Who are the new-wave hackers bringing the world to a halt?

Individual groups and nations are beginning to form worrying partnerships, with new ways to commit cybercrime


An average of about four “nationally significant” cyberattacks were launched in the UK every week in the last year, twice as many as in the previous 12 months, according to the UK cyber agency’s latest annual review.

“Cyber is being used by state and non-state actors,” said the National Cyber Security Centre, “and the overall cyber threat to the UK is growing from an already high level.”


Where do they come from?

Globally, around half of cyberattacks in 2024 may be attributed to financially motivated cybercriminals, while state-sponsored actors accounted for around a third, according to a report by Cognyte.

The “Big Four” – North Korea, Iran, Russia and China – are highest on the UK’s state actor list, said Politico. Three are considered “hostile states” and “Britain has an uneasy relationship with the latter”.

But a group of young, English-speaking hackers, who sometimes go by the name of Scattered Spider, claimed responsibility for the recent large-scale attacks on M&S and Jaguar Land Rover, although this hasn’t been confirmed.

How do the new hacking groups work?

Ransomware is still one of the “most acute and pervasive cyberthreats” to the UK, said the National Cyber Security Centre. This was underscored in the attacks on British retailers this year, but most cybercriminals are “sector agnostic”. They target organisations that are vulnerable, hold sensitive data and are likely to pay a ransom.

One Russian group, Qilin, is “cementing its place as one of the most prolific ransomware-as-a-service operations in the world”, said Digit. It recently claimed responsibility for a cyberattack on Japan’s Asahi Group – which also owns Peroni and UK chain Fuller’s – forcing the “suspension of order and shipment operations in Japan”.

Like many other new groups, Qilin operates as a ransomware-as-a-service (RaaS) network, said IBM. Unlike conventional “gangs”, it functions more as a “business model” that can even run “customer-service portals to help affiliates troubleshoot deployment”.

Whereas traditional attacks were carried out by highly technical malware, this “game-changing” RaaS business model rents out cutting-edge malware in return for “20% to 40% of the profits”. Overcoming the time-intensive nature and “limited scalability” of old gang models, RaaS provides “nearly anyone with malicious intent” with the means to “carry out powerful attacks using advanced tools”.

How are states using cyberattacks?

Countries like Russia, Iran and China are “increasingly relying on criminal networks” to target political “adversaries”, said AP News. Security officials are reporting “growing collaboration” between governments and hackers, demonstrating “increasingly blurred lines” between state espionage and hackers motivated by financial gain.

This “marriage of convenience” is set to become more popular, as the symbiotic relationship is hard to break: governments experience a “boost” in cyber activity “without added cost”, while new profit opportunities and “government protection” are directly in the attackers’ interests.

Russia’s invasion of Ukraine, for example, has “inspired a growing number of pro-Russia hacktivist groups”, said the UK cyber agency. Without formal state control, they choose Western targets based on vulnerability, which “makes their activities less predictable”.