
The named threat groups

Sixteen names every cyber pro knows cold.

Threat-intel reporting and SOC alerts use these handles. Knowing which group is which — what they target, what their tradecraft looks like, who their state sponsor is — is foundational CTI and SOC knowledge. Each entry is sourced from public US government attribution, DOJ indictments, vendor research, and reputable journalism.

Public attribution only. Defensive education frame. No operational tradecraft.

State-sponsored APTs

Ten advanced-persistent-threat groups.

01

APT28 / Fancy Bear / Sofacy

Russia · GRU Unit 26165

Aliases: FANCY BEAR, STRONTIUM, PAWN STORM, Sednit

Targets: Defense, government, political organizations · Western Europe + US

Spear-phishing with X-Tunnel and X-Agent malware. Targeted the DNC in 2016 (DOJ indictment July 13, 2018). Olympic Games hack (2018). Bundestag (2015).

Sources: DOJ indictment July 13, 2018 · Mueller Report · US Treasury sanctions

02

APT29 / Cozy Bear / NobleBaron

Russia · SVR Foreign Intelligence Service

Aliases: COZY BEAR, THE DUKES, MIDNIGHT BLIZZARD, IRON HEMLOCK

Targets: Government, think tanks, healthcare, energy · long-term espionage focus

SolarWinds Orion compromise (SUNBURST backdoor, 2020). Microsoft Exchange supply chain attacks. State Department + DNC (2015-2016). Highly disciplined operational security.

Sources: Joint statement from FBI/CISA/ODNI/NSA Jan 5, 2021 · UK NCSC attribution

03

Sandworm / VOODOO BEAR / IRIDIUM

Russia · GRU Unit 74455

Aliases: VOODOO BEAR, TELEBOTS, BLACKENERGY group

Targets: Ukraine + critical infrastructure globally · destructive operations

Ukrainian power-grid attacks 2015-2016 (BlackEnergy, Industroyer). NotPetya 2017 ($10B+ damage). Olympic Destroyer 2018. Industroyer2 (April 2022 attempt on Ukraine power). Six GRU officers indicted by DOJ October 19, 2020.

Sources: DOJ indictment Oct 19, 2020 · CISA advisories · UK NCSC attribution

04

Volt Typhoon

China · MSS-attributable per US joint advisory

Aliases: VANGUARD PANDA, BRONZE SILHOUETTE

Targets: US critical infrastructure pre-positioning · telecommunications, transportation, water, energy

Living-off-the-land techniques (LOLBins, legitimate admin tools). Sustained presence rather than data exfiltration. Publicly assessed as positioning for sabotage rather than espionage. Disclosed by joint CISA/NSA/FBI advisory May 24, 2023.

Sources: CISA Advisory AA23-144A May 24, 2023 · Microsoft Threat Intelligence May 24, 2023 · FBI Director Wray testimony Jan 31, 2024

05

Salt Typhoon

China · MSS-attributable per US reporting

Aliases: EARTH ESTRIES, GhostEmperor

Targets: US telecommunications carriers · lawful-intercept systems

Long-running compromise of major US telcos (AT&T, Verizon, Lumen confirmed publicly). Accessed lawful-intercept infrastructure used for court-authorized wiretaps. Government communications affected including phones of senior officials per public reporting.

Sources: Joint FBI + CISA statement late 2024 · WSJ + WaPo investigative reporting 2024

06

APT41 / BARIUM / WICKED PANDA

China · MSS contractor with criminal moonlighting

Aliases: BARIUM, BRONZE ATLAS, WICKED PANDA

Targets: Healthcare, telecommunications, technology, gaming · espionage + financial crime hybrid

Unique dual-use group. State-sponsored espionage by day, criminal financial operations by night. Five Chinese nationals indicted by DOJ September 16, 2020. SolarWinds-adjacent activity. Targets gaming platforms for virtual currency theft.

Sources: DOJ indictment Sep 16, 2020 · Mandiant APT41 reports · CrowdStrike WICKED PANDA reports

07

Lazarus Group / HIDDEN COBRA

North Korea · Reconnaissance General Bureau

Aliases: HIDDEN COBRA, ZINC, LABYRINTH CHOLLIMA, APT38 (financial sub-group)

Targets: Banks (especially SWIFT), cryptocurrency exchanges, entertainment industry · revenue generation for DPRK

Bangladesh Bank heist 2016 ($81M via SWIFT). WannaCry 2017. Sony Pictures 2014. Multiple $100M+ cryptocurrency heists (Axie Infinity $620M in March 2022). Treasury OFAC sanctioned.

Sources: DOJ indictment Park Jin Hyok Sep 6, 2018 · DOJ indictment three DPRK nationals Feb 17, 2021 · Treasury OFAC designations

08

APT34 / OilRig / Helix Kitten

Iran · MOIS Ministry of Intelligence

Aliases: OILRIG, HELIX KITTEN, CRAMBUS

Targets: Middle East government + financial + energy · gradual expansion to Western targets

DNS-based command-and-control. Custom backdoors (Helminth, Quadagent). Long-term reconnaissance focus. Aramco-related activity (2017). Active 2014-present.

Sources: FireEye/Mandiant APT34 reports · Microsoft Threat Intelligence

09

APT33 / Elfin / Refined Kitten

Iran · IRGC-attributable per multiple sources

Aliases: ELFIN, REFINED KITTEN, MAGNALLIUM

Targets: Saudi aerospace + petrochemicals + Western energy

Spear-phishing with malicious Excel attachments. Destructive Shamoon and StoneDrill malware history (with related/overlapping groups). Industrial control systems targeting.

Sources: FireEye APT33 reports · Symantec Elfin reports · CISA advisories

10

Equation Group

US-attributable per public researcher consensus and Shadow Brokers leak

Aliases: (no public alternate handles)

Targets: Foreign intelligence + counterintelligence operations

Most technically sophisticated publicly documented threat actor. Tooling predates Stuxnet and is linked to the Olympic Games program. EternalBlue exploit (later leaked by Shadow Brokers and weaponized into WannaCry / NotPetya). Firmware-level persistence on hard drives. Identified by Kaspersky research 2015.

Sources: Kaspersky Equation Group reports 2015 · Shadow Brokers leaks 2016-2017 · Snowden NSA documents

Criminal crews + ransomware operations

Six financially motivated groups.

The line between criminal and state actors is increasingly blurry: multiple ransomware crews operate with Russian state tolerance or implicit protection. Six groups every cyber professional should recognize.

01

LockBit

Ransomware-as-a-Service · primary operator and affiliate network

Targets: Manufacturing, healthcare, government, professional services · global

Most prolific ransomware operation 2022-2024. RaaS model with disciplined affiliate program. Operation Cronos (international LE takedown Feb 2024) seized infrastructure but operations continued. Russian-language ecosystem.

Sources: UK NCA Operation Cronos Feb 20, 2024 · DOJ indictments Dmitry Khoroshev May 7, 2024 · CISA #StopRansomware advisories

02

ALPHV / BlackCat

Ransomware-as-a-Service · Rust-based ransomware

Targets: Healthcare (Change Healthcare 2024 was their work), critical infrastructure, energy

First major Rust-language ransomware. Change Healthcare attack ($22M ransom confirmed paid). Vanished March 2024 in apparent exit scam after Change Healthcare payment. Members may have re-emerged in other RaaS operations.

Sources: FBI/CISA #StopRansomware ALPHV advisory · UnitedHealth congressional testimony 2024

03

Cl0p / TA505

Ransomware + data-extortion · zero-day exploitation specialty

Targets: Mass-exploitation of file-transfer software vulnerabilities · global

MOVEit Transfer mass-exploitation 2023 (~2,500 organizations). GoAnywhere MFT 2023. Accellion FTA 2020. Strategy is zero-day exploitation of widely used software followed by mass data extraction and extortion (sometimes without encryption).

Sources: CISA #StopRansomware Cl0p advisory June 7, 2023 · Mandiant FIN11 reports · DOJ indictments

04

REvil / Sodinokibi

Ransomware-as-a-Service · disrupted but ancestor of multiple successors

Targets: Managed service providers (MSPs), large enterprises · Kaseya VSA July 2021

Kaseya VSA supply-chain ransomware July 2021 affecting 1,500+ downstream organizations. JBS Foods ransom $11M paid June 2021. Russian authorities announced arrests of REvil members January 2022 (subsequent proceedings unclear).

Sources: FBI Kaseya advisory · DOJ press release ransom recovery · Russian FSB statement Jan 14, 2022

05

FIN7 / Carbanak Group

Financial cybercrime · POS targeting · ransomware pivot

Targets: Hospitality, retail, restaurants · POS systems and payment data

Sophisticated multi-year fraud operation. Operated front company Combi Security as a fake penetration-testing firm to recruit unwitting operators. Multiple convictions 2018-2022. Pivoted to ransomware affiliates including (allegedly) DarkSide/BlackMatter.

Sources: DOJ indictments and convictions multiple, 2018-2022 · FBI press releases · Mandiant FIN7 reports

06

Scattered Spider / UNC3944 / Octo Tempest

Social engineering + ransomware · English-speaking · younger operator profile

Targets: Las Vegas casinos (Caesars, MGM, Sep 2023), telecommunications, BPO services

Sophisticated social engineering of IT help desks. SIM-swapping. Native English speakers — significant departure from Russian-language ecosystem norm. MGM Resorts 2023 ($100M cost). Caesars 2023 ($15M ransom paid).

Sources: Microsoft Threat Intelligence Octo Tempest reports · FBI press releases · Mandiant UNC3944 reports

LAB · ATOMEONS · MARCO ISLAND FL · ÆONS RESEARCH · 12 PAPERS · CC-BY 4.0