# Chapter 22: Threat Actor Encyclopedia
## Overview
Understanding adversaries — their motivations, capabilities, infrastructure, and behavioral patterns — transforms security from reactive to proactive. This chapter is a comprehensive encyclopedia of major threat actors organized by geopolitical origin, motivation, and sector targeting. Each profile covers the actor's TTPs mapped to MITRE ATT&CK, known tooling, infrastructure signatures, historical operations, and detection opportunities. Whether defending critical infrastructure, financial services, healthcare, or government networks, understanding your adversary is the first step toward defeating them.
## Learning Objectives
By the end of this chapter, students SHALL be able to:
- Distinguish nation-state actors, cybercriminal groups, hacktivists, and insider threats
- Profile the top 20 advanced persistent threat (APT) groups with their TTPs and targeting
- Map threat actor tooling to MITRE ATT&CK techniques for detection engineering
- Use threat intelligence to prioritize defensive controls based on likely adversaries
- Recognize infrastructure signatures (C2 patterns, malware families) of specific actors
## Prerequisites
- Completion of Chapter 7 (Threat Intelligence & Context)
- Familiarity with MITRE ATT&CK framework
- Basic understanding of nation-state geopolitical dynamics
Why This Matters
Defenders who don't know their adversaries fight blindly. When APT29 compromised SolarWinds' build pipeline in 2020, they implanted a backdoor in software updates used by 18,000 organizations including the US Treasury, State Department, and Microsoft. The attack went undetected for 9 months. Had defenders known APT29's infrastructure signatures and SolarWinds' risk profile, earlier detection would have been possible. Intelligence-driven defense reduces dwell time and improves detection accuracy.
## 22.1 Threat Actor Classification
```mermaid
graph TD
A[Threat Actors] --> B[Nation-State / APT]
A --> C[Cybercriminal\nGroups]
A --> D[Hacktivists]
A --> E[Insider Threats]
A --> F[Script Kiddies /\nOpportunistic]
B --> B1[Intelligence Collection\nSpy / Steal IP]
B --> B2[Destructive /\nSabotage]
B --> B3[Financial Crime\nSanction Evasion]
C --> C1[Ransomware\nAs a Service]
C --> C2[Banking Trojans /\nFraud]
C --> C3[BEC / Wire Fraud]
D --> D1[Defacement /\nDDoS]
D --> D2[Data Leak /\nEmbarrassment]
style B fill:#e63946,color:#fff
style C fill:#f4a261,color:#000
style D fill:#1d3557,color:#fff
```
## 22.2 Russian Threat Actors
### 22.2.1 APT28 / Fancy Bear (GRU Unit 26165)
- Sponsor: Russian Military Intelligence (GRU)
- Active Since: 2004
- Primary Targets: Government, defense, political organizations, NATO/EU member states
- Motivation: Intelligence collection, influence operations, election interference
| Attribute | Details |
|---|---|
| Aliases | Fancy Bear, STRONTIUM, Sofacy, Sednit, Pawn Storm |
| Notable Operations | DNC hack (2016), WADA hack (2016), Bundestag hack (2015), Emmanuel Macron campaign (2017) |
| Primary Malware | X-Agent (Sofacy), X-Tunnel, CHOPSTICK, GAMEFISH, JHUHUGIT |
| C2 Infrastructure | Dynamic DNS, compromised routers, HTTPS to legitimate services |
| Techniques | Spearphishing (T1566), credential harvesting, LSASS dumping, network scanning |
| Unique Fingerprint | Reuses infrastructure; registers typosquatting domains days before targeting |
ATT&CK Mapping:
- T1566.002: Spearphishing Link (primary initial access)
- T1078: Valid Accounts (credential reuse)
- T1036.005: Match Legitimate Name or Location
- T1071.001: Web Protocols (HTTPS C2)
- T1003.001: LSASS Memory
### 22.2.2 APT29 / Cozy Bear (SVR / FSB)
- Sponsor: Russian Foreign Intelligence Service (SVR), possibly FSB
- Active Since: 2008
- Primary Targets: Government, think tanks, healthcare, SolarWinds supply chain
- Motivation: Long-term intelligence collection; highly patient and stealthy
| Attribute | Details |
|---|---|
| Aliases | Cozy Bear, The Dukes, Office Monkeys, NOBELIUM, Midnight Blizzard |
| Notable Operations | SolarWinds SUNBURST (2020), COVID-19 vaccine research theft (2020), Microsoft Executive Email Compromise (2024), DNC (simultaneous with APT28, 2016) |
| Primary Malware | SUNBURST, TEARDROP, SUNSPOT, MiniDuke, CozyDuke, CloudDuke, WellMess, GraphAgent |
| C2 Infrastructure | Legitimate cloud services (OneDrive, GitHub, Dropbox), Tor, compromised website proxies |
| Techniques | Supply chain compromise (T1195), cloud service C2, living off the land, very long dwell times |
| Unique Fingerprint | Months-to-years dwell time; uses legitimate cloud services as C2; extremely patient enumeration |
Detection Opportunities:
- Unusual outbound connections to OneDrive/Dropbox from non-user processes
- SolarWinds Orion processes making DNS queries to avsvmcloud.com subdomains
- OAuth token requests from anomalous applications
- SUNBURST DGA pattern: base32-encoded victim organization name in subdomain
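As an added example (not from the chapter or from any vendor tooling), a small Python detector for the second and fourth bullets: it parses a constructed DNS query log, flags any lookup under avsvmcloud.com, and rates the leading label as DGA-like when it is a long base32-style string with high entropy. The log lines, hostnames and subdomain labels are constructed; the Orion host process name is assumed.

```python
import math
import re

# Constructed DNS query log (not real telemetry): "<timestamp> <host> <process> <query>"
SAMPLE_DNS_LOG = """\
2020-06-12T08:01:03Z orion01 SolarWinds.BusinessLayerHost.exe x9q2mzt4blw7ncpd3hgk.api.us-west-2.avsvmcloud.com
2020-06-12T08:01:09Z ws-044 chrome.exe www.solarwinds.com
2020-06-12T08:02:41Z orion01 SolarWinds.BusinessLayerHost.exe downloads.solarwinds.com
2020-06-12T08:03:17Z orion01 SolarWinds.BusinessLayerHost.exe a2f8r0vm6yq1zsd5.api.eu-west-1.avsvmcloud.com
2020-06-12T08:04:02Z dc01 svchost.exe time.windows.com
2020-06-12T08:05:30Z ws-044 chrome.exe avsvmcloud.com.example.net
"""

# The C2 domain named in the detection list above; any subdomain query is suspect
SUNBURST_C2_SUFFIX = ".avsvmcloud.com"
# SUNBURST's leading label is a long lowercase base32-style string (a-z, 0-9 only)
DGA_LABEL = re.compile(r"^[a-z0-9]{12,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; a random-looking 16+ char label scores well above 3."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0


def parse_dns_log(text: str) -> list[dict]:
    """Split the space-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, process, query = line.split()
            events.append({"ts": ts, "host": host, "process": process, "query": query})
    return events


def detect_sunburst_beacons(text: str) -> list[dict]:
    """Flag queries under avsvmcloud.com and rate how DGA-like the leading label is."""
    hits = []
    for ev in parse_dns_log(text):
        qname = ev["query"].lower().rstrip(".")
        if not qname.endswith(SUNBURST_C2_SUFFIX):
            continue  # suffix check, not substring: 'avsvmcloud.com.example.net' does not match
        label = qname.split(".")[0]
        dga_like = bool(DGA_LABEL.match(label)) and shannon_entropy(label) > 3.0
        hits.append({"host": ev["host"], "process": ev["process"], "query": qname,
                     "label": label, "dga_like": dga_like,
                     "severity": "high" if dga_like else "medium"})
    return hits
```

A real deployment would key the same check on the resolver's query log rather than per-host telemetry and add an allow-list for the Orion process's legitimate update domains.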
### 22.2.3 Sandworm (GRU Unit 74455)
- Sponsor: Russian GRU
- Active Since: 2009
- Primary Targets: Ukraine, critical infrastructure, media, Olympic Games
- Motivation: Destructive attacks aligned with geopolitical objectives
| Attribute | Details |
|---|---|
| Aliases | Sandworm, VOODOO BEAR, TeleBots, ELECTRUM |
| Notable Operations | Ukraine power grid 2015/2016 (BlackEnergy/CRASHOVERRIDE), NotPetya 2017, Olympic Destroyer 2018, Industroyer2 2022 |
| Primary Malware | BlackEnergy, Industroyer/CRASHOVERRIDE, NotPetya, Olympic Destroyer, Industroyer2, Prestige ransomware |
| Most Dangerous | NotPetya caused ~$10 billion in global damages — history's most costly cyberattack |
## 22.3 Chinese Threat Actors
### 22.3.1 APT41 / Double Dragon (MSS / PLA overlap)
- Sponsor: Chinese Ministry of State Security (MSS)
- Active Since: 2012
- Primary Targets: Healthcare, biotech, telecom, video game industry, government
- Motivation: Dual: state espionage + financial crime (unique dual-mission actor)
| Attribute | Details |
|---|---|
| Aliases | APT41, Double Dragon, BARIUM, Winnti Group, LEAD |
| Notable Operations | Pharmaceutical IP theft during COVID-19, video game currency theft, telecom espionage, supply chain via software updaters |
| Primary Malware | HIGHNOON, LOWKEY, DEADEYE, Poison Ivy, ShadowPad, Winnti, DUSTPAN |
| Techniques | Supply chain compromise (gaming software), SQL injection, web shell deployment, living-off-the-land |
### 22.3.2 Volt Typhoon (BRONZE SILHOUETTE)
- Sponsor: Chinese People's Liberation Army
- Active Since: 2021 (identified)
- Primary Targets: US critical infrastructure (power, water, telecom, transportation), pre-positioning
- Motivation: Pre-position for destructive attacks in case of Taiwan conflict
| Attribute | Details |
|---|---|
| Aliases | Volt Typhoon, BRONZE SILHOUETTE |
| Notable Operations | US military bases Guam compromise (2023), 5-year pre-positioning in US critical infrastructure (2024 CISA advisory) |
| Primary Techniques | Living-off-the-land exclusively (no custom malware), SOHO router compromise as proxy |
| Unique Fingerprint | Zero custom malware — uses only built-in Windows tools (ntdsutil, netsh, wmic, powershell); extremely hard to detect |
| CISA Advisory | AA23-144A — joint advisory from US, UK, Australia, Canada, NZ |
### 22.3.3 APT10 / Stone Panda
- Sponsor: MSS (Tianjin State Security Bureau)
- Active Since: 2009
- Primary Targets: Managed Service Providers (MSPs), cloud, aerospace, healthcare, defense
- Motivation: Technology theft, IP espionage, targeting via MSP supply chain
Cloud Hopper Operation: Compromised 45+ MSPs to gain access to their customers in 45+ countries simultaneously, among the most impactful supply chain attacks in history.
## 22.4 North Korean Threat Actors
### 22.4.1 Lazarus Group (RGB Unit 180)
- Sponsor: Reconnaissance General Bureau (RGB)
- Active Since: 2009
- Primary Targets: Financial sector, cryptocurrency exchanges, defense, media
- Motivation: Financial theft to fund WMD programs; revenge/espionage
| Attribute | Details |
|---|---|
| Aliases | Lazarus Group, HIDDEN COBRA, Guardians of Peace, ZINC |
| Notable Operations | Bangladesh Bank heist ($81M, 2016), WannaCry (2017), Sony Pictures hack (2014), $620M Ronin Bridge hack (2022), $100M Harmony Bridge hack (2022) |
| Total Stolen | Estimated $3+ billion in cryptocurrency 2017–2024 |
| Primary Malware | HOPLIGHT, BISTROMATH, HARDRAIN, FatBoy, AppleJeus, BLINDINGCAN |
### 22.4.2 APT38 (Bluenoroff)
- Sponsor: RGB (financial operations branch)
- Active Since: 2014
- Primary Targets: Banks, SWIFT network, cryptocurrency
- Motivation: Generate revenue for the North Korean state
SWIFT Network Attacks: APT38 has compromised 16+ banks across 11+ countries using the SWIFT interbank messaging system to initiate fraudulent wire transfers.
## 22.5 Iranian Threat Actors
### 22.5.1 APT33 / Elfin
- Sponsor: IRGC (Iranian Revolutionary Guard Corps)
- Active Since: 2013
- Primary Targets: Aerospace, petrochemical, energy, government
- Motivation: Espionage, destructive attacks against adversaries
| Attribute | Details |
|---|---|
| Aliases | APT33, Elfin, HOLMIUM, Refined Kitten |
| Notable Operations | Saudi Aramco targeting, US defense contractor espionage, destructive Shamoon campaigns |
| Primary Malware | SHAPESHIFT, DROPSHOT, TURNEDUP, StoneDrill |
| Techniques | Spearphishing with LinkedIn, custom malware dropper, scheduled task persistence |
### 22.5.2 APT34 / OilRig
- Sponsor: Iranian Ministry of Intelligence (MOIS)
- Active Since: 2014
- Primary Targets: Middle East governments, energy, financial, telecom
- Motivation: Regional intelligence collection; persistence in strategic organizations
| Attribute | Details |
|---|---|
| Aliases | APT34, OilRig, HELIX KITTEN, IRN2 |
| Primary Malware | QUADAGENT, OopsIE, Remexi, DNSExfil, ISMAgent |
| Unique Technique | DNS tunneling for C2 (base64-encoded data in DNS TXT records) |
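An added example, not from the chapter: a Python check that flags DNS TXT answers carrying an opaque base64 blob, the pattern described for APT34's DNS-tunnelled C2, while letting ordinary TXT records (SPF, DMARC, site verification) through. The log format, client addresses, domain names and encoded payloads are all constructed.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import Optional

# Constructed DNS TXT answer log (not real telemetry): "<timestamp> <client> <qname> <rdata>".
# The two tunnelled records are base64-encoded at import time, so they are valid by construction.
_TUNNEL_PAYLOADS = [
    base64.b64encode(b"seq=0017;task=idle;next=900;host=ws23;user=jsmith").decode(),
    base64.b64encode(b"seq=0018;task=sleep;interval=900;jitter=20;ack=ok").decode(),
]
SAMPLE_TXT_LOG = "\n".join([
    "2024-03-01T10:00:01Z 10.0.5.23 _dmarc.example.org v=DMARC1;p=reject;rua=mailto:dmarc@example.org",
    f"2024-03-01T10:00:04Z 10.0.5.23 a1.updates.cdn-c2.test {_TUNNEL_PAYLOADS[0]}",
    "2024-03-01T10:00:07Z 10.0.5.41 example.org v=spf1 include:_spf.example.org -all",
    f"2024-03-01T10:00:19Z 10.0.5.23 a2.updates.cdn-c2.test {_TUNNEL_PAYLOADS[1]}",
    "2024-03-01T10:00:25Z 10.0.5.23 example.org google-site-verification=abc123DEF456ghi",
])

# Long run of base64 alphabet only, optional padding; '=', ';', ':' or spaces elsewhere fail it
BASE64_RDATA = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the rdata string (a rough 'opaque blob' score)."""
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in Counter(s).values()) if s else 0.0


def base64_payload(rdata: str) -> Optional[bytes]:
    """Decoded bytes if rdata is well-formed base64 of 24+ bytes, else None."""
    if not BASE64_RDATA.match(rdata) or len(rdata) % 4:
        return None
    try:
        return base64.b64decode(rdata, validate=True)
    except (binascii.Error, ValueError):
        return None


def detect_txt_tunneling(text: str) -> list[dict]:
    """Flag TXT answers whose rdata is an opaque base64 blob and keep the decoded
    bytes for analyst triage; SPF/DMARC/verification records fall through."""
    hits = []
    for line in text.splitlines():
        ts, client, qname, rdata = line.split(" ", 3)  # rdata may itself contain spaces
        decoded = base64_payload(rdata)
        if decoded is not None:
            ent = shannon_entropy(rdata)
            hits.append({"ts": ts, "client": client, "qname": qname, "entropy": round(ent, 2),
                         "decoded_preview": decoded[:40], "severity": "high" if ent > 4.0 else "medium"})
    return hits
```

Pairing this with a per-client count of TXT queries to the same parent domain catches the volume signature of tunnelling even when an actor switches to a non-base64 encoding.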
## 22.6 Major Ransomware Groups
### 22.6.1 LockBit
- Active: 2019–present (LockBit 3.0 / LockBit Black)
- Model: Ransomware-as-a-Service (RaaS); most prolific ransomware 2022–2024
- Notable Victims: Royal Mail UK, Boeing, ICBC Bank, Fulton County Georgia, City of Oakland
| Attribute | Details |
|---|---|
| Initial Access | RDP brute force, phishing, exploit vulnerabilities (Citrix Bleed, PaperCut) |
| Lateral Movement | Cobalt Strike, AnyDesk, legitimate admin tools |
| Exfiltration | StealBit custom exfil tool |
| Encryption | AES-256 + RSA-2048; fastest encryptor tested |
| Unique Features | Bug bounty program, "Self-Spreading" module for network propagation |
| Law Enforcement | Operation Cronos (Feb 2024) disrupted infrastructure; rebuilt within days |
### 22.6.2 ALPHV / BlackCat
- Active: 2021–2024 (FBI seizure Dec 2023; group disbanded Mar 2024)
- Language: Rust (cross-platform Win/Linux/VMware ESXi)
- Notable Victims: MGM Resorts ($100M impact), Caesars Entertainment, Change Healthcare ($22M ransom)
Change Healthcare Attack: Most impactful healthcare ransomware attack in US history — disrupted prescription processing for 6,000+ pharmacies for weeks.
### 22.6.3 Cl0p
- Active: 2019–present
- Unique Model: Mass exploitation of zero-days for bulk victim acquisition
- Notable Campaigns: Accellion FTA (2021), GoAnywhere MFT (2023), MOVEit Transfer (2023)
MOVEit Campaign: Exploited CVE-2023-34362 in MOVEit Transfer software, compromising 1,000+ organizations (including Shell, US government agencies, airlines and universities) within weeks, without deploying ransomware: data theft extortion only.
## 22.7 Hacktivists and Ideologically Motivated Actors
| Actor | Origin | Primary Methods | Notable Operations |
|---|---|---|---|
| Anonymous | Decentralized | DDoS, doxxing, defacement | Operation Payback (2010), #OpRussia (2022) |
| KillNet | Russia-affiliated | DDoS against NATO/West | NATO websites, US airports, healthcare |
| NoName057(16) | Russia-affiliated | DDoS pro-Russian | EU government sites |
| GhostSec | Evolving | DDoS → ransomware | Claimed ICS attacks |
| IT Army of Ukraine | Ukraine-sponsored | DDoS against Russia | Russian media, banks, infrastructure |
| Cyber Av3ngers | Iran-affiliated | PLC attacks | US water utilities (Aliquippa, PA - 2023) |
## 22.8 Threat Actor Detection Matrix
| Actor | High-Fidelity Detection Opportunity |
|---|---|
| APT29 | SUNBURST DGA pattern; OAuth app registrations from service accounts; unusual OneDrive API calls |
| APT28 | X-Agent network beacon (specific HTTP headers); NTLMv1 downgrade attacks |
| Lazarus | AppleJeus process spawning unusual children; cryptocurrency wallet software targeted |
| Volt Typhoon | SOHO router proxy chains; LOLBins only (no 3rd-party tools) combined with DC enumeration |
| LockBit | StealBit network patterns; vssadmin delete shadows; ransom note filename .lockbit |
| ALPHV/BlackCat | Rust binary characteristics; intermittent encryption (even/odd bytes skipped) |
| Cl0p | MOVEit/GoAnywhere web shell patterns; CLOP ransom note extensions |
| APT41 | ShadowPad DLL sideloading; gaming process injection; dual espionage+crime timing |
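The Volt Typhoon and LockBit rows above both come down to command-line telemetry, so here is an added example (not from the chapter or from any product) that correlates constructed process-creation events per host: individual LOLBin rules mapped to ATT&CK IDs, a two-technique cluster escalated as a living-off-the-land pattern, and shadow-copy deletion escalated as a ransomware precursor. The portproxy rule follows the netsh usage documented in the CISA advisory cited in the Volt Typhoon profile; hostnames, users and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon/EDR style), not real telemetry
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": "ntdsutil.exe"},  # arguments omitted: execution on a DC outside maintenance is the signal
    {"host": "dc01", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.9.9.9 connectport=443"},
    {"host": "dc01", "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:fs01 computersystem get domain,name"},
    {"host": "fs01", "user": "CORP\\jsmith", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws23", "user": "CORP\\jsmith", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"host": "ws23", "user": "CORP\\jsmith", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},  # ordinary netsh use: must not fire
]

# (ATT&CK technique, label, pattern matched against "<image basename> <command line>")
LOTL_RULES = [
    ("T1003.003", "ntdsutil executed (NTDS credential store access)", re.compile(r"^ntdsutil\.exe", re.I)),
    ("T1090", "netsh portproxy add (host used as proxy hop)", re.compile(r"^netsh\.exe .*portproxy\s+add", re.I)),
    ("T1047", "wmic against remote node (DC/host enumeration)", re.compile(r"^wmic\.exe .*/node:", re.I)),
]
RANSOM_RULE = ("T1490", "vssadmin delete shadows (recovery inhibition)",
               re.compile(r"^vssadmin\.exe .*delete\s+shadows", re.I))


def match_rules(event: dict) -> list[tuple[str, str]]:
    subject = event["image"].rsplit("\\", 1)[-1] + " " + event["cmdline"]
    return [(tid, label) for tid, label, rx in LOTL_RULES + [RANSOM_RULE] if rx.search(subject)]


def correlate(events: list[dict]) -> dict[str, list[str]]:
    """Per host: one vssadmin hit is a ransomware precursor; two or more distinct
    LotL techniques from the same host is a Volt Typhoon-style cluster to escalate."""
    per_host, findings = defaultdict(set), defaultdict(list)
    for ev in events:
        for tid, label in match_rules(ev):
            per_host[ev["host"]].add(tid)
            findings[ev["host"]].append(f"{tid}: {label}")
    for host, tids in per_host.items():
        if len(tids - {RANSOM_RULE[0]}) >= 2:
            findings[host].append("ESCALATE: LotL-only tool cluster (Volt Typhoon pattern)")
        if RANSOM_RULE[0] in tids:
            findings[host].append("ESCALATE: shadow copy deletion (ransomware precursor)")
    return dict(findings)
```

Because every rule keys on built-in binaries, the tuning work is in the allow-list (backup agents, patch windows, admin jump hosts), not in the patterns.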
## 22.9 Intelligence Platforms for Threat Actor Tracking
| Platform | Type | Strength |
|---|---|---|
| MITRE ATT&CK Groups | Free | Definitive TTP mapping; 130+ groups |
| Mandiant Advantage | Commercial | Industry-leading APT research |
| CrowdStrike Adversary Intelligence | Commercial | Nation-state naming convention |
| Recorded Future | Commercial | Real-time intelligence, dark web |
| VirusTotal Intelligence | Commercial | Malware attribution, sandbox |
| Threat Connect | Commercial | ISAC integration, playbooks |
| OpenCTI | Open source | STIX-native threat intelligence platform |
| MISP | Open source | Community sharing, IOC management |
## 22.10 Benchmark Controls
| Control ID | Title | Requirement |
|---|---|---|
| Nexus SecOps-TA-01 | Adversary Profiling | Annual threat actor assessment for org's industry/geography profile |
| Nexus SecOps-TA-02 | ATT&CK-Based Detections | Detection rules mapped to TTPs of likely adversaries |
| Nexus SecOps-TA-03 | Threat Intelligence Feed | Subscription to at least one commercial or ISAC threat feed |
| Nexus SecOps-TA-04 | Actor Tracking | Monitoring of threat actor forums and dark web for org-specific mentions |
| Nexus SecOps-TA-05 | TTP-Informed Purple Team | Annual exercise specifically emulating top 2 likely adversary profiles |
## Exam Prep & Certifications
Relevant Certifications
The topics in this chapter align with the following certifications:
## Key Terms
APT (Advanced Persistent Threat) — A prolonged and targeted cyber attack, typically nation-state sponsored, that aims to steal data or surveil a target over months or years while remaining undetected.
Double Extortion — Ransomware tactic of exfiltrating data before encrypting, then threatening to publish it if the ransom isn't paid — first used by Maze ransomware (2019).
Living-off-the-Land (LotL) — Using legitimate system tools (PowerShell, WMI, certutil) for malicious purposes, making detection harder as these are not classified as malware.
RaaS (Ransomware-as-a-Service) — Criminal business model where ransomware developers lease their malware and infrastructure to affiliates who conduct attacks and share revenue (typically 70-80% to affiliate, 20-30% to developer).
TTPs (Tactics, Techniques, Procedures) — The behavior patterns of a threat actor — how they operate. TTPs are more durable indicators than IOCs because actors can change IPs and domains but habits persist.