
    Espionage, ransomware, hacktivism unite as nation-states use criminal proxies, cyber tooling to advance geopolitical agendas

    The Health-ISAC and CI-ISAC Australia recognize in a joint white paper that espionage, hacktivism, and financially motivated crime continue to converge, and that this trajectory is driven by multiple factors, many of which depend on the societal context in which the cybercrime originates. This comes as nation-state threat actors have been observed empowering local cybercriminal outfits to further geopolitical objectives. A shadow industry of offensive cyber tooling research and development companies has emerged, widening the R&D capabilities available to state-sponsored cyber espionage groups.

    Additionally, relationships between intelligence agencies and ransomware actors may be present, increasing the sophistication of financially driven cybercrime gangs. Criminal elements offer plausible deniability to state-sponsored groups and may be used as proxies to launch nation-state attacks. Forward-facing intelligence consumption is essential to the success of organizations trying to navigate the opaque threat landscape.

    In the white paper titled ‘Melding of State and Criminal Threat Actor Motivation: The Nebulous Normal Whitepaper,’ the agencies identify that the state can hire criminal operators on a case-by-case basis, purchase the malicious software they produce, or co-opt their capabilities in exchange for a promise to look the other way as they conduct nefarious online activity. Moreover, the state retains a level of deniability if attacks are attributed to its agents.

    “In the case of hacktivism, states can create fake groups or sponsor authentic hacktivist groups to launch attacks under the guise of empowered civilians. In the case of creating fake groups, this tactic has been called faketivism, and it seeks to accomplish two major objectives,” the white paper outlined. “First, as a psychological tool. By creating a fake movement, legitimate hacktivists and non-technical civilians may become inspired to join a cause sympathetic to the country that created the group. Second, as a proxy for nation-state attacks. The created group will have access to more advanced tooling, being able to launch more impactful and sophisticated attacks while maintaining plausible deniability.”

    The document recognized that when it comes to cybercrime, Russia is a ‘world leader and is home to many ransomware gangs.’ The gangs are organized groups of cybercriminals that launch attacks against victims, where sensitive data is encrypted and only the payment of a ransom, usually in the form of cryptocurrency, will lead to decryption of the data. In recent years, this technique has extended to extorting victim organizations to pay, or face the public dumping of stolen data. 

    This particular type of cybercrime, however, can be quite lucrative, drawing significant amounts of money into the Russian economy. It is moderately likely that Russian decision-makers turn a blind eye to this behavior, in exchange for ransomware gangs following certain rules of engagement, because of the money it brings in.

    The white paper highlights the Russian APT44 group, noting that Moscow has leveraged ransomware gang software to advance its offensive kinetic objectives; APT44, also known as Sandworm, used malware from cybercriminal organizations during Russia’s invasion of Ukraine. Google has said it believes Russian cyber espionage groups switched to free or publicly available tooling because of resource constraints and to hamper any effort to attribute the attacks to the Russian state: if a campaign is discovered, it is the cybercrime gang’s malware and access that is burned, not malware and access developed by the state.

    Taken to its most extreme example, North Korea directly funds its economy with cybercrime, hence its focus on cryptocurrencies and the infrastructure to support them. This is largely due to the absence of legitimate revenue streams and international trade partners. As a result, many state-sponsored cyber operations are financially motivated, which deviates significantly from the cyber espionage operations conducted to further the geopolitical agendas of China, Russia, and Iran.

    The Health-ISAC and CI-ISAC Australia noted in the white paper that in the later parts of 2024 and persisting into 2025, a mass-targeting campaign of remote worker positions in the U.S. and EU has been identified. “This campaign, determined to be originating in North Korea, is using a sophisticated network of fraudsters and fabricated identities to obtain employment in organizations based in the US and EU. These operators then attempt to extort their employer for money, or send the vast majority of their salary to fund North Korean weapons development programs.” 

    It added that Democratic People’s Republic of Korea (DPRK) operators involved in these scams often work in laptop farms or other centralized locations that force them to work long, grueling hours with little compensation. “The compensation structure adds an additional motivation to operators in the network of fake IT workers, the well-being of them and their families. In North Korea, average citizens are subject to extreme poverty with extremely low wages for the work they perform. These criminal schemes that fund the nuclear weapons programs of North Korea are often the only way these espionage operators can feed themselves and their families.”

    The white paper noted that Iran is notable for its targeting of critical infrastructure systems through nation-state activities and by sponsoring hacktivist groups, making attribution difficult for threat intelligence analysts. “An example of this dynamic is the Iranian hacktivist group CyberAv3ngers, which is suspected to be associated with the Iranian military. The group has a reputation for targeting critical infrastructure. In a particularly severe attack at the end of 2023, the group targeted the programmable logic controllers (PLCs) inside US water treatment facilities because they were manufactured by Unitronics, an Israeli technology company.”

    “During the recent Israel-Iran conflagration, over 100 different hacktivist groups rushed to Iran’s side with cyber attacks on Israel or declarations of support. After the United States entered the conflict, it too became a target,” according to the white paper. “The pattern for this activity followed the typical hacktivist cycle: An initial explosion of activity, a brief plateau, a secondary surge lower than the initial burst, and rapid decline. Typically, these attacks have been unsophisticated and consisted predominantly of DDoS attacks, website defacements, and claiming data breaches against government and military organisations.”

    However, it added that recent reporting has said that Iranian nation-state actors have been providing tooling, techniques, and resources to hacktivist groups. It is something that Tehran does to avoid what would be termed a conventional cyber war. 

    The document detailed that Chinese espionage against the U.S. typically spikes with a new U.S. administration, and attacks have reportedly doubled since 2023. Experts describe this as China’s ‘golden age of hacking,’ with state actors increasingly leveraging private industry to breach Western companies and sell access back to Beijing. Chinese interest focuses on software and security vendors to reach multiple targets efficiently. 

    This comes as Chinese actors have perfected techniques to route attacks through compromised U.S. networks, making them appear domestic and evading NSA scrutiny. China’s 2017 National Intelligence Law obliges organizations and citizens to support state intelligence efforts, creating a large private industrial base for cyber espionage. The scope of this private involvement was revealed by a 2024 leak from Shanghai-based contractor I-Soon, showing coordination with national intelligence agencies and linking its infrastructure to known Chinese nation-state activity clusters, underscoring the close collaboration between state and private cyber actors.

    The white paper observed that the West’s cyber adversaries often blur the lines between state and individual activity, using non-state actors to expand their offensive capabilities. Collaborating with criminal or private elements acts as a force multiplier for geopolitical objectives, enabling destabilization, financial gain, or chaos. This approach is evident in Russian ransomware safe harboring, Iranian faketivism, North Korean state-funded cybercrime, and the sharing of tools between state and non-state actors.

    Beyond criminal activity, nations like China and Russia rely on private contractors to develop malware, command-and-control infrastructure, and advanced cyber tools, creating shadow industries that extend state capabilities. These practices persist because states benefit from the lack of distinction between state and criminal operations. For defenders, this means that assuming low risk because one is not a high-value target is dangerous; even seemingly low-priority organizations may be exploited by opportunistic operators working outside traditional ‘work hours.’

    The white paper outlined mitigations, noting that defending against hacktivism is often the most straightforward aspect of a broader cyber defense strategy. In a report released by Forescout analyzing hacktivist attacks in 2024, it was found that nearly 89% of attacks launched by these groups were distributed denial of service (DDoS) attacks designed to overload servers with large amounts of traffic. These attacks can be mitigated by installing web traffic filters aimed at thwarting large numbers of requests. 
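The filtering step the paragraph describes amounts to counting requests per source over a short window and refusing the excess. The following is an added example, not code from the white paper or from the Forescout report: a sliding-window limiter replayed over constructed Common Log Format lines. The addresses, timestamps and the budget of 5 requests per 10 seconds are all constructed for the example.

```python
"""Sliding-window request throttling over web access-log lines.

Added example, not code from the white paper or the Forescout report: it
shows the core of a 'web traffic filter' that throttles sources sending too
many requests, which the text names as the mitigation for volumetric DDoS.
The log lines, addresses and the 5-requests-per-10-seconds budget are all
constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed Common Log Format sample: 198.51.100.7 bursts 8 requests in
# three seconds, then returns after the window has passed; 203.0.113.9 is a
# normal client; one malformed line checks that the parser skips junk.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2025:13:55:36 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2025:13:55:36 +0000] "GET /login HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2025:13:55:36 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:13:55:36 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:13:55:37 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:13:55:37 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:13:55:37 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:13:55:38 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:13:55:38 +0000] "GET / HTTP/1.1" 200 512
this line is not a valid log record
203.0.113.9 - - [10/Oct/2025:13:55:40 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2025:13:55:45 +0000] "GET /account HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2025:13:55:50 +0000] "GET / HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (source_ip, unix_timestamp) for a CLF line, or None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp()


class SlidingWindowLimiter:
    """Allow at most max_requests per source within any window_seconds span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits = defaultdict(deque)  # source -> timestamps of allowed requests

    def allow(self, source, now):
        q = self._hits[source]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # budget exhausted: this request would be rejected
        q.append(now)
        return True


def filter_log(lines, max_requests=5, window_seconds=10):
    """Replay log lines through the limiter.

    Returns (allowed_lines, blocked_counts) where blocked_counts maps each
    throttled source to the number of requests it would have had rejected.
    """
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    allowed, blocked = [], defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable record: skip rather than crash the filter
        ip, ts = parsed
        if limiter.allow(ip, ts):
            allowed.append(line)
        else:
            blocked[ip] += 1
    return allowed, dict(blocked)


if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE_LOG.splitlines())
    print(f"{len(kept)} requests allowed; throttled sources: {dropped}")
```

Replaying the sample keeps 9 requests and throttles 3 from the bursting source, which is admitted again once its earlier requests age out of the window. In practice the same counting logic runs inside the reverse proxy, WAF or CDN in front of the server rather than in a replay script, and a limiter only helps against floods the server can still see; traffic large enough to saturate the link has to be absorbed upstream by the provider.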

    In general, taking a set of foundational defensive steps can go some way to improving cyber posture. These actions include ensuring that all devices – whether servers, laptops, firewalls, routers, IoT devices, or VPN appliances – are promptly patched when updates are released; enabling multifactor authentication, preferably using time-based or one-time codes, wherever possible; and using a password manager to provide unique, complex passwords for each service. With each group and country tending to have different tactics, techniques, and procedures (TTPs), participating in information-sharing channels is vital to staying abreast of the latest trends and attack vectors.

    Additionally, those responsible for organisational cybersecurity, such as chief information security officers, should ensure that foundational strategic controls are also in place. This includes having a proper backup regime in place and ensuring the restoration process is regularly tested, having an incident response and business continuity plan in place should a threat actor be detected on the organisation’s network, having a full asset inventory to allow patching and detection to cover all endpoints, and conducting regular risk assessments to record where gaps exist and if progress is being made. 
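The inventory and risk-assessment controls above only work if they are repeatable, so the gaps can be compared from one assessment to the next. The following is an added example, not from the white paper: it reconciles a constructed asset inventory against constructed patch-management and EDR exports, lists every host missing patch telemetry, recent patching or a detection agent, flags hosts the EDR sees but the inventory does not, and reduces the result to one coverage figure. The hostnames, dates and the 30-day patch-age threshold are constructed.

```python
"""Reconciling an asset inventory against patch and detection coverage.

Added example, not from the white paper: it implements the 'full asset
inventory' and 'regular risk assessment' controls as a repeatable check that
reports where patching or detection coverage has gaps and gives a single
coverage figure that can be compared between assessments. The hostnames,
dates and the 30-day patch-age threshold are constructed.
"""
from datetime import date

# Constructed authoritative inventory (what the organisation believes it owns).
INVENTORY = [
    {"host": "web-01", "owner": "platform", "tier": "internet-facing"},
    {"host": "db-01", "owner": "data", "tier": "internal"},
    {"host": "hr-laptop-07", "owner": "people", "tier": "endpoint"},
    {"host": "plc-gw-02", "owner": "ot", "tier": "ot"},
]
# Constructed export from patch management: host -> date of last successful patch.
PATCH_STATUS = {
    "web-01": date(2025, 9, 28),
    "db-01": date(2025, 6, 1),
    "hr-laptop-07": date(2025, 10, 1),
}
# Constructed export from the EDR console: hosts whose agent recently checked in.
EDR_ENROLLED = {"web-01", "hr-laptop-07", "build-runner-03"}
TODAY = date(2025, 10, 10)  # assessment date, fixed so the example is reproducible


def assess(inventory, patch_status, edr_enrolled, today, max_patch_age_days=30):
    """Return (findings, coverage_percent).

    findings is a list of (host, issue) tuples; coverage_percent is the share
    of inventoried hosts that are both recently patched and visible to EDR.
    """
    findings = []
    known = {asset["host"] for asset in inventory}
    fully_covered = 0
    for asset in inventory:
        host = asset["host"]
        ok = True
        last = patch_status.get(host)
        if last is None:
            findings.append((host, "no patch telemetry"))
            ok = False
        else:
            age = (today - last).days
            if age > max_patch_age_days:
                findings.append((host, f"patch age {age}d exceeds {max_patch_age_days}d"))
                ok = False
        if host not in edr_enrolled:
            findings.append((host, "no detection agent"))
            ok = False
        if ok:
            fully_covered += 1
    # Hosts the EDR sees but the inventory does not: unmanaged or shadow assets.
    for host in sorted(edr_enrolled - known):
        findings.append((host, "seen by EDR but absent from inventory"))
    coverage = round(100 * fully_covered / len(inventory)) if inventory else 0
    return findings, coverage


def example_report():
    """Run the assessment on the constructed data."""
    return assess(INVENTORY, PATCH_STATUS, EDR_ENROLLED, TODAY)


if __name__ == "__main__":
    findings, coverage = example_report()
    for host, issue in findings:
        print(f"{host:16} {issue}")
    print(f"coverage: {coverage}% of inventoried hosts patched and monitored")
```

On the constructed data the check reports five gaps (a database host patched 131 days ago and invisible to EDR, an OT gateway with neither patch telemetry nor an agent, and a build runner the EDR knows about but the inventory does not) and a coverage figure of 50%. Recording that figure at each assessment is what turns the list of gaps into evidence of whether progress is being made; the unmanaged-host finding is the one most often missed, because it only appears when two data sources are compared rather than either one being read on its own.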

    As an organisation’s cyber posture matures, it can adopt further strategies to reduce attack surfaces. These include application allowlisting, blocking Microsoft Office macros and internet advertising, introducing network segmentation, and ensuring users have the lowest level of privilege required to perform their duties. With controls such as these in place, should an intrusion occur, the reduced impact of the event and the restricted scope for lateral movement will go some way to preventing catastrophic consequences.
