
Across today’s threat landscape, the divide between cybercrime and cyberwarfare is disappearing. Financially motivated groups and state-sponsored actors rely on the same tactics, techniques, and procedures (TTPs)—exploiting zero-day and one-day vulnerabilities, abusing ransomware-as-a-service (RaaS) platforms, hiding behind proxies, and living off the land (LotL) within legitimate IT environments.
They also often target the same enterprises. Even organizations with no direct geopolitical relevance can be caught in the crosshairs as part of a broader national supply chain.
That’s why defenders must first focus on mitigating TTPs, closing attack vectors and disrupting the kill chain, because that is what actually stops attacks. Still, understanding who is attacking and why adds room for maneuver: when attribution points to a nation-state or a coordinated criminal network, defenders can draw on national agencies, information-sharing and analysis centers (ISACs), and global partnerships for faster collaboration and support.
The order of operations is clear: disrupt capabilities first, then use attribution as a means of leverage.

The ripple effect of third-party supply chain attacks
Attackers increasingly exploit trusted integrations to breach many organizations at once, and even well-secured enterprises can become targets simply by being connected to valuable ecosystems. Consider these high-profile breaches, which demonstrate the risks of interconnected digital ecosystems:
- Salesloft–Drift OAuth compromise (2025): Attackers abused legitimate OAuth trust between Salesloft and Drift to move laterally into connected Salesforce environments. By chaining OAuth tokens and API permissions, they gained broad access across hundreds of companies, effectively turning a marketing-integration feature into a large-scale infiltration path.
- MOVEit vulnerability (2023): The MOVEit file-transfer flaw enabled criminal and state actors to compromise the data of thousands of organizations through a single vulnerable software component in one of the largest data breaches to date.
These incidents prove that attackers no longer need to breach targets directly. Instead, they follow the trust chain. That means defenders must prioritize mitigation of shared TTPs, such as credential theft, token misuse, and integration abuse, before attribution comes into play.
Inside the strategic gray zone of cyber conflict
Recent incidents show how easily criminal tactics and state objectives can converge.
The 2021 SolarWinds Russian espionage campaign weaponized trusted software updates to insert malicious code into the Orion platform, providing long-term covert access to government and corporate networks worldwide. One of the most significant cyber incidents of its time, it demonstrated how attackers exploit supply-chain trust at scale.
In the same year, a ransomware attack on a national pipeline began as an extortion attempt, but it triggered national emergency measures when fuel distribution was halted. The situation became so severe that the U.S. President urged Russia to take action against the group, warning that ransomware targeting critical infrastructure had crossed a red line.
In 2025, a Qilin case blurred motives further when its RaaS platform was used by an Iranian state actor to publish exfiltrated data from Israel’s Shamir Medical Center. After realizing that this association could expose them to U.S. Treasury Department sanctions from the Office of Foreign Assets Control (OFAC), the Qilin group deleted its ransom post, demonstrating how profit-driven cybercriminal infrastructure can become entangled in geopolitical conflict in ways its operators may not anticipate.
While all of these attacks presented different motives, they used similar methods, including the exploitation of trusted systems, credential abuse, and lateral movement under legitimate access.
This overlap in tactics is no coincidence. These examples are part of a larger trend: the convergence of criminal and state-sponsored tactics creates a strategic gray zone that demands defenders detect and mitigate shared TTPs quickly, while using attribution intelligence to strengthen coordination across borders and industries.
AI in cyberattacks: Lower barriers, higher risks
Artificial intelligence is further accelerating the convergence between cyberwarfare and cybercrime, especially as agentic capabilities become more commonplace.
In November 2025, Anthropic reported an AI-enabled espionage campaign, purportedly originating from China, in which attackers used automation built on the Claude large language model (LLM) to conduct reconnaissance, develop exploits, and harvest credentials. Most alarmingly, the report states that 80 to 90% of tasks were completed autonomously.
Meanwhile, Factory AI disrupted an attempt to misuse its Droids platform for an automated attack. The event underscored both sides of AI’s impact: the technology lowers the entry barrier for attackers, but it also empowers defenders who automate threat detection and response.
AI now:
- Lowers entry barriers for smaller actors to run complex operations.
- Compresses dwell time, shrinking reaction windows from days to hours.
- Arms defenders with automation to detect, contain, and investigate faster.
In short, AI is the new equalizer, and those who automate faster gain the advantage.
Defending against the convergence of cybercrime and cyberwarfare
As the lines blur and technology accelerates, defenders need a new playbook. Cybercrime and cyberwarfare are no longer separate categories; they share infrastructure, tools, and objectives.
Recent findings from Amazon Threat Intelligence further underscore this convergence. According to AWS, nation-state actors are increasingly coordinating cyberattacks with physical operations, blurring the line between digital and kinetic warfare. For example, cyber intrusions have been observed immediately preceding or coinciding with physical attacks on critical infrastructure, amplifying the impact and complicating response efforts. This real-world fusion of tactics highlights why defenders must not only mitigate technical threats but also foster rapid, cross-sector collaboration, because the consequences now extend beyond the digital realm into physical safety and national security.
True resilience depends on three priorities:
- Focus on TTPs and capabilities: Map and mitigate how attacks unfold—from initial access to exfiltration—before attribution is known.
- Disrupt the kill chain: Speed and automation in detection, isolation, and privilege control can turn crises into containable events.
- Use attribution to strengthen collaboration: Understanding who attacked and why matters most when it fuels public-private cooperation, such as through ISACs, national CERTs, and joint intelligence programs that scale protection across industries.
When motives blur and technologies accelerate, clarity, speed, and partnership define a strong defense.
And while mitigating TTPs is the immediate shield, collaboration and information-sharing are the lasting force multipliers.
Because in a world where cybercrime and cyberwarfare converge, clarity is defense and unity is power.
Omer Grossman is chief trust officer (CTrO) and head of CYBR Unit at CyberArk.