Skip to main content

The blurring line between nation-state and cyber-criminals

The line between nation states and underground criminal activity has often been thought of as distinct, and something which would never become blurred. However, with each passing hack, the line between the two is becoming fuzzier than it’s ever been. It should come as no surprise that crossover between nation-state advanced persistent threat (APT) groups and underground criminal actors is common. It makes too much sense for both parties: a nation-state shields itself from attribution and culpability, and criminals find someone willing to pay them for their services and stolen data. Here are some examples of this relationship that Intel 471 has detected.

Russian and North Korean cyber-crime activity

Russia is widely known to be involved in a plethora of cyber-criminal activity, ranging from espionage to stealing intellectual property. This includes attempts to steal Covid-19 vaccine research and its suspected involvement in the Solar Winds incident in 2020.

The latter incident involved inserting code into a third-party IT provider’s services. This type of incident, commonly referred to as a “software supply-chain attack,” has been the cornerstone of some of the biggest security incidents of the past decade. This tactic started within the cyber-criminal underground and has become a hallmark of elite-level, nation-state hacking groups that have refined it to maximise its impact.

Similarly to threat actors backed by the Russian government, actors backed by North Korea (DPRK) are also widely known to conduct a variety of activities against organisations. Moreover, there are known links between criminals and DPRK nation-state actors, particularly that of Lazarus Group. Lazarus, according to our analysis, is linked to high-profile attacks against SWIFT payment gateways and other financial institutions.

More recently, DPRK threat actors have been indicted by the US government for plans to steal and extort more than $1.3 billion from financial institutions and businesses.

It is not surprising that both DPRK and Russian nation-state threat actors maintain trusted relationships, often with criminals within the cyber-criminal underground. One example of this is the relationship between DPRK threat actors and Russian cyber-criminal group TA505. Intel 471 has reported that Trickbot malware used by TA505 operators has been linked to Lazarus infections.

Intel 471 Forward Look

This type of crossover in tactics, techniques and procedures (TTPs) used by criminal underground actors and nation-state actors can be explained in a number of ways. Firstly, nation-state APTs have tapped into the underground, using it for products, goods and services. For example, APTs may purchase code used in supply-chain attacks and then modify it to fit their needs. Additionally, criminal actors providing products, goods or services have been persuaded by nation-states through a variety of methods to conduct work alongside them or on their behalf.

The trend of crossover between nation-states and the cyber-criminal underground is likely to continue for the foreseeable future, especially with this symbiotic relationship being a win-win for both parties. Cyber-criminals can monetise accesses and glean data of interest while nation-state actors can gather confidential information or intellectual property.

Over the next six to 12 months, it is likely that we will see a number of attacks against a plethora of organisations by this partnership, all in the pursuit of data or money. Both are of vital importance to both parties, especially for nation-state actors such as North Korea, who may want to steal money in order to fund government programmes – to build a nuclear weapon, for example.

The question for the future is not whether the line between nation-state and cyber-crime will continue to blur. This should be evident by now. The real question is, what nation-state threat actors will continue to act like cyber-criminals?

About Intel 471

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using near-real-time insights into the latest malicious actors, relationships, threat patterns, and imminent attacks relevant to their businesses. Our TITAN platform collects, interprets, structures, and validates human-led, automation-enhanced results. Clients across the globe leverage this threat intelligence with our proprietary framework to map the criminal underground, zero in on key activity, and align their resources and reporting to business requirements. Intel 471 serves as a trusted advisor to security teams, offering ongoing trend analysis and supporting your use of the platform.

By Brad Crompton, Cyber Threat Intelligence Analyst, Intel 471

Learn more at


All rights reserved Teiss Recruitment Ltd.