Here is a list of some Russian-backed Advanced Persistent Threat (APT) groups.
APT 28, also known as Fancy Bear, Sofacy, Sofotam, Pawn Storm, and Strontium, is a Russia-based cyber espionage group that has been active since at least 2007. The group is believed to have targeted government organizations and private sector companies in the United States, Europe, and other countries.
APT 28 is believed to be associated with the Russian military intelligence agency (GRU) and has been linked to several high-profile cyberattacks, including the 2016 US Presidential Election interference. The group is known to use a variety of tools and techniques to target its victims, including spear phishing campaigns, malware, and zero-day exploits.
APT29, also known as Cozy Bear, The Dukes, YTTRIUM, Iron Hemlock, Grizzly Steppe, and G0016, is a Russia-based cyber espionage group that has been active since at least 2008. It is believed to be associated with the Foreign Intelligence Service of the Russian Federation (SVR).
APT29 has been linked to numerous cyber-attacks against governments and private companies, including the 2016 hack of the Democratic National Committee in the United States, the 2017 NotPetya attack, and the 2019 attack on the US think tank the German Marshall Fund.
APT29 has also been known to conduct espionage operations, such as stealing emails and other sensitive data, and has been known to target government and diplomatic organizations, military contractors, academic institutions, medical and health care organizations, and technology companies.
APT 32, also known as Ocean Lotus, APT-C-00, and Cobalt Dickens, is a sophisticated cyber threat group believed to originate from Vietnam and to have been active since at least 2013. The group is known to have targeted numerous organizations in the government, defense, media, maritime, and telecommunications sectors in several countries, including those in the Indo-Pacific region and the United States.
APT 32 has been linked to various tools and techniques, including phishing campaigns, malware, and spear phishing. The group has been observed using both open source and custom-built malware and has been linked to various tools, such as Winnti, RevengeRAT, and Cobalt Strike. The group has also been linked to a zero-day exploit for Flash, as well as the Cobalt Dickens malware.
APT 32 is believed to have links to the Vietnamese government, although the extent of this connection is unclear. The group is also believed to have links to other threat actors, including APT 29, APT41, AQUATIC PANDA, Anunak, and the Lazarus Group.
APT33, also known as Elfin, Refined Kitten, and Holmium, is an Iranian advanced persistent threat (APT) actor that has been active since at least 2013. The group is believed to have been involved in a range of cyber espionage operations against aviation, military, energy, and petrochemical industries in the Middle East, North America, and Europe.
APT33 has also been linked to malicious activities such as website defacement, ransomware, and data exfiltration. The group is known to use a variety of tools and techniques to gain access to target networks, including spear phishing, password spraying, malicious fileless scripts, and the exploitation of vulnerable software.
APT 34, otherwise known as OilRig, Helix Kitten, and Crambus, is a suspected Iranian threat group that has been actively targeting Middle Eastern and international victims since at least 2014. The group is known to have targeted government and private organizations in the energy, aviation, chemical, and education sectors, as well as individuals associated with these organizations.
The group is known to use a variety of malware and delivery techniques, including web shells, RATs, backdoors, and phishing campaigns. They have also been known to use the open-source tool Cobalt Strike to deploy their malicious payloads. Additionally, the group is believed to have used the proprietary OilRig backdoor since 2017.
APT 35 (also known as Charming Kitten, Newscaster, and NewsBeef) is an advanced persistent threat (APT) group with a suspected nexus to Iran. The group has been active since at least 2010 and has been linked to a number of cyber-espionage incidents, primarily targeting organizations in the Middle East and North Africa.
The group uses a variety of tools and tactics to gain access to and exfiltrate data from targeted networks, including phishing emails, malicious documents, and malicious software. APT 35 has been known to use custom tools and tactics to achieve their objectives and has also been linked to a number of zero-day exploits.
The group is believed to be responsible for the attack on Saudi Arabia’s Ministry of Foreign Affairs in 2016 and has also been linked to espionage campaigns against Israeli organizations.
APT 35 and APT 37 (aka Reaper, Group 123, and Black Banshee) are advanced persistent threat (APT) groups that have been identified by cybersecurity firms and government agencies as being responsible for numerous cyber espionage campaigns targeting various industries and government organizations.
APT 35 (aka Charming Kitten) is a threat actor believed to be operating out of Iran, while APT 37 (aka ScarCruft) is believed to be operating out of North Korea. Both of these groups have been known to use a variety of tactics, techniques, and procedures (TTPs) to steal data and disrupt operations, including spear phishing, malware, and zero-day exploits.
Additionally, both groups have been known to target specific industries, such as government, defense, energy, and telecommunications.
APT 35, also known as Group 123, is a cybercrime group based in North Korea that has been active since at least 2013. The group is best known for its attacks against South Korean targets but has also been linked to operations in other countries.
The group is believed to have ties to the North Korean government and is responsible for conducting a number of financially motivated attacks.
APT 38, also known as Andariel, is a suspected North Korean-sponsored cyber espionage group that has been active since at least 2015. The group is believed to have been involved in a number of operations targeting organizations in several countries, including South Korea, Japan, the United States, and the United Kingdom.
APT 38 is believed to be connected to the Lazarus Group and to have been involved in attacks against the entertainment, financial, and defense sectors.
Kimsuky is a cyber espionage group that is believed to be based in North Korea and has been active since at least 2013. The group is best known for its attacks against South Korean targets but has also been linked to operations in other countries.
Kimsuky is believed to be connected to the Lazarus Group and has been linked to a number of operations targeting organizations in several countries, including South Korea, Japan, the United States, and the United Kingdom.
APT 39, also known as Chafer, ITG13, and Sharpshooter, is believed to be an Iran-based cyber-espionage group that has been active since at least 2014. The group is known for targeting organizations in the Middle East, Europe, and North America, primarily with the goal of gathering intelligence and data related to military, government, and energy sector targets.
The group has been known to leverage phishing, zero-day exploits, web shells, and other malicious tools to gain access to target networks. APT 39 has been known to use tools and techniques associated with other Iranian-linked APT groups, including Cadelle, ITG08, and Chafer, which suggests that the group may have some level of collaboration with other Iranian-linked APT groups.