DPRK state-sponsored intrusion set publicly attributed to the Reconnaissance General Bureau's 3rd Bureau (Andariel). Treated by MITRE as a sub-cluster of Lazarus Group; conducts both espionage agains…
PRC state-sponsored intrusion set publicly attributed by the U.S. DOJ to the Ministry of State Security's Tianjin State Security Bureau, operating through Huaying Haitai. Best known for the Cloud Hop…
Iranian state-affiliated intrusion set publicly attributed to Rana Intelligence Computing — an MOIS (Ministry of Intelligence and Security) front company sanctioned by the U.S. Treasury OFAC in Septe…
Chinese state-sponsored cyberespionage actor publicly attributed to the Ministry of State Security (MSS) Hainan State Security Department. Targets maritime industries, defense, government, and resear…
Chinese state-affiliated group notable for blending espionage with financially-motivated operations (game-industry currency theft, cryptocurrency). Implicated in multiple software supply-chain compro…
DPRK state-sponsored intrusion set treated by most vendors as the financial-operations subgroup of Lazarus, attributed to the Reconnaissance General Bureau. Responsible for the major SWIFT-network ba…
Russian state-sponsored intrusion set publicly assessed by Microsoft as associated with the GRU but operationally distinct from Forest Blizzard (APT28) and Seashell Blizzard (Sandworm). Conducted the…
Chinese state-sponsored intrusion set assessed to operate on behalf of the Ministry of State Security (MSS). Best known for the OPM breach (discovered May 2014, exfiltration through April 2015) — the…
Russian cybercrime syndicate publicly attributed by the U.S. Treasury OFAC in December 2019, which sanctioned founder Maksim Yakubets. Operators of the Dridex banking trojan, the BitPaymer and Wasted…
Russian state-sponsored intrusion set publicly attributed by the Security Service of Ukraine (SBU) to FSB officers based in Russian-occupied Crimea. The longest-running publicly-documented intrusion…
PRC state-sponsored intrusion set named by Microsoft for the January 2021 mass exploitation of on-prem Exchange Server via the ProxyLogon chain (CVE-2021-26855 / -26857 / -26858 / -27065). Hafnium op…
DPRK state-sponsored actor focused on intelligence collection against South Korean and Western policy targets — diplomats, academics, journalists, and think-tank researchers working on Korean Peninsu…
DPRK state-sponsored umbrella set associated with the Reconnaissance General Bureau. Mixes financially-motivated operations (including major cryptocurrency exchange thefts and SWIFT-network bank intr…
Russian-speaking ransomware-as-a-service operation that by mid-2023 was the most prolific ransomware brand on public leak-site tracking by victim count. Disrupted in February 2024 by Operation Cronos…
Iranian state-sponsored actor publicly attributed in 2022 by U.S. Cyber Command to subordinates of the Ministry of Intelligence and Security (MOIS). Conducts espionage and access operations against t…
PRC state-aligned intrusion set focused on espionage against European government and NGO targets, Southeast Asian government and military targets (especially around the South China Sea), Mongolia, Ta…
PRC state-sponsored intrusion set publicly attributed by ThreatConnect and Defense Group Inc. to the People's Liberation Army Unit 78020 (Chengdu Military Region Second Technical Reconnaissance Burea…
Russia-aligned intrusion set conducting hybrid espionage and financially-motivated operations — ESET, Microsoft, and Unit 42 track it as a single actor straddling state-objective targeting (Ukrainian…