A growing trend has emerged in the world of cyber warfare, as countries like Russia, China, and North Korea increasingly turn to cybercriminal groups to further their state objectives. According to a recent report by Google’s Threat Intelligence Group (GTIG), this collaboration offers several advantages, including reduced costs and greater deniability, especially when linked to sensitive state activities like Russia’s ongoing war in Ukraine.
The report highlights that Russian intelligence agencies have significantly ramped up their reliance on cybercriminal gangs, both established and new, to bolster their operations. This approach has been particularly evident since Russia’s full-scale invasion of Ukraine, with cybercriminals assisting in intelligence gathering and enhancing Russia’s offensive cyber capabilities. Instead of developing sophisticated malware or hacking tools themselves, these groups often purchase them from underground forums, offering a cheaper and more discreet solution for the government.
Several prominent cybercriminal groups have shown public allegiance to Russia and have played an active role in supporting Russian goals. One such group, APT44, has been particularly resourceful, utilizing criminally sourced tools and infrastructure that can be quickly deployed without directly linking them to past operations conducted by Russian military intelligence. APT44 has made extensive use of tools such as DARKCRYSTALRAT (DCRAT), WARZONE, and RADTHIEF.
A notable instance of this collaboration was a campaign that targeted a Ukrainian drone manufacturer, where spear-phishing emails were used to deploy SMOKELOADER, a malware loader, which in turn introduced the RADTHIEF malware.
While Russia is the most prominent nation identified in utilizing cybercriminal resources, China and North Korea have also been increasingly linked to similar tactics. This evolving partnership between nation-states and cybercriminals underscores the growing complexity of modern cyber conflicts, where attribution and accountability become more challenging. For states, leveraging these illicit resources not only strengthens their cyber operations but also provides an added layer of plausible deniability in the face of international scrutiny.