The Cybersecurity Industry’s New Wave: Why Defenders Are Losing Ground

Key Takeaways:

  • Threat actors are increasingly collaborating and sharing intelligence to achieve common goals
  • This collaboration is leading to more adaptive, outcome-driven attacks that are harder to detect
  • The economics of cybercrime favor cooperation over competition, with attackers sharing access and resources to minimize risk and increase returns
  • The line between crime and espionage is blurring, with tools and techniques being repurposed for different objectives
  • Defenders must shift their thinking to account for collaborative attacks and prioritize intelligence sharing, defense validation, and curiosity-driven threat hunting

Introduction to the New Threat Landscape
The traditional mental model of cyber threats, where separate actors operate in parallel with distinct motives and targets, is no longer accurate. Today, many of the most capable threat actors are collaborating, sharing intelligence, and combining skill sets in adaptive, outcome-driven alliances. This "supergroup" model is becoming a dominant force in the modern threat landscape, with different players coming together to execute campaigns and then disbanding or continuing to work together as needed. This collaboration is not limited to specific groups or regions, but rather is a global phenomenon that is redefining the way attacks are assembled and executed.

The Evolution of Threat Actor Collaboration
Threat actor collaboration is not new, but the depth and intent of cooperation have changed significantly in recent years. Criminal forums and marketplaces have existed for years, but the current level of collaboration is more sophisticated and driven by a desire to achieve common goals. Recent reporting on overlapping activity between groups such as ShinyHunters, LAPSUS$, and Scattered Spider illustrates how this model plays out in practice, with actors converging around shared access, tooling, or opportunities and collaborating when incentives align. This fluid ecosystem allows roles and partnerships to evolve based on what works, rather than rigid group identity.

The Economics of Cybercrime
The economics of cybercrime increasingly favor cooperation over competition. As defenses improve and law enforcement pressure grows, easy wins are disappearing, and attackers are responding by reducing risk and increasing return. Sharing access shortens dwell time, pooling reconnaissance lowers cost, and dividing profit across a successful campaign beats walking away empty-handed after a failed solo attempt. From the attacker’s perspective, taking a smaller share of a larger outcome is simply rational, and collaboration allows them to move faster, minimize exposure, and adapt when conditions change. This logic is not emotional or ideological, but rather a business-driven decision to maximize returns.

The Blurring of Crime and Espionage
The line between crime and espionage continues to blur, with tools originally built for espionage being repurposed for ransomware and access gained through criminal campaigns being used for intelligence collection. In many cases, criminal groups operate with an understanding of who provides protection, tolerance, or de facto safe harbor, shaping how and where they act. Malware families evolve into modular frameworks that can support multiple objectives depending on who controls them. This blurring of lines means that defenders must plan for overlap, not separation, and understand that a campaign that looks financially motivated today may serve strategic objectives tomorrow using the same tooling.

The Challenges Facing Defenders
While attackers collaborate freely, defenders remain fragmented, with threat intelligence siloed across vendors, industries, and regions. Valuable signals are often treated as proprietary rather than shared, and many organizations see only a small slice of a much larger campaign. This creates a dangerous asymmetry, where attackers combine partial insights into a complete picture, while defenders dismiss anomalies because each one appears benign in isolation. Many major incidents follow this pattern, with something looking unusual but not urgent, and no single alert demanding action. The connection is only obvious after the damage is done.

The Need for Speed
The pace of modern attacks makes this gap even more dangerous, with attackers often in and out within minutes. Telemetry still needs to move from endpoints to back-end systems, through analysis pipelines, and into the hands of an analyst. By the time a human sees the alert, the opportunity to stop the attack has passed. This makes trust in untested controls risky, and detection and response capabilities must work as expected without human intervention. Assumptions are no longer sufficient, and defenders need confidence that their controls will detect coordinated, multi-stage attacks the moment they occur.

What Needs to Change
The rise of adversary supergroups requires a shift in defensive thinking. First, intelligence sharing must become more operational, with insights that are timely, contextual, and usable across environments. Second, organizations must continuously validate their defenses against real attacker behavior, testing whether controls can stop today’s tactics to ensure they will perform tomorrow. Finally, security teams must reward curiosity, as many threats are missed not because data is unavailable, but because the signal looks normal enough to ignore. In a collaborative threat landscape, that assumption is costly, and defenders must be willing to think differently to stay ahead of the threats.

The New Shape of Cyber Conflict
Cyber threats are no longer solo acts, but rather coordinated performances built from shared access, shared intelligence, and shared tooling. The "boy band" era of cybersecurity is not a metaphor for show, but rather a reflection of a structural shift in how attacks are assembled and executed. Defenders who continue to plan for isolated actors will fall behind those who recognize collaboration as the new baseline. Attackers are already working together, and defense strategies must keep up accordingly. By understanding the new threat landscape and adapting to the changing dynamics of cyber conflict, defenders can improve their chances of success and stay ahead of the threats.
