Cybercrime Multifaceted National Security Threat

Cybercrime is a major issue, making up most of the malicious activity online and consuming a large share of defenders' resources. In 2024, Mandiant Consulting dealt with almost four times more financially-motivated intrusions than state-backed ones. Despite this, cybercrime doesn’t get as much attention from national security practitioners as state-backed threats do. However, the impact of cybercrime on critical infrastructure, like hospitals and energy sectors, shows that it should be taken just as seriously.

The Google Threat Intelligence Group (GTIG) report, “Cybercrime: A Multifaceted National Security Threat,” isn’t just another cybersecurity report; it’s a stark wake-up call. It clearly articulates how financially motivated cyberattacks, even those seemingly unconnected to state-sponsored activity, pose a serious threat to national security.

This isn’t just about stolen credit cards anymore. We’re talking about ransomware crippling hospitals, disrupting energy grids, and impacting essential services – real-world consequences that demand our immediate attention. This article dives deep into the report’s technical aspects, offering CISOs and CIOs actionable insights and mitigation strategies to bolster their defenses.

Stand-alone Cybercrime as a National Security Threat

Even financially-motivated cyber intrusions without state ties can harm national security. Ransomware attacks on critical infrastructure, such as the 2021 Colonial Pipeline attack and the 2023 Petro-Canada incident, highlight the potential for severe consequences. The healthcare sector has been particularly affected, with ransomware attacks leading to life-threatening consequences for patients.

The Evolving Threat Landscape

The report’s core message is clear: cybercrime has outgrown its financial nuisance status and become a genuine national security concern. The sheer volume of financially motivated attacks is staggering.

GTIG’s data reveals that in 2024, Mandiant Consulting responded to almost four times more intrusions driven by financial gain than those attributed to nation-state actors. This shift underscores the need to broaden our perspective. We must recognize the potential for any financially motivated attack to trigger cascading national security implications.

Data Leak Sites: The New Extortion Playbook

Adding fuel to the fire is the rise of Data Leak Sites (DLS). GTIG has seen a dramatic increase in DLS victims since 2022, particularly in healthcare. These sites are where cybercriminals publicly dump stolen data after a ransomware or data theft incident, applying immense pressure on victims to pay up.

This double extortion tactic not only damages reputations but also exposes sensitive information, potentially leading to further exploitation and harm. Technically, this means we need to focus not only on breach prevention but also on minimizing the impact of data exfiltration should a breach occur.


Cybercrime Supporting State Activity

States are increasingly using cybercriminal capabilities to support their objectives. For example, Russian intelligence services have used criminally sourced tools and infrastructure for espionage and disruptive operations. Groups like APT44 and UNC2589 have employed malware from cybercrime communities to target Ukrainian entities. Similarly, Iranian and Chinese threat groups have mixed ransomware activities with espionage to confuse attribution and raise funds.

The report also highlights the increasingly blurred lines between cybercrime and state-sponsored espionage. Collaboration between cybercriminals and national security agencies, especially during geopolitical tensions, is becoming more frequent. This convergence is a force multiplier. Cybercriminals gain access to advanced techniques and resources, while state actors leverage existing criminal infrastructure for their own agendas.


Russian Cybercriminal Actors and State Objectives

Russian intelligence services have increasingly leveraged relationships with cybercriminal groups to advance national objectives and augment intelligence collection, especially since the full-scale invasion of Ukraine. This involves both new efforts and the continuation of pre-existing relationships with financially-motivated, Russia-based threat actors. Current and former members of these groups have carried out intrusion activities likely in support of state objectives.

CIGAR (UNC4895, RomCom)

CIGAR, also known as UNC4895 and RomCom, is a dual financial and espionage-motivated threat group active since at least 2019. Initially focused on financially-motivated operations, the group expanded into espionage activities supporting Russian national interests following the invasion of Ukraine. CIGAR’s high operational tempo, constant evolution of its malware arsenal, and exploitation of multiple zero-day vulnerabilities suggest a level of sophistication and resourcefulness unusual for typical cybercrime actors.

Technical Details:

  • Targeted Intrusion Activity: Dates back to late 2022, targeting Ukrainian military and government entities.
  • Phishing Campaigns: In October 2022, CERT-UA reported a phishing campaign distributing emails allegedly from the Press Service of the General Staff of the Armed Forces of Ukraine, leading to the deployment of RomCom malware.
  • Zero-Day Vulnerabilities: In 2023 and 2024, CIGAR leveraged zero-day vulnerabilities, including CVE-2023-36884 in Microsoft Word and CVE-2024-9680 in Firefox, chained with CVE-2024-49039 in Windows, to conduct intrusion activities.

Criminals Supporting State Goals

Countries, including Russia, can hire or co-opt financially-motivated attackers to conduct espionage and attack missions on behalf of the state. This includes purchasing tools for state-backed intrusion groups.

CONTI

At the outset of Russia’s invasion of Ukraine, the CONTI ransomware group publicly announced its support for the Russian government. Leaked server logs revealed that some members were interested in conducting targeted attacks, possibly taking directions from a third party. Former CONTI members are part of an initial access broker group, UAC-0098, conducting targeted attacks against Ukraine.

Chinese-Language Operator Supports Espionage Goals

UNC5174 (“Uteus”)

UNC5174, using the “Uteus” hacktivist persona, claims affiliation with China’s Ministry of State Security. The group conducts for-profit intrusions and has weaponized multiple vulnerabilities soon after their public announcement.

Technical Details:

  • Exploited Vulnerabilities: CVE-2024-1709 in ConnectWise ScreenConnect and CVE-2024-3400 in Palo Alto Networks’ GlobalProtect appliances.

Hybrid Groups Enable Cheap Capabilities

Some groups conduct financially-motivated operations to supplement their income while primarily engaging in state-sponsored espionage.

APT41, a prolific cyber operator likely contracted by China’s Ministry of State Security, conducts both state-sponsored espionage and financially-motivated operations, including ransomware deployment and stealing digital certificates.

Iranian Groups Deploy Ransomware for Disruption and Profit

Iranian espionage groups conduct ransomware operations and disruptive hack-and-leak operations, sometimes monetizing stolen data for personal gain.

UNC757 collaborated with ransomware affiliates to gain network access and deploy ransomware for a percentage of the profits. The group has historical ties to the persona “nanash” and hack-and-leak operations associated with PAY2KEY ransomware.

North Korean Cyber Threat Actors

North Korean threat actors conduct financially-motivated operations to generate revenue for the regime and fund espionage campaigns.

APT38, aligned with the Reconnaissance General Bureau (RGB), attempted thefts from financial institutions totaling over $1.1 billion USD. The group has also deployed destructive malware against target networks.

Technical Details:

  • Cryptocurrency and Blockchain Targeting: UNC1069 (CryptoCore) and UNC4899 (TraderTraitor) focus on financial gain by targeting cryptocurrency and blockchain entities.

DPRK IT Workers pose as non-North Korean nationals seeking employment globally to generate revenue for the regime, enabling it to evade sanctions and fund its weapons programs. They have increasingly leveraged their access to engage in malicious intrusion activities.


UNC1069 (CryptoCore) and UNC4899 (TraderTraitor) are successors to APT38, focusing on financial gain by targeting cryptocurrency and blockchain entities. In December 2024, TraderTraitor stole $308 million USD in cryptocurrency from a Japan-based company.

APT43 (Kimsuky) funds itself through cybercrime to support its primary mission of collecting strategic intelligence. It targets foreign policy and nuclear security, using sophisticated technical capabilities and social engineering tactics.

UNC3782 conducts financial crime operations against the cryptocurrency sector and espionage activity, targeting South Korean organizations combating cryptocurrency-related crimes.

APT45 (Andariel) conducts espionage operations focusing on government, defense, nuclear, and healthcare entities. It has also engaged in financially-motivated operations, including ransomware development.

DPRK IT Workers pose as non-North Korean nationals seeking employment globally to generate revenue for the North Korean regime. They leverage their access to engage in malicious intrusion activity and extort organizations.

A Comprehensive Approach: The Only Way Forward

The GTIG report emphasizes the need for a comprehensive strategy to combat this multifaceted threat. This means moving beyond purely technical solutions and embracing strategic, collaborative, and awareness-driven initiatives.

To effectively tackle the cybercriminal threat, a comprehensive approach is needed. This includes:

  1. Elevating Cybercrime as a National Security Priority: Governments must allocate resources, prioritize intelligence collection, enhance law enforcement capacity, and foster international cooperation to dismantle transnational networks.
  2. Strengthening Cybersecurity Defenses: Promoting robust security measures across all sectors, particularly critical infrastructure, and investing in advanced security technologies.
  3. Disrupting the Cybercrime Ecosystem: Targeting key enablers like malware developers, bulletproof hosting providers, and financial intermediaries through legal, technical, and financial measures.
  4. Enhancing International Cooperation: Developing international frameworks for information sharing, joint investigations, and coordinated takedowns of cybercriminal networks.
  5. Empowering Individuals and Businesses: Raising awareness about cyber threats, promoting cybersecurity education, and supporting initiatives that enhance resilience against attacks.
  6. Elevating Strong Private Sector Security Practices: Prioritizing technology transformation, adopting secure technologies, diversifying vendors, and requiring interoperability across the technology stack.

Let’s delve into the technical challenges highlighted in the report:

  • Advanced Persistent Threats (APTs): While often associated with nation-states, APT-style attacks are increasingly used by sophisticated cybercriminals. These attacks are stealthy, persistent, and focused on long-term infiltration, often using custom malware, zero-day exploits, and advanced social engineering.
  • Ransomware’s Evolution: Ransomware has evolved beyond simple file encryption. Modern ransomware gangs employ double extortion, stealing data before encryption and threatening public release. They are also increasingly targeting critical infrastructure for maximum disruption and financial gain.
  • Sophisticated Exfiltration: Data exfiltration techniques are becoming harder to detect. Attackers use DNS tunneling, steganography, and compromised cloud accounts to exfiltrate data, demanding robust Data Loss Prevention (DLP) strategies.
  • Supply Chain Attacks: Compromising software or hardware in the supply chain grants attackers access to numerous downstream targets. These attacks, like the SolarWinds incident, are incredibly difficult to defend against due to the inherent trust relationships involved.
  • Living off the Land (LotL): Attackers are increasingly using existing tools and resources within the target environment to blend in. This “living off the land” technique makes it harder to distinguish malicious activity from normal operations.
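The "Sophisticated Exfiltration" item above names DNS tunneling as a channel that is hard to spot; the following added example (not code from the report or from GTIG) shows one detection heuristic a defender can run over DNS query logs: group queries by base domain and flag domains whose subdomain labels are numerous, long and high-entropy, which is what encoded data chunks look like. The log format, the two-label base-domain rule and the thresholds are assumptions for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log ("client_ip qname" per line); not from the report.
SAMPLE_DNS_LOG = """\
10.0.0.12 www.example.com
10.0.0.12 mail.example.com
10.0.0.12 cdn.example.com
10.0.0.12 a1b2c3d4e5f6g7h8i9j0.exfil-demo.invalid
10.0.0.12 k2l3m4n5o6p7q8r9s0t1.exfil-demo.invalid
10.0.0.12 u3v4w5x6y7z8a9b0c1d2.exfil-demo.invalid
10.0.0.12 e4f5g6h7i8j9k0l1m2n3.exfil-demo.invalid
10.0.0.12 o5p6q7r8s9t0u1v2w3x4.exfil-demo.invalid
10.0.0.34 www.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_dns_log(text):
    """Return (client, qname) tuples from 'client qname' lines, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            records.append((parts[0], parts[1].lower().rstrip(".")))
    return records

def base_domain(qname):
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def flag_tunneling_candidates(records, min_unique=5, min_entropy=3.5, min_label_len=16):
    """Flag base domains whose distinct subdomains look like encoded data:
    many of them, with long and high-entropy leftmost labels."""
    seen = defaultdict(set)
    for _, qname in records:
        base = base_domain(qname)
        sub = qname[:-len(base)].rstrip(".")
        if sub:
            seen[base].add(sub)
    flagged = {}
    for base, subs in seen.items():
        if len(subs) < min_unique:
            continue  # too few distinct names to be a data channel
        labels = [s.split(".")[0] for s in subs]
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[base] = {"unique_subdomains": len(subs), "avg_entropy": round(avg_ent, 2)}
    return flagged

if __name__ == "__main__":
    print(flag_tunneling_candidates(parse_dns_log(SAMPLE_DNS_LOG)))
```

Tune the thresholds against your own resolver logs: CDNs and some telemetry services legitimately use long generated labels, so the output is a hunting lead to triage rather than a verdict.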

Actionable Insights and Mitigation Strategies:

  • Proactive Security Posture: We need to shift from reactive to proactive security. This includes:
    • Threat Hunting: Actively searching for malicious activity within the network.
    • Vulnerability Management: Continuously scanning and patching vulnerabilities.
    • Security Audits & Penetration Testing: Regularly assessing security controls and identifying weaknesses.
  • Multi-Layered Security (Defense in Depth): Implementing multiple security layers:
    • Endpoint Security: Protecting devices from malware and unauthorized access with EDR and anti-malware.
    • Network Security: Securing the network perimeter and internal segments with firewalls and IDS/IPS.
    • Data Security: Protecting sensitive data with encryption, access control, and DLP.
    • IAM: Controlling user access with MFA and least privilege.
  • Advanced Security Technologies: Leveraging advanced tools:
    • SIEM: Collecting and analyzing security logs.
    • EDR: Monitoring endpoint activity and detecting malicious behavior.
    • Threat Intelligence Platforms: Gathering and analyzing threat data.
    • AI/ML: Automating threat detection and response.
  • Collaboration and Information Sharing:
    • Sharing threat intelligence and best practices.
    • Collaborating with law enforcement.
    • Building public-private partnerships.
  • Security Awareness Training:
    • Phishing and social engineering awareness training.
    • Password management best practices.
    • Secure data handling procedures.
  • Incident Response Planning:
    • Incident detection mechanisms.
    • A comprehensive incident response plan.
    • Recovery procedures.
  • Network Visibility

Key Takeaways for CISOs and CIOs

  • Cybercrime is a national security threat: Cybercrime, particularly ransomware attacks, poses a serious threat to critical infrastructure, including energy and healthcare sectors. Disruptions to these sectors can have devastating consequences on individuals and society.  
  • Financially motivated attacks are increasing: In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions.  
  • Data leak sites are on the rise: Since 2022, GTIG has observed a notable increase in the number of data leak site (DLS) victims, particularly within the hospital subsector. DLS are used to release victim data following data theft extortion incidents, pressuring victims to pay a ransom.  
  • Collaboration between cybercriminals and state actors: There is an increasing overlap between cybercrime and state espionage, with collaboration between cybercriminals and national security agencies, especially during geopolitical conflicts.  

The Fight Continues

The GTIG report provides invaluable insights. By understanding the technical challenges and implementing these strategies, CISOs and CIOs can significantly strengthen their defenses. This requires a proactive, multi-layered approach, combined with continuous monitoring, threat intelligence, and a strong security culture. The fight against cybercrime is ongoing, and vigilance is paramount. We need to act now, and we need to act together.

You can download the full report here:
