Threat Actor Profiles: Nation-State Groups, Ransomware Gangs, and Hacktivists
Knowing which threat actors target your industry and geography is the starting point for building a threat-informed defense. Generic security posture assumes the same adversary model for all organizations – which leads to misallocated controls and detection gaps against the specific groups most likely to attack you. CyberSanso’s Threat Actor Profiles document the TTPs, targets, infrastructure patterns, and motivation profiles of the most significant threat actors operating in 2026.
Profiles are organized by threat actor category: nation-state APT groups (Advanced Persistent Threats operating under government direction), ransomware-as-a-service (RaaS) operations and their affiliates, financially motivated criminal organizations, and hacktivist collectives. Each profile documents the actor’s known aliases across security research firms, attributed country of origin (where established), primary targeting sectors, signature techniques mapped to MITRE ATT&CK, and links to authoritative public research from Mandiant, CrowdStrike, Microsoft, and government advisories.
Attribution in cybersecurity is probabilistic, not absolute. This database follows the confidence conventions used by major threat intelligence firms: high-confidence attribution is supported by technical evidence, operational security failures, and government indictments; medium-confidence attribution is based on technical evidence alone; low-confidence attribution reflects preliminary assessment pending further corroboration. Attribution disputes across vendors are noted where they exist.
Nation-State APT Groups: The Highest-Sophistication Threat
Nation-state APT (Advanced Persistent Threat) groups represent the most sophisticated category of threat actors. They are distinguished from criminal groups by three characteristics: they have extensive resources (government funding, intelligence support, dedicated technical teams), they operate with strategic patience (conducting months-long reconnaissance campaigns before acting), and their primary motivation is espionage, sabotage, or geopolitical disruption rather than financial gain.
Russia-attributed APT groups: Russia’s threat actor ecosystem is the most thoroughly documented in Western intelligence reporting. APT29 (Cozy Bear, Midnight Blizzard, NOBELIUM), attributed to Russia’s SVR foreign intelligence service, is responsible for the SolarWinds supply chain compromise and the corporate email compromise that Microsoft disclosed in January 2024. APT28 (Fancy Bear, Forest Blizzard), attributed to Russia’s GRU military intelligence, is associated with election interference operations, targeting of NATO member states, and the 2016 DNC breach. Sandworm (Voodoo Bear, ELECTRUM), also GRU-attributed, is responsible for destructive attacks on Ukrainian critical infrastructure, including the NotPetya wiper (estimated $10 billion in global damage) and ongoing attacks against energy and industrial control systems.
China-attributed APT groups: China’s APT ecosystem is the largest by actor count. APT41 (Winnti Group, Double Dragon) conducts both state-sponsored espionage and financially motivated cybercrime – an unusual dual mandate that allows it to blend into criminal threat reporting. Volt Typhoon has been active in pre-positioning campaigns within US critical infrastructure since at least 2021, focusing on living-off-the-land techniques specifically chosen to avoid detection and persist undetected for years. Salt Typhoon conducted significant intrusions into US telecommunications providers’ network interception systems in 2024-2025, reportedly accessing lawful intercept infrastructure used by federal agencies.
North Korea-attributed groups: The Lazarus Group (Hidden Cobra in US government reporting; Mandiant’s APT38 designation covers its financially focused subset) is North Korea’s most active and destructive APT. Unlike most nation-state groups, Lazarus operates with significant financial motivation alongside espionage goals, funding North Korea’s weapons programs through cryptocurrency theft estimated at over $3 billion between 2017 and 2024. Lazarus conducts watering hole and social engineering attacks against cryptocurrency platforms, supply chain compromises targeting financial institutions, and military intelligence collection operations.
Iran-attributed groups: APT33 (Elfin, Refined Kitten) targets aerospace and energy sectors in the US, Saudi Arabia, and South Korea. APT34 (OilRig, Helix Kitten) focuses on government, financial, and energy organizations across the Middle East. Iranian groups have demonstrated destructive capabilities alongside espionage, including the Shamoon disk-wiping malware that destroyed tens of thousands of Saudi Aramco workstations in 2012.
- Nation-state APT profiles with TTPs and documented campaigns
- Ransomware group profiles with RaaS affiliate structure documentation
- MITRE ATT&CK technique mapping for each documented threat actor
- Government advisory and public research citation for all attributions
Ransomware Groups and Cybercriminal Organizations in 2026
Ransomware operations have evolved into sophisticated criminal enterprises with organizational structures resembling legitimate businesses. The ransomware-as-a-service (RaaS) model separates ransomware development from deployment: core groups develop and maintain the ransomware platform and negotiation infrastructure; affiliates license access and conduct the actual attacks; both parties split the ransom payment (typically 70-80% to affiliates, 20-30% to the core group).
Active ransomware groups in 2026: Active ransomware groups increased 49% year-over-year per IBM X-Force 2026. The most prolific groups as of mid-2026 include RansomHub (the largest by victim count following LockBit’s disruption), LockBit 4 (operational despite the February 2024 law enforcement action that disrupted LockBit 3 infrastructure and led to indictments of key operators), and Cl0p (responsible for the MOVEit Transfer mass exploitation affecting over 2,700 organizations). ALPHV/BlackCat ceased operations in early 2024: law enforcement seized its leak site in December 2023, and in March 2024 the core team withheld an affiliate’s share of the Change Healthcare ransom and shut down its infrastructure.
Scattered Spider (UNC3944): A notable exception to the predominantly Eastern European ransomware ecosystem, Scattered Spider is primarily English-speaking and conducts sophisticated social engineering against IT help desks – impersonating employees to reset MFA and gain legitimate access credentials. The group targeted MGM Resorts (reportedly causing $100 million in losses) and Caesars Entertainment in 2023, then continued operations against financial, insurance, and retail organizations.
Law enforcement impact: The disruption of major ransomware infrastructure has not reduced overall attack volume. When LockBit was disrupted in February 2024 and BlackCat collapsed in March 2024, their affiliates migrated to competing platforms rather than ceasing operations. The number of active ransomware groups rose to its highest recorded level despite these enforcement actions, reflecting the resilience of the RaaS business model: the scarce asset is the affiliate’s intrusion capability, not any one group’s encryptor.
How to Identify Which Threat Actors Target Your Organization
Not every threat actor is equally relevant to every organization. Effective threat intelligence prioritizes depth on relevant actors over breadth across all documented groups. The following approach identifies your most relevant threat actor exposure:
Industry-based targeting: Threat actors specialize by sector. Nation-state groups typically target sectors with strategic value to their governments: defense contractors (espionage on weapons programs), energy companies (pre-positioning for sabotage), and financial institutions (sanctions evasion, intelligence on currency and payments). Ransomware groups target sectors where downtime creates payment pressure (healthcare, where outages directly affect patient care) or where data is high-value (financial services, law firms). Your sector determines your baseline threat actor exposure.
Geography-based targeting: Nation-state threat actors target geographies aligned with their government’s strategic interests. Russian APT groups concentrate on NATO member nations, Ukraine, and Eastern European governments. Chinese APT groups prioritize the United States, Taiwan, South Korea, Japan, and Australia alongside Belt and Road Initiative partner nations. Understanding your organization’s geographic profile and customer base helps identify which nation-state groups are relevant to your threat model.
Size and supplier relationships: Opportunistic criminal groups target small businesses because they are easier to compromise. Sophisticated RaaS operators increasingly target mid-market organizations ($50 million to $1 billion revenue) that are too large for commodity attacks to ignore but too small for the enterprise-grade security programs that add friction to attacks. Supply chain attacks mean your security posture also needs to account for your customers and suppliers: if you serve as a managed service provider or software supplier to larger targets, you may be targeted as a stepping stone.
Information sharing resources: The relevant ISAC (Information Sharing and Analysis Center) for your sector provides confidential threat actor intelligence sharing among member organizations. FS-ISAC (financial services), H-ISAC (healthcare), E-ISAC (energy), MS-ISAC (state and local government), and sector-specific equivalents are the primary confidential threat sharing channels for their respective industries.
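The three filters above (sector, geography, size and supplier role) are only useful if they feed into something: the practical output is a short list of relevant actors and, for each, the ATT&CK techniques you cannot currently detect. The script below is an added example, not CyberSanso’s tooling. Every actor profile, technique list and detection inventory in it is constructed sample data: the actor names are placeholders, and the ATT&CK technique IDs are real IDs used only as labels for the exercise. The scoring weights (sector match outweighs geography alone; supplier-pivot actors count only when the organization is itself a stepping stone) are an assumption, not a standard.

```python
"""Rank threat actors by relevance to one organisation, then find the detection
gaps against the techniques those actors use.

Added example, not CyberSanso's tooling. Every actor profile, technique list and
detection inventory here is constructed sample data; actor names are placeholders,
and the ATT&CK technique IDs are real IDs used only as labels for the exercise.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    name: str
    sectors: frozenset[str]        # sectors the actor is documented targeting
    geographies: frozenset[str]    # countries/regions of documented victims
    techniques: frozenset[str]     # ATT&CK technique IDs attributed to the actor
    supply_chain: bool = False     # documented pivoting through MSPs or suppliers


@dataclass(frozen=True)
class OrgProfile:
    sector: str
    geographies: frozenset[str]
    supplies_larger_orgs: bool     # MSP or software supplier to bigger targets


# Constructed sample profiles (placeholder names, not real group data).
ACTORS = [
    Actor("ransomware_affiliate_A", frozenset({"healthcare", "manufacturing"}),
          frozenset({"US", "EU"}), frozenset({"T1566", "T1078", "T1021", "T1486", "T1059"})),
    Actor("espionage_group_B", frozenset({"defense", "energy"}),
          frozenset({"US", "Taiwan"}), frozenset({"T1190", "T1078", "T1021", "T1027"})),
    Actor("helpdesk_socialeng_C", frozenset({"healthcare", "financial", "retail", "insurance"}),
          frozenset({"US"}), frozenset({"T1621", "T1078", "T1566"})),
    Actor("msp_pivot_group_D", frozenset({"financial"}),
          frozenset({"US"}), frozenset({"T1199", "T1078"}), supply_chain=True),
]

# Constructed: technique IDs the organisation believes it can already detect.
DETECTIONS = frozenset({"T1566", "T1059", "T1486"})


def relevance(actor: Actor, org: OrgProfile) -> int:
    """Score one actor against the org (weights are an assumption of this example):
    sector match +2, geographic overlap +1, supplier pivot +1 only if the org is
    itself a stepping stone to larger targets."""
    score = 0
    if org.sector in actor.sectors:
        score += 2
    if org.geographies & actor.geographies:
        score += 1
    if actor.supply_chain and org.supplies_larger_orgs:
        score += 1
    return score


def relevant_actors(actors, org, min_score=2) -> list[tuple[str, int]]:
    """Actors at or above the threshold, highest score first, name as tiebreak."""
    scored = [(a.name, relevance(a, org)) for a in actors]
    return sorted([s for s in scored if s[1] >= min_score], key=lambda s: (-s[1], s[0]))


def coverage_gap(actors, org, detections, min_score=2) -> dict[str, list[str]]:
    """Per relevant actor, the techniques it uses that no detection covers."""
    names = {name for name, _ in relevant_actors(actors, org, min_score)}
    return {a.name: sorted(a.techniques - detections) for a in actors if a.name in names}


def prioritized_gaps(actors, org, detections, min_score=2) -> list[tuple[str, int]]:
    """Undetected techniques ranked by how many relevant actors rely on them,
    so a gap shared across several likely adversaries is closed first."""
    gaps = coverage_gap(actors, org, detections, min_score)
    counts = Counter(t for techniques in gaps.values() for t in techniques)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    org = OrgProfile("healthcare", frozenset({"US"}), supplies_larger_orgs=False)
    print(relevant_actors(ACTORS, org))
    print(coverage_gap(ACTORS, org, DETECTIONS))
    print(prioritized_gaps(ACTORS, org, DETECTIONS))
```

For the sample US hospital system, two of the four constructed actors clear the threshold, and the one technique both of them use that nothing detects (T1078, Valid Accounts) rises to the top of the list; an organization that also supplies larger financial firms would instead see the supplier-pivot actor ranked first. The same structure works with real data if the actor records are populated from ATT&CK’s group-to-technique relationships and the detection inventory from your own rule set.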
Threat Actor Attribution: Methods and Limitations
Attributing a cyberattack to a specific threat actor is a structured analytical process, not a binary determination. Security researchers and intelligence agencies use multiple lines of evidence to build attribution assessments, each with different confidence implications:
Technical indicators: Malware code similarities (shared code modules, compilation artifacts, development language patterns), command-and-control infrastructure patterns (shared hosting providers, domain registration patterns, TLS certificate reuse), and operational security failures (language artifacts in malware comments, time zone patterns in compilation timestamps, attacker credentials left in samples). Technical indicators support attribution at medium confidence when consistent across multiple incidents, but every one of them can be deliberately planted as a false flag, so a single indicator class should never carry an attribution on its own.
Operational patterns: Targeting consistency (same actor repeatedly hitting the same sector or geography), timing patterns (attacks consistently occurring during the business hours of a specific country), and TTP stability (same techniques, tools, and procedures across incidents despite infrastructure changes). Operational patterns are harder to fake deliberately across multiple incidents.
Intelligence and government confirmation: Government indictments, Five Eyes joint advisories, and declassified intelligence assessments provide the highest-confidence attribution because they typically combine technical evidence with classified human intelligence sources that private researchers cannot access. When CISA, NSA, and international partners jointly attribute an attack to a named nation-state group, this represents high-confidence assessment incorporating multiple evidence streams.
Vendor naming conventions: Different security vendors use different naming conventions for the same groups. Microsoft uses weather-themed names (Midnight Blizzard, Forest Blizzard, Volt Typhoon, Salt Typhoon) and tracks Scattered Spider as Octo Tempest. Mandiant uses APT number designations for established groups (APT29, APT41) and UNC numbers for uncategorized clusters (UNC3944). CrowdStrike uses animal names keyed to the sponsoring country or motivation (Cozy Bear, Fancy Bear, Scattered Spider). MITRE ATT&CK lists each group under a primary name with an “associated groups” alias list that cross-references the vendor names. When reading threat reports, check MITRE ATT&CK’s Groups database for the cross-reference mapping between vendor naming conventions, and treat an alias that appears under more than one ATT&CK group as an unresolved overlap rather than a synonym.
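The alias cross-reference is mechanical enough to automate from ATT&CK’s STIX data. The script below is an added example, not code from the page or from MITRE. SAMPLE_BUNDLE is a constructed, abbreviated stand-in shaped like ATT&CK’s enterprise-attack.json (intrusion-set objects with an aliases list and a mitre-attack external reference); the APT29 and APT28 entries carry their published ATT&CK IDs, while the PLACEHOLDER-GROUP and OLD-NAME entries and their GXXX IDs are invented purely to exercise alias collisions and revoked objects. In practice, build the index from a fresh download of the real dataset.

```python
"""Resolve vendor threat-actor names to MITRE ATT&CK group IDs via the alias
lists in ATT&CK's STIX data.

Added example, not code from the page or from MITRE. SAMPLE_BUNDLE is a constructed,
abbreviated stand-in shaped like ATT&CK's enterprise-attack.json; the PLACEHOLDER-GROUP
and OLD-NAME entries (IDs GXXX1, GXXX2) are invented to exercise edge cases.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "name": "APT29",
         "aliases": ["APT29", "Cozy Bear", "NOBELIUM", "Midnight Blizzard"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0016",
                                  "url": "https://attack.mitre.org/groups/G0016"}]},
        {"type": "intrusion-set", "name": "APT28",
         "aliases": ["APT28", "Fancy Bear", "Forest Blizzard"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0007",
                                  "url": "https://attack.mitre.org/groups/G0007"}]},
        # Invented placeholder (not a real ATT&CK group): shares an alias with APT28
        # so the resolver has an ambiguity to report.
        {"type": "intrusion-set", "name": "PLACEHOLDER-GROUP",
         "aliases": ["PLACEHOLDER-GROUP", "Fancy Bear"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "GXXX1"}]},
        # Invented placeholder: revoked objects stay in the bundle but must not be indexed.
        {"type": "intrusion-set", "name": "OLD-NAME", "revoked": True,
         "aliases": ["OLD-NAME", "Cozy Bear"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "GXXX2"}]},
        {"type": "attack-pattern", "name": "Phishing"},   # not a group: ignored
    ],
})


def _norm(name: str) -> str:
    """Fold case, spaces and punctuation: 'Cozy Bear', 'COZY-BEAR', 'cozybear' all match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def attack_group_id(obj: dict) -> str | None:
    """The G-number from the object's 'mitre-attack' external reference, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_alias_index(bundle_json: str) -> dict[str, set[str]]:
    """normalised alias -> set of ATT&CK group IDs that claim it.

    A set rather than a single ID so collisions are preserved instead of the
    last writer silently winning. Revoked and deprecated objects are skipped."""
    index: dict[str, set[str]] = defaultdict(set)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "intrusion-set":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        gid = attack_group_id(obj)
        if gid is None:
            continue
        for alias in [obj["name"], *obj.get("aliases", [])]:
            index[_norm(alias)].add(gid)
    return dict(index)


def resolve(index: dict[str, set[str]], vendor_name: str) -> tuple[str, list[str]]:
    """('ok', [id]) for a unique match, ('ambiguous', ids) when several groups claim
    the alias, ('unknown', []) when the dataset has no record of the name."""
    hits = sorted(index.get(_norm(vendor_name), set()))
    if len(hits) == 1:
        return "ok", hits
    if hits:
        return "ambiguous", hits
    return "unknown", []


if __name__ == "__main__":
    idx = build_alias_index(SAMPLE_BUNDLE)
    for name in ["Midnight Blizzard", "COZY BEAR", "Fancy Bear", "Octo Tempest"]:
        print(name, "->", resolve(idx, name))
```

The two design choices worth copying are the set-valued index, which surfaces an alias claimed by two groups as ambiguous instead of silently choosing one, and the skip on revoked or deprecated objects, which ATT&CK keeps in the bundle for historical reference. Octo Tempest resolves as unknown only because the constructed sample omits that group; against the full dataset it would map to the entry ATT&CK maintains for Scattered Spider.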