Hacker elites: how the most dangerous APT groups operate

Forget the cliché of a hooded hacker. Today’s real threats come from well-organized groups acting on behalf of nation-states. They steal data, influence elections, and disrupt infrastructure — systematically and with political intent. This article presents five of the most active APT groups today, their methods, targets, and the environments in which they operate.

28 Jul 2025 Natalia Peterková Threats

Today, we’re focusing on attackers who don’t act alone. These aren’t lone hackers, but professionally organized groups backed by nation-states. Advanced Persistent Threats (APTs) operate under the command of militaries, intelligence agencies, or government bodies. Their targets include government networks, the defense industry, healthcare, research, and energy sectors. Instead of grenades, they deploy malware. Instead of spies, they use exploit code. In this digital bestiary, we introduce five elite groups that carry out the most dangerous cyber operations on behalf of the state.


How do APT groups attack?

Cyberattacks don’t happen randomly. Every attack method serves a specific purpose — some groups rely on manipulating people, others exploit technical vulnerabilities or move stealthily through networks. Recognizing these "skills" is key to cyber defense: it helps us understand what a particular adversary is after, how they operate — and why they’re dangerous.

Social engineering
  • Type: Psychological, manipulating people instead of computers.
  • Goal: People, email inboxes, login credentials.
  • Method: Uses the victim’s psychology and trust to gain access. Tactics include phishing (fraudulent emails), pretexting (fake identities), and baiting (luring the victim into unintended action).

Exploit mastery
  • Type: Technical attack on unknown vulnerabilities.
  • Goal: Unpatched systems, applications.
  • Method: Uses so-called zero-day exploits — security flaws that have no patch yet. Hackers discover them before defenses can react. Tactics include developing malware and launching targeted intrusions.

Stealth mode
  • Type: Stealthy intrusion, long-term infiltration without detection.
  • Goal: Victim’s networks, systems, and data — without triggering alarms.
  • Method: The infection disguises itself as a normal part of the network and can remain invisible for months. It uses rootkits, backdoors, and lateral movement to quietly collect data and maintain control of the system.

Supply chain attack
  • Type: Indirect attack through a third party or supplier.
  • Goal: Software updates, IT services, trusted software, hardware.
  • Method: The hacker doesn’t attack the organization directly but infects a supplier (e.g., a software provider). Once an update is deployed or synchronization occurs, the target is infected — without raising suspicion.

Key environments of cyber operations

Attacks don’t happen in a vacuum. Hacker groups carefully choose the environment in which they operate — and each of these environments comes with different demands, unique vulnerabilities, and specific types of risk. Attacking a data center is very different from targeting a power plant. The more sensitive the target, the more calculated and sophisticated the attack tends to be.

Level 1 / Data centers: the backbone of the internet — servers, cloud services, storage. A common target for phishing campaigns, malware distribution, and initial network breaches. Easily exploited as an entry point to more valuable targets.

Level 2 / Government networks: complex, multi-layered systems that protect sensitive state information. Hackers seek strategic data, diplomatic communications, or footholds for long-term espionage. These environments demand advanced techniques.

Level 3 / Critical infrastructure: energy, transportation, healthcare. Here, attacks aren’t just about data loss — they can endanger lives. Attackers use ransomware, system vulnerabilities, and DDoS attacks to disrupt essential services.

Level 4 / Global digital space: this is where the most dangerous games are played — cyber espionage and disinformation campaigns take center stage. These attacks influence political leadership, international conflicts, and technological development.


One hacker group, countless names. Why?

Hacker groups often go by dozens of different names — and that’s no coincidence. Each cybersecurity company uses its own naming system, which means the same group can have multiple “identities” depending on who’s tracking them. For example, the notorious APT28 is also known as APT-C-20, ATK5, Blue Athena, BlueDelta, FROZENLAKE, Fancy Bear, Fighting Ursa, Forest Blizzard, G0007, or Grey-Cloud. The result? Confusion and miscommunication between security teams and partners.

To better understand this, companies like Microsoft, CrowdStrike, and Mandiant (Google Cloud) have launched an initiative to map names for targeted groups [1]. They don’t aim to enforce a single label, but instead track each other’s naming to make it easier to compare analyses and share threat intelligence. Each company, however, keeps its own style:

  • Microsoft uses weather-themed names (e.g., Blizzard for Russia, Typhoon for China) [2].
  • CrowdStrike names groups after animals (e.g., Panda for China, Bear for Russia) [3].
  • Google Cloud (Mandiant) uses formats like APT[number] and UNC[number].

Targets of APT groups

Their objective might be a classified document, a technology with military potential, or insight into an enemy’s strategic decision-making. Their missions are neither chaotic nor random. These are strategically orchestrated operations with long-term goals:

  • To gather information
  • To disrupt structures
  • To influence opinion
  • To weaken key sectors


STONE PANDA (APT10): the silent panda from the middle kingdom

"If you want to know everything, you must not be heard at all."

  • Motive: Cyber espionage on behalf of the Chinese state, targeting industry, healthcare
  • Territory: USA, Japan, Europe
  • Specialization: Exploiting IT service providers, data warehouses, healthcare systems

STONE PANDA is directly linked to the Chinese state. Stone Panda doesn’t aim to sabotage — its mission is silent data collection. The group exists to secure access to technological innovations and industrial data deemed strategically important to China. Its most notorious operation, Cloud Hopper (2017), saw the group infiltrate hundreds of companies and institutions worldwide by compromising IT service providers. This gave it access not only to commercial data, but also to sensitive government and military information. Targets included cloud infrastructure, data centers, and strategic technology sectors. Stone Panda also turned its focus to healthcare — in 2016 and 2017, it launched multiple attacks on pharmaceutical companies and research institutions, stealing data on drug development and biotechnology. It deployed RedLeaves malware, designed to remain undetected for years. Stone Panda’s operations are quiet and low-noise, making them highly effective — and dangerous.


TURLA (ATK13): the snake that gets under your skin

"Our attacks aren’t just fast — they’re inevitable."

  • Motive: Strategic cyber espionage for the Russian state
  • Territory: Government agencies, diplomatic missions, defense organizations, embassies
  • Specialization: Military intelligence, long-term cyclical infiltrations

TURLA, under Russian command, is known for its philosophy of persistence. Each of its operations is part of a broader strategic plan focused on political and military espionage. The group specializes in infiltrating government offices, defense organizations, and embassies, primarily targeting Europe and the Middle East. In 2014, it successfully attacked NATO networks and several European government agencies. TURLA is characterized by sophisticated use of custom malware such as Snake (Uroburos), Gazer, and Kazuar, which enable long-term access to compromised systems with minimal risk of detection. This long-term infiltration is key to its strategy, inspired by the symbol of the ouroboros — a snake eating its own tail. One example is the Turla Watering Hole operation from 2014, in which TURLA used compromised websites aimed at African diplomats to infiltrate their networks and collect sensitive information. Another was Operation Agent BTZ, which targeted the U.S. military and its internal systems, leading to the exposure of classified military documents. TURLA also used the “web shell” technique to infiltrate and spread malware via compromised web servers. The group doesn’t attack for immediate gain, but to achieve broader geopolitical goals and military dominance.


FANCY BEAR (APT28): Russia’s geopolitical bear

"Geopolitics is our chessboard — in their shadows, we’re always one move ahead."

  • Motive: State-sponsored cyber espionage
  • Territory: NATO, EU, USA
  • Specialization: Elections, government institutions, think tanks

FANCY BEAR is a predator that doesn’t roar — it crosses borders silently. Backed by Russia’s military intelligence agency GRU, its hunting ground includes political institutions, election systems, and military servers across the West. Fancy Bear doesn’t steal money — it steals trust, stability, and sometimes even election results. Its most visible footprint came in 2016, during the U.S. presidential election, when it breached the Democratic National Committee’s email accounts and leaked sensitive communications. But that was only the beginning. It meddled in French elections, infiltrated the German Bundestag, and targeted NATO structures. Its style? Silent infiltration — military discipline in digital form. It doesn’t need noise when it can quietly harvest data for months. Fancy Bear uses tailored phishing campaigns and tools like X-Agent, allowing it to stay inside systems as long as needed — or until something explodes. Fancy Bear is more than just a hacker group. It’s a geopolitical instrument. If trust in elections collapses, political talks fall apart, or secret documents leak — look into the shadows. You might find bear tracks there.


LAZARUS GROUP (APT38): the octopus with tentacles in cryptocurrency

"Cash flow is our main engine — every hack is an investment in state power."

  • Motive: State-sponsored cyber espionage and financial crime
  • Territory: Asia, USA, South Korea, EU
  • Specialization: Banks, crypto exchanges, critical infrastructure, healthcare

LAZARUS is like a deep-sea octopus — calm, yet everywhere. Its tentacles stretch from banks in Bangladesh to crypto exchanges in Japan. The group functions as the cyber banking vault of the North Korean regime: it steals, destroys, and funds the country’s nuclear program. In 2016, it nearly drained the Bangladeshi Central Bank’s account at the U.S. Federal Reserve — only a typo in one transaction prevented a billion-dollar loss. In 2017, it unleashed the devastating WannaCry ransomware, crippling hospitals, businesses, and transport systems across more than 150 countries. Lazarus strikes as a unified group, but each tentacle has its own specialization: espionage, ransomware, network intrusions, and supply chain abuse. It targets crypto exchanges, banks, developers — anywhere money or sensitive data flows. Unlike other APT groups, Lazarus doesn’t hide its motives. It needs money — for the state, for the military, for the regime’s survival. That’s why it doesn’t hesitate to destroy systems, loot critical infrastructure, or attack nuclear programs.


CHARMING KITTEN (APT35): the Iranian cat with claws

"We catch victims with words, not code."

  • Motive: Espionage on behalf of Iran, targeting dissidents, journalists, and academics
  • Territory: Middle East, Europe, USA
  • Specialization: Account compromise, targeted campaigns against regime opponents

CHARMING KITTEN is a group that relies more on deception and manipulation than brute-force intrusions. Instead of malware, it uses fake identities, trust, and psychology — like a cat that first wins attention before showing its claws. The group often impersonates journalists, academics, or cybersecurity researchers to lure its targets — dissidents, journalists, researchers, or government employees — into opening phishing emails or visiting fake login pages. Its goal is long-term access to emails, calendars, and communications that the Iranian regime can use to suppress opposition or monitor foreign relations. In 2018, it compromised accounts of members of the Chatham House think tank and several U.S. universities. It also targeted U.S. government employees using convincing phishing pages mimicking Google or Microsoft. The group attempted to breach presidential campaign emails in the U.S. (2020) and sent fake invitations to UN conferences. Charming Kitten may not be the most technically sophisticated group, but its ability to reach sensitive data through trust and illusion makes it one of the most dangerous players in Iranian cyber espionage.

What to take away from this bestiary?

Fancy Bear, Lazarus, Turla, Stone Panda, and Charming Kitten aren’t your average hackers — they are state-backed units executing targeted operations with geopolitical impact. They're not after publicity, but influence. They infiltrate, collect intelligence, and pursue goals that align with their governments' interests. This first part of the bestiary introduced elite APT groups acting on behalf of nation-states. But this is only the beginning. In part two, we’ll dive into a very different world — one of cyber mercenaries, extortionists, and anarchists who strike for profit, fame, chaos — or simply because they can.
