Financially motivated hackers are helping their espionage counterparts and vice versa
arstechnica.com
MANY HANDS, LIGHT WORK

Two players who mostly worked independently are increasingly collaborative.

Dan Goodin, Feb 13, 2025 6:00 am

Credit: Lino Mirgeler/picture alliance via Getty Images

There's a growing collaboration between hacking groups engaging in espionage on behalf of nation-states and those seeking financial gains through ransomware and other forms of cybercrime, researchers noted this week.

There has always been some level of overlap between these two groups, but it has become more pronounced in recent years. On Tuesday, the Google-owned Mandiant security firm said the uptick comes amid tighter purse strings and as a means for concealing nation-state-sponsored espionage by making it blend in with financially motivated cyberattacks.

Opportunities abound

"Modern cybercriminals are likely to specialize in a particular area of cybercrime and partner with other entities with diverse specializations to conduct operations," Mandiant researchers explained. "The specialization of cybercrime capabilities presents an opportunity for state-backed groups to simply show up as another customer for a group that normally sells to other criminals. Purchasing malware, credentials, or other key resources from illicit forums can be cheaper for state-backed groups than developing them in-house, while also providing some ability to blend in to financially motivated operations and attract less notice."

The report noted an increase in the sharing of malware between cybercrime groups and the governments of Russia, China, and Iran. The sharing goes both ways.
Examples of threat actors working for these governments include:

- The use by the Russian-state hacking group APT44 of multiple pieces of crimeware with names including DarkCrystalRat, WarZone, and RadThief. APT44 has also used the hosting infrastructure of a well-known bulletproof host. Bulletproof hosts provide services that are tailored to cybercriminals to ensure their operations aren't taken down by law enforcement.
- The use of the same RadThief malware by an Iranian-state actor tracked as UNC5203.
- A China-state espionage operator tracked as UNC2286 repeatedly using the SteamTrain ransomware along with a ransomware note from a different group tracked as DarkSide.

On Thursday, researchers with the Symantec security firm reported on a collaboration that worked the other way: use by the RA World ransomware group of a distinct toolset that previously has been seen used only in espionage operations by a China-linked threat group.

The toolset, first spotted in July, was a variant of PlugX, a custom backdoor. Timestamps in the toolset were identical to those found by security firm Palo Alto Networks in the Thor PlugX variant, which company researchers linked to a Chinese espionage group tracked under the names Fireant, Mustang Panda, and Earth Preta. The variant also had similarities to the PlugX type 2 variant found by security firm Trend Micro.

Further espionage attacks involving the same PlugX variant occurred in August, when the attacker compromised the government of a southeastern European country. That same month, the attacker compromised a government ministry in a Southeast Asian country. In September 2024, the attacker compromised a telecoms operator in that region, and in January, the attacker targeted a government ministry in another Southeast Asian country.

Symantec researchers have competing theories about the reason for this collaboration:

"There is evidence to suggest that this attacker may have been involved in ransomware for some time. In a report on RA World attacks, Palo Alto said that it had found some links to Bronze Starlight (aka Emperor Dragonfly), a China-based actor that deploys different ransomware payloads. One of the tools used in this ransomware attack was a proxy tool called NPS, which was created by a China-based developer. This has previously been used by Bronze Starlight. SentinelOne, meanwhile, reported that Bronze Starlight had been involved in attacks involving the LockFile, AtomSilo, NightSky, and LockBit ransomware families.

"It is unclear why an actor who appears to be linked to espionage operations is also mounting a ransomware attack. While this is not unusual for North Korean threat actors to engage in financially motivated attacks to subsidize their operations, there is no similar history for China-based espionage threat actors, and there is no obvious reason why they would pursue this strategy.

"Another possibility is that the ransomware was used to cover up evidence of the intrusion or act as a decoy to draw attention away from the true nature of the espionage attacks. However, the ransomware deployment was not very effective at covering up the tools used in the intrusion, particularly those linking it back to prior espionage attacks. Secondly, the ransomware target was not a strategically significant organization and was something of an outlier compared to the espionage targets. It seems unusual that the attacker would go to such lengths to cover up the nature of their campaign. Finally, the attacker seemed to be serious about collecting a ransom from the victim and appeared to have spent time corresponding with them. This usually wouldn't be the case if the ransomware attack was simply a diversion.

"The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer's toolkit."

Tuesday's report from Mandiant also noted the use of state-sponsored malware by crime groups.
Mandiant researchers also reported observing what they believe are "Dual Motive" groups that seek both financial gain and access for espionage.