Brian Sims
Editor
ANALYSIS OUTLINED in the NCC Group’s latest Threat Intelligence Report has revealed ransomware activity remained high throughout May, with 749 incidents recorded globally. While overall ransomware activity plateaued month-on-month, the data reinforces the raised baseline observed so far throughout 2026.
Industrials remained the most targeted sector, accounting for 29% of recorded attacks, while North America continued to be the most affected region globally.
Qilin retained its position as the most prolific ransomware operation in May, being responsible for 15% of all observed attacks. Meanwhile, The Gentlemen ranked as the second most active threat actor for the second consecutive month, suggesting the relatively new group is continuing to establish itself within the ransomware ecosystem.
Adopting cyber criminal tactics
This month’s Threat Intelligence Report highlights growing evidence that nation state actors are increasingly leveraging tools, infrastructure and operational models traditionally associated with financially motivated cyber crime to disguise espionage and intelligence-gathering operations.
The NCC Group’s analysis follows reports linking an Iranian state-backed MuddyWater campaign to activity disguised as Chaos ransomware. Researchers found the operation incorporated ransomware branding, extortion notes and victim negotiation channels in an apparent effort to mask its true objectives and complicate attribution.
Matt Hull, vice-president of cyber intelligence and response at the NCC Group, said: “Historically, organisations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation state operations designed to support strategic objectives. That distinction is becoming increasingly difficult to make.”
Hull continued: “What we’re seeing is a convergence of criminal and state-backed activity. Threat actors are sharing infrastructure, adopting common tooling and, in some cases, deliberately operating behind established ransomware brands to obscure attribution and delay response efforts.”
Embellishing that last point, Hull observed: “This creates a more complex threat environment. Organisations can no longer assume a ransomware incident is purely financially motivated. Understanding an adversary’s behaviour, objectives and operational context is becoming just as important as identifying the malware or ransomware group involved.”
Rising geopolitical tensions
The detailed report suggests that growing strategic competition between China and the United States, alongside increasing geopolitical tensions across the Indo-Pacific region, may drive further cyber espionage activity from state-aligned threat actors. Organisations operating within critical infrastructure, supply chains and strategically significant sectors are likely to remain attractive targets for intelligence gathering and long-term network access operations.
Further, the research highlights evolving Artificial Intelligence (AI)-assisted cyber crime capabilities. This month’s analysis examined Kitana, an ‘adversary-in-the-middle’ fraud platform identified by the NCC Group, which demonstrates how AI-assisted development is accelerating cyber criminal tooling, while lowering barriers to entry for less sophisticated actors.
*Further information is available online at www.nccgroup.com/uk
Western Business Media Limited
Dorset House
64 High Street
East Grinstead
RH19 3DE
UNITED KINGDOM