“Advanced Persistent Threats” (APTs) have emerged over the past decade as a central term for particularly potent, persistent, and state-affiliated, if not state-integrated, cyber actors.
We therefore present the most prominent APTs in the form of compressed profiles, produced in a standardised, continuously updated and expanding process.
Listed below according to the countries the APTs are associated with, the profiles are based on
- key aspects of the group’s conflict activity (quantitative & qualitative)
- its description within the framework of political, technical, and legal attribution processes
- and countermeasures already initiated (e.g., indictments, confiscations, sanctions, etc.).
To address the often unambiguous way in which the groupings are described, we identify controversies in the attributions made by different actors. This may facilitate the debate on contested responsibility attribution, which also occurs at the actor level.
We have also developed a Threat Level Index for assessing the overall intensity, frequency, and scope of the attacks attributed to specific APT groups. This index is derived from our data; see more details on our methodology below.
"There are only two types of companies - those that know they have been compromised and those that do not" (Dimitri Alperovitch, 2011). This quote is used repeatedly to describe the extent of Chinese cyber espionage against companies worldwide. Few countries have developed a cyber operations portfolio as clearly economically motivated as China. Nevertheless, the APTs and their activities presented below also largely fit into the Communist Party's foreign and domestic policy objectives on a geopolitical level. Thus, in recent years, Chinese cyber actors have also conducted increasingly military-oriented, disruptive cyber operations, especially with regard to regional conflicts.
The steady development and expansion of Iranian capabilities to conduct offensive cyber activities is justified in particular by Iran's own experience as a victim of serious cyber attacks, most notably the Stuxnet computer worm. Since 2010, a wide variety of Iranian-origin cyber activities have been detected with increasing frequency, with the focus of the operational profile gradually shifting from initially low-sophistication DDoS and defacement operations to more complex, regionally oriented cyber espionage operations. According to public findings (Gundert et al. 2018), this is attributed to a growing number of APTs competing for government hacking contracts within a national cyber ecosystem.
In cyberspace, North Korea is increasingly living up to its analogue-world reputation as a "rogue state." Especially since 2016, North Korean APTs have increasingly turned to financial activities, such as redirecting financial transactions or "robbing" crypto exchanges. Despite its own isolation at the digital level, the country has thus far managed to exploit the vulnerabilities of many other states to its own advantage. Because of the high degree of state control over the national intranet, (domestic) North Korean APTs can also be assumed to carry a maximum degree of state responsibility.
Hardly any country has attracted as much attention in cyberspace in recent years as the Russian Federation. Whether classic cyber espionage against rival states, domestic opposition members, or foreign media institutions; electoral influence through hack-and-leak operations; or sabotage through disruptive cyber attacks on critical infrastructure, Russian APTs have so far displayed a wide range of forms of operation in the digital space, not least in the current Ukraine War. Because of the growing interrelationship between political and criminal cyber activities, Russia's profile covers not only classic APTs but also cybercrime groups known to have close ties to government agencies.
The U.S. is considered the most powerful country in cyberspace, with the greatest capabilities and resources. Both the technologically leading private sector and government agencies have extensive offensive as well as defensive capabilities in cyberspace. Even though disruptive cyber operations have so far been made public mainly by U.S. actors themselves, the extensive cyber espionage activities of the NSA and CIA have attracted considerable attention, not least since Edward Snowden's revelations in 2013; IT companies have also attributed some of these activities to the APTs presented below.