In February 2025, a group of hackers stole $1.5 billion in cryptocurrency in a single afternoon. No guns, no getaway cars: just a developer’s compromised laptop and a tampered wallet interface that the exchange trusted. The money vanished into a laundering network spanning dozens of shell companies across Southeast Asia. The perpetrators were sitting in Pyongyang, working for the North Korean government.
This is what Advanced Persistent Threat (APT) groups do. They are the world’s most capable, best-funded, and most dangerous hackers — and unlike the lone criminal looking for a quick payday, they operate with nation-state resources, long-term objectives, and near-unlimited patience.
This guide introduces the major players: who they work for, what they’re after, and how they operate.
TL;DR
- APT groups are state-sponsored hacking teams with government backing, long-term missions, and sophisticated capabilities
- The major players are North Korea (money), China (espionage + infrastructure), Russia (disruption + chaos), and Iran (regional influence)
- Their techniques range from supply chain compromise and spear-phishing to zero-day exploits and wiper malware
- In 2026, the fastest APT campaigns move from initial access to data exfiltration in just 72 minutes
- You don’t need to be a government to be a target — any organization with valuable data or infrastructure is fair game
What Is an APT Group, Exactly?
APT stands for Advanced Persistent Threat. The name captures three things that make these groups different from ordinary cybercriminals:
- Advanced — they have sophisticated tools, custom malware, and zero-day exploits (previously unknown vulnerabilities worth hundreds of thousands of dollars each)
- Persistent — they stay inside compromised networks for months or years, quietly collecting intelligence rather than smashing and grabbing
- Threat — they have real objectives: steal military secrets, destabilize elections, fund weapons programs, cripple infrastructure
Think of the difference between a pickpocket and a spy. The pickpocket wants your wallet and disappears. The spy wants to understand everything about you — and stay invisible while doing it.
APT groups operate like professional intelligence agencies, because most of them are professional intelligence agencies — or military units that function as one.
Why This Matters to You
Most organizations assume they’re too small or too obscure to attract state-sponsored hackers. This assumption is increasingly wrong.
APT groups target supply chains: if you can’t attack a government agency directly, you compromise a software vendor that the agency trusts. That vendor might be a ten-person company in a Finnish industrial park. APT41 compromised a gaming company’s servers specifically because one government employee played that game on their work laptop.
Hospitals, universities, energy companies, logistics providers, and defense subcontractors are all regularly targeted — not always for what they know, but for who they’re connected to.
The Major Players
Russia: Chaos, Disruption, and Intelligence
Russia runs some of the most operationally aggressive APT groups in the world. Where Chinese APTs tend to collect quietly, Russian groups frequently cause visible damage — and sometimes seem to want to be seen.
APT28 — Fancy Bear (GRU Unit 26165)
Who they work for: Russia’s military intelligence agency (GRU)
Primary targets: NATO governments, political parties, military contractors, journalists, think tanks
Active since: ~2004
APT28 is Russia’s most prolific espionage group — and the one most associated with election interference. They are the group that hacked the Democratic National Committee in 2016, stole emails from Emmanuel Macron’s campaign in 2017, and compromised the World Anti-Doping Agency to retaliate against the Russian doping scandal.
Their signature technique is spear-phishing — highly personalized emails targeting specific individuals. They research their targets extensively before sending anything, crafting emails that reference real colleagues, real projects, and real concerns. The email looks completely legitimate until you click the link.
In 2026, APT28 exploited CVE-2026-21509 in Microsoft Office via malicious DOC files, targeting Ukrainian government ministries. They also maintain a toolset called X-Agent — custom malware that’s been evolving for over fifteen years.
MITRE ATT&CK profile: T1566 (Phishing), T1203 (Exploitation for Client Execution), T1071 (Application Layer Protocol for C2)
How to recognize their footprint:
- Spear-phishing emails referencing very specific internal details
- Malicious Office documents exploiting recent CVEs
- C2 traffic disguised as legitimate web traffic to Dropbox or Google Drive
APT29 — Cozy Bear (SVR)
Who they work for: Russia’s Foreign Intelligence Service (SVR)
Primary targets: Governments, diplomatic missions, pharmaceutical companies, COVID-19 research
Active since: ~2008
If APT28 is the aggressive soldier, APT29 is the patient spy. Cozy Bear specializes in long-term access — they infiltrate networks and watch for years without doing anything that might expose them.
They are responsible for the SolarWinds supply chain attack in 2020: a backdoored Orion software update was delivered to roughly 18,000 SolarWinds customers, including the US Treasury, the Pentagon, and dozens of Fortune 500 companies, and the SVR then hand-picked a far smaller set of those victims for follow-on intrusion. The backdoor went unnoticed for about nine months.
APT29’s technical hallmark is living off the land — using tools that already exist on compromised systems (Windows built-in utilities, PowerShell, legitimate cloud services) rather than deploying custom malware that might be detected. They look like normal network traffic because they mostly are normal network traffic.
For more on living-off-the-land techniques, see our LOLBins guide.
MITRE ATT&CK profile: T1195 (Supply Chain Compromise), T1078 (Valid Accounts), T1027 (Obfuscated Files or Information)
Sandworm — APT44 (GRU Unit 74455)
Who they work for: GRU — Russia’s military intelligence
Primary targets: Critical infrastructure, industrial control systems, Ukraine
Active since: ~2009
Sandworm is in a category of its own. While other APT groups steal information, Sandworm breaks things. They are the only known group to have caused real-world power outages through cyberattacks.
In December 2015, Sandworm cut power to 230,000 Ukrainian homes in the middle of winter — the first confirmed cyberattack to cause a physical blackout. They repeated it in 2016. In 2017, they unleashed NotPetya, a destructive wiper disguised as ransomware, which caused $10 billion in global damages and is considered the most destructive cyberattack in history. FedEx, Maersk, and Merck were among the companies crippled.
NotPetya’s design was instructive: it looked like ransomware (demanding Bitcoin payment), but the decryption mechanism was deliberately broken. There was no intention of allowing recovery. The goal was pure destruction.
Sandworm continues to deploy wiper malware, software designed to permanently destroy data, against Ukrainian targets. AcidRain (which bricked Viasat KA-SAT modems in the opening hours of the 2022 invasion), CaddyWiper, and HermeticWiper are attributed to this group. WhisperGate, deployed in the same period, is attributed to a separate GRU-linked unit tracked as Cadet Blizzard / Ember Bear rather than to Sandworm.
MITRE ATT&CK profile: T1485 (Data Destruction), T1489 (Service Stop), T1561 (Disk Wipe)
China: Long-Game Espionage and Infrastructure Positioning
China’s APT groups operate with extraordinary patience and scale. Their objectives are primarily intelligence collection and industrial espionage — building economic and military advantages over decades, not quarters.
APT41 — Double Dragon
Who they work for: China’s Ministry of State Security (MSS)
Primary targets: Healthcare, telecoms, technology, gaming, government — globally
Active since: ~2012
APT41 is unique: they conduct both state-sponsored espionage and financially motivated cybercrime, sometimes in the same week. They’ve stolen pharmaceutical research by day and deployed ransomware by night.
Their most audacious operation targeted the global video gaming industry. By compromising game publishers’ servers, they manipulated in-game currency and items — generating millions of dollars in digital goods they then sold on grey markets. They also stole source code from gaming companies as intellectual property.
APT41 was one of the first groups to widely adopt ClickFix — a technique where victims are tricked into running malicious commands through fake “fix this error” browser prompts. This technique has since spread across multiple APT groups. See our ClickFix explainer.
Charged by the US Department of Justice in 2020 — five members indicted, still operating from China.
MITRE ATT&CK profile: T1566 (Phishing), T1190 (Exploit Public-Facing Application), T1486 (Data Encrypted for Impact)
Volt Typhoon
Who they work for: Chinese military (PLA)
Primary targets: US critical infrastructure — power grids, water systems, telecommunications, ports
Active since: ~2021 (publicly disclosed 2023)
Volt Typhoon doesn’t steal data. They position themselves for future destruction.
US government agencies have found Volt Typhoon pre-positioned inside American critical infrastructure — power grids, water treatment facilities, communications networks — without doing anything. They appear to be establishing persistent access that could be activated to cause widespread disruption if geopolitical tensions escalate into open conflict, particularly over Taiwan.
This is cyber warfare in the preparation phase: planting sleeper access before a conflict begins, so it can be weaponized at a critical moment.
Their defining technique is stealth through legitimate tools. They use netsh, wmic, ntdsutil, and other Windows built-in utilities for nearly every step of an operation (ntdsutil to copy the Active Directory database, netsh portproxy to pivot between internal hosts) and rarely drop malware at all. Their command-and-control traffic blends in because it is proxied through compromised SOHO routers (home and small office devices), so to the victim it appears to come from ordinary residential IP space rather than from known hostile infrastructure.
In 2026, Volt Typhoon expanded operations to South American telecommunications networks.
MITRE ATT&CK profile: T1078 (Valid Accounts), T1036 (Masquerading), T1571 (Non-Standard Port)
Salt Typhoon
Who they work for: Chinese intelligence
Primary targets: Telecommunications companies, ISPs, wiretap systems
Active since: ~2022
Salt Typhoon made headlines in late 2024 for one of the most disturbing espionage operations ever disclosed: they compromised US telecommunications companies’ lawful intercept systems — the very infrastructure that the government uses to conduct authorized wiretaps.
In effect, they tapped the wiretappers.
They gained access to call records and real-time communications of senior US government officials and political figures. The full scope of what was collected is still classified.
In 2026, Salt Typhoon introduced new implants including TernDoor, PeerTime, and BruteEntry, expanding operations to South American telecom networks. We covered this operation in depth in our Salt Typhoon analysis.
North Korea: Hacking as a Revenue Stream
North Korea’s APT groups operate under a different mandate than their Chinese and Russian counterparts. Under crushing economic sanctions, the Kim regime uses cyberattacks as a primary revenue generation mechanism — stealing cryptocurrency and financial assets to fund the government and its weapons programs.
Lazarus Group (Bureau 121)
Who they work for: North Korea’s Reconnaissance General Bureau
Primary targets: Cryptocurrency exchanges, banks, defense contractors, anyone with accessible money
Active since: ~2009
Lazarus Group is responsible for the largest cryptocurrency theft on record. In February 2025, they stole roughly $1.5 billion from the Bybit exchange by compromising a Safe{Wallet} developer’s machine and injecting JavaScript into the wallet’s web interface. The injected code activated only for Bybit’s cold-wallet signers and altered the transaction they were approving, so that what looked like a routine transfer handed control of the wallet contract to the attackers; the funds were drained within minutes of the signature.
The Bybit theft followed roughly $620 million taken from the Ronin Network (the sidechain behind Axie Infinity) in March 2022, $100 million from the Harmony Horizon Bridge in June 2022, and hundreds of millions more across a decade of operations. Across 2025, North Korean operators stole an estimated $2 billion in cryptocurrency, most of it in the Bybit heist alone.
They also conducted the Sony Pictures hack in 2014, destroying 70% of the company’s data after Sony announced plans to release a movie mocking Kim Jong-un.
Lazarus operates with a recognizable pattern: patient reconnaissance, supply chain compromise, precision financial theft, and immediate laundering through a network of mixing services and shell companies.
MITRE ATT&CK profile: T1195 (Supply Chain Compromise), T1496 (Resource Hijacking), T1041 (Exfiltration Over C2 Channel)
Kimsuky
Who they work for: North Korea’s RGB
Primary targets: Think tanks, academics, policy researchers, nuclear experts, South Korean government
Active since: ~2012
Where Lazarus steals money, Kimsuky steals intelligence — specifically, intelligence about policy positions, sanctions negotiations, and nuclear discussions that the North Korean government needs to understand the world’s intentions toward them.
Their technique is almost charming in its simplicity: they pose as journalists, academics, or policy researchers and send personalized emails asking for interviews or feedback on “draft papers.” When the target engages, Kimsuky builds a relationship over weeks, then delivers a malicious document disguised as the promised content.
They’ve successfully impersonated staff from Harvard’s Belfer Center, the Council on Foreign Relations, and various European think tanks. Targets frequently never realize they have been compromised.
Iran: Regional Dominance and Retaliation
Iran’s APT groups focus on regional influence — intelligence collection on political opponents, sabotage of rivals (particularly Israel and Saudi Arabia), and retaliatory operations when Iran is publicly embarrassed.
APT35 — Charming Kitten (IRGC)
Who they work for: Iran’s Islamic Revolutionary Guard Corps
Primary targets: Journalists, dissidents, human rights activists, nuclear researchers, US government
Active since: ~2014
Charming Kitten runs what might be the most aggressive social engineering campaigns of any APT group. They create elaborate fake personas — complete with LinkedIn profiles, publication histories, and social media activity — and spend weeks building relationships before attempting to compromise targets.
They’ve impersonated BBC journalists to target Iranian dissidents, created fake academic conferences to harvest researcher credentials, and deployed malware hidden in interview invitations. In 2026, they adopted ClickFix techniques for initial access.
Their primary interest is tracking individuals that Iran considers threats: dissidents, journalists covering Iran, nuclear negotiators, and activists working on human rights issues.
APT33 — Refined Kitten (IRGC)
Who they work for: IRGC
Primary targets: Aerospace, defense, petrochemical — particularly Saudi Arabia and the US
Active since: ~2013
APT33 focuses on industrial espionage and sabotage against Iran’s regional rivals. They are linked to the Shamoon disk-wiper attacks that hit Saudi Aramco in 2012 and returned against Saudi petrochemical and government networks in later waves. Shamoon overwrites the master boot record and files on Windows workstations, leaving tens of thousands of machines unbootable; it disrupts operations by destroying the corporate IT estate rather than by manipulating industrial control systems directly.
In 2026, Iranian APT actors have targeted US critical infrastructure including water treatment facilities and energy systems, interacting directly with SCADA and HMI control systems — moving beyond data collection toward the kind of infrastructure manipulation previously associated only with Sandworm.
Comparison: The Four Nations at a Glance
| Country | Primary Objective | Signature Technique | Known For |
|---|---|---|---|
| Russia | Disruption, disinformation, sabotage | Wiper malware, election interference | NotPetya, Ukraine power grid, SolarWinds |
| China | Long-term espionage, infrastructure positioning | Living off the land, supply chain | Volt Typhoon sleeper access, Salt Typhoon wiretaps |
| North Korea | Revenue generation | Supply chain, financial theft | $2B+ crypto stolen in 2025 alone |
| Iran | Regional intelligence, retaliation | Social engineering, industrial sabotage | Charming Kitten, Shamoon wiper |
How They Actually Get In
Despite the sophisticated toolkits, most APT intrusions begin with surprisingly simple techniques:
Spear-phishing is still king. A personalized email with a malicious attachment or link remains the most reliable initial access vector. APT groups invest heavily in reconnaissance before sending anything — they know the target’s projects, colleagues, and interests before the first email arrives.
Supply chain compromise is the high-value play. Compromise a trusted software vendor, and you get access to every one of their customers. Lazarus used this to steal $1.5 billion. APT29 used it to get inside 18,000 organizations at once.
Exploiting edge devices. VPN gateways, firewalls, and email servers are constantly targeted because they sit on the network perimeter, are often unmonitored, and have privileged access to internal systems. We covered why in our Enterprise VPN Vulnerability analysis.
Valid credentials. Once an APT group has credentials (from phishing, data breaches, or purchasing them from criminal markets), they log in — there’s no exploit needed. This is the most detection-resistant technique available.
How to Recognize APT Activity
APT groups leave patterns. You won’t catch them in real time without mature detection capabilities, but you can recognize the aftermath:
Indicators of APT intrusion:
- Unusual authentication at odd hours from unexpected locations
- Large, staged data exfiltration over extended periods (not smash-and-grab)
- Use of built-in Windows tools (wmic, netsh, certutil) for unusual operations
- Scheduled tasks or services created with randomized names
- Outbound connections to cloud storage (Google Drive, Dropbox, OneDrive) from servers that shouldn’t use them
- Certificate requests for high-privilege accounts (see ADCS attacks)
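The indicators above are only useful if someone actually runs them over telemetry. The following is an added example written for this guide, not a vendor product and not real logs: a small offline hunt that implements three of the indicators (odd-hour and out-of-country authentication, the built-in-tool abuse described for APT29 and Volt Typhoon, and servers talking to consumer cloud storage, the pattern noted for APT28 C2). Every host name, user, IP address, command line and byte count is constructed, and the business hours, expected country and cloud-storage domain list are assumptions to tune for your environment.

```python
"""Added example (not a vendor tool, not real logs): three hunts over constructed
telemetry that implement the indicators listed above. Hosts, users, IPs and
command lines are made up. (1) human-style logons at odd hours or from unexpected
countries, T1078; (2) built-in Windows tools used for credential dumping, port
proxying, remote execution, download, or hidden encoded PowerShell (LOLBins);
(3) servers talking to consumer cloud storage, T1567.002."""
import re
from datetime import datetime, timezone

# Assumptions for this example: staff work 06:00-20:00 UTC and log on from the US.
BUSINESS_HOURS_UTC = range(6, 20)
EXPECTED_GEO = {"US"}
HUMAN_LOGON_TYPES = {2, 10}  # Windows 4624 LogonType: 2 = console, 10 = RDP
# Consumer cloud-storage services a server has no business contacting.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "dropboxapi.com", "drive.google.com",
                         "onedrive.com", "1drv.ms", "mega.nz")
# (rule, ATT&CK technique, regex over the command line). ntdsutil and netsh portproxy are
# documented Volt Typhoon tradecraft; the last rule is the ClickFix shape: hidden, encoded
# PowerShell, typically launched from the Run box so explorer.exe is the parent.
LOLBIN_RULES = [
    ("ntdsutil NTDS dump",         "T1003.003", re.compile(r"ntdsutil.*(ac i ntds|ifm)", re.I)),
    ("netsh portproxy pivot",      "T1090",     re.compile(r"netsh.*portproxy.*add", re.I)),
    ("wmic remote process create", "T1047",     re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I)),
    ("certutil download/decode",   "T1105",     re.compile(r"certutil.*(-urlcache|-decode)", re.I)),
    ("hidden encoded PowerShell",  "T1059.001",
     re.compile(r"powershell.*-w(indowstyle)?\s+hidden.*\s-e(nc|ncodedcommand)?\s", re.I)),
]

# ---- constructed sample telemetry ----
AUTH_EVENTS = [
    {"ts": "2026-03-02T03:12:44Z", "user": "svc_backup", "host": "DC01", "geo": "RU", "logon_type": 10},
    {"ts": "2026-03-02T09:05:10Z", "user": "alice", "host": "WS-ALICE", "geo": "US", "logon_type": 2},
    {"ts": "2026-03-02T02:47:03Z", "user": "jsmith", "host": "FS01", "geo": "US", "logon_type": 3},  # nightly backup job
    {"ts": "2026-03-02T04:30:59Z", "user": "bob", "host": "WS-BOB", "geo": "US", "logon_type": 10},
]
PROCESS_EVENTS = [
    {"host": "DC01", "user": "svc_backup", "parent": "cmd.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\x" q q'},
    {"host": "FS01", "user": "SYSTEM", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.1.4.5 connectport=3389"},
    {"host": "WS-ALICE", "user": "alice", "parent": "explorer.exe",
     "cmdline": "powershell -w hidden -NoP -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS-BOB", "user": "bob", "parent": "outlook.exe",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\bob\\Downloads\\agenda.docx"'},
    {"host": "DC01", "user": "svc_backup", "parent": "cmd.exe",
     "cmdline": 'wmic /node:10.1.4.40 process call create "cmd.exe /c whoami > C:\\t.txt"'},
]
PROXY_EVENTS = [
    {"host": "FS01", "role": "server", "dst_host": "content.dropboxapi.com", "bytes_out": 734_000_000},
    {"host": "WS-ALICE", "role": "workstation", "dst_host": "drive.google.com", "bytes_out": 12_000},
    {"host": "DC01", "role": "server", "dst_host": "api.onedrive.com", "bytes_out": 5_000},
    {"host": "DC01", "role": "server", "dst_host": "download.windowsupdate.com", "bytes_out": 3_000},
]

def hunt_auth(events):
    """Console/RDP logons outside business hours, or any logon from an unexpected country."""
    out = []
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        why = []
        if e["logon_type"] in HUMAN_LOGON_TYPES and ts.hour not in BUSINESS_HOURS_UTC:
            why.append(f"interactive logon at {ts:%H:%M} UTC")
        if e["geo"] not in EXPECTED_GEO:
            why.append(f"source country {e['geo']}")
        if why:
            out.append({"rule": "suspicious authentication", "technique": "T1078",
                        "host": e["host"], "user": e["user"], "detail": "; ".join(why)})
    return out

def hunt_processes(events):
    """Match command lines against the LOLBin rules; the parent process is kept for triage."""
    out = []
    for e in events:
        for rule, technique, rx in LOLBIN_RULES:
            if rx.search(e["cmdline"]):
                out.append({"rule": rule, "technique": technique, "host": e["host"],
                            "user": e["user"], "detail": f"{e['parent']} -> {e['cmdline'][:70]}"})
    return out

def hunt_proxy(events):
    """Servers (by asset role) reaching consumer cloud storage, whatever the volume: a 5 KB
    beacon to OneDrive from a domain controller is as telling as a 700 MB upload."""
    out = []
    for e in events:
        host = e["dst_host"].lower()
        if e["role"] == "server" and any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
            out.append({"rule": "server to cloud storage", "technique": "T1567.002", "host": e["host"],
                        "user": None, "detail": f"{host}, {e['bytes_out'] / 1e6:.3f} MB out"})
    return out

def run_hunts(auth=AUTH_EVENTS, procs=PROCESS_EVENTS, proxy=PROXY_EVENTS):
    """Group findings per host, most findings first: several independent hits on one host
    are the signal worth an analyst's time; a single odd logon usually is not."""
    per_host = {}
    for f in hunt_auth(auth) + hunt_processes(procs) + hunt_proxy(proxy):
        per_host.setdefault(f["host"], []).append(f)
    return sorted(per_host.items(), key=lambda kv: -len(kv[1]))

if __name__ == "__main__":
    for host, hits in run_hunts():
        print(f"{host}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  [{f['technique']}] {f['rule']} ({f['user']}): {f['detail']}")
```

On the constructed data the domain controller surfaces first, with an out-of-country RDP logon at 03:12 by a service account, an NTDS database copy, a remote process creation via wmic, and a small beacon to OneDrive; the 02:47 network logon by the backup account on the file server is correctly ignored because logon type 3 is not a human-style session. Replace the three in-memory lists with readers for your real sources (Windows event logs, Sysmon or EDR process events, proxy logs) and keep the rules; the ranking by independent hits per host is what turns noisy individual indicators into a short triage list.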
The 72-minute rule. Unit 42’s 2026 research shows the fastest APT campaigns now move from initial access to data exfiltration in just 72 minutes — four times faster than the year before. Speed of detection and response matters more than ever.
What You Can Do
You’re probably not the primary target of a nation-state. But you might be a path to one — and that’s enough to make you a target.
Prioritize these defenses:
- Phishing-resistant MFA. Hardware security keys (FIDO2) or Windows Hello for Business defeat credential phishing, the most common initial access vector, because the credential is bound to the site’s origin. SMS codes, TOTP apps and push approvals carry no such binding and can be relayed by an AiTM proxy; see our AiTM phishing breakdown.
- Software supply chain awareness. Audit what third-party software your organization runs, pin and verify what you can, and alert on updates that arrive outside the vendor’s normal cadence. Gate can help scan Python dependencies for supply chain risks.
- Patch externally-facing systems immediately. VPN gateways, mail servers, and remote access tools are the first attack surface. APT groups weaponize CVEs within hours or days of public disclosure, and sometimes hold the exploit before disclosure.
- Assume breach, look for dwell time. APT groups are patient. Run threat hunts looking for anomalous behavior over long time windows: months, not days. Look for accounts that authenticated at 3 AM, or servers that suddenly started talking to cloud storage.
- Know your crown jewels. What data in your organization would interest a foreign intelligence service? That is your highest-priority asset to protect and monitor.
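Why does FIDO2 resist the AiTM phishing that defeats SMS and app-based MFA? The answer is in what the relying party checks. The block below is an added example written for this guide, not code from any WebAuthn library or vendor: the relying-party side of a login assertion reduced to the checks that provide phishing resistance. The browser, not the page, writes the origin into clientDataJSON, and the authenticator hashes the RP ID it was registered for into authenticatorData, so a proxy on its own domain cannot produce an assertion that passes. The RP ID, the allowed origin, the challenges, the signature counter and the scenarios are constructed; signature verification with the registered public key is the remaining step and is left out so the block runs offline.

```python
"""Added example (not from any WebAuthn library or vendor): the relying-party side
of a FIDO2/WebAuthn login reduced to the checks that make it phishing-resistant.
Signature verification over authenticatorData || SHA-256(clientDataJSON) with the
registered public key is the remaining step and is omitted so the block runs
stand-alone. RP ID, origins, challenges and counters are constructed."""
import base64, hashlib, json, os, struct

RP_ID = "example.com"                            # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed login page origin(s)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_authenticator_data(rp_id, sign_count, user_present=True, user_verified=True):
    """What the authenticator returns: SHA-256(rpId) || flags || signCount (big-endian)."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def make_client_data(challenge, origin):
    """What the browser builds. The origin is filled in by the browser from the page that
    called navigator.credentials.get(); page script cannot change it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()

def verify_assertion(expected_challenge, client_data_json, authenticator_data, stored_sign_count):
    """Relying-party checks before signature verification. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not our login page"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not flags & 0x01:
        return False, "user presence flag not set"
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"

def demo():
    """Four assertions against the same relying party; only the first should pass."""
    challenge = os.urandom(32)
    real_page, phish_page = "https://login.example.com", "https://login-example.evil"
    auth_data = make_authenticator_data(RP_ID, sign_count=42)
    return {
        # 1. Legitimate login from our page.
        "legit": verify_assertion(challenge, make_client_data(challenge, real_page), auth_data, 41),
        # 2. AiTM proxy relays our genuine challenge to the victim, but the victim's browser
        #    records the proxy's origin, and that is what reaches us.
        "aitm": verify_assertion(challenge, make_client_data(challenge, phish_page), auth_data, 41),
        # 3. A captured assertion replayed against a later challenge.
        "replay": verify_assertion(os.urandom(32), make_client_data(challenge, real_page), auth_data, 41),
        # 4. Credential scoped to another RP ID: the rpIdHash cannot match even with a correct origin.
        "wrong_rp": verify_assertion(challenge, make_client_data(challenge, real_page),
                                     make_authenticator_data("login-example.evil", 42), 41),
    }

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

In a real browser the phishing page never gets this far: the browser only lets a page use credentials whose RP ID is a registrable suffix of its own domain, so login-example.evil cannot even invoke a key registered for example.com. The origin and rpIdHash checks at the relying party are the second line of defence, and they are exactly what a one-time code has no equivalent of: a TOTP or push approval is just a value the user hands over, and nothing in it records which site asked for it.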
Related Posts
- Salt Typhoon: Inside the Telecom Hack That Tapped America’s Wiretaps — deep dive on one of the most significant Chinese APT operations
- The Digital Parasite: How Attacker Tradecraft Evolved in 2026 — how modern attackers (including APTs) prioritize stealth and persistence
- ClickFix and PasteJacking: The Social Engineering Technique APTs Adopted — the phishing evolution now used by APT35, APT41, and Kimsuky
- LOLBins: Living Off the Land in Windows 2026 — the technique that makes APT29 and Volt Typhoon nearly invisible
- AiTM Phishing and MFA Bypass — why standard MFA doesn’t stop determined nation-state attackers
Sources
- Netlas — Top 10 Critical Threat Actors to Watch in 2026
- Blaze Information Security — 2026 Hacker Calendar: APT Edition
- Tripwire — APT Rogues’ Gallery: The World’s Most Dangerous Cyber Adversaries
- DeepStrike — State Sponsored Hacking: How Nation-State APT Attacks Work
- Vectra AI — Advanced Persistent Threat Detection and Defense
- BleepingComputer — US warns of Iranian hackers targeting critical infrastructure
- BleepingComputer — Notepad++ update feature hijacked by Chinese state hackers
- MITRE ATT&CK — APT28 Group Profile
- CanIPhish — The 10 Most Notorious Cybercrime Groups in 2026