The Register

Crimelords and spies for rogue states are working together, says Google

Google says the world’s lawmakers must take action against the increasing links between criminal and state-sponsored cyber activity.

In a fresh report published today, the company’s Threat Intelligence Group listed a range of recommendations to help fend off the threat presented by cyber spies in the “Big Four” – Russia, China, Iran, and North Korea – as they deepen their ties with cybercriminals.

It said governments must designate cybersecurity as a national security priority where it isn’t already, and lawmakers should be properly incentivizing the implementation of best practices, especially in critical infrastructure.

The report did not explicitly link these arguments to any given events, but it highlighted the number of attacks targeting healthcare and the unfolding economic costs.

What’s in it for the tech vendors?

The idea of incentivization has been bandied about for some time. The UK NCSC’s CTO, Ollie Whitehouse, said last year that the cybersecurity market was “broken” and vendors must be adequately incentivized to ensure secure‐by‐design development practices are adopted, for example.

Naturally, that also brings Google itself into the scope of these required changes, not just policymakers and governments, and it acknowledges the private sector also has a role to play in securing systems.

Likewise, Whitehouse said business leaders should be financially motivated to commit to a long-term focus on maintaining cyber resilience, rather than doing repeated sprints when the time feels right.

CISA’s known exploited vulnerabilities (KEV) program, which compels federal civilian executive branch agencies to patch the most serious vulns within a tight window, is an example of how these incentives are applied to organizations. In this case, it’s more a form of negative reinforcement.

The patch rates have never been released, and when quizzed last year, former agency director Jen Easterly dodged the question.

Google also called on the authorities to enhance international cooperation, develop information-sharing networks to support joint investigations, and do more to disrupt the cybercrime ecosystem.

Regarding takedowns of ransomware crews such as LockBit and ALPHV in the past year, Google said there are always other players ready to scoop up that market share. Disruption efforts must be carried out on broader targets such as bulletproof hosters and financial intermediaries like crypto exchanges.

Disruption efforts have, in fact, already focused on these broader areas and the technical and logistical resources required to pull off these operations are extensive. The Register understands that from law enforcement’s perspective, authorities acknowledge more must be done, but they are essentially operating at capacity.

States cozying up to cybercriminals

It has long been known that an intersection exists between cybercriminals and the offensive cyber teams of Russia, China, Iran, and North Korea. But Google claims in its report today that the two sides are increasingly teaming up, with states leaning on criminal capability to further their missions.

It’s often less costly for states to rely on the crime world and in doing so it can muddy the process of attributing any hostile campaigns to the state. For resource-strapped nations like Russia, still embroiled in its invasion of Ukraine, turning to cybercrime marketplaces for malware tools or credentials can be a quick way of getting what’s needed, without developing anything in-house.

It’s something Google is seeing even from the most prolific arms of Russian intelligence. APT44, aka Sandworm, for example, “almost certainly relies on a diverse set of Russian companies and criminal marketplaces to source and sustain its more frequently operated offensive capabilities,” the report states.

UNC2589, Turla, and APT29 have also all been seen using crime marketplaces for their campaigns for years now.

Russia is by far the most reliant on the cybercriminal community for its operations, but Iran and China have leaned on it too, and North Korea’s foray into cybercriminal operations for financial gain is well documented.

“The vast cybercriminal ecosystem has acted as an accelerant for state-sponsored hacking, providing malware, vulnerabilities, and in some cases full-spectrum operations to states,” said Ben Read, senior manager at Google Threat Intelligence Group.

“These capabilities can be cheaper and more deniable than those developed directly by a state. These threats have been looked at as distinct for too long, but the reality is that combatting cybercrime will help defend against state-backed attacks.”

Underestimating the threat

Google’s view is that cybercrime isn’t treated as seriously at the national level as state-backed operations. Its threat intelligence and incident response company, Mandiant, responded to four times as many financially motivated attacks in 2024 as the previous year, but countries still see state-sponsored campaigns as a more pernicious threat to national security.

Further, the number of data leak sites almost doubled compared to 2022’s numbers in spite of high-profile takedowns and disruptions. The company’s recommended action points would help stem the serious economic disruption that cybercrime results in, according to the report.

“Cybercrime has unquestionably become a critical national security threat to countries around the world,” said Sandra Joyce, VP at Google Threat Intelligence Group. “The marketplace at the center of the cybercrime ecosystem has made every actor easily replaceable and the whole problem resilient to disruption.

“Unfortunately, many of our actions have amounted to temporary inconveniences for these criminals, but we can’t treat this like a nuisance and we will have to work harder to make meaningful impacts.”

Illustrating the threat of cybercrime to national security, it regurgitated the FBI’s figures around business email compromise scams, which led to around $55 billion in losses between 2013 and 2023.

It also looked at every major attack on the healthcare industry last year, which led to hundreds of facilities being knocked offline, thousands of appointments and procedures being delayed, and patient records stolen.

Among the most severe incidents were the attacks on Change Healthcare, 25 Romanian hospitals, the Ascension hospital network, and UK pathology services provider Synnovis.

In all cases, medical care was disrupted to varying degrees, showing how attacks on the sector are tantamount to attacks on national security.

Healthcare is a ripe target for cybercriminals for many reasons. From a lack of funding to spend on security to managing myriad systems of wildly varying ages, security in the industry is both difficult and costly when it goes wrong.

Hospitals can’t afford downtime and attackers know it. The Qilin ransomware group, for example, said in July that it would begin targeting US healthcare after its attack on Synnovis and previously said it focuses on sectors it knows pay well.

Lurkers on cybercrime forums have also indicated that the money in healthcare attacks is bigger than other sectors with their payment offers for initial access. Associates of the INC ransomware group have previously offered 2-5 percent more for initial access resources to hospitals, especially those with emergency departments. ®
