A number of major cyberattacks have entered the public consciousness in the past decade, with several major consumer data breaches since 2015 leaving millions of victims—high-profile financial companies, retail chains, social media sites and even the Democratic National Convention—in their wake. But who or what actors are behind these cyber attacks?

Twingate collected information from official and expert industry sources about the groups responsible for major cyberattacks. 

The U.S. government, including the Justice Department and GSA, the Council on Foreign Relations think tank, and other prominent sources have given the American public context for some of the world’s most important hacker collectives, or Advanced Persistent Threat groups. All of these groups are believed to be state-sponsored, whether by China, Russia, Iran, North Korea or the U.S. Most APTs hack their targets to find and steal information; but some groups are also hacking to extort money or steal cryptocurrencies from their targets. Some teams use custom-made cyber scripts to break into computer networks, while others rely on classic hacking tactics, such as phishing and social engineering.

Many hackers are sitting at laptops and computers against the background of the Russian flag
Anelo // Shutterstock

APT 29 (Cozy Bear)

The GSA categorizes APT 29, or Cozy Bear, as a state-sponsored group based in Eastern Europe and Russia. The group targets European and other Western governments and organizations. Cozy Bear hackers like to lurk on existing networks, making fake traffic that its members can conceal as legitimate. From there, exploiting those networks is much easier. APT 29 members are adept at using social media sites or cloud storage as ways to share instructions via clever means like corrupted image files.

Fancy Bear is seen on a computer during a session in the plenary hall of the German parliament
Sean Gallup // Getty Images

APT 28 (Fancy Bear)

CFR categorizes APT 28, or Fancy Bear and other names, as a group sponsored by Russia with targets around the world. APT 28’s hackers target disparate groups in the government, military, and private sectors. Their suspected targets include the World Anti-Doping Agency and the International Association of Athletics Federations. Russia’s team was banned from international athletics for years after a 2019 WADA ruling, but clean-testing Russian athletes were allowed to continue competing under an international flag. Russia has repeatedly tussled with these anti-doping organizations, accusing them of banning Russian athletes at Washington’s behest. In October 2018, the Justice Department indicted several individuals in Russia it alleged were members of a Russian military intelligence unit on multiple charges, including hacking the WADA.

Female hacker using keyboard to type up malware
DC Studio // Shutterstock

APT 14 (Anchor Panda)

The GSA categorizes APT 14, or Anchor Panda, as a state-sponsored group based in East Asia. APT 14 targets governments, communications, construction, and engineering firms with large-scale brute force attacks. A brute force attack is when, for example, a hacker tries to force a user’s password by attempting every possible combination. These hackers may also do some social engineering by seeking clues like the user’s pets’ names, family names, and other guessable facts to narrow down their brute-force password search.

The GSA says Anchor Panda specializes in trying to find and steal data, like spreadsheets and reports, as well as the confidential specifications of government or defense equipment for the benefit of the Chinese military.

A coder sits in a darkened room looking at several screens

Equation Group

The CFR categorizes Equation Group as a state-sponsored group likely linked to the U.S. intelligence community or its Five Eyes allies (U.K., Canada, Australia, and New Zealand). The group was discovered by researchers at Moscow-based anti-virus maker Kaspersky Lab and is believed to date back to 2001. Although Kaspersky Lab stopped short of directly implicating U.S. intelligence agencies, it claimed that Equation  Group targeted more than 500 organizations and programs worldwide; and that its targets included foreign governments, militaries, and media organizations. Equation Group’s long history and rich target list make it one of the world’s most sophisticated presumedly-state-directed or sponsored hacking groups.

Back view of hacker working at computer
Gorodenkoff // Shutterstock

APT 41 (Double Dragon)

APT 41, also known as Double Dragon, is a state-sponsored hacking group based in China whose members are wanted by the FBI. Mandiant shares that APT 41 is unusual, partly because of the financial aspect of its state-sponsored activities. Although many other hacking groups may use ransomware and other kinds of attacks that seek to extort or steal money as a major goal, such cyber piracy or privateering is less common among more sophisticated groups that target governments and militaries. It’s usually easier for hackers to find and exploit smaller or localized targets that are likely to have access to money—while also having relatively lax network security—than to go after adversary governments.

Rear view of a hacker using multiple computers
Andrey_Popov // Shutterstock

APT 33 (Elfin)

APT 33, or Elfin, is believed by cybersecurity firm Mandiant to be a state-sponsored group based in Iran. The group’s activities reportedly date back to at least 2013. It has targeted the neighboring Kingdom of Saudi Arabia as well as democratic nations such as South Korea and the U.S. APT 33 is known to rely on phishing and spyware, which form a potent combination in the world of information security. Employees at victimized firms may click on links in phishing messages that, in turn, install spyware that monitors activities on and creates vulnerabilities in their networks.

Close-up of Caucasian man hands typing data on a keyboard
husjur02 // Shutterstock

APT35 (Charming Kitten)

APT 35, or Charming Kitten, is a state-sponsored group based in Iran. The CFR reports the group’s activities are believed to date back to at least 2014, following the defection of a former U.S. Air Force intelligence officer to Iran. The officer, Monica Elfriede Witt, has since been indicted for espionage, with the Justice Department alleging she cooperated with the four state-directed Iranian hackers named in the DOJ indictment. Witt is accused of providing the Iranian hackers with details enabling them to target her former colleagues in the U.S. intelligence community. One of the hackers named in the Witt indictment, Behzad Mesri, was also charged with targeting HBO in a ransomware attempt.

⏩ Read today’s top stories on wkrn.com

APT 35 relies primarily on social engineering, which is an umbrella term for forms of attack like calling and imitating a targeted victim’s bank in order to request their account information. In addition to the Witt-linked attempts at social engineering, APT 35 has reportedly targeted academics who study Iran, as well as several U.S.-allied governments in the Middle East.

A young male programmer in front of a window
Ivanova Ksenia // Shutterstock

APT 37 (Reaper)

The CFR categorizes APT 37, or Reaper, as a state-sponsored group acting in the interest of North Korea. Once described as the Hermit Kingdom, North Korea’s internet usage has increased 300% over the last several years. The New York Times reports that restrictions on internet access do not apply to North Korean elites associated with the government or the nation’s highly restricted universities. The Justice Department indicted three North Korean hackers in 2021, alleging they attacked Sony Pictures, crypto exchanges and banks in multiple countries.

This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.