Why Biasing Advanced Persistent Threats over Cybercrime is a Security Risk

No small threat: tactics used by cybercriminals can be just as devastating as those deployed by state actors



Once reserved for nation-state actors, advanced and persistent cyber tactics are now common among cybercriminals, making them equally devastating in today’s threat landscape.

It’s time to rethink what the cybersecurity industry considers ‘advanced persistent threats’ (APTs). The word ‘advanced’ says it all: these government-backed hackers are considered better, more important, more worthy of money and attention. But if this was ever true, it’s not true anymore. 

Historically, this moniker has been applied to espionage threat actors operating on behalf of governments worldwide, whose activities can have huge impacts on national security: from stealing intellectual property to bolster economies and innovation, to pre-positioning in critical infrastructure to potentially have disruptive effects. The term APT was reportedly first coined in 2007 by US Air Force Colonel Greg Rattray. In 2013, Mandiant’s landmark APT1 report on Chinese cyberespionage made the term an industry standard for characterising states’ cyber operations.

These actors – especially the ‘big four’ of China, Russia, Iran and North Korea – also used to be considered much more technically sophisticated than your average cybercriminal. But such impacts and technical capabilities are no longer solely the realm of foreign state adversaries. 

The truth is that foreign government adversaries no longer have a monopoly on sophistication or persistence. Cybercriminals have just as much if not more of an impact on the Western world.

Cybercriminals – especially big-game hunting ransomware and the ecosystem that supports it – have spent years eroding people’s trust and confidence in the systems, businesses, governments and communities most critical to our wellbeing. Cybercrime has grown from a curious, pesky problem to an economically and technically disruptive scourge on society.

Now, as cybercrime actors adopt more of the technical traits of state actors – zero-day vulnerabilities, improved social engineering, dynamic attack chains that cause defenders headaches – it’s past time to recognise that the damage they’ve caused is on par with the egregious attacks we've observed and attributed to state actors. Continuing to get this wrong means continuing to fail to defend ourselves adequately against the biggest threats.

Digital spying by foreign state adversaries is still important. However, in biasing themselves towards ‘APT versus cybercrime’, information security and cybersecurity practitioners create a false dichotomy that pushes resources, attention and support to areas that don’t always align with the greatest organisational or national risk and impacts.


Cybercriminals have amassed the money, resources and techniques to operate at a level once thought the exclusive domain of government intelligence. Some of them have been known to work with state intelligence operations on the side. We have increasingly seen examples of state actors adopting techniques first developed and perfected by cybercrime threat actors. 

For years, cybercriminals have relentlessly targeted organisations globally, causing billions of dollars in losses and damages. Not only do these attacks disrupt business operations, but they also impact people’s lives and livelihoods. Attacks can also cause follow-on problems and fear within communities: hospitals closing their doors, leaving people without care or postponing procedures; stranded drivers waiting in gas stations for hours while nerves fray about potential shortages; or classes cancelled and students suffering while network outages plague educational institutions. Cyber war is here, and it’s being waged by criminals against some of the most vulnerable and critical systems supporting vital aspects of living in a healthy, functioning world. 

Historically, people thought that financially motivated attacks were ‘just cybercrime’. It’s time to change the industry’s thinking and recognise that some of the most successful cybercriminals are the most persistent and sophisticated threats. 

Cybercrime is APT

To understand how we got to the point of cybercrime becoming a billion-dollar national security threat, it’s important to understand where we came from. 

The early to mid-2000s brought us consumer-focused ransomware, asking for small payments to unlock the family photo album. But around 2007, banking trojans became a favourite payload of the criminal underworld, and Zeus and Gozi kickstarted a business model where threat actors started targeting banking details directly. When Bitcoin emerged in 2009, it massively disrupted the criminal ecosystem, dropping the need for people to steal and launder real money and instead allowing them to use cryptocurrency. Gameover ZeuS and Cryptolocker ransomware were massively successful operations that adopted the pivot to cryptocurrency and big-game hunting, launching the age of the cybercrime kingpin in the mid-2010s. From 2014 to 2016, Emotet, Trickbot and Dridex entered the scene, and while these notorious botnets started off as banking trojans, they became key loaders for ransomware which, in conjunction with ransomware-as-a-service operations like Ryuk and REvil, ushered in a new era of cybercrime. Double extortion – stealing data before encryption to hold as an additional ransom – became popular around 2019 and transformed the ransomware landscape, adding an additional layer of risk to the enterprise and to personal data. Fast-forward to today and we are seeing cybercriminal threat actors adopt a variety of complicated and effective attack chains for initial access, including the use of zero days and multi-channel attacks, as well as leveraging compelling social engineering. 

The recent increase in sophistication was catalysed in part by Microsoft disabling macros (commands that automate tasks) downloaded from the internet by default. Since the end of 2022, cybercrime threat actors – including many initial access brokers – have become much more innovative. Gone are the days of clicking ‘enable macros’ to deliver a payload. Now, threat actors are coming up with new and different attack chains, including leveraging unusual filetypes and scripts, abusing legitimate software and services, exploiting vulnerabilities, and using cloud and messaging applications to try any way available to deliver malware or steal information. 

The threat landscape is increasingly dynamic, requiring defenders to be proactive in identifying, monitoring and responding to threats. Take TA577, one of the most prolific initial access brokers (also known as the Qbot ‘tr’ threat actor). It went from exclusively delivering macro-enabled documents for payload delivery to experimenting with dozens of different techniques across attack chains, sometimes testing multiple delivery chains on the same day. Notably, this actor has not been observed in email threat data since June 2024, and its activity dropped off significantly after Operation Endgame was announced in May.

Figure: Volume and variety of TA577 techniques observed in email threat data. Data courtesy of Proofpoint.

Black Basta – the ransomware that third-party researchers have associated with TA577 payload deliveries – is still active and being delivered via social engineering, for example in campaigns using Microsoft Teams to deliver remote management tools. 

Experimentation across the cybercrime ecosystem has also led to state actors copying the same techniques. For example, in August 2024, China-aligned espionage threat actors used an attack chain with many criminal characteristics – such as the use of TryCloudflare Tunnels, file schema URIs leading to external file sharing resources for payload delivery, and the abuse of Microsoft search-ms – to deliver customised malware they called Voldemort. Additionally, in October 2024, Ukraine CERT published details on a suspected Russian espionage actor using a fake CAPTCHA ClickFix technique, first identified in use by multiple cybercriminal threat actors, in campaigns targeting government entities in Ukraine. And North Korea has been using techniques pioneered by cybercriminal threats to steal money to fund nuclear weapons development for years. 

Sophisticated exploit and technique development is now done by criminals because they can afford it. According to blockchain analysis firm Chainalysis, 2024 is set to be the highest-grossing year for ransomware payments, expected to top the $1 billion made by ransomware in 2023. Ransomware and its supporting operations are a very successful business. As we learned from the Conti Leaks back in 2022, such cybercrime enterprises have the structure, the investment, the human resources and the capabilities to build sophisticated tooling to enrich themselves. 

Cybercriminals have also been known to work on behalf of state adversaries, including high-profile Russian cybercrime operatives. In some cases, criminals have bought access from APT actors like Iranian adversaries acting as initial access brokers, according to a report from the US Cybersecurity and Infrastructure Security Agency earlier this year. 

When cybercrime actors develop exploits, insulate their infrastructure, scale their operations and continually test efficacy, they are in many ways just as advanced as some of the most dangerous state-backed adversaries. 

Changing the Mindset

The reality is that most organisations are at a far greater risk of being targeted by cybercriminals than state intelligence agencies. 

By focusing on the tactics, techniques and procedures deployed by these adversaries, we can disrupt operations, build collective defence and prevent exploitation regardless of attribution.


The cyber threat intelligence industry is strongly rooted in a military-government mindset, in large part because so many people doing the work in private industry came from the national security space. These people bring with them the mission and objectives learned in the public sector. This can result in a bias towards espionage and spying over the many threats that have real-world impacts on a much greater number of people.

State actors typically pursue long-term, strategic objectives, and often there is no visible or immediate harm to the targeted organisation. Cybercriminals want to hurt people and businesses to make money.

By focusing on disrupting cybercrime, defenders can have an immediate positive human impact and make threat actors’ lives much harder. Historically, in focusing mainly on APT, law enforcement, government and defenders have missed opportunities to disrupt cybercrime, contributing to the strength of the modern ecosystem. But that is changing.

In 2024, international public and private sector collaboration resulted in two monumental takedowns of cybercriminal threat activity that are still having considerable impacts on ecrime operations: Operation Endgame and the LockBit ransomware disruption. Operation Endgame in particular had far-reaching impacts. Europol called it the ‘largest ever operation against botnets, which play a major role in the deployment of ransomware’, and it disrupted the infrastructure of IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee and Trickbot. These malware families played a major role in the initial access broker ecosystem and were used by some of the most sophisticated cybercrime adversaries. 

In the weeks following Operation Endgame, cybercriminal activity from some of the most prominent threat actors operating in email with the targeted loaders decreased. And while some threat actors whose malware operations were disrupted are slowly returning, overall, the targeting of the loader ecosystem that enables ransomware activity appears to have been a success. It is likely we will see the emergence of new favoured payloads and updated attack chains from these impacted threat actors, because every disruption forces hackers to retool and reconsider their behaviours. But beyond tooling, the impacts across the ecosystem disrupt partnerships, trust and collaboration between groups, which is never good for business.

Now is the time to focus on cybercrime. There is an inherent ‘cool factor’ in APT that influences decision-makers – and security practitioners – to care about them differently. How we communicate threats impacts how organisations, law enforcement, and defenders prioritise and deal with them. In reframing APT and the importance of cybercrime, we can change the mindset from ‘who did this?’ to ‘what is the risk and impact?’. In doing so, we can build defences against behaviours regardless of the perpetrators, and make our digital world much safer and more resilient. 

© Selena Larson, 2024, published by RUSI with permission of the author

The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
