TOP 20+ Advanced Persistent Threats

An advanced persistent threat (APT) is a well-resourced adversary, usually state-sponsored or a mature criminal organisation, that gains covert access to a target network with sophisticated and often custom tooling and stays inside for a long time. Well-known examples are the Iranian group APT34 and the Russian group APT28. APT groups operate from all over the world; those listed on this page are mostly attributed to China, Russia, Iran and North Korea, plus a smaller number of financially motivated crews whose location is unknown.

Understanding an advanced persistent threat also means knowing its targets. APT groups go after governments and large organisations to exfiltrate information gradually and systematically, over long stretches of time, before withdrawing. The time an intruder spends inside an organisation's IT environment before being discovered or leaving is known as "dwell time".

Many other types of cyberattacker have very short dwell times because they focus on getting in and out quickly. APT attackers have significantly longer dwell times: they either chip away at their objectives or wait for the right moment to act. During the waiting period they may study the defender's security controls and adjust their approach accordingly.

These attackers often focus on organisations in the United States or other developed countries. Even when the real target is a high-value organisation, attackers frequently get in through smaller companies the target does business with: suppliers, service providers and partners that hold trusted access to the target's systems. The SolarWinds Orion compromise listed below is the canonical example of this supply-chain route.

APT attackers home in on intelligence and other sensitive information, which they then use to damage a larger system, exploit or embarrass an organisation, or gain a competitive advantage.

Here are 20+ of the most notable advanced persistent threat teams from around the world:

Lazarus Group Advanced Persistent Threats

  • AKA: APT38, Gods Apostles, Gods Disciples, Guardians of Peace, ZINC, Whois Team, Hidden Cobra
  • Targets: Bitcoin exchanges and other cryptocurrency businesses, banks (including the 2016 Bangladesh Bank heist), Sony Pictures; South Korea, United States, Australia, Germany, Guatemala, Hong Kong, India, Israel, Japan, Russia, Mexico
  • Techniques/Tools: Bankshot, DDoS, EternalBlue, Mimikatz, HTTP Troy, PowerShell RAT
  • Significant Attacks: 2014 Sony Pictures hack, Operation Troy, WannaCry ransomware (2017), COVID-19-themed spear phishing, macOS variant of the Dacls RAT (2020)
  • Location: North Korea

UNC2452 Advanced Persistent Threats

  • AKA: Dark Halo, Nobelium, SilverFish, StellarParticle
  • Targets: SolarWinds and its downstream Orion customers, including the Pentagon, the United Kingdom government and the European Parliament
  • Techniques/Tools: Supply-chain compromise (a trojanised SolarWinds Orion update carrying the SUNBURST backdoor), followed by credential theft and forged SAML tokens to move into victims' cloud identity environments
  • Significant Attack: SolarWinds Orion supply-chain attack (disclosed December 2020)
  • Location: Not publicly attributed at the time of the initial reporting; in April 2021 the US government attributed the campaign to Russia's SVR, which overlaps with Cozy Bear/APT 29 below

Equation Group Advanced Persistent Threats

  • AKA: Tilded Team
  • Targets: Afghanistan, Iran, India, Mali, Pakistan, Syria
  • Techniques/Tools: DoublePulsar, EQUATIONDRUG, FANNY, Lambert, Regin, GRAYFISH, Duqu, Flame
  • Significant Attacks: iOS exploit 2020; the group's toolset, including EternalBlue and DoublePulsar, was leaked by the Shadow Brokers in 2016-2017 and reused by others in WannaCry and NotPetya
  • Location: United States

Wizard Spider Advanced Persistent Threats

  • AKA: Grim Spider, Gold Blackburn
  • Targets: Defense, financial, government, healthcare and telecommunications sectors; worldwide
  • Techniques/Tools: AdFind, Anchor, BazarBackdoor, BloodHound, Cobalt Strike, Dyre, Gophe, Invoke-SMBAutoBrute, LaZagne, PowerSploit, PowerTrick, Ryuk, SessionGopher, TrickBot, TrickMo, Upatre
  • Significant Attacks: COVID-19-themed TrickBot campaigns in Italy; Ryuk ransomware attacks on hospitals and other healthcare providers (2020)
  • Location: Russia

Carbanak Advanced Persistent Threats

  • AKA: Anunak, Carbon Spider
  • Targets: Banks and financial institutions in Australia, Austria, Brazil, Bulgaria, Canada, China, Czech Republic, France, Germany, Hong Kong, Iceland, India, Luxembourg, Morocco, Nepal, Norway, Pakistan, Poland, Russia, Spain, Sweden, Switzerland, Taiwan, UK, Ukraine, USA, Uzbekistan
  • Techniques/Tools: Antak, Ave Maria, BABYMETAL, Backdoor Batel, Bateleur, BELLHOP, Boostwrite, Cain & Abel, Carbanak, Cobalt Strike, DNSMessenger, DNSRat, DRIFTPIN, FlawedAmmyy, Griffon, HALFBAKED, Harpy, JS Flash, KLRD, Mimikatz, MBR Eraser, Odinaff, POWERPIPE, POWERSOURCE, PsExec, SocksBot, SoftPerfect Network Scanner, SQLRAT, TeamViewer, TinyMet
  • Significant Attack: Multi-year campaign against banks and financial institutions, with single victims losing $7.3 million and $10 million and total losses estimated by Kaspersky at up to $1 billion
  • Location: Ukraine (the group's alleged leader was arrested in Spain in 2018)

Sandworm Team Advanced Persistent Threats

  • AKA: Telebots, Electrum, Voodoo Bear, Iron Viking
  • Targets: Industrial control systems and SCADA; Georgia, Iran, Israel, Russia, Ukraine, Kazakhstan
  • Techniques/Tools: BlackEnergy, Gcat, KillDisk, PsList, Industroyer, NotPetya
  • Significant Attacks: Ukrainian power grid outages (December 2015 and December 2016), NotPetya (2017), cyber espionage against NATO; six GRU officers were indicted by the US Department of Justice in October 2020
  • Location: Russia (GRU Unit 74455)

Evil Corp Advanced Persistent Threats

  • AKA: Indrik Spider
  • Targets: Financial, government, and healthcare sectors
  • Techniques/Tools: BitPaymer, Cobalt Strike, Cridex, Dridex, EmpireProject, FriedEx, Mimikatz, PowerSploit, PsExec, WastedLocker
  • Significant Attacks: BitPaymer ransomware paralysed the IT systems of an Alaskan borough (2018); Arizona Beverages knocked offline by ransomware (2019); a zero-day in Apple's iTunes for Windows (the Bonjour updater) exploited in a BitPaymer campaign (2019); US Treasury sanctions against Evil Corp, the Russia-based cybercriminal group behind Dridex (December 2019)
  • Location: Russia

Fancy Bear Advanced Persistent Threats

  • AKA: APT28, Sofacy, Sednit, Pawn Storm, STRONTIUM
  • Targets: Democratic National Committee (2016), German Bundestag (2015); Germany, United States, Ukraine
  • Techniques/Tools: Cannon, Coreshell, Responder, Mimikatz, X-Agent, spear phishing
  • Significant Attacks: 2016 DNC breach; twelve GRU officers were indicted by the US Department of Justice in July 2018
  • Location: Russia (GRU)

LuckyMouse Advanced Persistent Threats

  • AKA: Emissary Panda, Iron Tiger, APT27, Bronze Union, TG-3390
  • Targets: Aerospace, education, and government sectors; Australia, Canada, China, Hong Kong, India, Iran, Israel, Japan, Middle East, Philippines, Russia, Spain, South Korea, Taiwan, Thailand, Tibet, Turkey, UK, and USA
  • Techniques/Tools: Antak, ASPXSpy, China Chopper, Gh0st RAT, gsecdump, HTTPBrowser, Htran, Hunter, HyperBro, Mimikatz, Nishang, OwaAuth, PlugX, ProcDump, PsExec, TwoFace, SysUpdate, Windows Credential Editor, ZXShell, living off the land
  • Significant Attack: Operation Iron Tiger (2015)
  • Location: China

Sodinokibi Advanced Persistent Threats

  • AKA: REvil, Sodin (widely assessed as the successor to the GandCrab ransomware-as-a-service)
  • Targets: Managed service providers and their customers; Oracle WebLogic servers exploited for initial access; Golden Gardens
  • Techniques/Tools: REvil/Sodinokibi ransomware, privilege escalation, PowerShell, ransomware-as-a-service operated through affiliates
  • Significant Attack: Breached managed service providers, impacting hundreds of dental offices (2019)
  • Location: Unknown; believed to be Russian-speaking, since the malware exits on systems with keyboard layouts from CIS countries

Mirage Advanced Persistent Threats

  • AKA: APT 15, Ke3chang, Vixen Panda
  • Targets: European Union, India, United Kingdom
  • Techniques/Tools: Cobalt Strike, Mimikatz, MS Exchange tool, phishing, Royal DNS
  • Significant Attack: Attack on a company that provides a range of services to the UK government (reported by NCC Group in 2018)
  • Location: China

Magecart Advanced Persistent Threats

  • AKA: None; Magecart is an umbrella term for many independent web-skimming groups
  • Targets: British Airways (2018), Newegg (2018), Ticketmaster (2018), Magento-based e-commerce sites
  • Techniques/Tools: Web skimmers: malicious JavaScript injected into checkout pages, either directly or through a compromised third-party script, that copies payment-card data to an attacker-controlled domain
  • Significant Attack: Ticketmaster breach, delivered through a compromised third-party chat script
  • Location: Various; mostly criminal groups

OilRig Advanced Persistent Threats

  • AKA: APT 34, Crambus, Helix Kitten, Twisted Kitten, Chrysene
  • Targets: Aviation, chemical, education, and energy sectors; Middle Eastern governments; Iran, Israel, Saudi Arabia, United States
  • Techniques/Tools: GoogleDrive RAT, HyperShell, ISMDoor, Mimikatz, PoisonFrog, SpyNote, Tasklist, Webmask
  • Significant Attacks: Shamoon v3 attacks against targets in the Middle East (2018), Karkoff; the group's tooling and victim data were leaked online by "Lab Dookhtegan" in 2019
  • Location: Iran

Comment Crew Advanced Persistent Threats

  • AKA: APT 1, Byzantine Hades, Comment Panda, Shanghai Group, PLA Unit 61398
  • Targets: Aerospace, chemical, construction, education, energy, engineering, entertainment, financial, and IT sectors; Belgium, Canada, France, India, Israel, Japan, Luxembourg, Norway, Singapore, South Africa, Switzerland, Taiwan, United Kingdom, United States
  • Techniques/Tools: GetMail, Mimikatz, Pass-the-Hash toolkit, Poison Ivy, WebC2
  • Significant Attacks: Exposed in Mandiant's APT1 report (2013); Operation "Oceansalt" (2018), which reused APT1 source code
  • Location: China

Temper Panda Advanced Persistent Threats

  • AKA: admin@338, Magnesium, Team338
  • Targets: Financial, government, and media sectors; Hong Kong, United States
  • Techniques/Tools: Bozok, LOWBALL, Poison Ivy, Systeminfo, living off the land
  • Significant Attack: LOWBALL campaign against Hong Kong media outlets, using Dropbox for command and control (2015)
  • Location: China

Syrian Electronic Army Advanced Persistent Threats

  • AKA: Deadeye Jackal, SEA, Syria Malware Team
  • Targets: Facebook, Forbes, Microsoft, Skype; Canada, France, United States, United Kingdom
  • Techniques/Tools: DDoS, malware, phishing, spamming, website defacement, social-media account hijacking
  • Significant Attacks: Defacement and account-hijacking attacks against news organisations such as BBC News, the Associated Press, National Public Radio, CBC News, The Daily Telegraph and The Washington Post
  • Location: Syria

PLATINUM Advanced Persistent Threats

  • AKA: TwoForOne
  • Targets: Malaysia, Indonesia, Vietnam
  • Techniques/Tools: AMTsol (Intel AMT Serial-over-LAN used as a covert channel), Dipsind, hotpatching (abuse of the Windows hotpatching feature to inject code), spear phishing, Titanium, zero-day exploits
  • Significant Attack: Long-running espionage against governments and organisations in Southeast Asia (documented by Microsoft in 2016)
  • Location: China

Calypso Advanced Persistent Threats

  • Targets: Government organisations in Brazil, India, Kazakhstan, Russia, Thailand, Turkey
  • Techniques/Tools: EternalBlue, EternalRomance, Mimikatz, PlugX, Sysinternals utilities
  • Significant Attack: Compromises of government networks in the countries above (reported by Positive Technologies in 2019)
  • Location: China

Numbered Panda Advanced Persistent Threats

  • AKA: APT 12, Calc Team, Crimson Iron
  • Targets: Organisations in East Asia, media outlets, high-tech companies and governments; The New York Times
  • Techniques/Tools: DynCalc, DNSCalc, HIGHTIDE, RapidStealer, spear phishing
  • Significant Attacks: The New York Times breach (2012-2013), Taiwanese government
  • Location: China

Cozy Bear Advanced Persistent Threats

  • AKA: APT 29, The Dukes, CloudLook, Grizzly Steppe (a US government umbrella name that also covers APT28 activity), Minidionis, Yttrium
  • Targets: Norwegian Government, Democratic National Committee (2016), United States; see also UNC2452 above, which the US government attributed to the SVR in 2021
  • Techniques/Tools: Cobalt Strike, CozyDuke, Mimikatz, spear phishing
  • Significant Attacks: Spear-phishing attack on the Pentagon's Joint Staff email system (2015), 2016 DNC breach, phishing campaign in the USA (2018)
  • Location: Russia (SVR)

Elfin Advanced Persistent Threats

  • AKA: APT 33, Magnallium, Refined Kitten, Holmium
  • Targets: Aerospace and energy sectors; Saudi Arabia, South Korea, United States
  • Techniques/Tools: Mimikatz, NetWire RAT, PowerSploit, Shamoon
  • Significant Attacks: Campaigns against aerospace and energy organisations in Saudi Arabia and the US
  • Location: Iran (assessed to be state-sponsored)

Charming Kitten Advanced Persistent Threats

  • AKA: Group 83, NewsBeef, Newscaster, APT 35, Phosphorus
  • Targets: Saudi Arabia, Israel, Iraq, United Kingdom; U.S. government and defense-sector websites
  • Techniques/Tools: DownPaper, FireMalv, MacDownloader
  • Significant Attack: HBO cyberattack (2017), for which an Iranian national was indicted in the US
  • Location: Iran

Team TNT Advanced Persistent Threats

  • Targets: Misconfigured Docker and Kubernetes deployments, AWS credentials, Windows and Alpine Linux hosts
  • Techniques/Tools: Cryptojacking, botnets, cryptominers (XMRig), TNTbotinger
  • Significant Attacks: AWS credential-stealing worm (2020), Chimaera campaign (2021)
  • Location: Unknown

Mythic Leopard Advanced Persistent Threats

  • AKA: APT 36, ProjectM, TEMP.Lapis, Transparent Tribe
  • Targets: India, particularly the Indian Army and government
  • Techniques/Tools: Andromeda, beendoor, Bozok, BreachRAT, Crimson RAT, spear phishing
  • Significant Attack: Spreading a fake coronavirus health advisory as a malware lure (2020)
  • Location: Pakistan

Muddy Water Advanced Persistent Threats

  • AKA: Static Kitten, Seedworm, TEMP.Zagros, Mercury
  • Targets: Georgia, Iraq, Israel, India, Pakistan, Saudi Arabia, Turkey, United Arab Emirates, United States
  • Techniques/Tools: ChromeCookiesView, chrome-passwords, CrackMapExec, Mimikatz, PowerSploit, POWERSTATS, spear phishing
  • Location: Iran

OceanLotus Advanced Persistent Threats

  • AKA: APT 32, Ocean Buffalo, SeaLotus
  • Targets: Australia, Brunei, Cambodia, China, Germany, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, USA, Vietnam
  • Techniques/Tools: Cobalt Strike, KerrDown, Mimikatz, PowerSploit, Terracotta VPN, zero-day exploits in MS Office
  • Significant Attacks: Breach of Toyota in Australia, Japan, Thailand and Vietnam (2019); targeting of the Wuhan government and the Chinese Ministry of Emergency Management in COVID-19-related espionage (reported by FireEye in 2020)
  • Location: Vietnam
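Two things stand out across the catalogue above: every vendor uses its own name for the same group (APT 34, APT34, Helix Kitten and Crambus are one crew), and the same commodity tools (Mimikatz, Cobalt Strike, PowerSploit, PsExec) appear under a dozen different groups. The following Python is an added example, not code from the page or from any vendor, showing how a practitioner would index such a catalogue: it normalises aliases so spelling variants resolve to one group, refuses to silently map an umbrella name such as Grizzly Steppe (which the US government used for both APT28 and APT29) to a single group, and weights observed tools by how many groups share them, so that a bespoke implant decides attribution while Mimikatz contributes almost nothing. The GROUPS records are a constructed subset transcribed from the entries above; the 1/(number of users) weighting is an illustrative assumption of this example.

```python
import re
from collections import defaultdict

# Sample records transcribed from a handful of the catalogue's entries
# (a constructed subset, not a complete threat-intel feed). "Grizzly Steppe"
# is deliberately attached to both Russian groups because it is the US-CERT
# umbrella name that covered APT28 and APT29 activity together.
GROUPS = [
    {"name": "Lazarus Group", "aka": ["APT38", "Hidden Cobra", "ZINC"],
     "location": "North Korea",
     "tools": ["Bankshot", "EternalBlue", "Mimikatz", "PowerShell RAT"]},
    {"name": "Fancy Bear", "aka": ["APT28", "Sofacy", "Sednit", "Grizzly Steppe"],
     "location": "Russia",
     "tools": ["Cannon", "Coreshell", "Responder", "Mimikatz"]},
    {"name": "Cozy Bear", "aka": ["APT 29", "Yttrium", "Minidionis", "Grizzly Steppe"],
     "location": "Russia",
     "tools": ["Cobalt Strike", "CozyDuke", "Mimikatz"]},
    {"name": "OilRig", "aka": ["APT 34", "Helix Kitten", "Crambus"],
     "location": "Iran",
     "tools": ["ISMDoor", "Mimikatz", "PoisonFrog"]},
    {"name": "Muddy Water", "aka": ["Static Kitten", "Seedworm", "TEMP .Zagros"],
     "location": "Iran",
     "tools": ["CrackMapExec", "Mimikatz", "PowerSploit", "POWERSTATS"]},
    {"name": "Evil Corp", "aka": ["Indrik Spider"],
     "location": "Russia",
     "tools": ["Dridex", "Cobalt Strike", "Mimikatz", "PowerSploit", "PsExec"]},
    {"name": "Calypso", "aka": [],
     "location": "China",
     "tools": ["EternalBlue", "EternalRomance", "Mimikatz", "PlugX"]},
]


def normalize(name):
    """Matching key for vendor names: case-, space- and punctuation-insensitive,
    so 'APT 34', 'APT34', 'apt-34' and 'TEMP .Zagros'/'TEMP.Zagros' collide."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_alias_index(groups):
    """Map each normalised alias to the sorted list of groups that claim it."""
    owners = defaultdict(set)
    for g in groups:
        for alias in [g["name"], *g["aka"]]:
            owners[normalize(alias)].add(g["name"])
    return {key: sorted(names) for key, names in owners.items()}


def resolve(name, index):
    """Canonical group for a vendor alias, or None if unknown. Raises ValueError
    for an alias claimed by several groups, so an umbrella name is never
    silently mapped to one of them."""
    names = index.get(normalize(name), [])
    if len(names) > 1:
        raise ValueError(f"{name!r} is ambiguous: {names}")
    return names[0] if names else None


def ambiguous_aliases(index):
    """Aliases that several groups claim (umbrella names or vendor overlap)."""
    return {key: names for key, names in index.items() if len(names) > 1}


def tool_usage(groups):
    """Map each tool (first-seen spelling) to the set of groups that use it."""
    users, display = defaultdict(set), {}
    for g in groups:
        for tool in g["tools"]:
            key = normalize(tool)
            display.setdefault(key, tool)
            users[key].add(g["name"])
    return {display[key]: names for key, names in users.items()}


def most_shared_tools(groups, n=3):
    """Tools used by the most groups; these are the weakest attribution signals."""
    ranked = sorted(tool_usage(groups).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(tool, len(names)) for tool, names in ranked[:n]]


def attribution_candidates(observed_tools, groups):
    """Rank groups by overlap with tooling seen in an intrusion. Each matched
    tool contributes 1/(number of groups known to use it): an illustrative
    weighting assumed by this example, under which a tool shared by every
    group adds almost nothing and a bespoke implant decides the ranking."""
    by_key = {normalize(tool): names for tool, names in tool_usage(groups).items()}
    scores = {g["name"]: 0.0 for g in groups}
    for tool in observed_tools:
        names = by_key.get(normalize(tool), set())
        for name in names:
            scores[name] += 1.0 / len(names)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


ALIAS_INDEX = build_alias_index(GROUPS)

if __name__ == "__main__":
    print(resolve("apt-34", ALIAS_INDEX))  # OilRig
    print(ambiguous_aliases(ALIAS_INDEX))  # Grizzly Steppe -> Cozy Bear, Fancy Bear
    print(most_shared_tools(GROUPS))       # Mimikatz first, used by all 7 groups
    for name, score in attribution_candidates(["Mimikatz", "ISMDoor"], GROUPS)[:3]:
        print(f"{name:14s} {score:.2f}")
```

Run against the sample, Mimikatz alone produces a seven-way tie, while adding ISMDoor puts OilRig clearly on top: the practical lesson is that a hit on a commodity tool in the Techniques/Tools lines above is not evidence for any particular group, and that an alias index should surface, rather than hide, names that vendors apply to more than one cluster.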