Threat Actors

Intelligence

Understanding who attacks you is as important as understanding how they attack. This guide covers major threat actor categories, notable APT groups, and their documented tactics, techniques, and procedures.

Actor Attribution

Attribution is challenging and often uncertain. Many threat actors use similar tools and techniques. Names vary across vendors (e.g., APT29 = Cozy Bear = The Dukes = NOBELIUM). Always cross-reference multiple sources.

Featured Threat Actors

🇷🇺

APT29 (Cozy Bear)

The Dukes • NOBELIUM • Midnight Blizzard

Motivation: Espionage • Status: Active
Russian Foreign Intelligence Service (SVR)

Highly sophisticated, patient operators known for SolarWinds supply chain attack (2020). Focus on intelligence gathering against government and diplomatic targets.

🎯 Target Sectors

Government • Think Tanks • IT Providers • Healthcare

⚔️ Key TTPs

  • Supply chain compromises
  • Living-off-the-land
  • OAuth/token theft
  • Cloud service abuse

🦠 Associated Malware

SUNBURST • TEARDROP • BEATDROP • EnvyScout

💥 Notable Attacks

  • SolarWinds (2020)
  • Microsoft Exchange (2021)
  • TeamViewer (2024)

🇰🇵

Lazarus Group

Hidden Cobra • ZINC • Labyrinth Chollima

Motivation: Financial • Status: Active
North Korea RGB (Reconnaissance General Bureau)

North Korean state-sponsored group conducting both espionage and financially motivated attacks, including cryptocurrency heists and ransomware operations.

🎯 Target Sectors

Cryptocurrency • Banks • Defense • Media

⚔️ Key TTPs

  • Spearphishing
  • Watering holes
  • Supply chain attacks
  • Cryptocurrency theft

🦠 Associated Malware

HOPLIGHT • ELECTRICFISH • AppleJeus • DTrack

💥 Notable Attacks

  • Sony Pictures (2014)
  • Bangladesh Bank (2016)
  • WannaCry (2017)
  • Ronin Bridge ($625M)

💀

LockBit

LockBit 3.0 • LockBit Black • ABCD Ransomware

Motivation: Financial • Status: Active
Ransomware-as-a-Service (RaaS) Operation

Most prolific ransomware group responsible for ~44% of global ransomware attacks. Operates affiliate program with sophisticated double/triple extortion tactics.

🎯 Target Sectors

Healthcare • Finance • Manufacturing • Government

⚔️ Key TTPs

  • Initial access brokers
  • RDP exploitation
  • Double extortion
  • Data leak sites

🦠 Associated Malware

LockBit 3.0 • StealBit • Mimikatz • Cobalt Strike

💥 Notable Attacks

  • Royal Mail UK (2023)
  • Boeing (2023)
  • ICBC (2023)

MITRE ATT&CK Matrix Navigator

The MITRE ATT&CK framework maps threat actor behaviors to standardized tactics and techniques; each technique entry documents the behavior, detection opportunities, and defensive countermeasures. The Key TTPs listed for the actors on this page correspond to techniques commonly used by nation-state APTs.

Enterprise ATT&CK Matrix - Common APT Techniques

The 14 Enterprise tactics, in the order ATT&CK presents them:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

Threat Actor Categories

🏛️ Nation-State Actors (APTs)

Government-sponsored groups with significant resources. Focus on espionage, intellectual property theft, and strategic objectives. Known for persistence and sophistication.

Examples: APT28, APT29, Lazarus Group, APT41

💰 Cybercrime Syndicates

Financially motivated groups operating ransomware, banking trojans, and fraud schemes. Often operate as Ransomware-as-a-Service (RaaS) or affiliate programs.

Examples: LockBit, BlackCat/ALPHV, FIN7, Conti

📢 Hacktivists

Ideologically motivated groups targeting organizations for political or social causes. Tactics include DDoS, defacement, and data leaks.

Examples: Anonymous, KillNet, IT Army of Ukraine

🕵️ Insider Threats

Malicious or negligent insiders with legitimate access. Can be recruited by external actors or act independently for financial gain or revenge.

Motivations: Financial, revenge, ideology, coercion

Russia-Linked Actors

APT28 (Fancy Bear)

Also: Sofacy, Sednit, STRONTIUM, Forest Blizzard

GRU Unit 26165

Associated with Russian military intelligence (GRU). Known for targeting government, military, and media organizations. Responsible for DNC hack (2016) and numerous espionage campaigns.

Key TTPs

  • Spearphishing with malicious attachments
  • Zero-day exploits (Windows, Office)
  • Credential harvesting via OAuth abuse
  • Custom malware: XAgent, Zebrocy, Drovorub

Target Sectors

  • Government & military
  • Defense contractors
  • Media organizations
  • Political campaigns

APT29 (Cozy Bear)

Also: The Dukes, NOBELIUM, Midnight Blizzard

SVR

Associated with Russia's Foreign Intelligence Service (SVR). Highly sophisticated, patient operators known for SolarWinds supply chain attack (2020). Focus on intelligence gathering.

Key TTPs

  • Supply chain compromises
  • Living-off-the-land techniques
  • OAuth/token theft
  • Custom malware: SUNBURST, TEARDROP

Target Sectors

  • Government agencies
  • Think tanks & NGOs
  • IT service providers
  • Healthcare & research

Sandworm

Also: Voodoo Bear, IRIDIUM, Seashell Blizzard

GRU Unit 74455

Destructive operations unit. Responsible for NotPetya (2017), Ukrainian power grid attacks (2015, 2016), and Olympic Destroyer (2018). Focus on sabotage and disruption.

Key TTPs

  • Destructive malware (wipers)
  • ICS/SCADA targeting
  • Supply chain attacks
  • Custom malware: Industroyer, BlackEnergy

Target Sectors

  • Critical infrastructure
  • Energy sector
  • Government (Ukraine focus)
  • Global events (Olympics)

China-Linked Actors

APT41 (Double Dragon)

Also: Winnti, BARIUM, Wicked Panda

MSS

Unique dual-mission actor conducting both state-sponsored espionage and financially motivated attacks. Known for supply chain compromises and targeting gaming/tech companies.

Key TTPs

  • Supply chain compromises
  • Code signing certificate theft
  • Rootkits and bootkits
  • Custom malware: ShadowPad, PlugX

Target Sectors

  • Gaming & technology
  • Healthcare & telecom
  • Higher education
  • Media & entertainment

APT1 (Comment Crew)

Also: Comment Panda, PLA Unit 61398

PLA

One of the first publicly attributed Chinese APT groups (Mandiant 2013 report). Focus on intellectual property theft from Western companies.

Key TTPs

  • Spearphishing campaigns
  • Webshells for persistence
  • Custom backdoors
  • Long-term data exfiltration

Target Sectors

  • Aerospace & defense
  • Energy & utilities
  • Manufacturing
  • Technology

Volt Typhoon

Also: BRONZE SILHOUETTE, Vanguard Panda

PRC

Active since 2021, targeting U.S. critical infrastructure. Notable for heavy use of living-off-the-land techniques to evade detection. Pre-positioning for potential future disruption.

Key TTPs

  • Living-off-the-land binaries (LOLBins)
  • SOHO router compromises
  • NTDS.dit extraction
  • Minimal malware footprint

Target Sectors

  • Communications
  • Energy & utilities
  • Transportation
  • Water & wastewater

North Korea-Linked Actors

Lazarus Group

Also: HIDDEN COBRA, Zinc, Diamond Sleet

RGB

Most prominent DPRK threat actor. Responsible for Sony Pictures hack (2014), Bangladesh Bank heist (2016), WannaCry (2017), and numerous cryptocurrency thefts totaling billions of dollars.

Key TTPs

  • Social engineering via fake job offers
  • Supply chain attacks (npm, PyPI)
  • Cryptocurrency bridge exploits
  • Custom malware: BLINDINGCAN, AppleJeus

Target Sectors

  • Cryptocurrency/DeFi
  • Financial institutions
  • Defense & aerospace
  • Technology companies

Kimsuky

Also: Velvet Chollima, Thallium, Emerald Sleet

RGB

Espionage-focused group targeting South Korean government, think tanks, and academics. Known for credential theft and social engineering. Often impersonates journalists and academics.

Key TTPs

  • Credential phishing
  • Malicious browser extensions
  • HWP document exploits
  • Custom malware: BabyShark, AppleSeed

Target Sectors

  • Government (Korea focus)
  • Think tanks & research
  • Academia
  • Journalists

Iran-Linked Actors

APT33 (Elfin)

Also: Refined Kitten, Magnallium, Peach Sandstorm

IRGC

Targets aviation, energy, and petrochemical sectors. Known for destructive wiper attacks (Shamoon variants) and password spraying campaigns.

Key TTPs

  • Password spraying
  • Spearphishing with job lures
  • Destructive wipers
  • Custom malware: TURNEDUP, DROPSHOT

Target Sectors

  • Aviation & aerospace
  • Energy & petrochemical
  • Defense
  • Saudi Arabia focus

APT34 (OilRig)

Also: Helix Kitten, IRN2, Hazel Sandstorm

MOIS

Espionage group targeting Middle Eastern governments and critical infrastructure. Known for DNS tunneling and custom tooling. Tools leaked in 2019 (Lab Dookhtegan).

Key TTPs

  • DNS tunneling for C2
  • LinkedIn social engineering
  • Webshells
  • Custom malware: TONEDEAF, VALUEVAULT

Target Sectors

  • Government (Middle East)
  • Financial services
  • Energy
  • Telecommunications

Israel-Linked Actors

Unit 8200

Also: Israeli SIGINT National Unit

IDF

Elite signals intelligence unit of the Israel Defense Forces. Alumni have founded major cybersecurity companies (NSO Group, Check Point, Palo Alto Networks). Attributed to Stuxnet development (with NSA).

Key TTPs

  • Zero-day development & exploitation
  • ICS/SCADA targeting
  • Mobile device exploitation
  • Notable: Stuxnet, Duqu, Flame

Target Sectors

  • Nuclear facilities (Iran focus)
  • Critical infrastructure
  • Regional adversaries
  • Telecommunications

NSO Group (Pegasus)

Commercial Spyware Vendor

Private

Israeli cyber-intelligence company selling Pegasus spyware to governments. Zero-click exploits targeting iOS/Android. Sanctioned by US (2021). Linked to surveillance of journalists and activists.

Key TTPs

  • Zero-click iOS exploits (iMessage)
  • Android exploitation
  • Network injection attacks
  • Full device compromise & exfil

Capabilities

  • Real-time location tracking
  • Microphone/camera activation
  • Message interception (E2E encrypted)
  • Credential harvesting

Candiru

Also: Saito Tech Ltd, Grindavik Solutions

Private

Israeli spyware company selling surveillance tools to governments. DevilsTongue malware targets Windows. Sanctioned by US alongside NSO Group (2021). Operates under multiple shell companies.

Key TTPs

  • Browser zero-days (Chrome, IE)
  • Windows privilege escalation
  • Watering hole attacks
  • DevilsTongue spyware

Target Sectors

  • Journalists & dissidents
  • Human rights activists
  • Politicians & diplomats
  • Civil society organizations

Predatory Sparrow

Also: Gonjeshke Darande

Suspected IDF

Hacktivist group suspected of Israeli state ties. Responsible for disruptive attacks on Iranian infrastructure including steel facilities (2022), gas stations (2021), and rail systems (2021).

Key TTPs

  • ICS/OT targeting
  • Destructive payloads
  • Public announcement of attacks
  • Video evidence release

Notable Attacks

  • Khouzestan Steel (2022) - physical damage
  • Iran gas stations (2021)
  • Iran Railways (2021)
  • Broadcast hijacking

Ransomware Groups

LockBit

Ransomware-as-a-Service (RaaS)

Cybercrime

Most prolific ransomware operation (2019-2024). Operates affiliate program with profit sharing. Known for fast encryption and aggressive extortion. Disrupted by Operation Cronos (Feb 2024).

Key TTPs

  • Initial access via RDP, VPN exploits
  • Cobalt Strike for C2
  • Double/triple extortion
  • StealBit data exfiltration

Notable Attacks

  • ICBC (2023)
  • Royal Mail UK (2023)
  • Boeing (2023)
  • Numerous healthcare orgs

BlackCat / ALPHV

Rust-based Ransomware-as-a-Service

Cybercrime

First professional Rust-based ransomware (2021). Cross-platform (Windows, Linux, ESXi). Known for SEC complaint extortion tactic. Exit scammed affiliates in March 2024.

Key TTPs

  • Cross-platform targeting
  • VMware ESXi focus
  • Novel extortion tactics
  • Searchable leak site

Notable Attacks

  • Change Healthcare (2024)
  • MGM Resorts (2023)
  • Reddit (2023)
  • Western Digital (2023)

Scattered Spider

Also: UNC3944, Octo Tempest, 0ktapus

Cybercrime

Young, English-speaking cybercrime group known for social engineering and SIM swapping. Affiliated with ALPHV. Notable for targeting identity providers (Okta, Microsoft).

Key TTPs

  • IT helpdesk impersonation
  • SIM swapping for MFA bypass
  • SMS phishing (smishing)
  • Identity provider targeting

Notable Attacks

  • MGM Resorts (2023)
  • Caesars Entertainment (2023)
  • Twilio/Cloudflare (2022)
  • Numerous tech companies

Tracking Threat Actors

Query threat actor information using MITRE ATT&CK Navigator or the ATT&CK API:

```bash
# Query MITRE ATT&CK for group information
curl -s "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json" | \
  jq '.objects[] | select(.type=="intrusion-set") | {name: .name, aliases: .aliases, description: .description}'

# Search for specific group
curl -s "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json" | \
  jq '.objects[] | select(.type=="intrusion-set" and .name=="APT29")'
```

Vendor Naming Cross-Reference

Different vendors use different naming conventions. Here's a quick reference:

| MITRE | Microsoft | CrowdStrike | Mandiant |
|---|---|---|---|
| APT28 | Forest Blizzard | Fancy Bear | APT28 |
| APT29 | Midnight Blizzard | Cozy Bear | APT29 |
| Lazarus Group | Diamond Sleet | Labyrinth Chollima | APT38 |
| APT41 | Brass Typhoon | Wicked Panda | APT41 |
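The cross-reference in the table can be computed from the ATT&CK data itself instead of maintained by hand: the bundle the curl/jq commands above fetch carries each group's vendor aliases, and STIX `relationship` objects of type `uses` link a group to the techniques it is documented to use. The script below is an added example, not code from this page or from MITRE. The bundle it parses is a constructed miniature with the same object layout as `enterprise-attack.json` (placeholder UUIDs, a handful of objects), and the helper names (`build_index`, `resolve_group`, `techniques_for`, `group_profile`) are this example's own. It also shows two details the jq one-liners skip: revoked and deprecated objects are dropped (the real bundle keeps them for history, and they otherwise produce stale or duplicate matches), and `uses` links to software are separated from `uses` links to techniques.

```python
import json
import re
from collections import defaultdict

# Constructed miniature stand-in for enterprise-attack.json (mitre/cti). The object
# layout follows MITRE's STIX bundle; the UUID parts of every id are placeholders.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-0000-0000-000000000000", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-0000-0000-000000000016", "name": "APT29",
     "aliases": ["APT29", "Cozy Bear", "The Dukes", "NOBELIUM", "Midnight Blizzard"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
    {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-0000-0000-000000000007", "name": "APT28",
     "aliases": ["APT28", "Fancy Bear", "Sofacy", "STRONTIUM", "Forest Blizzard"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0007"}]},
    # Revoked duplicate, as the real bundle keeps for renamed/merged objects: must be ignored.
    {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-0000-0000-000000000099", "name": "NOBELIUM",
     "aliases": ["NOBELIUM"], "revoked": True},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-0000-0000-000000001566", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-0000-0000-000000001195",
     "name": "Supply Chain Compromise",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1195"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-0000-0000-000000001528",
     "name": "Steal Application Access Token",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1528"}]},
    {"type": "malware", "id": "malware--00000000-0000-0000-0000-000000000001", "name": "SUNBURST"},
    {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-000000000001", "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-0000-0000-000000000016",
     "target_ref": "attack-pattern--00000000-0000-0000-0000-000000001195"},
    {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-000000000002", "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-0000-0000-000000000016",
     "target_ref": "attack-pattern--00000000-0000-0000-0000-000000001528"},
    {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-000000000003", "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-0000-0000-000000000007",
     "target_ref": "attack-pattern--00000000-0000-0000-0000-000000001566"},
    # Group -> software link: also a 'uses' relationship, but not a technique.
    {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-000000000004", "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-0000-0000-000000000016",
     "target_ref": "malware--00000000-0000-0000-0000-000000000001"},
]})


def attack_id(obj):
    """ATT&CK external id (G####, T####) of a STIX object, or None if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def _norm(name):
    """Case- and punctuation-insensitive key: 'Cozy Bear', 'cozy-bear', 'COZYBEAR' all match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_index(bundle):
    """Index live objects by id, groups by every alias, and 'uses' edges by source id."""
    objects, by_alias, uses = {}, defaultdict(set), defaultdict(set)
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # stale entries kept by MITRE for history; never resolve to them
        objects[obj["id"]] = obj
        if obj["type"] == "intrusion-set":
            for alias in {obj["name"], *obj.get("aliases", [])}:
                by_alias[_norm(alias)].add(obj["id"])
    for obj in objects.values():
        if obj["type"] == "relationship" and obj.get("relationship_type") == "uses":
            if obj["source_ref"] in objects and obj["target_ref"] in objects:
                uses[obj["source_ref"]].add(obj["target_ref"])
    return {"objects": objects, "by_alias": by_alias, "uses": uses}


def resolve_group(index, name):
    """All live intrusion-sets whose name or aliases match `name` under any vendor's spelling."""
    return [index["objects"][i] for i in sorted(index["by_alias"].get(_norm(name), ()))]


def techniques_for(index, name):
    """Sorted (ATT&CK id, technique name) pairs the matched group(s) are documented to use."""
    found = set()
    for group in resolve_group(index, name):
        for target_id in index["uses"].get(group["id"], ()):
            target = index["objects"][target_id]
            if target["type"] == "attack-pattern":  # skip 'uses' links to software
                found.add((attack_id(target), target["name"]))
    return sorted(found)


def group_profile(index, name):
    """Alias set plus technique list for the first match: the header of an emulation plan."""
    groups = resolve_group(index, name)
    if not groups:
        return None
    g = groups[0]
    return {"id": attack_id(g), "name": g["name"], "aliases": sorted(g.get("aliases", [])),
            "techniques": techniques_for(index, name)}


INDEX = build_index(json.loads(SAMPLE_BUNDLE))

if __name__ == "__main__":
    for query in ("Midnight Blizzard", "cozy-bear", "Forest Blizzard", "Unknown Actor"):
        print(query, "->", group_profile(INDEX, query))
```

To run it against real data, replace `SAMPLE_BUNDLE` with the contents of the downloaded `enterprise-attack.json`; `group_profile` then returns the alias set and technique list that an adversary emulation plan starts from, and the alias lookup answers the vendor-naming question without a hand-maintained table.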

Red Team Application

When conducting adversary emulation, select a threat actor relevant to your client's industry and geography. Use their documented TTPs to create realistic attack scenarios that test whether defenses can detect and respond to actual threats.