APT vs. Cybercriminal Groups: Understanding Their Differences and Overlaps
Published 2025-1-9 15:22:56, author: krypt3ia.wordpress.com

The cyber threat landscape is dominated by two key adversaries: Advanced Persistent Threats (APTs) and organized cybercriminal groups. While both engage in malicious cyber activity, their motives, techniques, and operational structures reveal notable distinctions. At the same time, overlaps in their methodologies and alliances create a complex threat matrix that demands a nuanced understanding of today's evolving environment.

More and more, APT and nation state actors have been leveraging criminal groups for initial access, recruitment, financial gain, and as cover for their larger aims. Some criminal groups are pressed into working for state-aligned groups, such as those of Russia, while others may not even know that they are working with or for a nation state. The primary example of this cooperation is the criminal actors based in Russia, who are relatively safe from arrest as long as they do not commit crimes against Russian state assets or citizens. The safe harbor model that Russia has created will likely be mirrored by other nation states if it serves their ultimate goals.

This post unpacks the differences and intersections between APTs and cybercriminal groups, providing insights into their operations and the challenges they pose.


Key Differences Between APTs and Cybercriminal Groups

Motivation

  • APTs: Primarily driven by political, economic, or military objectives, APTs are typically linked to nation-states. Their goals often include:
    • Espionage: Stealing intellectual property, trade secrets, or state secrets.
    • Sabotage: Disrupting critical infrastructure or government operations.
    • Influence: Conducting disinformation campaigns or targeting electoral systems.
  • Cybercriminal Groups: These groups are profit-motivated, focusing on financial gain through:
    • Ransomware attacks and extortion.
    • Financial fraud, such as stealing credit card details or engaging in cryptocurrency theft.
    • Selling stolen data on dark web marketplaces.

As stated at the top of this report, these motivations are now getting murky due to the hybridization of these actor sets, which work together or are used by each other for other goals. The ransomware activities of the DPRK are a prime example of nation state groups not only performing financially motivated criminal activity but also using the resulting access and extortion to further national goals that include espionage.

As these ecosystems evolve, it is highly likely that we will see more of this activity, making it harder to investigate and to prosecute.


Targets

  • APTs: Their targets are typically high-value entities, including:
    • Government agencies.
    • Defense contractors.
    • Critical infrastructure sectors (e.g., energy, healthcare, and transportation).
    • Political dissidents and activists.
  • Cybercriminal Groups: These actors often cast a wider net, targeting:
    • Small and medium businesses (SMBs).
    • Enterprises with vulnerable systems.
    • Individual users, particularly for scams and phishing.

Recent events have shown that criminal and nation state actors are now mixing their targeting for various reasons. In the case of ransomware, the targeting of infrastructure (Colonial Pipeline) highlighted that criminal actors can have a large force multiplier effect by taking out infrastructure with a simple ransomware attack, as opposed to the longer-planned operational attacks that nation states may have had underway.

Today, supply chain attacks, combined with the general interconnectivity of everything and everyone (corporations included, as well as the infrastructures they own and manage), have proven very effective as a means to other ends that a nation state would like to achieve. All of these cases have opened the eyes of nation states to the notion that criminal actors can be conveniently used.


Techniques and Tactics

  • APTs:
    • Sophistication: They employ advanced, stealthy techniques to maintain persistence over long periods.
    • Zero-Day Exploits: APTs frequently leverage undisclosed vulnerabilities, giving them an edge in avoiding detection.
    • Operational Patience: These actors often infiltrate systems for months or years, quietly exfiltrating data or positioning themselves for strategic impact.
  • Cybercriminal Groups:
    • Speed Over Stealth: Cybercriminals prioritize quick monetary rewards, often deploying ransomware or selling stolen data immediately.
    • Commodity Malware: Many rely on off-the-shelf tools or ransomware-as-a-service (RaaS) offerings.
    • Scalable Attacks: Cybercriminals frequently use phishing campaigns or automated tools to compromise multiple targets simultaneously.

Given the coalescing of criminal and nation state actors for operations, the notion that only a nation state could afford a 0day is outdated. Criminal forums today often sell not only data but 0days as well, and nation state actors have been known to frequent these places seeking anything they could use.

Additionally, the trade-off between patience and speed is still part of operational decisions, but with the hybridizing of these groups the operational tempo can in fact be sped up by using the criminal actor group as a diversion or for initial access in a signal-to-noise attack.

It has also been noted that certain APT actor groups have used commodity malware to obfuscate their activities and to bypass EDR solutions and other means of detection and deterrence in furtherance of their goals.


Operational Structure

  • APTs:
    • State Sponsorship: APTs often operate under the directive or protection of nation-states, providing them with substantial resources and immunity from local law enforcement.
    • Highly Skilled Teams: These groups comprise highly trained professionals with expertise in cyber operations, intelligence analysis, and exploit development.
  • Cybercriminal Groups:
    • Decentralized Networks: Organized crime groups are often less hierarchical, with loose affiliations of developers, affiliates, and intermediaries.
    • Profit-Driven Specialization: Members may specialize in particular activities, such as malware development, money laundering, or phishing kit creation.

Again, these structures have merged in the last few years, making it harder to determine who may be behind the attacks being perpetrated. Many ransomware-as-a-service (RaaS) operations today are very professional, even if many of the individuals within them are young and brash.

Motivations are becoming more nuanced, and financial gain now works for every group, considering that many ransomware attacks yield millions in profit from organizations that decide to pay up once they are locked out. Once again, the case of the DPRK shows how the weaponization of ransomware has given it financial access that the Hermit Kingdom otherwise lacks, and the funds from those activities have financed its nuclear programs as well as its nation state APT activities.


Challenges in Differentiating Between APTs and Cybercriminal Groups

Attribution Complexity: The use of similar TTPs makes it difficult to attribute attacks to a nation-state or a criminal syndicate. Threat actors often mimic each other to confuse investigators.

Hybrid Operations: Groups may shift between APT and criminal roles based on circumstances. For example, a cybercriminal group might align temporarily with a nation-state to carry out specific attacks.

Evolving Tactics: The fluid nature of cyber operations means groups frequently adopt each other’s strategies, blurring the lines between state-sponsored and criminal activities.

All of this cross-pollination of groups, actors, tactics, and techniques, and the general blurring of lines, makes it ever more difficult to defend systems and networks from a force-multiplied adversary threatscape today. This muddying of the waters, and the creativity it affords the actor sets as they pick up TTPs from each other, makes it all the more complicated for blue teams.

As we move forward, I personally would like to see more CTI operations take this into account and not solely focus on the nation state actors over everything else. In fact, I believe the MITRE ATT&CK framework now has a criminal version as well that should be leveraged in performing your CTI and hunt work today.

However, all too often the scope is too small and things are missed.


Conclusion

Understanding the distinctions and overlaps between APTs and cybercriminal groups is crucial for developing effective defense strategies. While their motives and approaches may differ, the convergence of techniques and shared ecosystems increases their collective threat. By staying informed and adopting a multi-layered security approach, organizations can better protect themselves against these formidable adversaries.

The crossover effects we have been seeing in these last couple of years should be a wake-up call for everyone in CTI at the least; more generally, the security community needs to understand that this is in fact happening and that operational understanding should change accordingly.

~K


Source: https://krypt3ia.wordpress.com/2025/01/09/apt-vs-cybercriminal-groups-understanding-their-differences-and-overlaps/