Here are 12 active and extremely dangerous APT and threat groups to have on your radar in 2020 and beyond
DarkHotel is a cyberespionage group that runs highly targeted attacks on C-level executives and other high-profile individuals to compromise their devices and steal valuable data.
DarkHotel attacks hotel and business-center Wi-Fi and wired guest connections
Also known as Tapaoux
Active: 2004-present
National affiliation: South Korea (suspected)
Tactics, Techniques & Procedures:
Layered malicious attacks including mass P2P and file-sharing infections
Compromising the Wi-Fi networks of hotels popular with business executives and pushing malicious "software updates" to selected guests
Combination of spearphishing, advanced malware (including Inexsmar), and botnet automation designed to capture confidential data
Two-stage infection: a Tapaoux Trojan first gains access and enumerates the environment for high-value targets
Stage 2: additional malware delivered automatically from C&C servers
Selected targets are then loaded with a kernel-level keylogger or other spyware
Zero-day exploits
Stolen or forged code-signing certificates (including certificates with weak 512-bit RSA keys the group factored) to make malware look like legitimate software updates
Primary Targets:
Defense industrial bases
Governments
Non-government organizations
Large electronics and tech manufacturers
Pharmaceutical companies
Energy sector
Political officials
Victims in North Korea, South Korea, Japan, and China
APT41 is a prolific Chinese group that conducts state-sponsored cyberespionage and also operates as an independent, financially motivated cybercriminal operation
APT41 is evasive and persistent, adapting quickly to changes in a targeted network environment and to incident-response activity
Active: 2012-present
National affiliation: China
Tactics, Techniques & Procedures:
Spearphishing emails with attachments to gain initial access
Identify and compromise intermediary systems to gain access to other segmented parts of a network
Has used 46+ different malware families and tools, including malware shared with other Chinese espionage groups and unique custom malware
Large arsenal including backdoors, credential stealers, keyloggers, rootkits, and MBR bootkits
Reserves more advanced TTPs and malware for high-value targets
Primary Targets:
Has shifted from targeted intellectual-property theft toward strategic intelligence collection since 2015, while keeping strong ties to both underground markets and state-sponsored missions
High-tech, software, media, healthcare, pharmaceutical, travel, telecommunications, education, and video-game industries
Black Vine is an APT group, likely composed of freelancers with partial sponsorship from the Chinese government, engaging primarily in cyberespionage
Black Vine is likely responsible for the massive 2015 Anthem data breach
Also known as Deep Panda, Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Codoso Team, and APT19 (although APT19 may be a separate group)
Active: 2012-present
National affiliation: China
Tactics, Techniques & Procedures:
Watering-hole attacks: infects websites popular with corporate executives, then uses the compromised visitors' machines to steal intellectual property from their organizations
Weaponized zero-day exploits
Custom malware including Hurix, Sakurel, and Mivast
Installs backdoors to exfiltrate valuable data and information
Phishing lure delivering a Cobalt Strike payload
Primary Targets:
Aerospace, defense, energy, military, and technology industries
Finance, pharmaceutical, telecommunications, education, and manufacturing
Legal services and investment firms
The Lazarus Group is a prolific North Korean state-sponsored APT group; its financially focused subgroup, tracked as APT38, conducts bank heists, cryptocurrency theft, money laundering, and other financially motivated attacks
Also known as APT38, Gods Apostles, Gods Disciples, Guardians of Peace, ZINC, Whois Team, Hidden Cobra
Lazarus is linked to the 2014 Sony Pictures hack and Operation Troy, and remains an active and serious threat
National affiliation: North Korea
Active: 2010-present
Tactics, Techniques & Procedures:
Gains initial access with strategic web compromise, exploiting vulnerable servers
Aggressive: uses destructive malware to render victim networks inoperable after the theft, hindering investigation
Possess a unique toolset, malware, and tactics distinguishing APT38 from other North Korean APT groups
Distributed DoS attacks
EternalBlue, Mimikatz, WannaCry ransomware, BANKSHOT
Pivots to servers used for SWIFT messaging and runs malware that inserts fraudulent SWIFT transactions
Primary Targets:
Bitcoin and cryptocurrency exchanges
Banks and financial institutions
Victims in the United States, South Korea, Ecuador, Mexico and elsewhere
Has targeted more than 16 organizations in at least 13 countries
Reportedly has attempted to steal over $1.1 billion from financial institutions
Fancy Bear is a prolific Russian state-sponsored APT group conducting economic and political cyberespionage against high-profile targets
Responsible for high-profile attacks since 2015, including the 2016 Democratic National Committee hack and intrusions at the RNC, the U.S. White House, NATO, the World Anti-Doping Agency, Dutch ministries, the German parliament, the International Olympic Committee, French television and the U.S. Department of Justice, among others
Also known as APT28, Sofacy, Sednit, Pawn Storm, Tsar Team, STRONTIUM
National affiliation: Russia
Active: 2005-present
Tactics, Techniques & Procedures:
Phishing and spearphishing to gain initial access
Phishing emails with links to spoofed websites for credential harvesting
Evasive and adaptable, routinely modifying malware and procedures to evade detection and maintain persistence in target networks
Zero-day exploits
Malware-drop websites disguised as news sources
Custom malware with unique signatures and code obfuscation
Mimikatz, CORESHELL downloader
Primary Targets:
Germany
United States
Ukraine
U.S. political organizations
World political organizations and NATO allies
Government, military, and security organizations
High-profile media personalities
Also runs disinformation and hack-and-leak campaigns
Dragonfly is an APT group engaging in cyberespionage against, and pre-positioning for sabotage of, industrial targets
Recent attacks on energy-sector targets linked to Dragonfly suggest the group has resurfaced
Dragonfly was linked to the 2020 compromise of San Francisco International Airport websites
Also known as Crouching Yeti, Energetic Bear
National affiliation: Russia
Active: 2010-present
Tactics, Techniques & Procedures:
Karagany, Karagany.B, Heriplor, and Listrix Trojans
Spearphishing emails to gain access
Compromised websites, watering holes
Custom malware with unique signatures
Goodor and Dorshel backdoors
Phishery toolkit (Word documents that prompt victims for credentials)
Primary Targets:
Energy and industrial sectors in North America and Europe
Industrial control systems
Utility companies
Shifted from defense and aviation companies to the energy sector around 2013
Victims in the United States, Switzerland and Turkey
The Equation Group is a cyberespionage APT group linked to the U.S. National Security Agency (NSA)
Associated with the Tilded Team (the Stuxnet/Duqu platform developers) and the 2010 Stuxnet attack on Iran's nuclear program; much of its tooling was exposed in the 2016-2017 Shadow Brokers leaks
Active: 2001-present
National affiliation: United States
Tactics, Techniques & Procedures:
Multiple remote access tools
Tools attributed or linked to the group include DarkPulsar, DOUBLEFANTASY, DoublePulsar, EQUATIONDRUG, EQUATIONLASER, EQUESTRE, FANNY, GROK, Lambert, Plexor, Regin, TRIPLEFANTASY
Zero-day exploits
Reprogramming hard disk drive firmware so implants survive OS reinstalls and disk wipes
Modular spyware implants
Primary Targets:
Iran
Syria
Afghanistan
Mali
India
Pakistan
APT10 is a Chinese state-sponsored APT group engaging in international cyberespionage and data theft
APT10 targets military and intelligence information as well as confidential business data to support Chinese corporations and China's national security agenda
Also known as Stone Panda, Red Apollo, menuPass, CVNX
Active: 2009-present
National affiliation: China
Tactics, Techniques & Procedures:
Spearphishing and, in Operation Cloud Hopper, reaching target networks through their managed service providers (MSPs)
Malware including HAYMAKER, SNUGRIDE, BUGJUICE, QUASARRAT
PowerSploit to inject shellcode into PowerShell processes
Staged data exfiltration
DLL search order hijacking
Mimikatz
Uses a variety of sophisticated tactics to achieve its goals once inside a target network
Primary Targets:
Construction, engineering, aerospace, and telecommunications industries
Governments including the United States, European countries, and Japan
APT29 is a Russian state-sponsored APT group that conducts cyberespionage on behalf of the Russian government
Linked to the 2016 DNC hack (alongside Fancy Bear), the 2015 intrusion into Pentagon email systems, and a U.S. phishing campaign in 2018
Also known as Cozy Bear, CloudLook, Grizzly Steppe, Minidionis, Yttrium, The Dukes, Group 100
Active: 2008-present
National affiliation: Russia
Tactics, Techniques & Procedures:
Spearphishing with malicious Microsoft Word, PDF and .lnk attachments
Kerberos pass-the-ticket attacks for lateral movement
Malware and tools including Cobalt Strike, CosmicDuke, CozyDuke, CozyCar, GeminiDuke, HammerDuke, HAMMERTOSS, meek (for domain-fronted C2)
WMI to steal credentials and execute backdoors
Mimikatz for post-exploitation credential theft
Primary Targets:
United States
U.S. government entities
Norwegian government
The Comment Crew (APT1) is a prolific Chinese state-sponsored APT group engaging in cyberespionage
The Comment Crew targeted about 140 U.S. companies to steal IP and sensitive corporate data from 2006 to 2010 in Operation Seasalt
Also known as APT1, Comment Group, Byzantine Hades, Comment Panda, Shanghai Group, PLA Unit 61398
Active: 2006-present
National affiliation: China
Tactics, Techniques & Procedures:
Spearphishing with malicious attachment or hyperlink to malicious file
GetMail (email theft utility)
Mimikatz
Pass-the-Hash Toolkit
Poison Ivy
WebC2 backdoors (C2 commands hidden in HTML comments, the origin of the "Comment Crew" name)
Malware and backdoors including TROJAN.ECLTYS, BACKDOOR.BARKIOFORK, BACKDOOR.WAKEMINAP, TROJAN.DOWNBOT, BACKDOOR.DALBOT, BACKDOOR.REVIRD
Primary Targets:
Information Technology, Aerospace, Public Administration, Satellites and Telecommunications, Navigation
Scientific Research and Consulting, Education
Energy, Transportation, Construction and Manufacturing, Engineering Services, Chemicals
High-tech Electronics, Legal Services, Media, Advertising and Entertainment
International Organizations
Financial Services
Food and Agriculture industry
Healthcare industry
Metals and Mining
FIN7 is a financially motivated threat group engaging in payment-card theft and fraud
FIN7 is tracked separately from the Carbanak Group although both use the Carbanak backdoor; FIN7 operated through a front company named Combi Security
Active: 2015-present
National affiliation: Russia (criminal group, not state-sponsored)
Tactics, Techniques & Procedures:
Spearphishing to gain initial access
Persistence via a scheduled task named "AdobeFlashSync", created by its malware to look like a vendor updater
Point-of-sale malware
Carbanak backdoor
SQL, JavaScript, and PowerShell scripts to perform tasks on victim machines
Primary Targets:
U.S. retail, restaurant, and hospitality industries
POS systems
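The "AdobeFlashSync" persistence above is the kind of thing a hunt can catch without a signature for the task name: a task whose name reads like a vendor updater but whose action launches a script host, usually from a user-writable path, is out of character for real vendor tooling. The following Python is an added example, not code from the original page or from any FIN7 report: it scores exported scheduled-task definitions on that combination. The vendor words other than "AdobeFlashSync", the scoring weights, and the three sample task definitions are constructed assumptions for illustration.

```python
"""Hunt for scheduled-task persistence that impersonates a vendor updater.

Input: (task name, task definition XML) pairs, as exported by
`schtasks /query /xml` or `Get-ScheduledTask | Export-ScheduledTask`.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Namespace used by Windows Task Scheduler task definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Names that read like a vendor updater. "AdobeFlashSync" is the name FIN7 used;
# the other vendor words are assumed lookalikes added for illustration.
LURE_NAME_RE = re.compile(r"(adobe|flash|java|google|microsoft).*(sync|update)", re.I)

# Script hosts / LOLBins a genuine vendor updater task has no reason to launch
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Directories an unprivileged user can write to (where dropped payloads usually sit)
USER_WRITABLE_RE = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.I)


@dataclass
class Finding:
    task_name: str
    command_line: str
    reasons: List[str] = field(default_factory=list)


def _text(elem, path: str) -> str:
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def analyze_task(task_name: str, task_xml: str) -> Optional[Finding]:
    """Return a Finding when the task looks like masquerading persistence, else None."""
    root = ET.fromstring(task_xml)
    exec_node = root.find("t:Actions/t:Exec", NS)
    if exec_node is None:
        return None  # COM-handler / email actions are out of scope for this check

    command = _text(exec_node, "t:Command")
    arguments = _text(exec_node, "t:Arguments")
    command_line = f"{command} {arguments}".strip()
    exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

    score, reasons = 0, []
    if LURE_NAME_RE.search(task_name) and exe in SCRIPT_HOSTS:
        score += 2  # strong signal: vendor-sounding name that launches a script host
        reasons.append(f"vendor-named task launches script host {exe}")
    if USER_WRITABLE_RE.search(command_line):
        score += 1
        reasons.append("command line references a user-writable directory")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        score += 1
        reasons.append("task is hidden from the Task Scheduler UI")

    # One weak signal alone (e.g. a legitimate installer under ProgramData) is not enough
    return Finding(task_name, command_line, reasons) if score >= 2 else None


def scan_tasks(tasks: List[Tuple[str, str]]) -> List[Finding]:
    return [f for f in (analyze_task(name, xml) for name, xml in tasks) if f is not None]


# Constructed sample task definitions (not real exports): one masquerading task in the
# FIN7 style and two benign vendor updaters that must not be flagged.
SAMPLE_TASKS: List[Tuple[str, str]] = [
    ("AdobeFlashSync", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\Public\Libraries\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""),
    ("Adobe Acrobat Update Task", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Command>
      <Arguments>/PRODUCT:Acrobat</Arguments>
    </Exec>
  </Actions>
</Task>"""),
    ("MicrosoftEdgeUpdateTaskMachineCore", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>"""),
]

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(f"[!] {finding.task_name}: {finding.command_line}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run against the constructed samples, only the wscript-backed "AdobeFlashSync" task is reported; the two real-looking updaters also match the vendor-name pattern but run signed vendor binaries from Program Files, which is why the check scores the name only in combination with the launched executable rather than on its own.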
FIN8 is an elusive financially motivated threat group that resurfaced in 2019 after two years of dormancy
FIN8 targets companies operating point-of-sale (POS) systems, infecting them with malware to steal payment-card data for sale online
Tactics, Techniques & Procedures:
Tailored spearphishing attachments to gain access
Zero-day exploits
ShellTea/PunchBuggy backdoor and PoSlurp/PunchTrack POS malware, with improved evasion and persistence features since re-emerging
Fileless, memory-resident code that leaves little on disk
Remote code execution exploits
Mimikatz
Primary Targets:
Retail, restaurant, and hospitality industries
POS systems