The blurring of lines between cybercrime and APT attacks underscores the increasingly fluid and multifaceted nature of today’s cyberthreats.
There was a time when the boundary between cybercrime and advanced persistent threat activity was rather easy to discern. Cybercriminals were fuelled solely by the profit motive. And their counterparts in the government carried out mainly cyberespionage campaigns, plus the occasional destructive attack, to further their employers’ geopolitical goals. However, in recent months, this line has begun to dissolve, including when it comes to ransomware, a trend also noted by ESET’s latest Threat Report.
This has potentially major implications for IT and security leaders – not only increasing the risk of attack, but also changing the calculus around how to mitigate that risk.
You could argue that ransomware attacks launched by allegedly state-sponsored hackers is, in fact, nothing new. In 2017, alleged state-affiliated operatives are thought to have launched WannaCry (aka WannaCryptor), the first ever global ransomworm. It was only halted after a security researcher stumbled upon and activated a “kill switch” hidden in the malicious code. In the same year, alleged state-sponsored hackers launched the NotPetya campaign against Ukrainian targets, although in this case it was actually destructive malware disguised as ransomware in order to throw investigators off the scent. In 2022, ESET observed the Sandworm group using ransomware in a similar way: as a data wiper.
The line between alleged state-backed operations and financially motivated crime has been blurring ever since. As we also noted a while back, many dark web vendors sell exploits and malware to state actors, while some governments hire freelance hackers to help with certain operations.
However, these trends appear to be accelerating. Specifically, in the recent past, ESET and others have observed several apparent motives:
Government hackers are said to be deliberately using ransomware as a money-making tool for the state. This is often alleged about North Korea, where threat groups are claimed to target cryptocurrency firms and banks with sophisticated mega-heists. It is claimed they made about $3bn in illicit profits from this activity between 2017 and 2023.
In May 2024, Microsoft observed Moonstone Sleet deploying custom ransomware dubbed “FakePenny” on the networks of several aerospace and defense organizations, after first stealing sensitive information. “This behavior suggests the actor had objectives for both intelligence gathering and monetization of its access,” it said.
The Andariel group is also suspected of having provided initial access and/or affiliate services to the ransomware group known as Play. That’s because Play ransomware was spotted in a network previously compromised by Andariel.
Another motive for state involvement in ransomware attacks is to let government hackers earn some money from moonlighting. One example is the Pioneer Kitten group (aka Fox Kitten, UNC757 and Parisite), which the FBI has spotted “collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.”
It worked closely with NoEscape, Ransomhouse, and ALPHV (aka BlackCat) – not only providing initial access, but also helping to lock down victim networks and collaborate on ways to extort victims.
State-linked APT groups are also using ransomware to cover up the true intent of attacks. This is what the ChamelGang (aka CamoFei) is believed to have done in multiple campaigns targeting critical infrastructure organizations in East Asia and India, as well as the US, Russia, Taiwan and Japan. Using the CatB ransomware in this way not only provides cover for these cyber-espionage operations, but also enables operatives to destroy evidence of their data theft.
It’s obvious why government-backed groups are using ransomware. At the very least, it provides them with a useful cover of plausible deniability which can confuse investigators. And in many cases, it does so while increasing state revenue and helping to motivate government-employed hackers who are often little more than poorly paid civil servants. The big question is whether it really matters who is doing the attacking. After all, Microsoft has even uncovered evidence of government agencies outsourcing work wholesale – although in the case of Storm-2049 (UAC-0184 and Aqua Blizzard), no ransomware was involved.
There are two schools of thought here. On the one hand, best practice security advice should still ring true – and be an effective way to build resilience and accelerate incident response – whoever is doing the attacking. In fact, if state-aligned APT groups end up using cybercrime tactics, techniques and procedures (TTPs), this may even benefit network defenders, as these are likely to be easier to detect and defend against than sophisticated custom tools.
However, there’s also an argument for saying that understanding one’s adversary is the essential first step to managing the threat they pose. This is explained in the 2023 research report, Cyber Attacker Profiling for Risk Analysis Based on Machine Learning: “One of the essential components of cyber security risk analysis is an attacker model definition. The specified attacker model, or attacker profile, affects the results of risk analysis, and further the selection of the security measures for the information system.”
That said, if you don’t know the identity of your adversary, there are still ways to mitigate the impact of their ransomware attacks. Here are 10 best practice steps:
Ensure all sensitive assets are protected by multi-layered security software from a reputable supplier, including for desktops, servers and laptops/mobile devices
According to one estimate, organized crime accounted for 60% of data breaches last year, versus just 5% attributed to nation states. But the latter share is growing, and the breaches themselves could have an outsized impact on your organization. Continued awareness and proactive risk management are essential.
This guest blog was originally published by our partners at ESET Ireland and re-published with their permission.