APT Groups, Naming Conventions, and State-Sponsored Campaigns

Nation-state threat actors operate with resources, patience, and objectives that set them apart from financially motivated cybercriminals. Rather than a single smash-and-grab intrusion, these groups, commonly called Advanced Persistent Threats or APTs, pursue long-term access for espionage, intellectual property theft, or strategic pre-positioning ahead of a potential future conflict. Critical infrastructure, defence, and technology sectors consistently receive the highest targeting frequency.

This page explains how APT groups are tracked and named, and profiles the specific state-sponsored campaigns that current public advisories and research have documented in detail.

Why the Same Group Has Multiple Names

One of the most confusing aspects of nation-state threat reporting is that different security vendors independently track and name overlapping or identical threat activity. Microsoft assigns names using a weather-family taxonomy tied to assessed country of origin: Typhoon indicates China, Sleet indicates North Korea, Sandstorm indicates Iran, and Blizzard indicates Russia. Groups within the same family receive a distinguishing adjective (Volt Typhoon, Salt Typhoon) based on distinct tactics or objectives.

Other vendors use entirely different schemes: CrowdStrike uses animal names tied to country (Panda for China, Chollima for North Korea, Bear for Russia), Mandiant uses numbered APT designations (APT28, APT41). A joint August 2025 CISA/NSA/FBI advisory on Chinese state-sponsored activity explicitly noted the underlying activity overlapped with groups tracked commercially as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, without endorsing any single naming convention.

Source: Microsoft Learn, “How Microsoft names threat actors”; CISA Advisory AA25-239A, August 27, 2025.

Salt Typhoon, Volt Typhoon, and Lazarus Group

Salt Typhoon and Volt Typhoon are both assessed as linked to China, but pursue meaningfully different objectives. Salt Typhoon, linked to China’s Ministry of State Security, is a sustained espionage operation: the FBI confirmed in August 2025 the group had compromised 200+ organisations across 80 countries, focused on telecommunications providers, accessing call metadata and in some cases wiretap audio. The FBI reconfirmed in February 2026 that activity remains ongoing.

Volt Typhoon, assessed as linked to the People’s Liberation Army, has a different mission: pre-positioning inside US critical infrastructure (energy, water, communications) for potential future disruptive use. CISA confirmed persistent access for at least five years before disclosure; a February 2026 supplementary advisory noted intensified activity consistent with pre-conflict positioning. Both groups rely heavily on living-off-the-land techniques using legitimate administrative tools rather than custom malware.

Lazarus Group (APT38), North Korea-linked, is distinguished by an explicitly financial mission: UN investigators link the group to approximately $6.7 billion in stolen cryptocurrency since 2018, funds reportedly funneled into North Korea’s ballistic missile program and AI research.

A nation-state cyber attack is a cyber operation conducted or sponsored by a national government, typically pursuing espionage, intellectual property theft, or strategic infrastructure pre-positioning rather than direct financial gain. These operations are commonly called Advanced Persistent Threats (APTs).

An APT is a sophisticated, typically state-sponsored threat actor that gains and maintains long-term unauthorised access to a target network for espionage, data theft, or strategic positioning, as opposed to a single opportunistic intrusion.

Security vendors, government agencies, and researchers each independently track and attribute threat activity, developing their own naming conventions (Microsoft's weather-family names, CrowdStrike's animal names, Mandiant's numbered APT designations). The same underlying group is frequently given several different names across the industry.

Both are Chinese state-linked APT groups, but Volt Typhoon (linked to the PLA) focuses on pre-positioning inside US critical infrastructure for potential future disruption, while Salt Typhoon (linked to the MSS) conducts sustained espionage, particularly against telecommunications providers, on an ongoing basis.

Living-off-the-land (LOTL) techniques use legitimate administrative tools already present on a target system, such as PowerShell, rather than custom malware, to carry out an intrusion. Because the tools used are legitimate, LOTL techniques are significantly harder to detect with traditional signature-based security tools.