The 10 most dangerous cyber threat actors

These are the most notorious global cybercriminal and state-sponsored groups according to security researchers.

1 2 Page 2
Page 2 of 2

Fancy Bear is best known for breaking into the Democratic National Committee and Hillary Clinton's campaign in 2016, allegedly influencing the outcome of the presidential elections. It is believed that Fancy Bear was behind the Guccifer 2.0 persona. Another Russian-speaking Group, the Cozy Bear, was also inside the Democratic Party's computer networks, independently stealing passwords, according to CrowdStrike. Yet, apparently, the two bears were not aware of each other.

Fancy Bear targets its victims mostly through spear-phishing messages typically sent on Mondays and Fridays. On several occasions, it registered domains that looked similar to legitimate ones, building up fake websites to harvest credentials.

LuckyMouse (a.k.a. Emissary Panda, Iron Tiger, APT27)

This Chinese-speaking actor has been active for more than a decade, targeting foreign embassies and organizations across different industries including aerospace, defense, technology, energy, healthcare, education, and government. It has conducted operations in North and South America, Europe, Asia, and the Middle East.

The group has high skills in penetration testing, usually using publicly available tools such as the Metasploit framework, Kaspersky’s Jungheit says. "In addition to spear-phishing as a delivery method, the actor also uses SWC (strategic web compromise) in their operations to target a set of victims with notable success," he adds.

Researchers at Trend Micro noticed that the group can update and modify its tools quickly, making it difficult for researchers to detect them.

REvil (a.k.a. Sodinokibi, Pinchy Spider—related to GandCrab)

The REvil gang, which takes its name from the Resident Evil movie and video game series, runs some of the most prolific ransomware-as-a-service (RaaS) operations and is based in the Russian-speaking world. The group was first seen in April 2019, soon after the shutdown of the notorious GandCrab, and its business seems to be blooming since. Among its victims are Acer, Honda, Travelex, and the makers of Jack Daniels whiskey, Brown-Forman.

"REvil operators have demanded the highest ransoms of 2021," says Jungheit. "For distributing ransomware, REvil cooperates with affiliates who are hired on cybercriminal forums. Affiliates earn between 60% to 75% of the ransom."

Developers regularly update the REvil ransomware to avoid detection of ongoing attacks. "The group informs about all major updates and new available positions in the partner program in their threads on cybercriminal forums," Jungheit says.

REvil differs from other groups because of how business-focused its developers are, Kujawa of Malwarebytes Labs says. "One of the members of this group gave an interview last year, describing that they have brought in $100 million in ransom payments and threats to release data, and they plan on expanding their extortion capabilities in the future by using DDoS attacks," he says.

Wizard Spider

The Russian-speaking Wizard Spider group was first spotted in 2016, but it has become increasingly sophisticated in recent years, building several tools used for cybercrime. At first, Wizard Spider was known for its commodity banking malware TrickBot, but it later expanded its toolset to include Ryuk, Conti, and BazarLoader. The gang continuously fine-tunes its arsenal to make it more lucrative.

"Wizard Spider's corpus of malware is not openly advertised on criminal forums indicating that they likely only sell access to, or work alongside, trusted criminal groups," says Meyers of CrowdStrike Intelligence. The group has run different types of operations, including some very specific ones, having a propensity for the very targeted, high-return ransomware campaigns known as "big game hunting."

Wizard Spider calculates the ransom it requests based on the value of its targets, and no industry seems off-limits. During the COVID-19 crisis, it attacked dozens of healthcare organizations in the US with Ryuk and Conti. Hospitals from different parts of the world have also been affected.

BONUS: Winnti (a.k.a. Barium, Double Dragon, Wicked Panda, APT41, Lead, Bronze Atlas)

Winnti is probably a set of linked Chinese-based subgroups that have performed both cybercriminal activities and state-sponsored attacks. Its cyberespionage campaigns have targeted healthcare and technology companies, often stealing intellectual property. Meanwhile, its financially motivated cybercrime arm attacked the video game industry, manipulated virtual currency, and attempted to deploy ransomware.

"The difficulty in defining this group mostly stems from overlaps we see between campaigns attributed to Winnti and other Chinese-speaking APT groups, for example, a set of tools and malware shared between multiple Chinese-speaking actors," Jungheit says.

Winnti has been observed using dozens of different code families and tools, and it often relies on spear-phishing emails to penetrate an organization. "In a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits," according to Mandiant Threat Intelligence. "APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems."

Copyright © 2021 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)