US Adversaries Increasingly Rely on Cybercriminals and Their Malware

Listen to this Post

2025-02-11

A Growing Threat in Cyberspace

Adversarial governments, particularly Russia, are increasingly turning to cybercriminals and their malware to advance their cyber operations, according to a recent report by Google’s Threat Intelligence Group. While there has always been some overlap between state-sponsored hackers and cybercriminals, the report highlights a growing trend: governments are not just borrowing techniques but actively collaborating with criminals to fulfill their strategic goals.

One major factor driving this shift is the resource constraints and operational demands faced by state-backed hacking groups. Instead of developing their own tools, these groups now leverage free or commercially available malware, a trend that has intensified since Russia’s invasion of Ukraine. For instance, Russian military intelligence hackers, known as APT44 or Sandworm, have been using cybercriminal malware like Radthief and Warzone—malware that was recently targeted in a U.S. operation.

The trend is not exclusive to Russia. Google has observed similar patterns from China, Iran, and North Korea, with Iranian hackers also deploying Radthief in May of last year. The cybercriminal ecosystem has become a powerful force multiplier for state-sponsored hacking, offering cheap, deniable capabilities that states find highly attractive.

Sometimes, the collaboration is even more direct. China, for example, has been using cybercriminal gangs to obscure its espionage operations. Other cybersecurity firms, like Trellix, have also noticed this convergence, making it increasingly difficult to differentiate between cybercriminal and state-sponsored activities.

Ultimately, Google’s report underscores a critical takeaway: cybercrime is no longer just a financial threat—it has become a significant national security issue. With cybercriminal marketplaces enabling the rapid replacement of compromised actors, the cybercrime ecosystem remains resilient against disruption, posing an escalating risk to global cybersecurity.

What Undercode Says: The Rising Convergence of Cybercrime and Cyber Warfare

1. A Shift in Cyber Warfare Strategies

Governments have long engaged in cyber espionage, but their increasing reliance on criminal malware signals a strategic shift. Instead of investing years in developing sophisticated cyber weapons, states now exploit existing black-market tools, reducing costs and accelerating their operations. This outsourcing model makes cyber warfare more agile, scalable, and difficult to attribute directly to nation-states.

2. Cost-Effective and Deniable Operations

State-sponsored hacking is expensive. Developing zero-day exploits, custom malware, and attack infrastructure requires time and expertise. By leveraging tools from the cybercriminal underground, adversarial nations gain access to ready-made capabilities at a fraction of the cost. Additionally, using cybercriminal tools offers plausible deniability, allowing governments to distance themselves from attacks while still benefiting from them.

3. Russia’s Escalation Amid the Ukraine War

Russia’s cyber operations have intensified since its invasion of Ukraine, with military intelligence groups like APT44 increasingly using criminal malware. This suggests that war-related cyber strategies are evolving to incorporate more unconventional and easily accessible tools. The use of Radthief and Warzone highlights how Russia is adapting to resource constraints by tapping into the broader cybercriminal market.

4. China’s Espionage Through Criminal Networks

China’s strategy of embedding espionage efforts within cybercriminal operations presents a significant challenge for defenders. By outsourcing certain cyber activities to criminal groups, China gains an extra layer of obfuscation, making it harder for cybersecurity analysts and intelligence agencies to attribute attacks with certainty.

5. Iran and North Korea Following Suit

Iran and North Korea have also adopted similar tactics. Iran’s use of Radthief malware demonstrates its willingness to embrace cybercriminal tools, while North Korea has long been known for its financially motivated cyber activities, including cryptocurrency theft to fund its regime. These trends indicate a broader global shift towards hybrid cyber operations that blend state and criminal capabilities.

6. The Blurring of Cybercrime and National Security

The line between state-sponsored hacking and cybercrime is becoming increasingly blurred. Cybercriminal groups often operate with tacit government approval or direct cooperation, especially in nations where law enforcement turns a blind eye to their activities. This makes it harder for cybersecurity professionals and governments to counteract threats effectively.

7. Challenges in Cyber Defense and Attribution

Attributing cyberattacks has always been a complex task, but the increasing use of shared tools and techniques makes it even more difficult. If the same malware is used by both criminal groups and government hackers, distinguishing between a financially motivated attack and a state-sponsored operation becomes nearly impossible. This complicates international responses and legal actions against perpetrators.

8. The Cybercrime Marketplace’s Role in Resilience

Google’s report highlights how the cybercrime ecosystem has made every actor easily replaceable. Unlike traditional military operations, where eliminating key personnel can cripple an enemy’s capabilities, cybercrime thrives on decentralization. When one hacker is caught, another quickly takes their place, making disruption efforts less effective.

9. Future Implications for Global Cybersecurity

The growing interdependence between cybercriminals and state actors means that national security threats will increasingly emerge from underground cyber markets. As long as there is a thriving marketplace for malware, exploits, and hacking services, adversarial nations will have an incentive to tap into these resources for their own gain.

10. The Need for a Coordinated Response

Governments and cybersecurity organizations must work together to disrupt these cybercriminal marketplaces and reduce the availability of sophisticated hacking tools. Strengthening international cybercrime laws, improving threat intelligence sharing, and holding complicit nations accountable will be crucial steps in countering this evolving threat.

The cyber battlefield is evolving, and the fusion of cybercrime and cyber warfare is making threats more unpredictable than ever. As state-backed hackers increasingly rely on criminal tools, the challenge for defenders grows more complex. Addressing this issue requires not only technological solutions but also stronger international collaboration and policy enforcement.

References:

Reported By: https://cyberscoop.com/u-s-adversaries-increasingly-turning-to-cybercriminals-and-their-malware-for-help/
https://www.facebook.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.helpFeatured Image