While widely known advanced persistent threat (APT) groups emanating from Russia and China grab most of the spotlight, an array of other nation-state and adjacent threat actors are increasingly launching cyberattacks around the globe. At this year’s Cyberwarcon conference, nearly 20 of the world’s top cybersecurity researchers presented their thoughts on these less visible and complex groups, outlining their latest strategies and developments.

Iran’s APT33 gaining strength, global reach

Iran is rapidly emerging as one of the most destructive nation-state cyberwarfare actors, and APT33 is one of the country’s most malicious threat groups. APT33 has targeted aerospace, defense, and energy organizations. For the most part, the group is regionally focused, targeting Saudi-owned and -operated entities, according to Saher Naumaan, a threat intelligence analyst at BAE Systems Applied Intelligence.

APT33, also called Refined Kitten, Magnallium, Holmium and Alibaba, has been around since 2014 and is best known for its data-wiping malware called Shamoon, which erased at least 30,000 computers belonging to Saudi Aramco in 2012. Since then, APT33 has been implicated in campaigns against industrial players in the Middle East and Europe.

However, in 2019, APT33 conducted a campaign that was “pretty narrow in scope and pretty targeted in a kind of a purpose-built set of domains and IP that they were using specifically for US political targets,” Naumaan said.

One of the most interesting aspects of APT33 is its timeline correlation with geopolitical events taking place in the Gulf of Oman, according to Naumaan.
In May and June of 2019, in the aftermath of oil tankers targeted with explosive attacks in the Gulf, APT33 launched a series of spear-phishing campaigns to dovetail with those assaults.

Another aspect of APT33 is its rising level of power, given a series of reforms in the Iranian intelligence and security apparatus following the implementation of a maximum-pressure campaign by the US against Iran. The reorganization saw the Iranian Revolutionary Guard Corps elevated in rank and prestige, with more hawkish officials put into place.

With these changes, APT33 could get bolder, backed by new authority, power and resources, Naumaan suggested. Another dynamic worth watching in terms of APT33 over the coming months is a possible shift in Chinese investment and possible Russian cooperation.

Ned Moran, principal program manager at the Microsoft Threat Intelligence Center, shared some of the insights his company has gained into APT33 from its telemetry. One key takeaway is the group’s fondness for password spray attacks, which try a few commonly used passwords against many user account names to break into online accounts.

Another critical observation about APT33 is that “a lot of people take them as a sloppy group. They’re loud or noisy. Their spear phishes are relatively easy to attack,” Moran said. In studying their telemetry, “they are operationally very sophisticated, and they pay careful attention to opsec. They might not care that their phishes get detected,” he said. “What they care about is the ability to forensically link them back to Iran.”

Saudis hack to surveil and use bots for social media influence

Nathan Patin, an independent researcher and private investigator at Bellingcat, offered details on Saudi Arabia’s Saud al-Qahtani, once a high-level adviser to the crown prince of Saudi Arabia, Mohammed bin Salman (MBS).
He is also considered the mastermind behind the murder and dismemberment of Saudi Arabian journalist Jamal Khashoggi. Al-Qahtani ran social media and surveillance operations for the Royal Court and was nicknamed “Lord of the Flies” for his extensive use of bots, also called “flies,” in trying to control the narrative on Twitter, particularly Arabic-speaking Twitter.

Patin tracked the activity of al-Qahtani online, starting with email addresses from a Motherboard report on how al-Qahtani tried to buy surveillance tools from controversial spyware vendor Hacking Team. What he discovered was years’ worth of posts on the popular hacking site Hack Forums that revealed al-Qahtani’s intrusion and spying methods. On Hack Forums, al-Qahtani sought help from hackers on a wide array of subjects, including installing Trojans. He admitted to using at least 24 different remote access tools (RATs), of which his favorite was one called Hack Shades.

At one point, al-Qahtani partnered with a Hack Forums user called “Lassie” in perfecting a surveillance solution to record all voices in a room. At another point, he tried to hire a hacker to manage his botnet for $500 per month. He also ran a massive social media influence operation, purchasing 525 accounts on YouTube and hiring hundreds of young men in and around Riyadh to staff his troll farms.

At another point, al-Qahtani sought to freeze or ban specific Twitter accounts, only to be informed on Hack Forums that he could do so only if he gained access to internal Twitter operations. It’s no surprise, then, that just last month the US Department of Justice brought criminal charges against a Saudi mole who worked inside Twitter but has since returned to Saudi Arabia.

Despite his high-level role in the Royal Court, al-Qahtani had terrible operational security.
On at least three separate occasions, he posted on Hack Forums, by his own admission, when he was drunk, a startling confession in a country where alcohol is officially banned and heavily frowned upon by Saudi rulers. All but three of the domains that al-Qahtani personally registered since 2009 contained personally identifiable information, including his full name, email address and phone number.

A Saudi dissident tweeted in August 2019 that al-Qahtani was dead, having been poisoned by the Saudi regime. This assertion hasn’t been confirmed and seems suspect given other indications that al-Qahtani is alive and still working for the royal family.

Russia’s Wagner Group focuses on physical disruption

One of Russia’s most curious new information operation threat groups is a collection of entities affiliated with E. Prigozhin, including the Wagner Group, a paramilitary organization previously focused mostly on physical, kinetic operations, according to Renée DiResta, technical research manager at the Stanford Internet Observatory. Researchers do not yet know to what extent this group cooperates or competes with other Russian operations such as the GRU or its influence and propaganda arm, the Internet Research Agency.

North Korean APT groups have military and commercial objectives

Another major powerhouse in the global APT arena is North Korea, which has a series of unique groups conducting cyber operations that blend the country’s previous models of attacks and targets, CrowdStrike senior analyst Katie Blankenship said. These groups are called Silent Chollima, Velvet Chollima, Ricochet Chollima, Stardust Chollima and Lab Chollima.

In 2015 all the Chollima groups started to advance their capabilities. Around 2017 they began to shift gears as North Korean leader Kim Jong Un changed his country’s intelligence policy focus from strictly military to a blend of military and economic objectives.
Although most of the targets were still in North Korea’s favorite target area, South Korea, the groups began to expand their focus and efforts around the globe, branching out from their previous sole focus on espionage to conducting criminal and destruction campaigns.

North Korea is a well-known player in the financial crimes business, having been linked to a number of large-scale digital bank heists and cryptocurrency thefts. Blankenship said that the Chollima groups have “really started to become a new avenue” for currency thefts. They have started to become what Kim Jong Un himself has called an “all-purpose sword” to support North Korea’s goals.

“What we found under the criminal mission has not only been those large-scale currency theft operations aimed at likely supporting the state, but we're also starting to see lower scale currency-backed operations within each of the groups themselves. It's possible that these are aimed at supporting the state but are also actually a mechanism for a self-funding” to keep the individual groups operational, she said.
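The password spray technique that Moran attributes to APT33 in the Iran section above is worth seeing from the detection side. The Python script below is an added example; it is not from the article, from Microsoft or from any Cyberwarcon speaker, and its log format, field names, sample lines and thresholds are all constructed assumptions. It flags a source address that fails against many distinct accounts only once or twice each, which is the pattern that separates a spray from a brute force against a single account, and it reports any account the same source later logged into successfully.

```python
"""Toy password-spray detector over constructed authentication log lines.

Added example, not from the article or from Microsoft. The log format,
field names and thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Assumed format:
# "<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# 203.0.113.7  : five accounts, one failure each, then a success -> spray
# 198.51.100.9 : six failures against one account -> brute force, not a spray
# 192.0.2.44   : one typo followed by a success -> benign
SAMPLE_LOG = """\
2019-06-01T09:00:01Z 203.0.113.7 alice LOGIN_FAIL
2019-06-01T09:00:03Z 203.0.113.7 bob LOGIN_FAIL
2019-06-01T09:00:05Z 203.0.113.7 carol LOGIN_FAIL
2019-06-01T09:00:07Z 203.0.113.7 dave LOGIN_FAIL
2019-06-01T09:00:09Z 203.0.113.7 erin LOGIN_FAIL
2019-06-01T09:00:11Z 203.0.113.7 frank LOGIN_OK
2019-06-01T09:01:00Z 198.51.100.9 alice LOGIN_FAIL
2019-06-01T09:01:02Z 198.51.100.9 alice LOGIN_FAIL
2019-06-01T09:01:04Z 198.51.100.9 alice LOGIN_FAIL
2019-06-01T09:01:06Z 198.51.100.9 alice LOGIN_FAIL
2019-06-01T09:01:08Z 198.51.100.9 alice LOGIN_FAIL
2019-06-01T09:01:10Z 198.51.100.9 alice LOGIN_FAIL
2019-06-01T09:30:00Z 192.0.2.44 bob LOGIN_FAIL
2019-06-01T09:30:30Z 192.0.2.44 bob LOGIN_OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that, inside `window`, fail against at least `min_users`
    distinct accounts with at most `max_per_user` failures per account.

    The low per-account failure count is the spray signature: it stays under
    typical per-account lockout thresholds, so detection has to key on the
    source rather than on the account.
    """
    fails_by_ip = defaultdict(list)
    ok_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        (fails_by_ip if outcome == "LOGIN_FAIL" else ok_by_ip)[ip].append((ts, user))

    alerts = []
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start so all failures in view fit in `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                window_end = fails[end][0]
                alerts.append({
                    "source_ip": ip,
                    "accounts": sorted(per_user),
                    "window_start": fails[start][0],
                    "window_end": window_end,
                    # accounts this source logged into after the spray window
                    "later_success": sorted({u for t, u in ok_by_ip[ip] if t >= window_end}),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

With the sample lines the detector raises one alert, for 203.0.113.7, and lists frank as the account that source reached after the spray; the brute-force source and the benign typo are left alone. In a real environment the same logic runs over the identity provider's sign-in log, keyed on source address or autonomous system, with thresholds tuned to the tenant's normal failure rate, and a hit on `later_success` is the line that should go to the top of the queue.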