What are Advanced Persistent Threat Groups?

Advanced Persistent Threat List

List of Advanced Persistent Threat Groups. The hackers behind some of the most successful and well-known cyber attacks in the world

Advanced Persistent Threat (APT) groups are organized hacking and cyber intelligence actors, including individuals or groups. APT groups infiltrate companies and governments, engaging in espionage and sometimes hack financial institutions to fund their activities and those of their sponsoring organization. APT groups are frequently state-sponsored hacking groups, but not always. As the name implies, the attacks occur slowly over long periods of time.

The name, advanced persistent threat, is believed to have originated in the US Air Force around 2006. APT groups demonstrate long-term patterns of skilled computer network exploitation focused on governments, companies, and geopolitical issues. Not all malware campaigns are APT attacks.

APT groups are named with a number, such as APT28. They are also given other names invented by cyber security researchers, like Cozy Bear or Gothic Panda. Because cyber security companies operate in multiple countries. cyber security firms use pseudonyms to talk about the hacking groups to avoid offending the government agency behind the APT group.

Major powers are involved in hacking and cyber espionage. Although they don’t have an APT name, the first and the most skilled group of hackers is under the behest of the US federal government and is known as the Equation Group.

Heimdel Malware Protection
Heimdel Malware Protection

What Are the Characteristics of an Advanced Persistent Threat?

Advanced Persistent Threats are always targeted attacks that work slowly to avoid detection. APT attacks go after the data of governments, police organizations, or military organization. The multi-phase effort can involve any attack vector on an organization’s network or personnel. The goal of APT attacks are typically espionage, collecting information, possibly for future attacks, stealing money to fund activities or to steal or sabotage technology.

APT cyber attacks are selective. They hack aerospace contractors, aviation companies, the energy sector, healthcare firms, national defense organizations, defense contractors, government officials, embassies, technology, and large financial firms.

What is the Difference Between APTs and Malware?

APT attacks are costly, highly skilled, and occur over a period of years to avoid detection. Malware attacks are generally fast to bombard IT systems with obvious attacks. There is a significant level of coordinated human involvement by APT hackers which are always highly skilled and coordinated. Malware attacks are usually automated and work as an automation. Although something like a spear phishing attack is targeted at a small group of people, it is not necessarily an APT attack, but it can be. Social engineering is used in the majority of APT cyber attacks.

Advanced Persistent Threat List

Equation Group – The name for the United States National Security Agency hacking group. Equation Group is responsible for the development of Eternal Blue exploit which was used in the WannaCry cyber attack on Europe.

Linux Training


APT3 is one of China’s state-sponsored hacking groups. This group uses generic phishing emails and web browser exploits to obtain user credentials. APT3 is one of the Chinese hacking groups that uses the NSA exploit, EternalBlue, and is associated with SHOTPUT, COOKIECUTTER, and SOGU malwares.

Buckeye, Gothic Panda, and UPS Team are other names for APT3.


APT16 is a Chinese hacking group that focuses on political issues with Japan and Taiwan. The group uses spear phishing emails and is associated with IRONHALO, ELMER malware.


APT28, also known as the Tsar team or Fancy Bear, collects intelligence on defense and geopolitical issues. They focus on geopolitical issues in Georgia, eastern European, North Atlantic Treaty Organization (NATO), and other European security organizations. Tsar team is believed to be funded by the Russian government. They use SOURFACE downloader, EVILTOSS backdoor, and CHOPSTICK.


APT29 is associated with the Russian government and considered one of the most sophisticated hacking groups. APT29 uses social media sites such as Twitter or GitHub, as well as cloud storage services to communicate. Traffic closely mimics legitimate web traffic making it difficult to discover network infiltration.


APT32 is a Vietnamese hacking group. APT32, also known as OceanLotus Group, targets companies trying to invest in Vietnam. The group uses social engineering attacks and spear phishing emails as attack vectors. APT32 is associated with SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, and KOMPROGO.


APT33 is an Iranian hacking group that targets aerospace, aviation, and petrochemical industries. The group uses spear phishing emails and is associated with SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, ALFA Shell attack vectors.


APT34 is another Iranian hacking group active since 2014. They are focused on espionage in the financial, government, energy, chemical, and telecommunications industries. APT34 uses POWBAT, POWRUNER, and BONDUPDATER.


APT37 are North Korean hackers that appear to be sponsored by the North Korean government. Pseudonyms include Scarcruft and Group123. The hacking group uses zero-day vulnerabilities and wiper malware. Social engineering attacks and torrent sites are used to distribute malware. It is most recently associated with ELECTRICFISH malware.


APT38 is another North Korean state-sponsored hacking group. Pseudonyms include Hidden Cobra and Lazarus group. APT38 has attacked sixteen organizations in at eleven countries typically stealing money from financial organizations. This group has a history of destroying victim’s networks and data during the cyber attacks.


APT39 is an Iranian hacking group that focuses on telecommunications and travel industries in the middle east. APT39 uses spoofed websites and spear phishing campaigns with malicious email attachments. It is associated with SEAWEED, CACHEMONEY, and POWBAT backdoors.

Other North Korean Advance Persistent Threat Groups are APT37 which tagets South Korea, Japan, Vietnam, and the Middle East.


APT40 is a Chinese cyber espionage APT group that targets countries important to China’s Belt and Road Initiative. This APT group has been operational since 2013. The goal of APT40 is espionage aimed at stealing technology from maritime, defense, aviation, chemicals, universities, governments, and technology organizations. APT40 uses spear phishing campaigns. Code used is from BADSIGN, FIELDGOAL, FINDLOCK, PHOTO, SCANBOX, SOGU, and WIDETONE.

Other Chinese advanced persistent threat groups include APT3, APT10 ( Menupass Team), APT12 (Calc Team), APT19 (Codoso Team), APT18 (Wekby), APT17 (Tailgator Team, Deputy Dog).

Source: FireEye, Inc.