Chinese Threat Group conducting espionage found moonlighting with ransomware

by CybrGPT

For years, cyber threat actors have been launching attacks to spread malware and deploy tools for intelligence gathering, often driven by financial motives. However, a recent development has caught the attention of cybersecurity researchers—state-sponsored hackers assigned to espionage operations are now moonlighting as ransomware operators.

Moonlighting, in technical terms, refers to employees using official resources for a second job without their primary employer’s knowledge. This practice results in losses for the primary employer, as time, software, and computing resources are diverted elsewhere. Now, this phenomenon is emerging in the cybercrime world, with espionage actors engaging in ransomware attacks for personal gain.

One such case involves a China-based threat group known as Emperor Dragonfly. Originally tasked with intelligence gathering, this group has now been caught spreading RA World ransomware. What remains unclear is whether Emperor Dragonfly has shifted its objectives entirely or whether its members are engaging in ransomware attacks as a side hustle.

Researchers from Symantec’s Threat Hunter Team, who have been tracking these developments since June 2024, have concluded that some state actors are now engaging in financially motivated cybercrime. This could be due to personal financial incentives or increased law enforcement pressure worldwide, which has disrupted many state-backed cyber operations.

Adding to this perspective, security experts from Palo Alto Networks’ Unit 42 have observed a similar trend. They suggest that the shift may be linked to inconsistent government funding for cyber operations, leading some hackers to seek alternative income sources.

Traditionally, moonlighting has been associated with employees in the software and IT sectors. However, this latest trend shows that even hackers are engaging in side gigs, an unusual and rare development in the cyber threat landscape.

Interestingly, ransomware groups have evolved significantly since 2020. Many have transitioned into launching Distributed Denial of Service (DDoS) attacks and vice versa. This shift coincided with the global economic slowdown caused by COVID-19 lockdowns, prompting cybercriminals to explore new avenues to sustain their operations.

Conclusion

This is an interesting shift in the cyber threat landscape! The idea of state-sponsored hackers moonlighting as ransomware operators adds a whole new layer of complexity to cyber defense strategies. It makes attribution even trickier—were these attacks sanctioned, or just rogue elements looking for extra income?

The financial angle makes sense too. If government funding for cyber operations is inconsistent or reduced, these actors might turn to cybercrime to fill the gap. This also aligns with how ransomware gangs adapted post-2020, switching tactics based on global events and law enforcement crackdowns.

It raises a bigger question: If nation-state actors are moonlighting as financially motivated cybercriminals, how does this impact global cyber warfare policies? Would governments hold other nations accountable for ransomware attacks carried out by their own operatives, even if those operatives weren’t acting under direct orders?

What’s your take—do you think this trend will continue, or is it just a phase?


© 2025 cybrgpt.com – All rights reserved.