Insights from Google Threat Intelligence Highlight the Expanding Threat of Cybercrime
Cybercrime has become a dominant force in the digital threat landscape, increasingly overshadowing traditional state-sponsored hacking. Comprehensive research from Google Threat Intelligence Group (GTIG) found financially motivated cyber intrusions vastly outnumber state-backed intrusions. "In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions," reports Google. This surge in financially driven attacks places an immense burden on cyber defenders and national security agencies. Cybercrime receives less attention compared to espionage-focused operations, despite its economic and security implications. Google emphasizes that cybercrime should not be analyzed in isolation, as "cybercrime also facilitates state-backed hacking by allowing states to purchase cyber capabilities, or co-opt criminals to conduct state-directed operations to steal data or engage in disruption." This evolving dynamic has enabled nation-states to leverage criminal networks, particularly in Russia, Iran, China, and North Korea, for cyber operations that serve both financial and intelligence-gathering objectives.
One of the most alarming trends GTIG identified is the increase in cyberattacks on healthcare institutions, which have doubled in frequency over the past three years. Data leak sites have proliferated, increasing by nearly 50% annually, with hospitals being frequent victims of ransomware and extortion schemes. The ransomware group Qilin, also known as AGENDA, recently targeted U.S. healthcare organizations, escalating attacks on hospitals and medical clinics throughout 2024. Cybercriminals recognize healthcare as a lucrative target due to its reliance on immediate access to patient data, increasing the likelihood of ransom payments. "A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care," GTIG notes, highlighting the convergence of cybercrime and national security threats. The consequences extend beyond ransom demands—studies have linked ransomware attacks on hospitals to increased patient mortality, supply chain disruptions, and prolonged system outages that delay critical medical services.
The economic impact of cybercrime is extensive, affecting not only individual victims but entire national economies. The Costa Rican government declared a national emergency in 2022 following a crippling ransomware attack by the Conti group, which disrupted tax collection, pension services, and medical systems, halting imports and exports and costing millions in losses. In the United States, a healthcare provider reported $872 million in "unfavorable cyberattack effects" after suffering a major breach. The FBI’s Internet Crime Complaint Center (IC3) estimates that business email compromise (BEC) scams alone have resulted in $55 billion in losses globally over the past decade. Financially motivated attacks place an ongoing strain on economic competitiveness, particularly in smaller or developing nations with limited resources for cybersecurity defenses. The Record reports that "state-backed activity can no longer be evaluated in isolation from financially-motivated intrusions," as cybercriminals often enable state actors by selling access to compromised networks or laundering stolen funds through illicit financial channels.
The intersection of cybercrime and state-backed hacking is particularly evident in Russia's ongoing cyber operations. Russian military intelligence group APT44 (also known as Sandworm) has integrated cybercrime-sourced malware into its espionage and disruptive attacks against Ukraine. The group has used commercially available malware from underground forums, blending state-sponsored hacking with criminal capabilities. Meanwhile, North Korea has taken a direct approach to financially motivated cyber operations, conducting large-scale cryptocurrency heists to fund the regime. GTIG estimates that North Korean cyber actors have stolen approximately $3 billion in cryptocurrency since 2017, targeting exchanges, individual wallets, and blockchain-related services. Additionally, GTIG reports that "operations carried out in support of the state, but by criminal actors, have numerous benefits for their sponsors, including a lower cost and increased deniability." This pattern is also observed in Iranian and Chinese cyber operations, where groups such as UNC5203 and APT41 engage in a hybrid model of espionage and financially driven attacks.
Google Threat Intelligence warns that cybercrime has evolved into a persistent national security threat that requires global cooperation to combat effectively. Law enforcement crackdowns on individual cybercriminal groups have only resulted in temporary disruptions as other actors quickly emerge to fill the void. Addressing this challenge requires coordinated efforts between governments, law enforcement, and private industry to dismantle cybercrime infrastructure, disrupt financial networks, and enforce stricter international cybersecurity regulations. Google emphasizes that "the vast cybercriminal ecosystem has acted as an accelerant for state-sponsored hacking," reinforcing the need for systemic solutions rather than isolated takedowns.