Skip to main content


Top 25 Threat Actors – 2019 Edition

Top 25 Threat Actors – 2019 Edition

Hacking at the end of 2019 is a lot different than the “hackers” of the mid-2000’s, and certainly a far cry from a 15-year old kid in his mom’s basement eating Cheetos and “hacking the planet” many people have in their minds.

Today, hacking – in whatever form you choose to label it (cybercrime, threat actors, espionage, etc.) – is modern warfare or big business; sometimes both. Some hacking groups, aka “threat actors,” have stood out by their actions, their longevity, their methods, or a combination of all three.


APTs, Hacktivists, and Ransomware… oh my!

There are a few different types of threat actors listed out in this article, including:

  • Advanced Persistent Threat (APT) groups
  • Cybercrime-as-a-Service (CaaS) groups
  • Hacktivists

An Advanced Persistent Threat (APT) is an attack (typically performed by state-sponsored hacking groups and/or organized crime syndicates) that occurs when an unauthorized user utilizes advanced and sophisticated techniques to gain access to a system or network. APTs are more concerning than the everyday “hacker,” as they typically target high-value organizations and governments with the goal of stealing information over a long period of time. A regular hacker would gain access to a system, do what they needed, and leave quickly. However, an APT group tends to hack and use small businesses as steppingstones to reach larger organizations because the smaller organizations are not as well defended.

Two cybersecurity defense and research organizations – Mandiant (FireEye) and Crowdstrike – track and monitor threat actors across the globe. APT groups are numerically named by Mandiant, and depending on the country, Crowdstrike names APT groups by animals. For example, a China APT group would be designated with “Panda,” Russian groups with “Bear,” and Iran with “Kitten.”

Cybercrime-as-a-Service groups are today’s mafia – creating, packaging, and reselling tools to anyone that wants to make a cyber-dollar on the internet via ransomware, DDoS attacks, phishing emails, or other malicious software-and-services. Many APT groups use some of these cybercrime-as-a-service tools to gain access to networks or cover their tracks, but a few hacking groups thrive solely on selling cyber-weapons for money.

Finally, while Hacktivists didn’t start this fire, they made sure the general public was aware that hacking was rising to prominence. Anonymous, a decentralized organization known for “doxing” (posting information online) any individual or organization it deems necessary and supporting the “Occupy” movements, is probably the most well-known hacktivist collective still today. Many others exist or have risen to prominence, including the Shadow Brokers, Edward Snowden, and the Lizard Squad. Below is a list of the top 25 Advanced Persistent Threat Actors from the last 10 years, including the known-locations of each group, whom the threat actors target, the tools they use, and each group’s significant attacks.


The List 

1. Lazarus Group (APT)
AKA: APT38, Gods Apostles, Gods Disciples, Guardians of Peace, ZINC, Whois Team, Hidden Cobra

  • Origin: Pyongyang, North Korea
  • Operating Since: 2010
  • Targets: Bitcoin, Cryptocurrency, Ecuador, Mexico, Sony Corp, South Korea, United States
  • Techniques/Tools: Bankshot, DDoS, EternalBlue, Mimikatz, Wannacry
  • Significant Attacks: 2014 Sony Pictures Hack, Operation Troy

2. Fancy Bear (APT)
AKA: APT28, Sofacy, Sednit

  • Origin: Russia
  • Operating Since: 2010
  • Targets: Democratic National Committee, Democratic National Convention, Germany, United States, Ukraine
  • Techniques/Tools: Cannon, Coreshell, Responder, MimiKatz, Spear-phishing
  • Significant Attacks: Operation “Pawn Storm” (2014), EFF spoof - White House and NATO attack (2015), Breach of Democratic National Committee (2016), World Anti-Doping Agency attack (2016), Attack on Dutch ministries (2017), IAAF Hack (2017), German elections (2017), Breach of the International Olympic Committee (2018), Olympic Destroyer (2018), U.S. Department of Justice indictment (2018), German Think Tank Attacks (2019)

3. Cobalt Group (APT)
AKA: Cobalt Spider, Cobalt Gang, Gold Kingswood

  • Origin: Russia
  • Operating Since: 2016
  • Targets: financial institutions around the globe, ATMs, card processing, payment systems, and SWIFT systems
  • Techniques/Tools: AmmyyRAT, ATMSpitter, ATMRipper Cobalt Strike, CobInt, Cyst Downloader, Mimikatz, Metasploit Stager, More_eggs, SDelete, SoftPerfect Network Scanner, and SpicyOmelette
  • Significant Attacks: First Commercial Bank in Taiwan (2016), Government Saving Bank in Thailand (2016), spear-phishing campaigns targeting Russian banks (2017, 2018)

4. FIN7 (APT)
AKA: Carbanak, Annuak, Carbon Spider

  • Origin: Russia
  • Operating Since: 2015
  • Targets: U.S. retail, restaurant, and hospitality sectors
  • Techniques/Tools: Astra, Bateleur, Carbanak, Cobalt Strike, Griffon, HALFBAKED, POWERSOURCE, SQLRAT and TEXTMATE
  • Significant Attacks: spear-phishing campaigns targeting SEC personnel and financial institutions (2017), phishing emails using Microsoft Word documents and fileless malware targeting US restaurants (2017); Red Robin, Chili’s, Arby’s, Burgerville, Omni Hotels, and Saks Fifth Avenue (2018)

5. Mirage (APT)
AKA: APT15, Ke3chang, Vixen Panda, GREF, Playful Dragon, RoyalAPT

  • Origin: China
  • Operating Since: 2010
  • Targets: European Union, India, United Kingdom
  • Techniques/Tools: Cobalt Strike, Mimikatz, MirageFox, MS Exchange Tool, Phishing, Royal DNS
  • Significant Attacks: Operation “Ke3chang” Syrian espionage (2010), Attack on subcontractors providing services to UK Government (2017), Operation “MirageFox” remote access trojan (2018)

6. Magecart (CaaS)

  • Origin: unknown; at least 6 distinct groups, with ties to Cobalt and FIN6
  • Operating Since: 2015
  • Targets: online shopping carts, Magento eCommerce platforms
  • Techniques/Tools: Web-skimmers, Skimmer scripts
  • Significant Attacks: British Airways (2018), Newegg (2018), Ticketmaster breach (2018), Forbes magazine (2019), hundreds of college campus bookstores (2019)

7. Equation Group (APT)
AKA: Tilded Team

  • Origin: United States (may be a collection of US government groups)
  • Operating Since: 2001
  • Targets: Afghanistan, Iran, India, Mali, Pakistan, Syria
  • Techniques/Tools: DarkPulsar, DOUBLEFANTASY, DoublePulsar, EQUATIONDRUG, EQUATIONLASER, EQUESTRE, FANNY, GROK, Lambert, Plexor, Regin, TRIPLEFANTASY, and many others
  • Significant Attacks: Iran’s nuclear program – Stuxnet (2010)

8. OilRig (APT)
AKA: APT 34, Crambus, Helix Kitten, Twisted Kitten

  • Origin: Iran
  • Operating Since: 2012
  • Targets: Iran, Israel, Middle Eastern government, Saudi Arabia, United States
  • Techniques/Tools: GoogleDrive RAT, HyperShell, ISMDoor, Mimikatz, PoisonFrog, SpyNote, Tasklist, Webmask
  • Significant Attacks: Shamoon (2012), Targeted Attacks against Banks in the Middle East (2016) Shamoon v3 attack against targets in Middle East Asia (2018)

9. Comment Crew (APT)
AKA: APT 1, Byzantine Hades, Comment Panda, Shanghai Group

  • Origin: China
  • Operating Since: 2006
  • Targets: General Staff Departments, 2nd Bauru of the People's Liberation Army
  • Techniques/Tools: GetMail, Mimikatz, Pass-The Hash Toolkit, Poison Ivy, WebC2
  • Significant Attacks: Operation “Seasalt” targeting 140 US companies in the quest for sensitive corporate and intellectual-property data (2006-2010), Operation “Oceansalt” (2018)

10. Syrian Electronic Army (Hacktivist)
AKA: Deadeye Jackal, SEA

  • Origin: Syria
  • Operating Since: 2011
  • Targets: Facebook, Forbes, Microsoft, Skype, United States, United Kingdom
  • Techniques/Tools: DDoS, Malware, Phishing, Spamming, Website Defacement
  • Significant Attacks: Defacement attacks against news websites such as BBC News, Associated Press, National Public Radio, CBC News, The Daily Telegraph, The Washington Post. (2018)

AKA: TwoForOne

  • Origin: China
  • Operating Since: 2009
  • Targets: Malaysia, Indonesia, Vietnam
  • Techniques/Tools: AMTsol, Dipsind, hot-patching vulnerabilities, spear-phishing, Titanium, zero-day exploits
  • Significant Attacks: Southeast Asia attack - Operation “EasternRoppels” (2018)

12. Anonymous (Hacktivist)

  • Origin: decentralized
  • Operating Since: 2003
  • Targets: Brazil, Kazakhstan, Russia, Thailand, Turkey
  • Techniques/Tools: Guy Fawkes masks, website defacement, DDoS attacks, social media compromise
  • Significant Attacks: Defacement of SOHH and AllHipHop websites (2008), Iranian election protests (2009), Operation Facebook (2011), Occupy Wall Street (2011), Syrian Government E-mail Hack (2012), Vatican website DDoS Attacks (2012), Federal Reserve ECS Hack (2013), Operation Hong Kong (2014), Operation KKK (2015)

13. Numbered Panda (APT)
AKA: APT 12, Calc Team, Crimson Iron

  • Origin: China
  • Operating Since: 2009
  • Targets: Organizations in East Asia, media outlets, high-tech companies and governments, New York Times
  • Techniques/Tools: DynCalc, DNSCalc, HIGHTIDE, RapidStealer, Spear-phishing
  • Significant Attacks: New York Times breach (2012), Taiwanese Government (2016)

14. Dynamite Panda (APT)
AKA: APT 18, Scandium, TG-0416, Wekby

  • Origin: China
  • Operating Since: 2009
  • Targets: Government, Industries Medical, Manufacturing, Technology, United States
  • Techniques/Tools: Gh0st RAT, hcdLoader, HTTPBrowser, Pisloader, Roseam, StickyFingers and 0-day exploits for Flash
  • Significant Attacks: US Community Health Systems data breach (2014)

15. Cozy Bear (APT)
AKA: APT 29, CloudLook, Grizzly Steppe, Minidionis, Yttrium, The Dukes, Group 100

  • Origin: Russia
  • Operating Since: 2008
  • Targets: Norwegian Government, United States
  • Techniques/Tools: Cobalt Strike, CosmicDuke, CozyDuke, CozyCar, GeminiDuke, HammerDuke, HAMMERTOSS, meek, Mimikatz, Spear-phishing
  • Significant Attacks: Attack on the Pentagon (2015), Phishing campaign in the USA (2018)

16. Elfin (APT)
AKA: APT 33, Magnallium

  • Origin: Supported by the government of Iran
  • Operating Since: 2013
  • Targets: Aerospace companies, Energy Companies, Saudi Arabia, South Korea, United States
  • Techniques/Tools: Mimikatz, NETWIRE RC, PowerSploit, Shamoon
  • Significant Attacks: Saudi Arabia Organizations (2019), United States Organizations (2019)

17. Charming Kitten (APT)
AKA: Group 83, NewsBeef, Newscaster, Poarastoo

  • Origin: Iran
  • Operating Since: 2014
  • Targets: Saudi Arabia, Israel, Iraq, United Kingdom, U.S. government/defense sector websites
  • Techniques/Tools: DownPaper, FireMalv, MacDownloader
  • Significant Attacks: Operation “Newscaster” (2011), HBO cyberattack (2017)

18. Ricochet Chollima (APT)
AKA: APT 37, Group 123, Red Eyes, Reaper

  • Origin: North Korea
  • Operating Since: 2012
  • Targets: Republic of Korea, Japan, Vietnam
  • Techniques/Tools: DOGCALL, HAPPYWORK, NavRAT, PoohMilk Loader, Spear-Phishing, 0-day Flash and MS Office exploits
  • Significant Attacks: Operation Golden Time (2016), Are you Happy? (2017), FreeMilk (2017), Northern Korean Human Rights (2017), Evil New Year (2016, 2018), Operation Holiday Wiper (2019), Operation Black Banner (2019)

19. Mythic Leopard (APT)
AKA: APT 36, ProjectM, TEMP. Lapis, Transparent Tribe

  • Origin: Pakistan
  • Operating Since: 2016
  • Targets: India, Indian Army
  • Techniques/Tools: Andromeda, beendoor, Bozok, Breachrat, Spear-phishing
  • Significant Attacks: Operation “Transparent Tribe” (2016), Operation “C-Major” (2016), spear-phishing of Central Bureau of Investigation and Indian Army impersonating Indian Think Tank (2017)

20. Sodinokibi (CaaS)
AKA: REvil, Sodin

  • Origin: Unknown
  • Operating Since: 2019
  • Targets: managed services providers and small businesses globally; Asia, Eastern Europe
  • Techniques/Tools: REvil Ransomware, Privilege Escalation, PowerShell, Sodinokibi RansomWare, MinerGate, XMRig, RIG Exploit Kit
  • Significant Attacks: Breached managed service providers, impacting hundreds of dental offices (2019)

21. Muddy Water (APT)
AKA: Static Kitten, Seedworm, TEMP.Zagros

  • Origin: Iran
  • Operating Since: 2017
  • Targets: Georgia, Iraq, Israel, India, Pakistan, Saudi Arabia, Turkey, United Arab Emirates, United States
  • Techniques/Tools: ChromeCookiesView, chrome-passwords, CrackMapExec, Mimikatz, PowerSploit, POWERSTATS, Spear-phishing
  • Significant Attacks: MuddyWater spear-phishing campaigns against Middle East, India, USA, SW Asia, and Turkey (2017-2018), Seedworm espionage attacks (2018), Operation “BlackWater” (2019)

22. Patchwork (APT)
AKA: APT -C-09, Chinastrats, Dropping Elephant, Monsoon, Quilted Tiger

  • Origin: India
  • Operating Since: 2014
  • Targets: Bangladesh, Pakistan, Sri Lanka
  • Techniques/Tools: BADNEWS, MazeRunner, PowerSploit, QuasarRAT, Spear-phishing, Unknown Logger
  • Significant Attacks: Targeting U.S. Think Tanks (2018)

23. Energetic Bear (APT)
AKA: Dragonfly, Crouching Yeti, Electrum, Group 24, Koala Team

  • Origin: Russia
  • Operating Since: 2011
  • Targets: China, France, Germany, Ireland, Italy, Japan, Poland, Turkey, United States
  • Techniques/Tools: nmap, PHPMailer, PSExec, Spear-phishing
  • Significant Attacks: phishing emails against energy sectors (2013), Power outage at Ukrenergo in the Ukraine (2016), Watering Hole Attack on Turkish critical infrastructure (2017)

24. Sandworm Team (APT)
AKA: Iron Viking, Voodoo Bear, Quedagh, TeleBots

  • Origin: Russia
  • Operating Since: 2009
  • Targets: Education, Energy, Government, and Telecommunications, particularly in the Ukraine and Eastern Europe
  • Techniques/Tools: BlackEnergy, Gcat, PassKillDisk, NotPetya, BadRabbit
  • Significant Attacks: Widespread power outages on the Ukraine (2015), NotPetya (2016), BadRabbit ransomware (2017)

25. OceanLotus (APT)
AKA: APT 32, Ocean Buffalo, SeaLotus

  • Origin: Vietnam
  • Operating Since: 2014
  • Targets: Australia, Brunei, Cambodia, China, Germany, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, USA, and Vietnam
  • Techniques/Tools: Cobalt Strike, KerrDown, MimiKatz, PowerSploit, Terracotta VPN, 0-day exploits in MS Office
  • Significant Attacks: Terracotta VPN (2015), Operation “Cobalt Kitty” (2017), New MacOS Backdoor (2018), macOS malware update (2019), Breach of Toyota in Australia, Japan, Thailand and Vietnam (2019)


The Big Takeaway

Threat actors – whether Advanced Persistent Threat groups, Cybercrime-as-a-Service organizations, or Hacktivists – pose a very real and much more impactful threat than your standard “hacker.” When these threat actors have been discovered and appear to be gone, that may not be the case. The hackers may have left multiple backdoors to allow them to come back whenever they choose. All of these threat actors use advanced tools to steal private information, which is why small and large businesses need to be aware of these threats and protect their private information.



Written by: Jon Waldman and Edin Cordona 
SBS CyberSecurity, LLC


SBS Resources: 

{Service} Network Security: When it comes to network security, knowledge is power. Understanding the weaknesses found in your network and remediating these flaws keeps the power in your hands, and not in the hands of cybercriminals. SBS network security tests are tailored to the size and complexity of your organization, providing a personalized experience from start to finish. Working with an SBS network security engineer following our proven methodologies will ensure thorough and consistent testing results and a more secure network. Our network security services include: 


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Ethical Hacker

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, December 12, 2019
Categories: Blog