
The Line Between Nation States and Cybercrime Is Blurring: That’s Bad News for CISOs
Everyone’s feeling more worried about geopolitical risk these days. That’s due largely to the chaos engulfing Washington, although global tensions have been building for some time. The most recent World Economic Forum (WEF) Global Risks Report, for example, claims that the risk “most likely to present a material crisis on a global scale in 2025” is a “state-based armed conflict.” It joins “cyber insecurity” and “misinformation and disinformation” on the list of top 10 biggest short-term risks.
Cyber will be a key domain for the big power rivalry set to define the coming decades. Yet the associated risks for CISOs and their organisations are increasingly hard to define. That’s because the once clear demarcation between nation-state and cybercrime activity is beginning to blur. Security leaders will need to rely on industry best practices to navigate these uncharted waters safely.
The Rules Are Changing
Both Microsoft and Google Mandiant have recently documented the growing crossover between nation-state campaigns and cybercrime. In many ways, this is not a new phenomenon. However, recent events are exacerbating the problem. The Google report notes that “the heightened level of cyber activity following Russia’s war in Ukraine has shown that, in times of heightened need, the latent talent pool of cybercriminals can be paid or coerced to support state goals”.
There are several aspects to this:
1. Nation states using off-the-shelf cybercrime tools and services
This has several benefits for governments. Using pre-built cybercrime tools is cheaper than developing custom alternatives in-house. It helps to obfuscate the true origin or intent of attacks. And such tools “can be operationalised on short notice without immediate links to past operations”, according to Google.
State-backed groups might buy or rent malware and exploits, credentials, botnet infrastructure, stolen information, initial access or other offerings easily located on the cybercrime underground. For example:
- Microsoft claimed in December 2024 that the Russian Turla (Secret Blizzard) group was using Amadey bot malware linked to cybercrime activity, in order to target Ukrainian military entities.
- In May 2024, Google identified an Iranian group, UNC5203, using the RADTHIEF backdoor in an operation targeting the Israeli nuclear research industry.
- Chinese group UNC2286 used STEAMTRAIN ransomware and a ransom note associated with the DarkSide group in order to hide what was a cyber-espionage campaign, Google says.
2. Co-opting of cybercrime groups
Nation states are also reaching out to cybercriminals personally to enlist their help. Once again, this can reduce costs, free up internal staff to work on more strategic goals and enhance plausible deniability. We can see this with:
- Russian FSB group Aqua Blizzard which “handed off” access to 34 compromised Ukrainian devices to cybercrime group Storm-0593 for post-exploitation work, according to Microsoft
- The Cigar (RomCom) cybercrime gang, which has conducted “espionage operations” against the Ukrainian government since 2022, Google says
- Chinese private sector cybersecurity firm i-Soon, which the US recently sanctioned, and which apparently ran hacking-for-hire operations for Beijing between 2016 and 2023, charging $10,000-$75,000 per compromised email inbox, and also earned money by training government law enforcers.
3. Allowing state hackers to moonlight
There is a growing number of examples where ostensibly state-sponsored groups are being allowed to make money on the side. According to Google, “this can allow a government to offset direct costs that would be required to maintain groups with robust capabilities”. Examples include:
- Prolific Chinese threat group APT41, which has a “long history” of financially motivated activity, according to Google. This includes ransomware targeting the video game sector and even the theft of COVID relief funds.
- Iran group UNC757, which was discovered last year, collaborating with ransomware affiliates from NoEscape, RansomHouse and ALPHV.
4. Nation states behaving like cybercrime groups
This one refers almost exclusively to North Korea, which targets financial and crypto firms for funds to support its nuclear and missile programmes. Most recently:
- North Korean state hackers were blamed for the biggest-ever cyber heist when $1.5bn in crypto was stolen from Bybit.
- A growing trend of North Korean IT workers tricking Western companies into employing them has emerged. Once in place and working remotely, they send their salaries back to Pyongyang. The fraudsters can also use privileged access to steal sensitive information and/or extort their former employers once their role has been terminated. It’s a threat that will increase as AI makes it easier to create convincing fake personas.
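The last point above names a concrete control failure: access that outlives the role it was granted for. One routine defensive check is to reconcile HR leaver records against the identity provider and flag accounts that are still enabled, or that show sign-ins, after the owner's termination date, plus accounts with no HR owner at all. The script below is an added illustration, not code from the article or from any of the vendors quoted in it; the record formats, employee IDs, usernames and dates are constructed for the example, and the 24-hour grace period is an assumed policy value.

```python
"""Reconcile HR leaver records against identity-provider accounts.

Added illustration (not from the article): flags accounts that remain
enabled after the owner's role ended, accounts with sign-ins after the
termination date, and enabled accounts with no HR owner. All sample
data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class HrRecord:
    employee_id: str
    status: str                      # "active" or "terminated"
    terminated_at: Optional[datetime]


@dataclass
class IamAccount:
    username: str
    employee_id: Optional[str]       # None for accounts with no HR owner
    enabled: bool
    privileged: bool                 # holds an admin or privileged role
    last_login: Optional[datetime]


@dataclass
class Finding:
    username: str
    issue: str
    severity: str


def reconcile(hr_records: List[HrRecord], accounts: List[IamAccount],
              now: datetime, grace: timedelta = timedelta(hours=24)) -> List[Finding]:
    """Return findings for accounts whose access outlived the HR record.

    `grace` (assumed policy value) is how long an account may stay enabled
    after termination before it is reported; sign-ins after the termination
    date are reported regardless of the grace period.
    """
    by_id = {r.employee_id: r for r in hr_records}
    findings: List[Finding] = []
    for acct in accounts:
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            # No HR owner: nobody is accountable for this identity, which is
            # a common blind spot in asset and identity inventories.
            if acct.enabled:
                findings.append(Finding(acct.username, "enabled account with no HR owner",
                                        "high" if acct.privileged else "medium"))
            continue
        if rec.status != "terminated" or rec.terminated_at is None:
            continue
        ended = rec.terminated_at
        if acct.enabled and now - ended > grace:
            findings.append(Finding(acct.username,
                                    f"still enabled {(now - ended).days}d after termination",
                                    "critical" if acct.privileged else "high"))
        if acct.last_login is not None and acct.last_login > ended:
            findings.append(Finding(acct.username, "sign-in after termination date", "critical"))
    return findings


def run_example() -> List[Finding]:
    """Run the reconciliation over constructed sample records."""
    utc = timezone.utc
    now = datetime(2025, 3, 10, 12, 0, tzinfo=utc)
    hr = [
        HrRecord("E100", "active", None),
        HrRecord("E200", "terminated", datetime(2025, 3, 1, 0, 0, tzinfo=utc)),
        HrRecord("E300", "terminated", datetime(2025, 3, 10, 9, 0, tzinfo=utc)),  # inside grace
    ]
    accounts = [
        IamAccount("alice", "E100", True, False, datetime(2025, 3, 9, 8, 0, tzinfo=utc)),
        # Privileged account left enabled and used after the leaver's end date.
        IamAccount("bob", "E200", True, True, datetime(2025, 3, 5, 22, 0, tzinfo=utc)),
        IamAccount("bob-admin", "E200", False, True, datetime(2025, 2, 20, 10, 0, tzinfo=utc)),
        IamAccount("carol", "E300", True, False, datetime(2025, 3, 9, 17, 0, tzinfo=utc)),
        # Service account with no HR owner recorded.
        IamAccount("svc-backup", None, True, True, None),
    ]
    return reconcile(hr, accounts, now)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] {f.username}: {f.issue}")
```

Running the module prints one line per finding; in the sample data, `bob` is reported twice (still enabled nine days after termination, and a sign-in after the end date) and `svc-backup` is reported as an ownerless enabled account, while `carol`, whose termination is inside the grace window, is not. In practice the HR and IAM lists would come from the HR system export and the identity provider's user API, and the sign-in check would draw on the authentication logs.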
What CISOs Can Do
These trends land CISOs with multiple challenges.
“It makes it harder to predict attacker behaviour and increases the risk of collateral damage,” Bugcrowd founder Casey Ellis warns ISMS.online. “For example, a ransomware attack might initially appear financially motivated but could later reveal geopolitical intent. CISOs must now account for a broader range of adversaries, each with varying levels of sophistication, resources, and objectives. On top of this, cyber-criminal groups and government offence teams have very different equities around what they will or won’t do, which adds to the overall unpredictability.”
Without clear attribution, CISOs may also be hamstrung in their response, he adds.
“Strong cybersecurity hygiene – like asset identification, vulnerability management, and incident response planning – remains foundational. However, understanding who is attacking you can refine your defences,” Ellis argues.
“For instance, a state-sponsored threat might target intellectual property, while a cybercriminal group might focus on financial gain. Attribution also informs collaboration with law enforcement and intelligence agencies, helping to address systemic issues like safe havens for attackers.”
If they can understand who is attacking them and why, CISOs can start to craft an effective response, Fenix24 CISO Heath Renfrow tells ISMS.online.
“If it’s cybercriminals, the focus should be on rapid containment, eradication, and hardening defences to prevent repeat attacks. But in the case of nation-state actors, response efforts may require extended monitoring, counter-intelligence tactics, and coordination with government agencies,” he explains. “Hybrid threats demand a multi-layered defence – combining Zero Trust, real-time threat intelligence and post-incident resilience strategies.”
Meanwhile, AI and automation will become increasingly important for CISOs as threats evolve, argues Deepwatch CISO, Chad Cragle.
“AI-driven threat detection and automated response help security teams scale against adversaries that operate at speed and volume. Ultimately, security strategies must be threat-agnostic and adaptable,” he tells ISMS.online.
“As the lines between cybercrime and nation-state activity continue to blur, rigid, siloed security programs will struggle to keep up. Organisations prioritising resilience, adaptability, and intelligence-driven defence will be best positioned to mitigate risk—no matter who is behind the attack.”
Security leaders following standards like ISO 27001 will find it easier to embrace these best practices. And they would be right to do so. An apparent détente between the US and Russia is unlikely to change the long-term threat landscape. Better plan now for a more complex, opaque and dangerous future.