
Government-backed hackers once reserved advanced techniques for targeted campaigns. Today, those techniques appear in everyday malware. For MSPs, the distinction between “targeted” and “opportunistic” attacks is disappearing.

“The line between nation-state attacks and criminal attacks is disappearing faster than many organizations realize,” says Pranav Bhatnagar, a cybersecurity researcher, author, and business advisor focused on AI security and emerging technology risk.

“Ten years ago, advanced persistence, stealthy lateral movement, supply chain compromise, and sophisticated phishing campaigns were primarily associated with government-backed threat actors. Today, many of these same techniques are available for purchase, rent, or download through criminal ecosystems.”

Advanced tradecraft becomes mainstream

At the same time, Bhatnagar points to industrialization as the driving force behind this shift.

“A ransomware group no longer needs elite technical talent in-house. They can purchase phishing kits, malware loaders, credential theft tools, AI-generated social engineering content, and initial access from underground marketplaces. What once required a nation-state budget can now be assembled like building blocks.”

AJ Thompson of Northdoor plc says this convergence is accelerating.

“The lines between nation-state and criminal cyber activity have been blurred for some time, but over the past few months there has definitely been an acceleration of this trend. Techniques that were once associated with highly resourced, targeted campaigns are increasingly being incorporated into mainstream cybercriminal operations, making sophisticated attacks accessible to a much broader range of threat actors.”

Meanwhile, Thompson says the broader threat landscape is driving this accessibility.

“Cybercriminals now have access to a wide range of tools, automation, AI, malware-as-a-service platforms, and previously leaked nation-state tooling, allowing them to attack at scale in highly sophisticated ways.”

Likewise, Nikolas Lamprou, founder of Solve Tech Today, says the distinction is collapsing from both directions.

“For years, defenders triaged on a quiet assumption: sophisticated, targeted intrusions were the nation-states’ problem, and everyone else was just dodging opportunistic commodity malware. That line has collapsed, and it’s collapsing in both directions. State groups now reach for off-the-shelf infostealers, while criminal crews borrow state tradecraft wholesale.”

Once a single intrusion can pair espionage-grade access with a commodity ransomware payload, he says, “‘targeted versus opportunistic’ stops telling you anything useful.”

What MSPs are seeing in the field

In practice, MSPs are already seeing this shift. Bhatnagar says automation has transformed threats facing SMBs.

“Today, attackers use automation to scan thousands of organizations simultaneously. Once they find a weakness, they can deploy techniques that previously would have been considered highly targeted operations.”

His message is simple: “Every organization should assume that sophisticated attackers can reach them.”

For example, Thompson says supply chain compromises illustrate this shift.

“Rather than directly attacking their primary target, cybercriminals can use sophisticated approaches to attack a small company further down the supply chain and gain access through the back door,” he says.

In addition, attackers are combining techniques more effectively.

“Rather than relying solely on technical exploits, they are combining credential theft, social engineering, lateral movement, and supply chain compromise techniques to maximize their chances of success.”

More importantly, Bhatnagar says attackers have gained access to more sophisticated tools. Average skill levels have changed far less.

“The biggest shift I see is that attackers no longer need to be sophisticated individuals. They only need access to sophisticated tools. That is why cybersecurity today is less about defending against a specific type of attacker and more about building resilience against increasingly accessible attack capabilities.”

The new reality for MSPs

As a result, the disappearing distinction creates two immediate challenges for MSPs.

“First, you can no longer deprioritize a vulnerability on the logic that ‘only a nation-state would bother to weaponize it’ — the exotic exploit this quarter is in a commodity kit the next, so patch windows have to be measured in weeks, not years.”

Second, he says, attackers increasingly target MSPs themselves.

“MSPs are now the supply chain. Trusted, persistent access into dozens of downstream clients is exactly the leverage both state and criminal actors want, which makes target-grade hardening — least privilege, MFA everywhere, segmented management planes — the new baseline, not a luxury.”

Resilience as readiness

Therefore, Thompson recommends balancing resilience and prevention.

“This shift reinforces the need for organizations to focus less on who might attack them and more on their ability to detect, respond and recover when an incident occurs,” he says. “Cyber resilience has become just as important as prevention. Strong identity controls, continuous monitoring, effective threat detection and well-rehearsed incident response plans are no longer optional safeguards — they are now fundamental business requirements.”

So, what should MSPs do differently?

Bhatnagar recommends focusing on the fundamentals. His checklist includes identity controls, MFA, endpoint detection and response, vulnerability management, phishing awareness training, and tested offline backups.

Ultimately, all three experts urge MSPs to abandon outdated assumptions. Nation-state-level tactics are no longer limited to nation-state actors. MSPs must adapt accordingly.

Photo: pedro7merino / Shutterstock



Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
