Advanced Persistent Threat (APT) Groups

In this article, we first briefly give background information on cyber threats and cyber threat actors, and then list prominent Advanced Persistent Threat (APT) groups.

What Is a Threat in Cyber Security?

In cyber security, a threat is an activity with the potential to adversely impact an information system by compromising the confidentiality, integrity and availability of the resources contained on the information system.

“Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.”

Ref: NIST SP 800-39 Managing Information Security Risk

Cyber threats occur in a cyber environment where people, processes and technology are involved. In this cyber environment, threats are caused by the following threat source types:

  • Adversarial: Hostile cyber or physical attacks conducted by malicious individuals, hacker groups and organizations or by nation-state actors.
  • Accidental: Erroneous actions by non-malicious individuals, such as employees.
  • Structural: Structural failures of organization-controlled resources, such as hardware or software.
  • Environmental: Natural and man-made disasters, accidents, and failures such as fire, flood, hurricane, earthquake etc.

Threat Source

“The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.”

Ref: FIPS PUB 200 Federal Information Processing Standards Publication: Minimum Security Requirements for Federal Information and Information Systems

Cyber Threat Actors

Cyber threats categorized as adversarial by threat source type are caused by cyber threat actors: states, groups or individuals with the malicious intent to exploit vulnerabilities in order to gain unauthorized access to an information system and destroy, disclose and/or modify the information on it.

Cyber threat actors differ in their motivations and vary significantly in capability, sophistication, training and the support behind their activities. Nation-state actors are considered the most sophisticated, with dedicated, state-of-the-art resources and tools. Cyber criminal groups and organizations come next: they are highly malicious, with a moderate level of sophistication in their attack techniques and a considerable level of attack resources and tools.

Advanced Persistent Threat (APT)

Threat actors in the top tier of sophistication, with advanced capabilities and state-of-the-art attack tools, are often called Advanced Persistent Threats (APTs).

Advanced Persistent Threat (APT)

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).

These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat:

(i) pursues its objectives repeatedly over an extended period of time;
(ii) adapts to defenders’ efforts to resist it; and
(iii) is determined to maintain the level of interaction needed to execute its objectives.”

Ref: NIST SP 800-39 Managing Information Security Risk

APTs mostly conduct their malicious activities with the utmost care to evade detection. To this end, they perform in-depth reconnaissance on their targets to gather information on the target’s organizational and IT infrastructure, company culture, employees, security policies and procedures, etc. Secondly, APTs persist in the target environment for an extended period of time until they reach their long-term goals. Another distinctive feature of APTs is their ability to adapt to changes in the security controls implemented at the target. In addition, APTs usually take the time to discover zero-day vulnerabilities and develop zero-day exploits or malware that the targets cannot detect. Last but not least, social engineering techniques constitute a major part of their tactics and techniques, alongside advanced and complex technical attacks.

Quote by John McAfee

Social engineering has become about 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more.

John McAfee

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

APT Attack Life Cycle

APT attacks almost always follow a similar attack life cycle to the one described below:

  • Initial Compromise: Social engineering techniques (such as spear phishing), zero-day exploits or advanced malware are used to gain the initial access to the victim’s infrastructure.
  • Establish Foothold: Remote administration software is installed to create a back door to the target environment.
  • Escalate Privileges: Additional exploits or password attacks are conducted to escalate the initial privileges gained to system or administrator level.
  • Internal Reconnaissance: Collect targeted information from the victim’s environment and gather more information on the IT infrastructure to prepare for lateral movement.
  • Move Laterally: Expand control to other workstations and servers to gain access to more information, as required by the attack mission.
  • Maintain Presence: Maintain continued access to the compromised workstations and servers.
  • Complete Mission: Exfiltrate stolen information from the victim’s environment.
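From a defender’s point of view, the value of this staged model is that no single stage is conclusive on its own, but a host that progresses through several stages over weeks is. The following Python correlator is an added example, not code from the original article: it maps constructed endpoint event labels (hypothetical names, as an EDR or SIEM might emit them) to the seven stages above and flags a host only when several stages appear within a deliberately long window.

```python
from datetime import datetime, timedelta

# Hypothetical event labels (as an EDR or SIEM might emit them) mapped to the
# seven life-cycle stages from the article, listed in their expected order.
EVENT_STAGE = {
    "phishing_attachment_executed": "initial_compromise",
    "remote_admin_tool_installed": "establish_foothold",
    "admin_privileges_obtained": "escalate_privileges",
    "network_scan": "internal_reconnaissance",
    "remote_logon_to_new_host": "move_laterally",
    "scheduled_task_created": "maintain_presence",
    "large_outbound_transfer": "complete_mission",
}

# An event is a constructed (timestamp, host, event_kind) tuple.
def stage_sequence(events, host, window_days=30):
    """Stages seen on `host`, in first-seen order, within `window_days` of its first mapped event."""
    # Long window on purpose: APTs persist for weeks or months, so a per-day view misses them.
    mapped = sorted(e for e in events if e[1] == host and e[2] in EVENT_STAGE)
    if not mapped:
        return []
    deadline = mapped[0][0] + timedelta(days=window_days)
    seq = []
    for ts, _, kind in mapped:
        if ts > deadline:
            break
        if EVENT_STAGE[kind] not in seq:
            seq.append(EVENT_STAGE[kind])
    return seq

def flag_hosts(events, min_stages=3, window_days=30):
    """Hosts with at least `min_stages` distinct stages: one scan or logon is noise, a progression is signal."""
    return [h for h in sorted({e[1] for e in events})
            if len(stage_sequence(events, h, window_days)) >= min_stages]

# Constructed sample telemetry: ws01 runs through the life cycle, ws02 and srv01 each show one event.
T0 = datetime(2024, 1, 1)
SAMPLE = [
    (T0, "ws01", "phishing_attachment_executed"),
    (T0 + timedelta(days=1), "ws01", "remote_admin_tool_installed"),
    (T0 + timedelta(days=3), "ws02", "network_scan"),
    (T0 + timedelta(days=3), "ws02", "software_update"),  # unmapped kind, ignored
    (T0 + timedelta(days=9), "ws01", "network_scan"),
    (T0 + timedelta(days=12), "ws01", "remote_logon_to_new_host"),
    (T0 + timedelta(days=12), "srv01", "remote_logon_to_new_host"),
    (T0 + timedelta(days=25), "ws01", "large_outbound_transfer"),
    (T0 + timedelta(days=45), "ws01", "scheduled_task_created"),  # outside the 30-day window
]

if __name__ == "__main__":
    print({h: stage_sequence(SAMPLE, h) for h in flag_hosts(SAMPLE)})
```

Widening `window_days` to 60 pulls the day-45 persistence event into ws01’s sequence, which is the kind of tuning a long-dwell adversary forces on detection logic.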

Prominent Advanced Persistent Threat (APT) Groups

MITRE, FireEye and CrowdStrike, among a few others, are the three major cybersecurity organizations that track and monitor APT groups globally. However, each organization uses its own naming scheme for APTs. For instance, MITRE and FireEye name APTs numerically, while CrowdStrike assigns each APT group an animal name according to its country of origin (e.g., “Panda” for China, “Bear” for Russia, “Kitten” for Iran, etc.).

What follows is a list, ordered by country of origin, of the most prominent active Advanced Persistent Threat (APT) groups around the world. Note that, since APT groups act in utmost secrecy, reliable information on them is scarce; some of the information provided below is therefore alleged rather than confirmed.

APT1 (PLA Unit 61398)

  • Origin: China
  • Description: “Attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, a.k.a., Unit 61398.” (Ref: MITRE ATT&CK)
  • Primary Target Countries: Belgium, Canada, France, Israel, Japan, Norway, Switzerland, UAE, UK, USA.
  • Primary Target Sectors: Aerospace, Education, Energy, Financial, Government, Healthcare, IT, Mining, Research, Telecommunications, Transportation.
  • Primary Attack Method(s): Exploiting the comment feature of legitimate websites.
  • Attacks: Operation GhostNet, Operation Aurora, Operation Shady RAT.

APT41 (Double Dragon)

  • Origin: China
  • Description: “Chinese state-sponsored espionage group that also conducts financially-motivated operations.” (Ref: MITRE ATT&CK)
  • Primary Target Countries: Belgium, Finland, France, Germany, Italy, Qatar, Sweden, Turkey, UAE, UK, USA.
  • Primary Target Sectors: Healthcare, Telecom, Technology, Video Game Industries.
  • Primary Attack Method(s): Passive Backdoors, Malware.
  • Attacks: Video Game Industry Attacks.

APT33 (Elfin)

  • Origin: Iran
  • Description: “Suspected Iranian threat group that has carried out operations since at least 2013.” (Ref: MITRE ATT&CK)
  • Primary Target Countries: Saudi Arabia, South Korea, USA.
  • Primary Target Sectors: Aviation, Energy Companies/Agencies.
  • Primary Attack Method(s): Phishing and Spear Phishing, Shamoon, Mimikatz, PowerSploit, Spyware.
  • Attacks:

APT35 (Charming Kitten)

  • Origin: Iran
  • Description: “Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, dating back as early as 2014.” (Ref: MITRE ATT&CK)
  • Primary Target Countries: Canada, China, France, Germany, India, Israel, Netherlands, Saudi Arabia, Turkey, UAE, UK, USA.
  • Primary Target Sectors: U.S. and Middle Eastern Military Organizations, Governmental Organizations.
  • Primary Attack Method(s): Social Engineering
  • Attacks: Operation Saffron Rose, Operation Cleaver, HBO Cyber Attack.

Unit 8200

  • Origin: Israel
  • Description: “An Israeli Intelligence Corps unit of the Israel Defense Forces responsible for collecting signal intelligence (SIGINT) and code decryption” (Ref: Wikipedia: Unit 8200)
  • Primary Target Countries: Iran, Lebanon, Palestine, Syria.
  • Primary Target Sectors: Industrial Control Systems, Nuclear Enrichment Facilities
  • Primary Attack Method(s): Social Engineering, Advanced Malware, Zero-Day Exploits.
  • Attacks: Stuxnet, Duqu, Flame, Operation Orchard, Operation Full Disclosure, The Ogero Incident.

APT37 (Lazarus Group)

  • Origin: North Korea
  • Description: “Suspected North Korean cyber espionage group that has been active since at least 2012.” (Ref: MITRE ATT&CK)
  • Primary Target Countries: China, India, Japan, Kuwait, Russia, South Korea, Vietnam.
  • Primary Target Sectors:
  • Primary Attack Method(s):
  • Attacks: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are You Happy?, FreeMilk, Northern Korean Human Rights.

APT38 (Lazarus Group)

  • Origin: North Korea
  • Description: “Financially-motivated threat group that is backed by the North Korean regime.” (Ref: MITRE ATT&CK)
  • Primary Target Countries: Australia, Canada, China, France, Germany, India, Israel, Japan, Russia, South Korea, UK, USA.
  • Primary Target Sectors: Banks, Financial Institutions.
  • Primary Attack Method(s): Ransomware
  • Attacks: Operation Troy, Hack of Sony Pictures, Operation Blockbuster, WannaCry Attack, Cryptocurrency Attacks (2017).

APT28 (Fancy Bear)

  • Origin: Russia
  • Description: “A threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.” (Ref: MITRE ATT&CK)
  • Primary Target Countries: Australia, Belgium, Canada, China, France, Germany, India, Iran, Israel, Japan, NATO, Netherlands, New Zealand, Norway, South Africa, Spain, Sweden, Switzerland, Turkey, UAE, UK, Ukraine, USA.
  • Primary Target Sectors: Aviation, Automotive, Defense Institutions and Military, Financial, Healthcare, Industrial Energy, IT, Oil and Gas, Telecommunications.
  • Primary Attack Method(s): Spear Phishing, Mimikatz, Coreshell.
  • Attacks: Attacks on Prominent Journalists, EFF Spoof (White House and NATO Attack), Democratic National Committee Hack, International Olympic Committee and IAAF Hack, Think Tank Attack (2019) etc.

APT29 (Cozy Bear)

  • Origin: Russia
  • Description: “A threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR). They have operated since at least 2008” (Ref: MITRE ATT&CK)
  • Primary Target Countries: Belgium, China, India, Japan, Kazakhstan, New Zealand, South Korea, Turkey, Ukraine, USA.
  • Primary Target Sectors: Government Networks in Europe and NATO Member Countries, Research Institutes, Think Tanks.
  • Primary Attack Method(s): Malware.
  • Attacks: Democratic National Committee Hack, Pentagon Hack, Think Tank Attack and NGOs Hack, Operation Ghost.

Equation Group

  • Origin: USA
  • Description: “A sophisticated threat group that employs multiple remote access tools.” (Ref: MITRE ATT&CK)
  • Primary Target Countries: Afghanistan, Belgium, Brazil, France, Germany, India, Iran, Iraq, Israel, Kazakhstan, Lebanon, Palestine, Qatar, Russia, Switzerland, Syria, UAE, UK.
  • Primary Target Sectors: Aerospace, Defense Institutions and Military, Energy, Government, Oil and Gas, Telecommunications, Transportation.
  • Primary Attack Method(s): Remote Access Tools (RAT), Zero-Day Exploits, Malware.
  • Attacks: Regin, Stuxnet.

For a more thorough list of prominent Advanced Persistent Threat (APT) groups and detailed information on their tactics and techniques, please refer to the MITRE ATT&CK.

Quote by Tim Cook

The reality of today from a cyber security point of view — I think some of the top people predict that the next big war is fought on cyber security.

Tim Cook

To read more Cyber Threat Intelligence (CTI) resources, you could also visit our CTI posts page.