TL;DR: Cybercrime and cyberwarfare now share the same tactics, techniques, and procedures, including token abuse, OAuth trust chaining, proxying, and living off the land, according to CyberArk’s analysis of recent supply-chain breaches, ransomware cases, and AI-enabled operations. The practical lesson is that defenders must disrupt capabilities and trust paths first, because attribution matters most after containment is underway.
At a glance
What this is: An analysis of how cybercrime and cyberwarfare are converging around shared attack methods, with supply-chain trust abuse and AI-assisted operations increasing risk across connected enterprises.
Why it matters: IAM and NHI controls are now part of national-resilience defense, not just enterprise hardening, especially where OAuth, tokens, proxies, and trusted integrations expand blast radius.
Context
Cybercrime and cyberwarfare are increasingly using the same access paths, which makes the identity layer a primary attack surface rather than a supporting control. When attackers can reuse trusted integrations, stolen tokens, and legitimate administrative paths, traditional perimeter thinking fails, and NHI governance becomes central to limiting blast radius.
The article frames a real governance gap: attribution helps coordination, but it does not stop the compromise itself. For IAM and NHI practitioners, the hard problem is not classifying the actor after the fact. It is interrupting the trust chain before abuse of OAuth, service access, or supply-chain relationships turns one foothold into broad exposure.
Key questions
Q: How should security teams respond when cybercrime and cyberwarfare use the same TTPs?
A: Teams should prioritize disruption of the attack chain over actor classification. That means tightening identity controls, revoking exposed tokens quickly, isolating trusted integrations, and improving detection for lateral movement. Attribution still matters, but only after containment is underway and response partners can help widen defensive action.
Q: Why do supply-chain attacks create such a large IAM and NHI risk?
A: Supply-chain attacks matter because they inherit trust from the victim’s own access model. A compromised integration, OAuth grant, or service account can extend into many downstream environments without a new login event. That creates a large blast radius, so governance must focus on scope, delegation, and revocation speed.
Q: What is the difference between attributing an attack and stopping an attack?
A: Attribution explains who may be responsible and can improve intelligence sharing, sanctions, and sector coordination. Stopping the attack requires technical disruption of credentials, tokens, privileges, and movement paths. In practice, defenders need both, but the immediate priority is always containment and access reduction.
Q: How can organisations reduce risk from AI-assisted attacks on identities?
A: Organisations should shorten credential lifetime, narrow privilege scope, and watch for rapid multi-stage identity abuse. AI-assisted attacks can compress reconnaissance, exploitation, and exfiltration into a short window, so identity controls must assume faster attacker iteration. The safest response is to limit what any single identity can do if misused.
Technical breakdown
Why trust-chain abuse beats direct intrusion
Modern attacks often avoid direct exploitation of a target’s edge and instead abuse the trust relationships embedded in software, integrations, and delegated access. OAuth tokens, API permissions, vendor-to-vendor connections, and service credentials can all become alternate paths into otherwise well-defended environments. Once a trusted path is compromised, the attacker inherits normal-looking access and can move laterally without triggering the same alarms as a brute-force intrusion. This is why supply-chain compromise is so effective: the trust model itself becomes the entry point. For NHI security, the issue is not only who authenticated, but which machine or integration was allowed to act on that authentication.
Practical implication: Map every trusted integration and delegated token path, then reduce standing trust wherever the business can tolerate tighter scoping.
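One way to turn that mapping into a measurable number is to model the inventory as a directed trust graph and compute, per identity, which systems it can reach without fresh authorization. This is an added example, not code from CyberArk or NHI Mgmt Group; the identity names, edges, and the threshold of two systems are constructed for illustration.

```python
from collections import deque

# Constructed inventory: (source, target, needs_fresh_auth).
# An edge means "source holds a grant, token or credential usable at target".
TRUST_EDGES = [
    ("sales-plugin", "crm", False),           # OAuth grant with long-lived refresh token
    ("crm", "data-warehouse", False),         # service-account sync job
    ("crm", "email-platform", True),          # re-consent required each session
    ("ci-runner", "artifact-registry", False),
    ("ci-runner", "cloud-prod", False),
    ("cloud-prod", "data-warehouse", False),
    ("billing-bot", "payments-api", True),
]

def build_graph(edges):
    """Adjacency list keyed by identity/system name."""
    graph = {}
    for src, dst, fresh in edges:
        graph.setdefault(src, []).append((dst, fresh))
        graph.setdefault(dst, [])
    return graph

def standing_reach(graph, identity):
    """Systems reachable from `identity` over edges that need no fresh authorization."""
    seen, queue = set(), deque([identity])
    while queue:
        node = queue.popleft()
        for dst, fresh in graph.get(node, []):
            # A fresh-authorization edge stops transitive, standing trust.
            if fresh or dst in seen or dst == identity:
                continue
            seen.add(dst)
            queue.append(dst)
    return seen

def flag_high_reach(edges, threshold=2):
    """Identities whose standing reach covers `threshold` or more systems, widest first."""
    graph = build_graph(edges)
    flagged = {n: sorted(standing_reach(graph, n)) for n in graph}
    flagged = {n: r for n, r in flagged.items() if len(r) >= threshold}
    return dict(sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0])))

if __name__ == "__main__":
    for identity, reach in flag_high_reach(TRUST_EDGES).items():
        print(f"{identity}: {len(reach)} systems without fresh authorization -> {reach}")
```

Re-running the report after an edge is changed to require fresh authorization shows how much each scoping decision shrinks the reach.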
How living off the land changes detection
Living off the land means attackers use legitimate tools and built-in administration features to blend into routine operations. Instead of dropping obvious malware, they rely on normal system binaries, management consoles, or identity-native APIs to hide their activity inside accepted behavior. That makes detection dependent on context, such as unusual token use, improbable access sequences, excessive privilege reach, or a service account operating outside its normal workload pattern. For NHI teams, this is a governance problem as much as a monitoring problem because the same identities that keep systems running can also become covert attack infrastructure.
Practical implication: Build detections around abnormal identity behavior, not only malware signatures or blocked binaries.
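A minimal sketch of such a behavioral detection: build a per-identity profile from historical audit events, then flag new events where a service identity calls an API or appears from a network it has never used before. This is an added example, not code from the original analysis; the event fields, identity names, and networks are constructed, and every sample event is a legitimate API call rather than malware.

```python
from collections import defaultdict

# Constructed audit events: (identity, source_network, action)
BASELINE_EVENTS = [
    ("svc-backup", "10.0.4.0/24", "storage.read"),
    ("svc-backup", "10.0.4.0/24", "storage.write"),
    ("svc-deploy", "10.0.9.0/24", "compute.update"),
    ("svc-deploy", "10.0.9.0/24", "storage.read"),
]
NEW_EVENTS = [
    ("svc-backup", "10.0.4.0/24", "storage.read"),       # routine
    ("svc-backup", "10.0.4.0/24", "iam.create_key"),     # valid API, new for this identity
    ("svc-deploy", "203.0.113.0/24", "compute.update"),  # known action, new origin
    ("svc-report", "10.0.7.0/24", "storage.read"),       # identity with no baseline
]

def build_baseline(events):
    """Per-identity sets of source networks and actions seen during normal operation."""
    profile = defaultdict(lambda: {"sources": set(), "actions": set()})
    for identity, source, action in events:
        profile[identity]["sources"].add(source)
        profile[identity]["actions"].add(action)
    return dict(profile)

def score_event(profile, event):
    """Return the reasons an event deviates from the identity's workload pattern."""
    identity, source, action = event
    known = profile.get(identity)
    if known is None:
        return ["no-baseline"]
    reasons = []
    if action not in known["actions"]:
        reasons.append("new-action")
    if source not in known["sources"]:
        reasons.append("new-source")
    return reasons

def detect(baseline_events, new_events):
    """List of (event, reasons) for every new event that deviates from its baseline."""
    profile = build_baseline(baseline_events)
    return [(e, r) for e in new_events if (r := score_event(profile, e))]

if __name__ == "__main__":
    for event, reasons in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(event, "->", ", ".join(reasons))
```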
Why AI lowers the cost of coordinated abuse
AI changes attacker economics by compressing time and reducing the skill needed to run multi-stage operations. It can help automate reconnaissance, credential harvesting, exploit development, and post-exploitation workflow, which shortens the window defenders have to detect and isolate abuse. That is especially dangerous in environments where identities already have broad reach across SaaS, cloud, and partner ecosystems. The security implication is that response speed matters more when machine-assisted operations can pivot from discovery to impact very quickly. The control objective shifts toward limiting what any one identity or agent can do if compromised.
Practical implication: Treat autonomous and semi-autonomous tooling as a reason to tighten least privilege and shorten credential lifetime.
Threat narrative
Attacker objective: The objective is to turn trusted access into scalable reach across multiple environments while keeping activity indistinguishable from normal operations.
- Entry occurs through compromised trust relationships, including abused OAuth connections, shared integrations, or exposed credentials that look legitimate to downstream systems.
- Escalation follows when the attacker reuses valid tokens, service permissions, or built-in administration tools to expand access without triggering obvious malicious artifacts.
- Impact comes from lateral movement, data theft, ransomware deployment, or covert persistence across connected organizations and supply-chain partners.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Shai Hulud npm malware campaign — npm malware exposed secrets on GitHub.
NHI Mgmt Group analysis
Shared tactics matter more than actor labels. Cybercrime and cyberwarfare increasingly reuse the same technical playbook, which means the defender’s first job is to break the attack chain, not to wait for perfect attribution. Identity abuse, token misuse, and trusted integration compromise can all produce the same operational damage regardless of motive. Practitioners should treat TTP mitigation as the primary control objective.
Supply-chain trust has become identity risk. OAuth delegation, vendor integrations, and service accounts can extend trust farther than most governance models were designed to allow. That creates an identity blast radius where one compromised relationship can reach many downstream systems. NHI governance must therefore treat third-party trust as part of access design, not as a procurement afterthought.
AI compresses the defender’s response window. When automation can accelerate recon, privilege abuse, and exfiltration, waiting for human-scale incident confirmation is too slow. This shifts security priorities toward rapid containment, short-lived credentials, and tighter privilege boundaries. Organizations that still rely on slow manual response will feel the gap first in NHI-heavy environments.
Attribution is a coordination tool, not a control. Knowing whether an incident is criminal, state-backed, or a blend of both can improve intelligence sharing and response support, but it does not replace containment. The operational lesson is to pair technical disruption with external coordination through ISACs, national agencies, and sector partners. Teams should use attribution to widen response, not to delay it.
Identity blast radius is the new strategic exposure metric. The article’s core theme is that connected access paths matter more than isolated systems. When a single machine identity, token, or integration can cross organizational boundaries, governance must focus on scope reduction, conditional access, and continuous review. Practitioners should measure how far a trusted identity can travel, then shrink that reach.
From our research:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, which shows the governance problem is already influencing program design.
- For the broader access-governance picture, see The 52 NHI breaches Report for real-world examples of how credential abuse and trust-chain failure scale across environments.
What this signals
Identity blast radius is becoming the practical metric that matters. As shared integrations and delegated access spread across enterprise ecosystems, the question is no longer whether a system is trusted, but how far that trust reaches. Security teams should be measuring cross-domain reachability for service identities, tokens, and partner permissions, then shrinking it wherever business operations allow. For adjacent guidance on access discipline, see NIST SP 800-63 Digital Identity Guidelines.
The programmatic implication is that NHI governance must align with zero-trust assumptions instead of relying on inherited trust between systems. That means re-evaluating long-lived tokens, broad-scoped OAuth grants, and shared administration paths before an incident forces the issue. When a single machine identity can traverse multiple environments, the control gap is structural, not tactical.
With 6 distinct secrets manager instances on average, fragmentation is already undermining centralised control, according to The State of Secrets in AppSec. The next step is not more storage, but better governance across issuance, rotation, and revocation paths.
For practitioners
- Map shared trust paths across SaaS and cloud ecosystems: Inventory OAuth grants, partner integrations, API tokens, and service accounts that can cross organizational boundaries. Flag any path where one identity can reach multiple downstream systems without fresh authorization.
- Reduce standing privilege in machine and integration identities: Move high-reach service accounts and automation identities to just-in-time access where possible, with scope-limited roles and short-lived tokens. Reassess any identity that can administer more than one environment.
- Detect abuse through identity behavior baselines: Monitor for unusual token use, atypical management commands, improbable access sequences, and service identities acting outside established workload patterns. Tune detections to legitimate-looking activity rather than malware alone.
- Build cross-sector response playbooks: Pre-negotiate escalation paths with ISACs, national CERTs, and critical suppliers so attribution can quickly translate into shared intelligence and containment support. Include decision points for coordinated revocation of tokens and partner access.
Key takeaways
- Cybercrime and cyberwarfare now share the same access patterns, so defenders must focus on breaking TTPs before they can rely on attribution.
- Trusted integrations, delegated OAuth access, and service identities can create a blast radius that reaches far beyond the original target.
- AI shortens attacker timelines, which makes least privilege, short-lived access, and rapid containment core controls rather than best practices.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Trust-chain abuse and token misuse are central NHI attack paths here. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access governance are the main defensive controls discussed. |
| NIST Zero Trust (SP 800-207) | | The post centers on reducing implicit trust across connected systems. |
Review delegated access and token scope, then reduce standing trust across partner integrations.
Key terms
- Trust Chain: The trust chain is the set of delegated relationships that lets one system, token, or integration act on behalf of another. In NHI security, it is often the real attack surface because compromise travels through legitimate permissions instead of obvious malware.
- Identity Blast Radius: Identity blast radius is the amount of downstream access an identity can reach if it is misused or compromised. The larger the blast radius, the more quickly one token, service account, or OAuth grant can turn into enterprise-wide exposure.
- Living Off The Land: Living off the land describes attack activity that relies on legitimate tools, commands, and built-in administrative functions already present in the environment. This tactic is difficult to detect because it blends into normal operations and often looks like routine identity-driven activity.
This post draws on content published by CyberArk: When cybercrime meets cyberwarfare. Read the original.
Published by the NHIMG editorial team on 2025-11-25.