This website uses cookies to ensure you get the best experience on our website.
Please note that by continuing to use this site you consent to the terms of our Privacy and Data Protection Policy .
Some of our partner services are located in the United States. According to the case law of the European Court of Justice, there is currently no adequate data protection in the USA. There is a risk that your data will be controlled and monitored by US authorities. You cannot bring any effective legal remedies against this.

Origin & Evolution: An In-Depth Exploration of Advanced Persistent Threat (APT) Groups

This blog post explores the identification of APT (Advanced Persistent Threat) Groups and their attribution in cyber-attacks. Furthermore, it delves into the intriguing scarcity of groups originating from Western countries.

An Advanced Persistent Threat (APT) can be defined as a prolonged, aimed attack on a specific target with the intention to compromise their system and gain information from or about that target. APTs are intricate, methodically designed and executed by expert cyber criminals, often sponsored or backed by nation-states or criminal organizations. These threat actors stealthily infiltrate a network to steal or manipulate data over an extended period, remaining undetected by standard security measures. Technological vigilance and robust preventive security measures are critical in thwarting these sophisticated threats. AV-Comparatives regularaly perfoms testing against such attacks.

Understanding APT Groups

APT stands for Advanced Persistent Threat, with APT Groups being the entities accountable for initiating these threats and the subsequent cyber-attacks. These groups are occasionally synonymous with Cyber Threat Actors. APT groups are usually organized criminals. Those groups include individuals, informally affiliated collectives, or substantial, well-structured organizations backed by considerable resources, sometimes including potential state sponsorship. The motivations driving these groups are diverse, primarily falling into three categories: nation-state operatives, cybercriminal syndicates, and ideologically driven factions.

Categorization and Identification of APT Groups

Frequently, these groups target similar entities or employ recurring methodologies, enabling researchers to attribute attacks to specific groups. As attackers typically strive to maintain anonymity, pinpointing an attack’s origin and discerning its exact motives can be a complex endeavour. The process of unravelling the enigma of an attack’s purpose and its responsible actors may extend over months or even years, and in some instances, achieving absolute certainty remains elusive.

As previously noted, three primary categories encompass these groups: nation-state actors, cybercriminal syndicates, and those propelled by ideological motives, including hacktivists and terrorists. Cybercriminals pursue acquiring valuable data or direct monetary theft via digital avenues, employing tactics such as mass scams, phishing emails, establishing criminal infrastructures like botnets, and precision strikes on high-value targets. Nation-state actors serve the interests of their respective countries, engaging in endeavours such as intelligence gathering, sabotage, and disinformation campaigns. Another subset consists of thrill-seekers who aim to assess system security and demonstrate their skills. The final APT group consists of corporations involved in corporate espionage or competitive sabotage.

While nation-state attacks tend to garner greater media attention, cybercriminals pose a more prevalent risk to individuals and corporate entities.

Naming Conventions in Threat Actor Attribution

Diverse research entities adopt varying naming conventions when identifying uncovered threat actors. These conventions may draw from factors such as attack motivations, methodologies employed, or the perceived country of origin.

One nomenclature system employs attack types followed by numerals, wherein APT (Advanced Persistent Threat) serves as a generic designation, FIN designates financially incentivized groups, TEMP is allocated for transient threats, and UNC denotes uncategorized threat actors. Some research institutions utilize animals or mythical creatures tied to distinct countries or motivations. Microsoft has recently embraced a fresh nomenclature, utilizing weather phenomena such as Typhoon or Sandstorm to designate groups associated with specific countries or sectors.

This variation can result in the same attack group being independently discovered and bestowed disparate titles by separate research bodies. AV-Comparatives exclusively adheres to the nomenclature used on the MITRE ATT&CK group page to mitigate potential confusion. Below, we provide a compilation of the 138 APT Groups that they list as of August 1st, 2023. Our attribution details extend from other laboratories, and personal guesses of individual researchers in instances where MITRE offers no attribution or alternative sources present more comprehensive insights. Acknowledging that attribution remains a complex endeavour, inherently fraught with uncertainty is essential. Threat actors actively endeavour to obfuscate their identity, employing tactics such as false leads to misguide investigators or mimicking methods utilized by other groups. Erroneous attribution of the source of a cyber-attack can have far-reaching repercussions, from diplomatic strains to unintended escalations in conflicts. Consequently, we cannot assert the infallibility of attribution accuracy, as our role entails relaying information collated by external sources.

Threat Actor GroupSuspected Country
admin@338 China
Ajax Security Team Iran
Andariel North Korea
Aoqin DragonChina
APT1 China
APT12 China
APT16 China
APT17 China
APT18 China
APT19 China
APT28 Russia
APT29 Russia
APT3 China
APT30 China
APT32 Vietnam
APT33 Iran
APT37 North Korea
APT38 North Korea
APT39 Iran
APT41 China
APT-C-36 Venezuela
Aquatic PandaChina
Axiom China
BackdoorDiplomacy China
BlackOasis Turkey
BlackTech China
Blue Mockingbird China
Bouncing Golf Iran
Carbanak Ukraine
Chimera China
Cleaver Iran
Cobalt Group Russia
CopyKittens Iran
Dark Caracal Lebanon
Darkhotel South Korea
DarkHydrus Iran
DarkVishnya Ukraine
Deep Panda China
Dragonfly Russia
DragonOK China
Earth LuscaChina
Elderwood China
Ember BearRussia
Equation United States
Evilnum Israel
Ferocious Kitten Iran
FIN10 Canada
FIN4 Romania
FIN5 Ukraine
FIN6 Ukraine
FIN7 Ukraine
FIN8 Russia
Fox Kitten Iran
Gallmaker Russia
Gamaredon Group Russia
GCMAN Russia
Gorgon Group Pakistan
Group5 Iran
Higaisa South Korea
IndigoZebra China
Indrik Spider Russia
Ke3chang China
Kimsuky North Korea
LAPSUS$Brazil & UK
Lazarus Group North Korea
Leafminer Iran
Leviathan China
Lotus Blossom China
Magic Hound Iran
menuPass (Stone Panda)China
Moafee China
Mofang China
Molerats Gaza
Moses Staff Iran
MuddyWater Iran
Mustang Panda China
Naikon China
Nomadic Octopus Russia
OilRig Iran
Orangeworm Brazil
Patchwork India
PittyTiger China
Poseidon Group Brazil
Putter Panda China
Rancor China
Rocke China
RTM Russia
Sandworm Team Russia
Scarlet Mimic China
Sidewinder India
Silence Lithuania
Silent Librarian Iran
SilverTerrier Nigeria
Sowbug UK
Stealth Falcon United Arab Emirates
Strider United States
Suckfly China
TA459 China
TA505 Russia
TA551 Russia
TeamTNT Germany
TEMP.Veles Russia
The White Company India
Threat Group-1314 Vietnam
Threat Group-3390 China
Thrip China
Tonto Team China
Transparent Tribe Pakistan
Tropic Trooper China
Turla Russia
Volatile Cedar Lebanon
Whitefly China
Windigo Russia
Windshift Israel
Winnti Group China
WIRTE Israel
Wizard Spider Russia
Threat actors with countries written in bold are suspected to be state-affiliated.
Groups and affiliations are based on information available as of August 1st 2023 and are subject to change.

APT Groups and Countries of Origin

The following map displays the countries from which APT Groups originate. This visual representation underscores the operational presence of these groups across every populated continent.

The chart below presents the leading countries ranked by the count of state-affiliated APT groups listed in the MITRE list, accompanied by the tally of non-state-affiliated APT groups within each nation.

Exploration and Identification of APT Groups

Cybersecurity research and the discernment of APT Groups are undertakings shared by governmental bodies and private enterprises. Security vendors occupy a distinctive vantage point, enabling them to surveil the threats their clients encounter. This grants them unparalleled insight into the global threat landscape, empowering them not only to respond to emerging threats but also to study overarching trends in cybersecurity. In contrast, government agencies predominantly concentrate on safeguarding critical infrastructure and attributing cybersecurity assaults, driven by motivations encompassing political considerations and potential financial reprisals. Furthermore, there exists a realm of independent research collectives that meticulously assemble catalogues of cyber threat actors.

The View from the Other Side – a Notable Absence

Upon examining the roster of threat actors, a conspicuous pattern emerges: a notable absence of European and American entities. A striking revelation surfaces, with nearly half of the state-affiliated groups traced back to China. Specifically, most of these attacks originate in China, often targeting the United States. The Council on Foreign Relations, headquartered in the United States, underscores the pronounced media and research spotlight on attacks linked to nation-states, regardless of the targets. Their studies underscore that a significant portion of state-sponsored cyber threat actors emanate from China, Russia, Iran, and North Korea.

The divergence between European research groups and their American counterparts becomes evident when dissecting the attribution landscape. European entities, reliant upon United States intelligence sharing and employing elevated standards for attribution, encounter fewer instances of assigning cyber threats to American origins. This trajectory aligns with governmental focus, prioritizing the exploration of attackers targeting their own interests rather than those targeting adversaries. Furthermore, the five-eyes alliance demonstrates adept coordination in “naming and shaming” foreign threat actors, a strategy that has historically been less embraced by non-Western nations following revelations of cyber-attacks from Western sources .

An additional dimension of investigation involves the media’s response to USA-initiated attacks on Europe or other Western nations. Prominent cases, such as the revelations by Edward Snowden, show the United States as likely the most advanced and active threat actor operating across the globe , not making a halt to spy also on its allies . Rewterz, who operate beyond EU and US-boundaries, has published Threat Intelligence, claiming that cyber-attacks stem from both the United States and Europe . The data in the table below from Rewterz highlights the USA as a top cyber-attack origin. This differs from group compositions done by Western countries, which mainly attribute attacks to China, Russia, and Iran.

While instances of United States-initiated cyber-attacks targeting other nations certainly exist, they frequently remain relegated to lesser media attention . Moreover, data biases contribute to this scenario, as Western cybersecurity firms encounter fewer clients in non-Western regions where they could potentially unveil attacks by Western actors.

In collective accord, this confluence of factors elucidates the perception that a disproportionate majority of cyber-attacks spring from beyond Western borders.

Safeguarding Against APT Groups

With APT groups actively generating cyber threats across the globe, it’s essential to prioritize personal defence. Strengthening your digital security using reliable software becomes a strategic requirement. AV-Comparatives, a leader in cybersecurity assessment, rigorously evaluates security products through, e.g. its Advanced Threat Protection Tests and Endpoint Prevention & Response Tests. These meticulous evaluations aim to assess the effectiveness of these products in creating robust defences against targeted attacks and complex intrusions orchestrated by APT entities.