Espionage vs Cybercrime: What’s the Difference?

Published  ·  4 min read

During investigations, one of the first questions asked is simple:
“Is this crime, or is this espionage?”
The answer changes how long the attacker stays, what they target, how quiet they are, and how the incident should be handled.
Treating espionage like cybercrime leads to false conclusions.
Treating cybercrime like espionage wastes time.

Cybercrime: Fast, Loud, and Transactional
Cybercrime is about profit.
Attackers want something they can convert into money quickly.
Once value is extracted, they move on.

Common Cybercrime Goals
1. Ransom payments
2. Credential resale
3. Financial fraud
4. Access brokerage
5. Cryptomining

What It Looks Like on the Ground
In real incidents, cybercrime activity usually shows:
1. Rapid lateral movement 
2. Broad scanning 
3. Aggressive escalation of privileges 
4. Quickly deploying multiple payloads 
5. Little concern for stealth
Criminal activity tends to be noisy, impatient, and inefficient, because the attacker has no reason to stay once the money is extracted.

Espionage: Quiet, Targeted, and Patient
Espionage is primarily focused on gaining access and understanding, not on immediate material gain.
Espionage actors invest heavily in observing their targets over a prolonged period before, and often instead of, taking any visible action.

Cyber espionage efforts typically share several common goals:
1. Obtaining strategic intelligence 
2. Gaining long-term access 
3. Monitoring communications 
4. Creating a map of internal processes 
5. Preparing to influence targets

What It Looks Like in Real Environments
Espionage campaigns typically show:
1. Minimal lateral movement
2. Precise access choices
3. Very limited tooling
4. Long dwell times
5. Almost no operational mistakes
The absence of activity is often the strongest signal.

Tooling Is Not the Difference
This is where many teams go wrong.
Both espionage groups and criminals use:
1. Open-source tools
2. Living-off-the-land techniques
3. Cloud-native access
4. Stolen credentials
The intent and behavior matter more than the tools.
The same PowerShell command can support either objective.

Behavior Over Time Tells the Story
During investigations, the difference becomes clear when looking at timelines.
Cybercrime Timelines
1. Compromise → escalate → deploy → monetize
2. Hours or days
3. Repeated actions across many systems

Espionage Timelines
1. Compromise → wait → observe → adjust
2. Weeks or months
3. Very few systems touched
One optimizes for speed.
The other optimizes for invisibility.

Real-World Observation Patterns
From real incident reviews:
1. Cybercrime often breaks things accidentally
2. Espionage avoids breaking anything at all
3. Cybercrime leaves artifacts everywhere
4. Espionage leaves gaps and questions
When responders find themselves saying, “This doesn’t make sense,” espionage belongs near the top of the list of hypotheses.

Data Theft vs Data Awareness
Cybercrime steals data to sell it.
Espionage often reads data without removing it.
Examples seen repeatedly:
1. Email access without mass downloads
2. Database queries without dumps
3. File access without modification
4. Configuration review without changes
Nothing appears missing, yet nothing is private anymore.

Why Espionage Is Harder to Prove
Cybercrime announces itself through damage.
Espionage hides behind normal behavior.
Challenges include:
1. Legitimate credentials used
2. Trusted IP ranges
3. Low-volume access
4. Minimal logging artifacts
Attribution becomes a question of probability, not certainty.

Why Misclassification Is Risky
If espionage is treated like cybercrime:
1. Systems are rebuilt too quickly
2. Access paths are not fully understood
3. Adversary presence may persist

If cybercrime is treated like espionage:
1. Response slows unnecessarily
2. Business impact increases
3. Recovery is delayed
Correct classification shapes the response.

Practical Indicators to Monitor
There are no definitive signals, but the following patterns point away from criminal activity:
1. Long-lived access with no direct monetization
2. Repeated access to the same strategically important system(s)
3. Emphasis on identity platforms
4. Interest in communication tools
5. Little or no visible activity after the initial compromise
Seen together, these indicators generally argue against a purely criminal motive.
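The timeline and indicator patterns above can be turned into a first-pass triage heuristic. The following Python script is an added example and is not code from the original article or from Red Secure Tech: it parses two constructed event logs (one crime-like, one espionage-like), extracts the behavioural features the article describes (dwell time, number of systems touched, action rate, longest quiet gap, monetisation, bulk export, identity and communications focus), and scores them. The action vocabulary and every threshold are assumptions chosen for illustration, not calibrated values.

```python
"""Heuristic triage of an intrusion timeline: crime-like vs espionage-like.

Added example, not from the original article. The action labels and the
score thresholds below are assumptions for illustration; a real SOC would
normalise its own alert taxonomy into something similar and tune the cut-offs.
"""
from datetime import datetime

# Assumed normalised action labels.
MONETISING = {"ransomware_deploy", "bulk_export", "cryptominer", "fraud_txn"}
NOISY = {"port_scan", "mass_privesc", "lateral_move", "payload_drop"}
IDENTITY = {"idp_config_read", "token_issue", "mfa_policy_read", "ad_replication"}
COMMS = {"mailbox_read", "chat_export_read", "calendar_read"}

# Constructed sample logs: "YYYY-MM-DDTHH:MM host action" (not real incident data).
CRIME_LOG = """
2025-03-01T09:00 ws-17 payload_drop
2025-03-01T09:05 ws-17 port_scan
2025-03-01T09:20 ws-17 mass_privesc
2025-03-01T10:00 fs-01 lateral_move
2025-03-01T10:10 fs-01 payload_drop
2025-03-01T11:00 dc-01 lateral_move
2025-03-01T11:30 dc-01 ad_replication
2025-03-01T13:00 ws-22 lateral_move
2025-03-01T13:05 ws-23 lateral_move
2025-03-01T13:10 ws-24 lateral_move
2025-03-02T02:00 fs-01 bulk_export
2025-03-02T04:00 fs-01 ransomware_deploy
""".strip().splitlines()

ESPIONAGE_LOG = """
2025-01-06T22:14 vpn-gw token_issue
2025-01-07T01:30 idp-01 idp_config_read
2025-01-07T01:42 idp-01 mfa_policy_read
2025-02-03T23:05 mail-01 mailbox_read
2025-02-04T00:10 mail-01 calendar_read
2025-03-10T22:51 mail-01 mailbox_read
2025-04-01T23:30 idp-01 token_issue
""".strip().splitlines()


def parse_events(lines):
    """Parse log lines into sorted (timestamp, host, action) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), host, action))
    return sorted(events)


def features(events):
    """Extract the behavioural features the article uses to separate the two."""
    times = [e[0] for e in events]
    actions = [e[2] for e in events]
    n = len(actions)
    # Floor dwell at one hour so a single burst does not divide by zero.
    dwell_days = max((times[-1] - times[0]).total_seconds() / 86400, 1 / 24)
    gaps = [(b - a).days for a, b in zip(times, times[1:])]
    return {
        "dwell_days": round(dwell_days, 1),
        "hosts": len({e[1] for e in events}),
        "events_per_day": round(n / dwell_days, 1),
        "longest_gap_days": max(gaps, default=0),
        "monetised": any(a in MONETISING for a in actions),
        "bulk_export": "bulk_export" in actions,
        "identity_share": sum(a in IDENTITY for a in actions) / n,
        "comms_share": sum(a in COMMS for a in actions) / n,
        "noisy_share": sum(a in NOISY for a in actions) / n,
    }


def classify(events):
    """Score the timeline; returns (label, features). Thresholds are assumptions."""
    f = features(events)
    crime = 3 * f["monetised"]                 # monetisation is the strongest crime signal
    crime += f["events_per_day"] >= 5          # speed
    crime += f["hosts"] >= 5                   # breadth
    crime += f["noisy_share"] >= 0.3           # loud techniques
    espionage = 2 * (f["dwell_days"] >= 30)    # patience
    espionage += f["longest_gap_days"] >= 14   # long quiet periods
    espionage += f["hosts"] <= 3               # precise access choices
    # Reading identity and communications data without bulk removal.
    espionage += 2 * ((f["identity_share"] + f["comms_share"]) >= 0.5 and not f["bulk_export"])
    if crime > espionage:
        label = "crime-like"
    elif espionage > crime:
        label = "espionage-like"
    else:
        label = "undetermined"
    return label, f


if __name__ == "__main__":
    for name, log in (("crime", CRIME_LOG), ("espionage", ESPIONAGE_LOG)):
        label, f = classify(parse_events(log))
        print(f"{name}: {label} {f}")
```

The output is a triage hint, not an attribution. Its value is in making the features explicit: a low event rate, few hosts, multi-week gaps, and identity or mailbox reads without any export are exactly the "absence of activity" the article describes, and they are easy to overlook when a SOC only counts alerts.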

Key Takeaways
1. Cybercrime seeks money; espionage seeks insight
2. Speed versus patience is the core difference
3. Tools overlap, behavior does not
4. Espionage values silence over scale
5. Misclassification increases long-term risk
Not every quiet attacker is sophisticated.
But most sophisticated attackers are quiet.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067