2024 Trends

Blurring Boundaries in the Threat Actor Landscape

Analysts and researchers in the cyber threat intelligence field commonly distinguish between three types of threat actors: nation-state sponsored attackers, cybercriminals and hacktivists. Each of these threat actor types is typically motivated by different aims. State-sponsored actors operate on behalf of nation-states, conducting cyber espionage against targets of interest to the states sponsoring them, while cybercriminals commit cyberattacks for financial gain. Hacktivists generally carry out cyberattacks driven by political, social or ideological motives.

However, in 2024, there were multiple instances of threat actors blurring the lines between these traditional categories, engaging in activities driven by motivations that deviated from their classic definitions. In August 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that Iranian-sponsored group Pioneer Kitten (also known as Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm) collaborated with and acted as an initial access broker for affiliates of known ransomware gangs, including NoEscape, RansomHouse and BlackCat, 7 in exchange for a cut of the ransom payments. 15 Apart from providing the ransomware gangs with access to organizations' networks (mainly in the US), the group also actively participated in encrypting victims' systems and planning strategies to extort financial payment from the victims.

In addition, the North Korean-backed group Andariel (also tracked as Jumpy Pisces, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly and TDrop2) was found to be collaborating with the Play ransomware group. In October 2024, it was reported that Andariel hackers worked with the Play gang either as initial access brokers or as affiliates. 16

Other examples of the blurring lines between different threat actor types can be seen in several hacktivist groups that ventured into cybercrime in 2024. These groups launched their own ransomware and ransomware-as-a-service (RaaS) operations. One example is the alleged Italian pro-Russia and pro-Palestinian hacktivist group AzzaSec, which launched the AzzaSec RaaS in June 2024. Another example is the alleged French pro-Palestinian group Cyb3r Bytes, which introduced a ransomware called Cyberbytes. Additionally, the pro-Russia and pro-Palestinian hacktivist group CyberVolk launched its own RaaS, CyberVolk, in July 2024. 17 CyberVolk was also observed selling an infostealer malware called CyberVolk StealerV1.