an outcome aligned with the goals of state-backed hybrid warfare.
Real-world examples underscore this growing threat. A ransomware attack on an NHS contractor in the UK in June 2024 reportedly resulted in long-term physical and mental health consequences for patients. Similarly, in 2022, Costa Rica declared a national emergency after Conti ransomware attacks crippled multiple government agencies. The distinction between state-backed hackers and cybercriminals cannot be determined solely by the attack's impact or even its motivation. North Korea, for instance, engages in cyber espionage and intellectual property theft while also stealing cryptocurrency to fund its regime.
GTIG asserts that cybercrime should not be viewed separately from state-backed cyber activity because their resources, motivations, and impacts are increasingly indistinguishable. Cybercrime is now a national security issue. To combat this, GTIG recommends a stronger global approach, treating cybercrime as a security priority requiring international cooperation.
While law enforcement takedowns of ransomware groups provide temporary relief, GTIG argues that policymakers must take additional measures. These include elevating cybercrime as a national security priority, enhancing intelligence collection on cybercriminal organizations, and strengthening law enforcement's ability to investigate and prosecute cybercrimes.
Additionally, governments should invest in research and incentivize stronger cybersecurity practices, disrupt the cybercrime ecosystem by targeting key enablers like malware developers and financial intermediaries, and foster international collaboration for joint investigations and coordinated takedowns. Public awareness and education should also be improved, ensuring businesses and individuals are equipped to defend against cyber threats.
GTIG also recommends encouraging the adoption of strong private-sector security practices while reducing reliance on any single technology. Notably, GTIG does not advocate for government backdoors into encrypted messaging, recognizing the potential for such measures to aid both law enforcement and cybercriminals alike. Instead, GTIG urges policymakers to focus on dismantling the infrastructure supporting cybercriminal operations, fostering a more resilient and cooperative global cybersecurity landscape.
