Community Threat Intelligence

Open Threat Actor Profiles

An open-source page of adversary and cyber threat actor profiles, attack path diagrams, emulation plans, and defense recommendations.

10 Threat Actors · 281 Techniques · 4 Nations
🇷🇺 Nation-State
APT28
Fancy Bear / Sofacy / Pawn Storm +11
APT28 (also tracked as Fancy Bear, Forest Blizzard, STRONTIUM, Pawn Storm, Sednit, and Sofacy) is a Russian military intelligence (GRU) cyber espionage group attributed to Unit 26165 of the 85th Main Special Service Center (GTsSS). Active since at least 2004, APT28 conducts intelligence collection aligned with Russian military and geopolitical objectives. The group is known for sophisticated spearphishing campaigns, zero-day exploitation, and credential harvesting operations targeting government, military, defense, political organizations, media, and anti-doping agencies across NATO member states and former Soviet countries. APT28 gained widespread public attention for its role in the 2016 US presidential election interference, including the DNC breach and subsequent hack-and-leak operations. In recent years, the group has expanded targeting to Western logistics and technology companies supporting Ukraine, as documented in the May 2025 joint advisory (CISA AA25-141A). The group demonstrates sustained evolution in tradecraft, including the development of custom exploit tools (GooseEgg), novel access techniques (Nearest Neighbor Wi-Fi attack), and webmail exploitation campaigns (Operation RoundPress).
🇷🇺 Russia · ● Active
🇷🇺 Nation-State
APT29
Cozy Bear / The Dukes / NOBELIUM +8
APT29 is attributed to Russia's Foreign Intelligence Service (SVR) and is one of the most sophisticated state-sponsored threat groups in operation. Known for supply chain attacks like SolarWinds and persistent espionage campaigns targeting government agencies, diplomatic entities, and technology companies across NATO countries. APT29 is characterized by its exceptional operational security, use of novel malware, and ability to maintain long-term access.
🇷🇺 Russia · ● Active
🇨🇳 Nation-State / Cybercriminal Hybrid
APT41
Double Dragon / Wicked Panda / Brass Typhoon +6
APT41 is a unique dual-mission Chinese threat group that conducts both state-sponsored espionage and financially motivated cybercrime. Attributed to contractors working with China's MSS, the group has targeted healthcare, telecoms, technology, and video game companies. Several members were indicted by the US DOJ in 2020. Known for supply chain attacks, exploitation of zero-day vulnerabilities, and large-scale data theft operations.
🇨🇳 China · ● Active
🇷🇺 Cybercriminal
FIN7
Carbanak / Carbon Spider / Sangria Tempest +3
FIN7 is one of the world's most sophisticated financially motivated threat groups. Originally focused on POS malware for credit card theft, the group evolved into ransomware operations. Notable for operating a fake security company 'Combi Security' to recruit unwitting developers. Multiple members have been arrested, including alleged leader Andrii Kolpakov, but the group continues operations with new TTPs.
🇷🇺 Russia · ● Active
🇰🇵 Nation-State
Kimsuky
Velvet Chollima / Thallium / Emerald Sleet +5
Kimsuky is a North Korean espionage group focused on intelligence collection supporting DPRK nuclear and geopolitical interests. Specializes in highly targeted social engineering against think tanks, academics, diplomats, and journalists covering Korean Peninsula affairs. Known for extensive use of credential phishing, reconnaissance operations, and deploying custom malware for long-term intelligence gathering.
🇰🇵 North Korea · ● Active
🇰🇵 Nation-State
Lazarus Group
HIDDEN COBRA / Zinc / Diamond Sleet +7
Lazarus Group is North Korea's most prolific cyber threat actor, operating under the Reconnaissance General Bureau. Unique among nation-state groups for combining espionage with large-scale financial theft to fund the DPRK regime. Responsible for the 2014 Sony Pictures attack, the $81M Bangladesh Bank heist, the WannaCry ransomware pandemic, and billions in cryptocurrency theft. Sub-groups include BlueNoroff (financial) and Andariel (espionage).
🇰🇵 North Korea · ● Active
🇮🇷 Nation-State
MuddyWater
MERCURY / Mango Sandstorm / Static Kitten +6
MuddyWater is an Iranian state-sponsored group linked to MOIS that conducts espionage operations primarily against Middle Eastern, Central Asian, and Western government and telecommunications organizations. Known for heavy use of legitimate remote access tools such as Atera, ScreenConnect, and SimpleHelp, which makes detection difficult. The group frequently uses living-off-the-land techniques and spearphishing with macro-enabled documents.
🇮🇷 Iran · ● Active
🇮🇷 Nation-State
OilRig
APT34 / Helix Kitten / Hazel Sandstorm +7
OilRig is an Iranian state-sponsored cyber espionage group linked to Iran's Ministry of Intelligence. The group primarily targets organizations in the Middle East with a focus on government, energy, chemical, and telecommunications sectors. Known for sophisticated spearphishing campaigns, custom DNS tunneling implants, and exploitation of trust relationships. OilRig frequently operates alongside other Iranian groups and shares infrastructure.
🇮🇷 Iran · ● Active
🇷🇺 Nation-State
Sandworm
Voodoo Bear / IRIDIUM / Seashell Blizzard +8
Sandworm is Russia's most destructive cyber threat group, responsible for the first-ever cyberattacks to cause power outages (Ukraine 2015/2016), the NotPetya attack causing $10B+ in global damages, and Olympic Destroyer. Attributed to GRU Unit 74455, the group specializes in destructive operations against critical infrastructure, with a focus on Ukraine. Six GRU officers were indicted by the US DOJ in 2020.
🇷🇺 Russia · ● Active
🇷🇺 Nation-State
Turla
Snake / Venomous Bear / Secret Blizzard +7
Turla is one of the oldest and most sophisticated Russian cyber espionage groups, attributed to the FSB's Center 16. Active since the mid-1990s, the group is known for its innovative techniques including satellite-based C2, hijacking other threat actors' infrastructure, and deploying rootkits. Turla's Snake malware network was dismantled by the FBI in 2023 via Operation MEDUSA, but the group continues to develop new capabilities.
🇷🇺 Russia · ● Active