APT, Cyber Threat Actors – Who’s who

APT40
Suspected attribution: China

Target sectors: APT40 is a Chinese cyber espionage group that typically targets countries strategically important to the Belt and Road Initiative.

Associated malware: APT40 has been observed using at least 51 different code families. Of these, 37 are non-public. At least seven of these non-public tools (BADSIGN, FIELDGOAL, FINDLOCK, PHOTO, SCANBOX, SOGU, and WIDETONE) are shared with other suspected China-nexus operators.

APT39
Suspected attribution: Iran

Target sectors: While APT39’s targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.

Associated malware: The group primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor.

APT38
Suspected attribution: North Korea

Target sectors: Financial institutions world-wide

Analysis of APT38 reveals that the group is responsible for conducting the largest observed cyber heists.

Associated malware: This large and prolific group uses a variety of custom malware families, including backdoors, tunnelers, dataminers, and destructive malware to steal millions of dollars from financial institutions and render victim networks inoperable.

APT37
Suspected attribution: North Korea

Target sectors: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.

The group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware.

Associated malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware.

APT34
Suspected attribution: Iran

Target sectors: This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East.

APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014.

Associated malware: POWBAT, POWRUNER, BONDUPDATER

APT33
Suspected attribution: Iran

Target sectors: Aerospace, energy

APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea.

Associated malware: SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, ALFA Shell

APT32
Also known as: OceanLotus Group

Suspected attribution: Vietnam

Target sectors: Foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors

Recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business, manufacturing or preparing to invest in the country.

Associated malware: SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, KOMPROGO

APT30
Suspected attribution: China

Target sectors: Members of the Association of Southeast Asian Nations (ASEAN)

APT30 is noted not only for sustained activity over a long period of time but also for successfully modifying and adapting source code to maintain the same tools, tactics and infrastructure since at least 2005.

Associated malware: SHIPSHAPE, SPACESHIP, FLASHFLOOD

APT29
Suspected attribution: Russian government

Target sectors: Western European governments, foreign policy groups and other similar organizations

APT29 is an adaptive and disciplined threat group that hides its activity on a victim’s network, communicating infrequently and in a way that closely resembles legitimate traffic.

Associated malware: HAMMERTOSS, TDISCOVER, UPLOADER

APT28
Also known as: Tsar Team

Suspected attribution: Russian government

Target sectors: The Caucasus, particularly Georgia, eastern European countries and militaries, North Atlantic Treaty Organization (NATO) and other European security organizations and defense firms

APT28 is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues—intelligence that would be useful only to a government.

Associated malware: CHOPSTICK, SOURFACE

APT19
Also known as: Codoso Team

Suspected attribution: China

Target sectors: Legal and investment

Associated malware: BEACON, COBALTSTRIKE

APT18
Also known as: Wekby

Suspected attribution: China

Target sectors: Aerospace and Defense, Construction and Engineering, Education, Health and Biotechnology, High Tech, Telecommunications, Transportation

Associated malware: Gh0st RAT

APT17
Also known as: Tailgator Team, Deputy Dog

Suspected attribution: China

Target sectors: U.S. government, and international law firms and information technology companies

Associated malware: BLACKCOFFEE

Attack vectors: The threat group took advantage of the ability to create profiles and post in forums to embed encoded CnC for use with a variant of the malware it used.

Source: https://www.fireeye.com/current-threats/apt-groups.html