Cybercrime evolving into national security threat: Google
Cybercrime continues to expand and evolve and has become a national security-level threat that is enabling more attacks by state-backed groups, Google warned in a new report.
Released ahead of the Munich Security Conference, the Google Threat Intelligence Group and Mandiant research covers their investigations throughout 2024 and observations from the last four years.
Mandiant consultants responded to almost four times as many intrusions conducted by financially motivated actors as state-backed intrusions in 2024. But Google experts found that state-backed groups were leveraging the expansion of the cybercriminal ecosystem for their own benefit.
State-backed activity, they said, can no longer be evaluated “in isolation from financially-motivated intrusions.”
“The vast cybercriminal ecosystem has acted as an accelerant for state-sponsored hacking, providing malware, vulnerabilities, and in some cases full-spectrum operations to states,” said Ben Read, senior manager at Google Threat Intelligence Group.
“These capabilities can be cheaper and more deniable than those developed directly by a state. These threats have been looked at as distinct for too long, but the reality is that combating cybercrime will help defend against state-backed attacks.”
The report notes that despite the increasing volume of cybercrime, it receives much less attention from national security practitioners compared to incidents involving state-backed groups.
The rapid evolution of cybercrime has also facilitated state-backed hacking efforts, providing governments with a breeding ground for talent and allowing states to simply purchase cyber capabilities or co-opt criminal operations for their own purposes.
Russia, Iran, China and North Korea have all in their own way brought cybercriminals into the fold to support various initiatives and operations.
Several notable ransomware gangs turned their focus to Ukraine after Russia’s invasion, and state-backed operations like APT44, APT29, UNC2589 and Turla have all shown evidence of exploiting information or access obtained by criminal organizations.
Many Chinese as well as Iranian espionage groups often supplement their income with cybercrime. North Korea has become well-known for its financially motivated attacks on the cryptocurrency industry and for its wide-ranging scheme to get IT workers hired across the U.S. and Europe.
Google warned that the overlaps do not mean the solutions to cybercrime are the same as those for nation-state attacks. Cybercrime, they said, typically involves collaboration between disparate groups across borders — meaning any solution would require international cooperation.
“Cybercrime has unquestionably become a critical national security threat to countries around the world. The marketplace at the center of the cybercrime ecosystem has made every actor easily replaceable and the whole problem resilient to disruption,” said Sandra Joyce, vice president of Google Threat Intelligence.
“Unfortunately, many of our actions have amounted to temporary inconveniences for these criminals, but we can't treat this like a nuisance and we will have to work harder to make meaningful impacts.”
The researchers added that financially motivated cyberattacks on healthcare institutions are an area of particular concern. Studies continue to show the tangible effect on patient health outcomes that occurs among hospitals hit with ransomware.
Google said the share of posts on data leak sites related to healthcare has doubled over the past three years, at the same time as the number of data leak sites tracked by the company’s researchers has increased by nearly 50% year-over-year.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.