Hacker collectives are now among the most rapidly expanding threats to national security—not the so-called 'hacktivists' we often hear about, but highly organized and skilled groups working on behalf of governments that remain largely unseen. State-backed hacker groups have the power to infiltrate networks belonging to the media, major corporations, defense agencies, and even governments, causing significant disruption. Even cybersecurity firms aimed at combating these attacks can fall victim to infiltration.
The threat has grown so dire that it's being likened to a new kind of 'cold war'—one that is truly global and mostly hidden. Corporate brands have become targets of nation-states seeking a competitive economic advantage over other nations. As hacking tactics to bypass computer defenses are becoming increasingly easy, the allure of offensive cyber capabilities grows stronger. Eventually, the world may witness cyber warfare as a recognized act of war—a shift the US is already approaching. Groups like the ominously named 'Guardians of Peace' have already issued threats of violent acts and have curtailed freedom of speech, especially within Hollywood.
Here are 10 of the most influential participants in this high-stakes game of espionage, sabotage, and cyber warfare.
10. The Syrian Electronic Army (SEA), Syria

The SEA was responsible for a series of successful cyberattacks on CNN, The Washington Post, and Time in 2013. One of their most notable pranks was spreading false reports that an explosion had occurred at the White House, injuring President Obama. This hoax briefly shook the stock market, causing the Dow Jones index to drop by a full percentage point.
SEA hackers have also been known to participate in more sinister activities, such as targeting and intimidating those who oppose Assad or don’t share their political views. While they portray themselves as patriots, they openly admit to providing the government with valuable intelligence, blurring the lines between hacktivists and state-sponsored cybercriminals. The SEA primarily employs 'spear-phishing'—a tactic that uses social engineering to trick users into revealing passwords or sensitive data, typically by luring them to fake websites designed for that purpose.
In November 2014, the SEA returned with a vengeance, compromising several websites via a content delivery network. A pop-up message appeared on these sites, reading: 'You have been hacked by the Syrian Electronic Army.'
9. Tarh Andishan, Iran

In 2009, Iran’s computer infrastructure suffered a severe blow following the high-profile Stuxnet worm attack. In response, Iran escalated its cyber capabilities from simple website defacements to engaging in full-scale cyber warfare. As a result, a state-sponsored hacking group known as 'Tarh Andishan' ('Thinkers' or 'Innovators' in Farsi) emerged.
The group rose to prominence with 'Operation Cleaver,' an ongoing campaign that has been active since 2012, targeting over 50 organizations worldwide across military, commercial, educational, environmental, energy, and aerospace sectors. Alarmingly, they have even targeted major airlines, gaining 'complete access' to airline gates and control systems, which could potentially allow them to falsify gate credentials. Cybersecurity company Cylance released an early report on Tarh Andishan, expressing concerns that Operation Cleaver poses a 'serious threat to global physical safety.'
Cylance’s report included evidence such as hacker handles, Iranian domain names, hosting infrastructure, and other key indicators. The firm believes that the scale of Tarh Andishan’s operations, which require a large infrastructure, suggests it is not the work of a single individual or small group. The group uses advanced techniques such as SQL injection, sophisticated exploits, automated worm-like propagation, backdoors, and more. It is thought to consist of about 20 members, mainly based in Tehran, with additional members in Canada, the UK, and the Netherlands. Its targets include the US, Central America, parts of Europe, South Korea, Pakistan, Israel, and multiple Middle Eastern regions.
8. Dragonfly / Energetic Bear, Eastern Europe

A hacker group referred to as 'the Dragonfly gang' by Symantec and 'Energetic Bear' by other cybersecurity firms has been operating from Eastern Europe, primarily targeting energy companies since around 2011. Before focusing on energy, the group targeted the airline and defense sectors, particularly in the US and Canada. Symantec notes that the group displays the hallmarks of a state-sponsored operation, with significant technical expertise. It was first discovered by the Russian security company Kaspersky Lab.
Dragonfly deploys remote access Trojans (RATs), such as its own Backdoor.Oldrea and Trojan.Karagany malware, to monitor targets in the energy sector. These tools can also be used for industrial sabotage. Typically, the malware is delivered via phishing emails, but the group has recently shifted to 'watering hole' attacks: compromising trusted websites that its targets frequently visit. Victims are then redirected through a series of links until the Oldrea or Karagany malware is introduced into their systems. Later in the campaign, the group even trojanized legitimate software packages, so that the malware was downloaded and installed alongside the legitimate program.
Similar to Stuxnet, Dragonfly's operation was one of the first significant attempts to directly target industrial control systems. However, unlike Stuxnet, which focused solely on Iran's nuclear program, Dragonfly's efforts were much broader, aiming at long-term espionage and access. The group also possessed the ability to carry out serious sabotage, but this remained a potential threat held in reserve rather than a primary goal.
7. Tailored Access Operations, NSA, USA

In the wake of Stuxnet, the United States was determined not to fall behind in the cyber warfare and espionage race. The country has reserved the right “to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law.” America's own state-sponsored hacking group, Tailored Access Operations (TAO), is operated by the National Security Agency. This group became widely known after Edward Snowden's revelations, published in German magazine Der Spiegel, exposed TAO’s activities, including the NSA's secret collection of telephone data from thousands of Americans and international intelligence targets.
Since at least 2008, TAO has intercepted PC shipments, inserting spying software into the computers before they reach their destination. The group has exploited hardware and software vulnerabilities, and even successfully hacked major corporations such as Microsoft, allegedly through Microsoft's crash report dialog boxes, alongside a range of other advanced cyber warfare techniques.
The organization has become less secretive over time, with employees now listing themselves on LinkedIn, though it remains just as active—presumably working against foreign adversaries this time around. Its primary headquarters, with 600 employees, is located in the main NSA complex in Fort Meade, Maryland. For an idea of their current work, one can ask Dean Schyvincht, a self-identified TAO Senior Computer Network Operator from the Texas office. He claims that 'over 54,000 Global Network Exploitation (GNE) operations in support of national intelligence agency requirements' had been carried out by 2013, with a team of just 14 people under his leadership. One can only wonder what operations are being handled at Fort Meade now.
6. Ajax Security Team / Flying Kitten, Iran

Ajax began in 2010 as a collective of 'hacktivists' and website defacers from Iran. However, over time, their focus shifted from activism to cyber espionage, targeting political dissidents. While they deny state sponsorship, many suspect that they were eventually recruited by the Iranian government—a common trend where a group's public activities attract the attention of state actors, leading to state-backed support.
Ajax attracted the attention of cybersecurity firms like CrowdStrike after a series of missteps (including one where a member’s real email address was exposed) revealed their attempts to target the US defense sector and Iranian dissidents. FireEye believes that Ajax was behind 'Operation Saffron Rose'—a string of phishing attacks and efforts to spoof Microsoft Outlook Web Access and VPN pages to steal information and credentials from within the US defense industry. The group also exposed dissidents by enticing them with malicious anti-censorship tools.
Groups like this highlight a growing 'grey area' between the cyber espionage activities of Iran’s hacker factions and any direct involvement from the Iranian government or military. This blurring of lines between hacker groups and state entities is likely to become more pronounced in the future.
5. APT28, Russia

'APT' stands for 'advanced persistent threat,' a label used by security firms to classify particularly dangerous hacker groups. In some cases—especially when little concrete information is available—a group is known only by the name assigned to it in the report that documents it. One such group is 'APT28,' which is believed to be operating from Russia. It has been conducting advanced cyber espionage since at least 2007.
Although Russia is recognized as one of the global leaders in cyber warfare, finding irrefutable proof connecting APT28 directly to the Russian government remains elusive. However, according to FireEye's vice president of threat intelligence, their report indicates that the malware and tools employed by APT28 strongly suggest 'Russian language speakers working during business hours aligned with the time zones of Russia’s key cities, including Moscow and St. Petersburg.'
The group used a range of tactics and attacks targeting military and political entities in the US and Eastern Europe, with particular focus on valuable assets for Russia, such as Georgia. NATO was also a target, and a White House official later confirmed that the group infiltrated unclassified White House networks and may have also targeted Ukraine.
4. Unit 61398 / Comment Crew / Putter Panda, China

In 2013, Mandiant released a report that alleged China had been caught in the act of cyber espionage. The report claimed that a group associated with the Chinese military’s elite Unit 61398 had stolen hundreds of terabytes of data from at least 141 organizations across English-speaking countries. Mandiant based its accusations on evidence like Shanghai-based IP addresses, computers with Simplified Chinese language settings, and clues suggesting that many individuals, not automated systems, were behind the attacks.
China denied the allegations, arguing that the report 'is not based on facts' and lacks 'technical proof.' However, Brad Glosserman, executive director of the Center for Strategic and International Studies’ Pacific Forum, disagreed, asserting that the evidence—when considered with the types of stolen information—does not support such a denial. Mandiant even tracked the attacks to a 12-story building near Shanghai, where the hackers had access to advanced fiber-optic networks.
There are about 20 prominent hacker groups thought to be based in China, with many of them believed to report to the People’s Liberation Army (PLA). This includes Comment Crew and Putter Panda, a group active since 2007 and reportedly operating from PLA-controlled buildings. They were instrumental in prompting a long-running US indictment of five individuals in 2014.
3. Hidden Lynx, China

Symantec coined the name 'Hidden Lynx' for this highly active and well-equipped hacker group, which is described in a 2013 report as exceptionally organized and skilled, with a team of about 50–100 members. The group has significant resources at its disposal and demonstrates impressive patience in deploying them. They are known for utilizing, and sometimes even creating, cutting-edge hacking techniques, including their signature strategy of using 'watering holes.' This technique was employed in 2013 to infiltrate Bit9, a cloud-based security firm, in an effort to compromise their clients.
Hidden Lynx isn’t just involved in trivial activities like stealing gaming credentials, targeting peer-to-peer users, or committing identity theft (although they do engage in all of that). Their primary targets are some of the most secure entities in the world, including defense contractors, high-profile corporations, and governments of major nations. Their attacks have been concentrated in regions like the US, China, Taiwan, and South Korea. They epitomize the kind of mercenary hacker group often depicted in Hollywood films.
While the group’s operations appear to be primarily based in China, it remains unclear whether Hidden Lynx is a state-backed entity or operates as an independent, highly capable mercenary group. Their advanced techniques and infrastructure—along with the fact that their command and control servers all trace back to China—strongly suggest that the group is not operating in isolation or without some form of support.
2. Bureau 121, Pyongyang, North Korea

By now, most people are aware of the hack on Sony Pictures by a group calling themselves the 'Guardians of Peace' (GOP). The group claimed to be protesting The Interview, an upcoming film that depicted the fictional assassination of North Korea's leader, Kim Jong-un. GOP even issued threats of terrorist attacks similar to 9/11 against Sony facilities and theaters if the film were released, along with targeting the actors and executives involved. In a statement, the GOP wrote: “Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY.”
The alleged North Korean connection has sparked accusations that the country itself may be responsible for at least some of the attacks, drawing attention to Bureau 121. Bureau 121 is a group of North Korean hackers and cyber specialists working for the country's General Bureau of Reconnaissance, its military intelligence agency. This group is known for carrying out state-sponsored cyber attacks and sabotage on behalf of the North Korean government, particularly against South Korea and nations like the US. In 2013, Bureau 121 was blamed for an attack on 30,000 PCs in South Korean banks and media organizations. Some sources claim the group includes about 1,800 members who are treated as elite operatives, receiving generous salaries and the privilege of bringing their families to live in Pyongyang. Defector Jang Se-yul, who studied with Bureau 121 at North Korea’s military computer science college, stated that the group has international divisions embedded in legitimate businesses.
But is North Korea's government truly behind these attacks? A spokesperson for the country declined to provide any clear answers, simply stating: “The hostile forces are relating everything to the DPRK (North Korea). I kindly advise you to just wait and see.” Meanwhile, the White House told CNN that they “have found linkage to the North Korean government,” and were “considering a range of options in weighing a potential response.” Regardless of the truth, Sony eventually gave in to the threats. After multiple theaters withdrew the film from its planned Christmas release, Sony pulled the film indefinitely—an action that raised concerns about the impact on freedom of speech, especially in a world where cyber threats can force companies into submission. Note: Since the time of writing, Sony has released the movie in a limited capacity.
1. Axiom, China

A collaboration of security organizations, including Bit9, Microsoft, Symantec, ThreatConnect, Volexity, and others, has identified a highly dangerous group named 'Axiom.' This group is known for its expertise in corporate espionage and the targeting of political dissidents, with suspicions that it was behind the 2010 cyber attack on Google. Though Axiom is believed to operate out of China, its exact location remains unclear. According to a report from the coalition, Axiom’s activities appear to coincide with the responsibilities attributed to Chinese government intelligence agencies, a conclusion also supported by an FBI alert distributed to Infragard.
The report further suggests that Axiom could be a faction of a larger, unnamed entity that has been active for over six years, primarily focusing on private industries with significant economic influence. Their tactics range from basic malware attacks to highly advanced hacking techniques, some of which take years to fully materialize. In addition to targeting private enterprises, Western governments, pro-democracy groups, and dissidents both within and outside of China have also been affected. In response, Chinese Embassy spokesman Geng Shuang stated that “judging from past experience, these kinds of reports or allegations are usually fictitious,” and that the government in Beijing “has done whatever it can to combat such activities.”
