Threat Actor Profiles
Active threat groups tracked by our intelligence team
Scattered Spider
aka UNC3944, Octo Tempest, Star Fraud, 0ktapus
English-speaking group specializing in social engineering against enterprises. Evolved from SIM swapping to sophisticated ransomware operations. Responsible for MGM Resorts and Caesars breaches.
Salt Typhoon
aka GhostEmperor, FamousSparrow, Earth Estries
Chinese MSS-linked group behind the largest telecom breach in US history. Compromised 12+ US telecom providers and accessed lawful intercept systems.
LockBit
aka LockBit Black, LockBit 5.0, LockBit Green
Most prolific RaaS operation globally despite multiple law enforcement disruptions. Version 5.0 features AI-assisted target selection and automated lateral movement.
APT29
aka Cozy Bear, The Dukes, Midnight Blizzard, Nobelium
Russian SVR-linked group conducting espionage against Western governments. Pioneered OAuth consent phishing and cloud-focused intrusion techniques. Responsible for SolarWinds compromise.
Lazarus Group
aka Hidden Cobra, ZINC, Diamond Sleet, APT38
North Korean state-sponsored group focused on financial theft and crypto heists to fund the regime. Also conducts espionage and destructive attacks. Responsible for $1.5B Bybit hack.
Sandworm
aka IRIDIUM, Voodoo Bear, Seashell Blizzard, APT44
Russian GRU Unit 74455. Most destructive cyber threat actor globally. Responsible for NotPetya, Ukraine power grid attacks, and ongoing cyber operations against Ukrainian infrastructure.
APT28
aka Fancy Bear, Sofacy, Pawn Storm, Forest Blizzard
Russian GRU Unit 26165. Targets NATO governments, military, and media. Known for hack-and-leak operations and zero-day exploitation. Active in disinformation campaigns.
Volt Typhoon
aka BRONZE SILHOUETTE, Vanguard Panda, Insidious Taurus
Chinese state-sponsored actor pre-positioned in US critical infrastructure. Confirmed access to water, energy, transportation, and telecom systems. Uses exclusively living-off-the-land techniques.
Play Ransomware
aka PlayCrypt, Balloonfly
Ransomware group exploiting FortiOS and Microsoft Exchange vulnerabilities. Known for rapid encryption and targeting managed service providers for downstream access.
Cl0p
aka TA505, FIN11, Lace Tempest
Financially motivated group specializing in mass exploitation of file transfer appliances. Responsible for MOVEit, GoAnywhere, Accellion, and Cleo campaigns affecting thousands of organizations.
Black Basta
aka Storm-1811, Cardinal
Ransomware group believed to include former Conti members. Known for using Microsoft Teams social engineering and Quick Assist for initial access. Targets large enterprises.
Medusa
aka MedusaLocker
Ransomware group operating a leak site with countdown timers. Targets healthcare and education with increasing sophistication. Offers data deletion for additional payment.
UNC3886
China-nexus espionage actor targeting network edge devices and hypervisors. Exploits zero-days in Fortinet, VMware, and Juniper. Deploys firmware-level implants for persistence.
Flax Typhoon
aka Ethereal Panda, RedJuliett
Chinese state-sponsored group operating a massive IoT botnet of compromised routers and cameras for espionage proxy networks. Targets Taiwan, Southeast Asia, and US entities.
Rhysida
aka Vice Society
Ransomware group targeting healthcare, education, and government. Known for auctioning stolen data. Linked to former Vice Society operators.
ALPHV/BlackCat
aka BlackCat, Noberus, Cicada3301
Sophisticated RaaS group that pioneered Rust-based ransomware. After an apparent exit scam in 2024, affiliates regrouped under the Cicada3301 and RansomHub brands.