Cybercriminals are increasingly helping states like Russia and Iran target adversaries.
Russia, China and Iran are increasingly relying on criminal networks to lead cyber espionage and hacking operations against adversaries, according to a report on digital threats published on Tuesday by Microsoft.
National security officials and cybersecurity experts say it represents the increasingly blurred lines between actions directed by Beijing or the Kremlin aimed at undermining rivals and the illicit activities of groups typically more interested in financial gain.
For nations like Russia, China, Iran and North Korea, which has its own ties to hacking groups, teaming up with cybercriminals offers a marriage of convenience with benefits for both sides.
Governments can boost the volume and effectiveness of cyber activities without added cost. For the criminals, it offers new avenues for profit and the promise of government protection.
“We’re seeing in each of these countries this trend towards combining nation-state and cybercriminal activities,” said Tom Burt, Microsoft’s vice president of customer security and trust.
So far there is no evidence suggesting that Russia, China or Iran are sharing resources with each other or working with the same criminal networks, Burt said.
But he said the growing use of private cyber “mercenaries” shows how far the countries will go to weaponise the internet.
Analysis of cyber threats
Microsoft’s report analysed cyber threats between July 2023 and June 2024, looking at how criminals and foreign nations are using hacking, spear phishing, malware and other techniques to gain access and control over a target’s system.
The company says its customers face more than 600 million such incidents every day.
Russia focused much of its cyber operations on Ukraine, trying to gain entry into military and government systems and spreading disinformation designed to undermine support for the war among its allies.
Ukraine has responded with its own cyber efforts, including one last week that knocked some Russian state media outlets offline.
Networks tied to Russia, China and Iran have also targeted US voters, using fake websites and social media accounts to spread false and misleading claims about the 2024 election.
Russia and Iran will likely accelerate the pace of their cyber operations targeting the US as election day approaches, Burt said.
China has largely stayed out of the US presidential race, focusing its disinformation on down-ballot races for Congress or state and local office. Microsoft found networks tied to Beijing also continue to target Taiwan and other countries in the region.
In response, a spokesperson for China’s embassy in Washington said allegations that China partners with cybercriminals are groundless and accused the US of spreading its own “disinformation about the so-called Chinese hacking threats”.
In a statement, spokesperson Liu Pengyu said that “our position is consistent and clear. China firmly opposes and combats cyber attacks and cyber theft in all forms”.
Russia and Iran have also rejected accusations that they’re using cyber operations to target Americans. Messages left with representatives of those three nations and North Korea were not immediately returned on Monday.
Efforts to disrupt foreign disinformation and cyber capabilities have escalated along with the threat, but the anonymous, porous nature of the internet sometimes undercuts the effectiveness of the response.
US authorities recently announced plans to seize hundreds of website domains used by Russia to spread election disinformation and to support efforts to hack former US military and intelligence figures.
But investigators at the Atlantic Council’s Digital Forensic Research Lab found that sites seized by the government can easily and quickly be replaced.
Within one day of the Department of Justice seizing several domains in September, for example, researchers spotted 12 new websites created to take their place. One month later, they continue to operate.
