The world’s most dangerous state-sponsored hacker groups
As conventional conflicts between great powers have been deterred by the threat of mutually assured nuclear holocaust, cyber warfare has slowly been taking their place in the global arena. Now, some groups of state-sponsored threat actors are coming into the spotlight.
With countless covert cyber espionage and sabotage attacks launched to steal sensitive data and cripple an opponent’s infrastructure and defense systems, state-sponsored hacking operations are now regarded as the biggest threat to government institutions and organizations alike.
Attacks by state-sponsored actors are not made exclusively against servers in dusty government offices, nuclear facilities, and military bases, however. Dissidents, political opponents, and nonprofits, as well as private companies that include public institutions as their clients, are just as likely to be targeted by state-backed hacker groups.
In this article, I’ll be looking at some of the most dangerous groups that have been a major headache for both policymakers and security researchers.
What’s the deal with the cute names, anyway?
State-sponsored hacker groups are generally referred to as advanced persistent threats (APTs) by security researchers. Some companies simply assign them a number. Others have different naming conventions, referring to groups backed by different states as different animals, e.g. Iran’s calling card is a kitten.
As a consequence, one threat actor group can go by several nicknames: for example, FireEye calls Cozy Bear ‘APT29’, while other companies refer to the group as Cozy Bear, CozyDuke, or The Dukes.
So, with that in mind, let’s take a look at the world's most dangerous bears, dragons, and kittens.
- Cozy Bear (APT29)
- Lazarus Group (APT38)
- Double Dragon (APT41)
- Fancy Bear (APT28)
- Helix Kitten (APT34)
Cozy Bear (APT29)
- Allegiance: Russia
- Active since: 2008
- Best known for: 2015 attack on the Pentagon, FireEye hack (allegedly), SolarWinds hack (allegedly), COVID-19 vaccine data theft
Cozy Bear (not to be confused with Fancy Bear, Venomous Bear, or Voodoo Bear) is a name that is widely known among both security experts and the media.
What makes Cozy Bear special? Well, allegedly playing a key part in Russian attempts to influence the 2016 US presidential elections, for one. From its suspected inception back in 2008, the group has targeted many organizations, including governments, think tanks, telcos, energy companies, and even cybersecurity firms, in patterns that likely point towards methods of operation mainly employed by state security services. After all, Cozy Bear is one of two state-sponsored hacker groups that researchers have long believed are linked to the GRU, Russia’s premier military intelligence service.
In fact, if expert suspicions are correct, Cozy Bear might prove the most dangerous state-sponsored hacker group to wreak havoc on companies and government institutions in 2020.
The group's second (alleged) massive hit last year was FireEye - a leading security company that counts multiple US federal agencies and the better part of the Forbes Global 2000 list among its clients.
In December 2020, the security firm confessed that it had been hacked by undisclosed assailants, with its proprietary adversary simulation toolkit stolen. Officially, FireEye is still mum about who is to blame for the intrusion. However, sources say it was a Russia-backed hacker outfit. Namely, Cozy Bear. The impact of the FireEye hack is difficult to overstate, showing that state-sponsored attackers, given enough time and resources, can breach any organization, even those previously thought unassailable.
But as with most of 2020’s nasty surprises, that wasn’t the end of it.
Shortly after the FireEye hack, news hit that the Texas-based IT giant SolarWinds was the subject of a cyberattack. It appears that the attackers broke into SolarWinds’ systems and injected malicious code into an update for the company's software system "Orion," which spread to more than half of SolarWinds’ 33,000 clients, including Fortune 500 companies and multiple US government departments (the Departments of Treasury, Commerce, and Homeland Security among them).
What’s even worse, the breach went undetected for months, and the attackers could have exfiltrated data in the highest echelons of the US government, including the US military and the White House.
According to the Washington Post, Cozy Bear was identified as the hacker group responsible for the attack. Its impact even prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive about the breach.
So, is Cozy Bear the most dangerous state-sponsored hacker group of all time? Maybe. Was it the scariest in 2020? Definitely.
Lazarus Group (APT38)
- Allegiance: North Korea
- Active since: 2010
- Best known for: Operation Troy, WannaCry attack, COVID-19 vaccine data theft
Lazarus, also known as Zinc, Hidden Cobra, and North Korea’s sole profitable enterprise, is a notorious hacker group backed by the Pyongyang regime. North Korea has been investing significant resources in its cyberwarfare capabilities, and it shows. Lazarus Group has been linked to some of the most high-profile cyberattacks in recent years, including the infamous WannaCry ransomware attack in 2017 that infected more than 300,000 devices across the planet, making untold amounts of money in ransoms for the rogue state regime.
Since the unit’s inception in 2010, Lazarus’ cyberattacks have become increasingly sophisticated and destructive, mostly targeting financial institutions such as banks and fintech companies.
According to security experts, the state-sponsored group is being run akin to an espionage operation, carefully infiltrating targets over time, learning the ins and outs of the systems they compromise, and striking from the shadows when the victims least expect it.
The group’s latest large-scale raid involved attacks on a pharmaceutical company and a government health ministry in an attempt to steal COVID-19 vaccine data. Experts at Kaspersky suspect that the hackers stole the data from the pharmaceutical firm by deploying the Bookcode malware in a supply-chain attack via another company, while the ministry’s servers were compromised by installing wAgent, a sophisticated fileless malware program that fetches additional malicious payloads from a remote server.
This level of sophistication leads experts to believe that the North Korean hacking group will continue to evolve and pose even more danger in 2021 and beyond.
Double Dragon (APT41)
- Allegiance: China
- Active since: 2012
- Best known for: Massive global hacking campaign in 2020
Double Dragon, aka Cicada, is a Chinese state-sponsored espionage group by day that’s also known to dabble in financially motivated cybercrime for personal gain by night. The group’s activities have been traced back to 2012 and have included espionage operations against 14 different countries, including the US and the UK.
Since its first sightings by security experts, Double Dragon has been observed conducting a wide range of operations. These include supply-chain attacks and data exfiltration, as well as the use of complex proprietary tools.
The group’s highly sophisticated targeting techniques and particularly offensive methods of operation distinguish them from other state-sponsored groups, making them a double (dragon) threat to contend with.
Apart from directly attacking government institutions, Double Dragon is also targeting private companies in the travel and telecommunications industries in order to access data they can use for surveillance operations.
For example, the group will steal reservation information, call data recordings and text messages to track high-ranking foreign government officials, as well as dissidents closer to home.
However, espionage is not the group’s only forte: it’s not called Single Dragon for a reason.
According to FireEye, Double Dragon “also conducts explicit financially motivated activity, which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests." In other words, the group uses top-notch espionage tools to steal money for themselves “outside of their normal day jobs.”
In 2020, Double Dragon was one of the most prolific hacker groups, attempting to exploit vulnerabilities in hardware, as well as continuing to target government institutions in multiple countries and companies across dozens of industries.
However, it seems that the group’s ‘quantity over quality’ approach could be its downfall.
In September 2020, the US identified and charged 5 members of the group in a case that was part of a larger US crackdown against Chinese cyber-espionage efforts.
Did this operation hurt the state-sponsored group? Definitely. Will this spell the end of Double Dragon? Probably not.
Fancy Bear (APT28)
- Allegiance: Russia
- Active since: 2005
- Best known for: 2016 DNC and Podesta leaks, attacks on anti-doping agencies in 2019
Fancy Bear (not to be confused with Cozy Bear, Venomous Bear, or Voodoo Bear) gained notoriety following reports of the group’s involvement in the Great DNC Hack of 2016, as well as a series of cyberattacks on Emmanuel Macron's campaign websites in the run-up to the 2017 French Presidential elections. Ever since, the cybersecurity community has been observing the group’s attacks far beyond the US and Western Europe.
Fancy Bear has a long history of committing sophisticated phishing attacks against high-value targets in the news media, dissident movements, the defense industry, and foreign political parties.
Their usual MO involves using email domains to trick their would-be victims into believing that the elaborate phishing emails produced by the group are coming from legitimate sources.
For example, when trying to hack Macron’s presidential campaign, the group used email domains that looked almost identical to that of his party’s official website, en-marche.fr. Fancy Bear used these domains to launch phishing campaigns similar to those that tricked senior officials in the US Democratic Party into giving away their email account credentials to the hackers.
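The lookalike-domain trick described above is something a mail gateway can screen for on the receiving side. The following is an added example, not code from the article or from any vendor it cites: it takes a list of domains an organisation genuinely sends from (here only en-marche.fr, the legitimate domain named above), folds each incoming sender domain into a canonical form (lower-case, punycode decoded, accents stripped, common confusable glyph pairs such as "rn" for "m" collapsed), and then classifies it as legitimate, lookalike, or unrelated using edit distance and an embedded-brand check. The protected list, the confusable table and the sample sender domains are all constructed for illustration; the two-label "registrable domain" shortcut stands in for a proper public-suffix list.

```python
"""Lookalike sender-domain screening (added example; constructed data)."""
from __future__ import annotations

import unicodedata

# Domains the organisation really sends mail from (constructed list;
# en-marche.fr is the legitimate domain mentioned in the article).
PROTECTED_DOMAINS = ["en-marche.fr"]

# Glyph pairs commonly used to build visually confusable names (constructed,
# not exhaustive). Both sides are folded with the same table, so the folding
# only needs to be consistent, not linguistically exact.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def canonical(domain: str) -> str:
    """Lower-case, decode punycode, strip accents and fold confusable glyphs."""
    d = domain.strip().rstrip(".").lower()
    try:
        d = d.encode("ascii").decode("idna")  # "xn--..." labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or malformed: fold what we have
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels; a real deployment would consult the public-suffix list."""
    return ".".join(domain.split(".")[-2:])


def classify(sender_domain: str, protected=PROTECTED_DOMAINS) -> tuple[str, str | None]:
    """Return (verdict, matched_protected_domain) for one sender domain."""
    raw = sender_domain.strip().rstrip(".").lower()
    cand = canonical(sender_domain)

    # Exact match or genuine subdomain, judged on the raw string so that a
    # confusable-folded spoof cannot pass as the real thing.
    for legit in protected:
        legit_l = legit.lower()
        if raw == legit_l or raw.endswith("." + legit_l):
            return ("legitimate", legit)

    for legit in protected:
        leg = canonical(legit)
        brand = leg.split(".")[0].replace("-", "")      # "enmarche"
        squashed = cand.replace(".", "").replace("-", "")
        close = levenshtein(registrable(cand), leg) <= 2  # typo / dropped hyphen
        embedded = brand in squashed                       # en-marche-fr.com etc.
        if close or embedded:
            return ("lookalike", legit)

    return ("unrelated", None)


# Constructed sample senders: one real domain, one real subdomain, spoofs
# built from glyph confusion, a dropped hyphen, a moved TLD, an accented
# letter, and one unrelated domain.
SAMPLE_SENDERS = [
    "en-marche.fr", "mail.en-marche.fr", "en-rnarche.fr", "enmarche.fr",
    "en-marche-fr.com", "en-marché.fr", "example.org",
]


def scan(senders=SAMPLE_SENDERS) -> dict[str, str]:
    """Map each sender domain to its verdict."""
    return {s: classify(s)[0] for s in senders}


if __name__ == "__main__":
    for sender, verdict in scan().items():
        print(f"{sender:22} {verdict}")
```

Run as a script it prints one verdict per sample sender; in a gateway you would feed it the domain of the envelope sender and of the From: header and quarantine or tag anything classified as a lookalike. The edit-distance threshold of 2 is a constructed starting point: set it lower for short brand names, where two edits can reach unrelated legitimate domains.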
The group’s extensive operations against victims in the political and defense sectors seem to mirror the strategic interests of the Russian government, which strongly points to an affiliation with the country’s military intelligence service, GRU.
According to CrowdStrike, Fancy Bear “has dedicated considerable time to developing their primary implant known as XAgent, and to leverage proprietary tools and droppers such as X-Tunnel, WinIDS, Foozer and DownRange.” And judging from the results, it seems that their implant has been rather effective.
In 2020, the group allegedly conducted dozens of cyberattacks against multiple US federal agencies. While seemingly less successful than their counterparts from Cozy Bear, Fancy Bear remains a constant thorn in the backside for many cybersecurity firms and government institutions across the world.
Helix Kitten (APT34)
- Allegiance: Iran
- Active since: 2007
- Best known for: The 2013 New York Dam hack, attacks on the Australian Parliament House in 2019
Unlike the other countries in this list, Iran seems to be increasingly utilizing contract hackers to conduct the regime’s offensive operations. Such ‘freelancers’ can hail from different countries and backgrounds, and may or may not be ‘true believers’ in the regime they’re working for.
Helix Kitten (also known as OilRig and APT34), however, is suspected to be one of the few groups of dedicated local operators working on behalf of the Iranian government.
Security experts believe that the group conducts most of its operations in the Middle East, targeting financial, energy, chemical, telecom, and other industries, as well as government institutions in countries seen by Iran as competitors to its regional dominance, such as Saudi Arabia and the UAE.
The use of communications infrastructure in Iran, as well as the “timing and alignment with the national interests” of the Iranian regime also lead experts to assess that Helix Kitten is not a bunch of freelancers from all over the world.
However, just like Double Dragon, the group also seems to be running projects ‘on the side’, launching independent cybercrime campaigns with attack toolkits provided by their employer.
In April 2019, Helix Kitten was dealt a major blow after a series of leaks on Telegram that exposed the names, tools, and activities of the hacker group. In the leak, ten individuals from Helix Kitten were publicly named, with three employed by Iran’s Ministry of Intelligence, and the others working at the Iranian cybersecurity company Rahacrop. This was seen as a coup de grâce to the notorious group, with its activities seemingly ceasing for the remainder of the year.
However, the rumors of Helix Kitten’s death appear to have been exaggerated, as the group seemed to continue its attacks well into 2020, wreaking havoc across the Middle East and South Asia.
More great CyberNews stories: