APT list

Fields per entry: attributed origin, description (with source), target countries, target sectors, aliases. Entries omit fields for which no data is recorded.

APT1
Attributed origin: China
Description: APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (source: https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)
Target countries: Singapore, Canada, South Africa, United States, Switzerland, Norway, Taiwan, Israel, Luxembourg, United Arab Emirates, United Kingdom, Belgium, France, India, Japan
Aliases: Operation Siesta, Group 3, Shanghai Group, BrownFox, Comment Panda, Comment Group, Operation Oceansalt, Operation Seasalt, PLA Unit 61398, Comment Crew, Byzantine Candor, ShadyRAT, Byzantine Hades, TG-8223, Brown Fox, GIF89a

APT10
Attributed origin: China
Description: Red Apollo (also known as APT10 (Mandiant), menuPass (FireEye), Stone Panda (CrowdStrike) and POTASSIUM (Microsoft)) is a Chinese cyber-espionage group. A 2018 U.S. Department of Justice indictment described the group as state-sponsored, linked to the Tianjin State Security Bureau of the Ministry of State Security, and operating since 2006. (source: https://en.wikipedia.org/wiki/Red_Apollo)

Wekby
Description: Wekby was described by Palo Alto Networks in a 2015 report as follows: "Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of Hacking Team's Flash zero-day exploit." (source: https://malpedia.caad.fkie.fraunhofer.de/actor/wekby)

APT28
Attributed origin: Russia
Description: APT28 is a threat group that a July 2018 U.S. Department of Justice indictment attributed to the Main Intelligence Directorate (GRU) of the Russian General Staff. The group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. APT28 has been active since at least 2004. (source: https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)
Target countries: Ukraine, South Africa, Lebanon, China, Norway, Mongolia, Thailand, Israel, Kazakhstan, Pakistan, France, Afghanistan, Germany, Russia, Poland, Montenegro, Lithuania, Turkey, Romania, Slovakia, Switzerland, Mexico, Malaysia, Spain, Luxembourg, Sweden, United Kingdom, Uganda, Croatia, Portugal, United States, Belarus, Ireland, Tajikistan, Latvia, Chile, Azerbaijan, Netherlands, Jordan, Armenia, Chechnya, Iraq, Iran, Japan, Georgia, United Arab Emirates, Canada, Australia, Bulgaria, Kyrgyzstan, Czech Republic, New Zealand, Slovenia, Cyprus, South Korea, Uzbekistan, Hungary, Belgium, Brazil, India

APT29
Attributed origin: Russia
Description: APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. The group reportedly compromised the Democratic National Committee starting in the summer of 2015. (source: https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)
Target countries: Belgium, Brazil, China, Georgia, India, Japan, Kazakhstan, Mexico, New Zealand, Portugal, Romania, South Korea, Turkey, Ukraine, United States
Target sectors: government-national, pharmaceuticals, retail
Aliases: Dukes, Group 100, Cozy Duke, CozyDuke, EuroAPT, CozyBear, CozyCar, Cozer, Office Monkeys, OfficeMonkeys, Cozy Bear, The Dukes, Minidionis, SeaDuke, Hammer Toss, YTTRIUM, Iron Hemlock, Grizzly Steppe

APT31
Attributed origin: China
Description: FireEye characterizes APT31 as an actor specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese government. According to CrowdStrike, this adversary is also suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL "web bugs" and scheduled tasks to automate credential harvesting. (source: https://malpedia.caad.fkie.fraunhofer.de/actor/apt31)

APT33
Attributed origin: Iran (suspected)
Description: APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

APT35
Attributed origin: Iran
Description: FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long-term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and the engineering, business services and telecommunications sectors. (source: https://malpedia.caad.fkie.fraunhofer.de/actor/apt35)
Target countries: China, Israel, Pakistan, France, Germany, Kuwait, Turkey, Mexico, United Kingdom, United States, Netherlands, Qatar, United Arab Emirates, Canada, South Korea, Saudi Arabia, India
Aliases: Newscaster Team, Magic Hound, TEMP.Beanie, Tarh Andishan, TG-2889, Ghambar, Group 41, Operation Cleaver, Rocket Kitten, Cobalt Gypsy, Cutting Kitten, Phosphorus, Ajax Security, NewsBeef, Turk Black Hat, Charming Kitten, Parastoo, iKittens

APT38
Attributed origin: North Korea
Description: APT38 is a financially motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014. (source: https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)
Target countries: China, Thailand, Ecuador, Philippines, Israel, France, Germany, Poland, Hong Kong, Russia, Taiwan, Mexico, United Kingdom, United States, Chile, Guatemala, Japan, Bangladesh, Canada, Australia, South Korea, Vietnam, Brazil, India
Target sectors: aerospace, construction, government-national, retail, technology, financial-services, entertainment
Aliases: Operation VANXATM, Zinc, Operation Troy, T-APT-15, Operation Flame, Operation BLACKMINE, Appleworm, Hastati Group, Operation DarkSeoul, Lazarus Group, Operation North Star, Operation DESERTWOLF/Phase 3, Operation Mayday, Operation Blockbuster: Breach of Sony Pictures Entertainment, Dark Seoul, Operation FASTCash, Operation INITROY/Phase 2, Group 77, Operation In(ter)ception, Operation BLACKSHEEP/Phase 3, Bureau 121, ATK 117, ITG03, APT-C-26, SectorA01, Operation GhostSecret, Nickel Academy, NewRomanic Cyber Army Team, Bluenoroff (subgroup), Andariel, Stardust Chollima, Operation INITROY/Phase 1, Operation GoldenAxe, Silent Chollima, Operation Ten Days of Rain / DarkSeoul, Operation Sharpshooter, Unit 121, Operation AppleJeus sequel, Operation AppleJeus, Hidden Cobra, ATK 3, Labyrinth Chollima, Operation GHOSTRAT, Operation XEDA, Whois Hacking Team, Guardians of Peace

APT40
Attributed origin: China
Description: Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has a long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe. (source: https://malpedia.caad.fkie.fraunhofer.de/actor/leviathan)
Target countries: United States, United Kingdom, Norway, Germany, Saudi Arabia, Cambodia, Indonesia
Aliases: Leviathan, TEMP.Periscope, TEMP.Jumper, APT 40, BRONZE MOHAWK, GADOLINIUM, Kryptonite Panda

APT41
Attributed origin: China
Description: APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. (source: https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)
Target countries: Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States, South Korea, Taiwan, Vietnam, Pakistan, Chile, Indonesia, Thailand

Evil Corp
Attributed origin: Russia
Description: Evil Corp is the Russia-based cybercriminal organization responsible for the development and distribution of the Dridex malware. Dridex is a multifunctional malware package designed to automate the theft of confidential information, including online banking credentials, from infected computers. Dridex is traditionally spread through massive phishing email campaigns that seek to entice victims to click on malicious links or attachments embedded within the emails. Once a system is infected, Evil Corp uses the compromised credentials to fraudulently transfer funds from victims' bank accounts to accounts controlled by the group. As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses. In particular, Evil Corp heavily targets financial services sector organizations located in the United States and the United Kingdom. Through its use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though the total of its illicit proceeds is likely significantly higher. As a result of this activity, Evil Corp is being designated pursuant to E.O. 13694, as amended, for engaging in cyber-enabled activities that have the effect of causing a significant misappropriation of funds or economic resources for private financial gain. (source: https://home.treasury.gov/news/press-releases/sm845)
Target countries: United States, United Kingdom, Europe
Target sectors: financial-services, technology
Aliases: unknown

Turla
Attributed origin: Russia
Description: Turla has been in operation since the early 2000s. The group focuses on espionage, targeting government entities and embassies in up to 100 countries. Turla is believed to be behind attacks on the U.S. State Department, NASA, U.S. Central Command (CENTCOM) and various embassies located in European countries. (source: https://www.bluvector.io/threat-report-turla-apt-anti-detection/) The NCSC has observed the Turla group using the Neuron and Nautilus malicious tools, designed to operate on Microsoft Windows platforms and primarily targeting mail servers and web servers. These tools are used to maintain persistent network access and to conduct operations that compromise networks for the purposes of intelligence collection. (source: https://www.ncsc.gov.uk/news/turla-group-malware)
Target countries: United Kingdom, United States, Russia, Kazakhstan, Poland, China, Vietnam, Ukraine, Germany, India, France, Iran, Latvia, Belarus, Algeria, Brazil, Ecuador, Spain, Mexico, Saudi Arabia, Serbia, Iraq, Uzbekistan, Romania, Tajikistan, Armenia, Netherlands