The 10 most dangerous cyber threat actors

When hacking began many decades ago, it was mostly the work of enthusiasts fueled by their passion for learning everything they could about computers and networks. Today, nation-state actors are developing increasingly sophisticated cyberespionage tools, while cybercriminals are cashing in millions of dollars targeting everything from Fortune 500 companies to hospitals.

Cyberattacks have never been more complex, more profitable, and perhaps even more baffling. At times, drawing clear lines between different kinds of activities is a challenging task. Nation-states sometimes partner with each other for a common goal, and sometimes they even appear to be working in tandem with cybercriminal gangs. Moreover, once a malicious tool is released, it is often recycled and reused by competing threat actors.

Following are some of the most creative and dangerous cyberespionage and cybercriminal groups, listed in no particular order:

Lazarus (a.k.a. Hidden Cobra, Guardians of Peace, APT38, Whois Team, Zinc)

A group associated with North Korea, Lazarus is known for perhaps the biggest cyber heist of all time: the attack on the Bangladesh Bank, which led to the theft of more than $100 million in February 2016. Yet, the group did much more than that.

Lazarus has been behind numerous operations in the past decade, starting with DDoS attacks against South Korean websites, then moving on to targeting financial organizations and infrastructure in this country, continuing with the attack on Sony Pictures in 2014, and the launch of the WannaCry ransomware in 2017.

In recent years, Lazarus started looking into ransomware and cryptocurrency, and it also targeted security researchers to gain information about ongoing vulnerability research. This group has “unlimited resources and very good social engineering skills,” Dmitry Galov, security researcher at Kaspersky, says.

These social engineering skills were put to work during the ongoing COVID-19 health crisis, when pharmaceutical companies, including vaccine makers, became some of Lazarus’s most urgent targets. According to Microsoft, the hackers sent spear-phishing emails that included “fabricated job descriptions,” luring their targets into clicking on malicious links.

“This group differs from others because while it is a state-sponsored group, their targets are not state governments, but businesses and sometimes individuals who may have information or access that North Korean spies might want to get their hands on,” Adam Kujawa, director of Malwarebytes Labs, says.

Lazarus uses a variety of custom malware families, including backdoors, tunnelers, data miners, and destructive malware, sometimes developed in-house. It spares no effort in its relentless campaigns.

“APT38 is unique in that they are not afraid to aggressively destroy evidence or victim networks as part of their operations,” according to Mandiant Threat Intelligence (FireEye). “This group is careful, calculated, and has demonstrated a desire to maintain access to victim environments for as long as necessary to understand the network layout, required permissions, and system technologies to achieve its goals.”

UNC2452 (a.k.a Dark Halo, Nobelium, SilverFish, StellarParticle)

In 2020, thousands of organizations downloaded a tainted software update of the SolarWinds Orion software, giving the attacker a point of entry into their systems. The Pentagon, the UK government, the European Parliament, and several governmental agencies and companies across the world fell victims to this supply chain attack.

The cyberespionage operation had gone unnoticed for at least nine months before it was discovered on December 8, 2020, when security company FireEye announced it was a victim of a state-sponsored attacker that stole several of its red team tools. This hack proved more extensive than initially thought. The supply chain attack on SolarWinds Orion software was just one entrance channel used by the attacker. Researchers found another supply chain attack, this time on Microsoft cloud services. They also noticed that several flaws in Microsoft and VMware products were exploited.

“UNC2452 is one of the most advanced, disciplined, and elusive threat actors we track,” says Charles Carmakal, SVP and CTO of Mandiant Threat Intelligence (FireEye). “Their tradecraft is exceptional. They have a mastery of both offensive and defensive skills—and have used that knowledge to refine their intrusion techniques to hide in plain sight.” He adds that UNC2452 demonstrated “a level of operational security that is rarely seen,” being able to spend so much time inside government agencies and companies without getting caught.

The NSA, the FBI, and a few other US agencies said that the operation was sponsored by Russia, and the US imposed sanctions. They argued that the hack has likely been the work of the Foreign Intelligence Service of the Russian Federation (SVR). Other clues point to the Cozy Bear/APT29 group.

However, the story seems to be more tangled. Kaspersky researchers noticed several fragments of code that link this attack to the Russian-speaking gang Turla (Snake, Uroburos), which targeted governments and diplomats across Europe and the US Another report, published by Secureworks, says that a China-based hacking group, Spiral, also targeted SolarWinds customers in a separate operation.

Equation Group (a.k.a. EQGRP, Housefly, Remsec)

Another threat actor with exceptional skills and resources, Equation Group, started operating in the early 2000s, maybe even earlier. It only made headlines in 2015, though, after security researchers at Kaspersky published a report that detailed some of the group’s state-of-the-art tools. One of the headings of the report read: “A rendezvous with the ‘God’ of cyberespionage.”

Equation Group got its name because it uses strong encryption and advanced obfuscation methods. Its tools are highly sophisticated and have been tied to the NSA’s Tailored Access Operations (TAO) unit.

The group targeted government, military, and diplomatic organizations; financial institutions; and companies operating in telecom, aerospace, energy, oil and gas, media, and transportation. Many of the victims were based in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.  

One of Equation Group’s most powerful tools is a module that can reprogram the hard drive firmware of various manufacturers, including Seagate, Western Digital, Toshiba and IBM, to create a secret storage vault that survives wiping and reformatting. The group also created a USB-based command and control mechanism that allowed the mapping of air-gapped networks. It did it before a similar feature was integrated into Stuxnet.

These cutting-edge technologies ended up in the hands of other nation-state threat actors. Equation Group’s tools were acquired and repurposed by the Chinese cyberespionage actor Buckeye (Gothic Panda, APT3, UPS Team), which used them in 2016 to attack companies in Europe and Asia, according to Symantec. Researchers at CheckPoint discovered that Zirconium (APT31), another China-sponsored group, cloned Equation Group’s EpMe exploit for Windows privilege escalation, creating a tool called Jian. All this happened before the Shadow Brokers leaks in 2017, when several hacking tools created by the Equation Group, including the notorious EternalBlue exploit used in the WannaCry attack, appeared online.

“Cyber weapons are digital and volatile by nature,” wrote CheckPoint researchers Eyal Itkin and Itay Cohen. “Stealing them and transferring from one continent to another can be as simple as sending an email.”

Carbanak (a.k.a Anunak, Cobalt—overlaps with FIN7)

In 2013, several financial institutions were hacked following the same pattern. The attacker sent spear-phishing emails trying to penetrate organizations. Then it used various tools to reach PCs or servers that could be used to extract data or money. The cybercriminal gang responsible for these attacks, Carbanak, carried out its campaigns meticulously, just like APTs, often spending months inside a victim’s systems without being noticed.

The Carbanak group is probably headquartered in Ukraine, and among its targets are financial companies primarily based in Russia, the US, Germany, and China. One victim lost $7.3 million due to ATM fraud, while another one had $10 million taken after its online banking platform had been targeted. Sometimes, the group commanded ATMs to dispense cash at predetermined time without on-site human interaction.

Several security companies investigated Carbanak back in 2014, and all had different conclusions. “[Carbanak] seemed to be two different groups using the same malware,” Ariel Jungheit, senior security researcher at Kaspersky, says. “One group was focused primarily on financial institutions (this one was investigated heavily by Kaspersky), while the other group focused more on retail organizations. Although this is disputed by others, the main theory is that there was one initial group that later fell into several subgroups.”

In March 2018, Europol announced that it had arrested the mastermind of the Carbanak group after a “complex investigation.” Yet, today, many cybercriminals that were part of the gang are still active, perhaps part of different groups, Jungheit says. The FIN7 cybercriminal gang is interested mainly in retail and hospitality, while Cobalt focuses on financial institutions.

“The impact of law enforcement action targeting individuals associated with large and well-resourced criminal groups such as FIN7 can be difficult to assess, as core responsibilities can often be shared across many people or teams,” says Jeremy Kennelly, senior manager of analysis at Mandiant Threat Intelligence (FireEye). “This arrest was not followed by a significant shift in FIN7’s tactics, techniques and procedures,” he adds.

Sandworm (a.k.a. Telebots, Electrum, Voodoo Bear, Iron Viking)

Russian cyberespionage group Sandworm has been linked to some of the most destructive incidents of the past decade, including the power outages in Ukraine in 2015 and 2016, the 2017 NotPetya supply chain attack that delivered malware that initially passed for ransomware, the attacks against the 2018 Pyeongchang Winter Olympics after Russian athletes were banned for doping, and operations related to elections in several countries, including the US in 2016, France in 2017, and Georgia in 2019.

“The October 2019 indictments of GRU officers reads like a laundry list of many of the most important cyberattack incidents we have ever witnessed,” John Hultquist, VP of Mandiant Threat Intelligence (FireEye), says. “We assess with high confidence that Russian military intelligence GRU unit 74455 sponsors Sandworm activity.”

In recent years, the group’s tactics, techniques and procedures have changed to integrate ransomware, something that the researchers don’t necessarily find surprising. “Encryption-based ransomware commonly associated with broadly targeted cybercrime campaigns could easily be repurposed by cyber espionage actors for a type of destructive attack,” Ben Read, director of analysis at Mandiant Threat Intelligence, says.

Evil Corp (a.k.a. Indrik Spider)

Evil Corp got its name from the ‘Mr. Robot’ series, but its members and its exploits predate the show. This Russian-speaking group is the creator of one of the most dangerous banking Trojans ever made, Dridex, also known as Cridex or Bugat. The group attacked Garmin in 2020 and dozens of other companies.

Court documents show that Evil Corp uses a franchise business model, giving access to Dridex in exchange for $100,000 and 50% of the revenues. The FBI estimates that the group stole no less than $100 million in the past decade.

Security researchers say that, in addition to Dridex, Evil Corp has also created the WastedLocker ransomware family and the Hades ransomware. ESET also announced that the BitPaymer ransomware was probably the work of the same threat actor. “What sets this group apart is how effective they are in their attacks, with many security organizations comparing Evil Corp operations to what we see from state-sponsored, heavily resourced and trained actors,” Kujawa says.

In 2019, the US Department of Justice charged two prominent members of the group, Maksim Yakubets and Igor Turashev, with several criminal charges, including conspiracy to commit fraud and wire fraud, yet this hasn’t stopped the gang from carrying on its activity. “Over the past year, this adversary has adopted new tools and rebranded several tools to avoid the sanctions that were introduced by the US Department of Treasury which would prevent victims from paying the ransom demands,” says Adam Meyers, SVP of CrowdStrike Intelligence. “This actor continues to thrive despite active indictments against individuals associated with the group and sanctions against their operations.”

Fancy Bear (a.k.a. APT28, Sofacy, Sednit, Strontium)

This Russian-speaking group has been around since the mid-2000s, targeting government and military organizations as well as energy and media companies in the US, Western Europe and the South Caucasus. Its victims likely include the German and Norwegian Parliaments, the White House, NATO, and the French TV station TV5.

Fancy Bear is best known for breaking into the Democratic National Committee and Hillary Clinton’s campaign in 2016, allegedly influencing the outcome of the presidential elections. It is believed that Fancy Bear was behind the Guccifer 2.0 persona. Another Russian-speaking Group, the Cozy Bear, was also inside the Democratic Party’s computer networks, independently stealing passwords, according to CrowdStrike. Yet, apparently, the two bears were not aware of each other.

Fancy Bear targets its victims mostly through spear-phishing messages typically sent on Mondays and Fridays. On several occasions, it registered domains that looked similar to legitimate ones, building up fake websites to harvest credentials.

LuckyMouse (a.k.a. Emissary Panda, Iron Tiger, APT27)

This Chinese-speaking actor has been active for more than a decade, targeting foreign embassies and organizations across different industries including aerospace, defense, technology, energy, healthcare, education, and government. It has conducted operations in North and South America, Europe, Asia, and the Middle East.

The group has high skills in penetration testing, usually using publicly available tools such as the Metasploit framework, Kaspersky’s Jungheit says. “In addition to spear-phishing as a delivery method, the actor also uses SWC (strategic web compromise) in their operations to target a set of victims with notable success,” he adds.

Researchers at Trend Micro noticed that the group can update and modify its tools quickly, making it difficult for researchers to detect them.

REvil (a.k.a. Sodinokibi, Pinchy Spider—related to GandCrab)

The REvil gang, which takes its name from the Resident Evil movie and video game series, runs some of the most prolific ransomware-as-a-service (RaaS) operations and is based in the Russian-speaking world. The group was first seen in April 2019, soon after the shutdown of the notorious GandCrab, and its business seems to be blooming since. Among its victims are Acer, Honda, Travelex, and the makers of Jack Daniels whiskey, Brown-Forman.

“REvil operators have demanded the highest ransoms of 2021,” says Jungheit. “For distributing ransomware, REvil cooperates with affiliates who are hired on cybercriminal forums. Affiliates earn between 60% to 75% of the ransom.”

Developers regularly update the REvil ransomware to avoid detection of ongoing attacks. “The group informs about all major updates and new available positions in the partner program in their threads on cybercriminal forums,” Jungheit says.

REvil differs from other groups because of how business-focused its developers are, Kujawa of Malwarebytes Labs says. “One of the members of this group gave an interview last year, describing that they have brought in $100 million in ransom payments and threats to release data, and they plan on expanding their extortion capabilities in the future by using DDoS attacks,” he says.

Wizard Spider

The Russian-speaking Wizard Spider group was first spotted in 2016, but it has become increasingly sophisticated in recent years, building several tools used for cybercrime. At first, Wizard Spider was known for its commodity banking malware TrickBot, but it later expanded its toolset to include Ryuk, Conti, and BazarLoader. The gang continuously fine-tunes its arsenal to make it more lucrative.

“Wizard Spider’s corpus of malware is not openly advertised on criminal forums indicating that they likely only sell access to, or work alongside, trusted criminal groups,” says Meyers of CrowdStrike Intelligence. The group has run different types of operations, including some very specific ones, having a propensity for the very targeted, high-return ransomware campaigns known as “big game hunting.”

Wizard Spider calculates the ransom it requests based on the value of its targets, and no industry seems off-limits. During the COVID-19 crisis, it attacked dozens of healthcare organizations in the US with Ryuk and Conti. Hospitals from different parts of the world have also been affected.

BONUS: Winnti (a.k.a. Barium, Double Dragon, Wicked Panda, APT41, Lead, Bronze Atlas)

Winnti is probably a set of linked Chinese-based subgroups that have performed both cybercriminal activities and state-sponsored attacks. Its cyberespionage campaigns have targeted healthcare and technology companies, often stealing intellectual property. Meanwhile, its financially motivated cybercrime arm attacked the video game industry, manipulated virtual currency, and attempted to deploy ransomware.

“The difficulty in defining this group mostly stems from overlaps we see between campaigns attributed to Winnti and other Chinese-speaking APT groups, for example, a set of tools and malware shared between multiple Chinese-speaking actors,” Jungheit says.

Winnti has been observed using dozens of different code families and tools, and it often relies on spear-phishing emails to penetrate an organization. “In a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits,” according to Mandiant Threat Intelligence. “APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems.”