“The mayor of Goma notes that, despite the ban on trucks transporting sand imported from Rwanda , these trucks continue to unload into third-party enclosures and construction sites deep in the different districts of the city” (press release)
With countless covert cyber espionage and sabotage attacks launched to steal sensitive data and cripple an opponent’s infrastructure and defense systems, state-sponsored hacking operations are now regarded as the biggest threat to government institutions and organizations alike.
Attacks by state-sponsored actors are not made exclusively against servers in dusty government offices, nuclear facilities, and military bases, however. Dissidents, political opponents, and nonprofits, as well as private companies that include public institutions as their clients, are just as likely to be targeted by state-backed hacker groups.
These are some of most dangerous groups that have been a major headache for both policymakers and security researchers.
State-sponsored hacker groups are generally referred to as advanced persistent threats (APTs) by security researchers. Some companies simply assign them a number. Others have different naming conventions, referring to groups backed by different states as different animals, e.g. Iran’s calling card is a kitten.
As a consequence, one threat actor group can go by several nicknames: for example, FireEye calls Cozy Bear ‘APT29’, while other companies refer to the group as Cozy Bear, CozyDuke, or The Dukes.
So, with that in mind, let’s take a look at the world's most dangerous bears, dragons, and kittens.
Cozy Bear (APT29)
Lazarus Group (APT38)
Double Dragon (APT41)
Fancy Bear (APT28)
Helix Kitten (APT34)
Cozy Bear (APT29)
Allegiance: Russia
Active since: 2008
Best known for: 2015 attack on the Pentagon, FireEye hack (allegedly), SolarWinds hack (allegedly), COVID-19 vaccine data theft
Cozy Bear (not to be confused with Fancy Bear, Venomous Bear, or Voodoo Bear) is a name that is widely known among both security experts and the media.
What makes Cozy Bear special? Well, allegedly playing a key part in Russian attempts to influence the 2016 US presidential elections, for one. From its suspected inception back in 2008, the group has targeted many organizations, including governments, think tanks, telcos, energy companies, even cybersecurity firms, in patterns that likely point towards methods of operation mainly employed by state security services. After all, Cozy Bear is one of two state-sponsored hacker groups that researchers have long since believed is linked to GRU, Russia’s premier military intelligence service.
In fact, if expert suspicions are correct, Cozy Bear might prove the most dangerous state-sponsored hacker group to wreak havoc on companies and government institutions in 2020.
The group's second (alleged) massive hit last year was FireEye - a leading security company that counts multiple US federal agencies and the better part of the Forbes Global 2000 list among its clients.
In December 2020, the security firm confessed that it had been hacked by undisclosed assailants, with its proprietary adversary simulation toolkit stolen. Officially, FireEye is still mum about who is to blame for the intrusion. However, sources say it was a Russia-backed hacker outfit. Namely, Cozy Bear. The impact of the FireEye hack is difficult to understate, showing that state-sponsored attackers, given enough time and resources, can breach any organization, even those previously thought unassailable.
But as with most of 2020’s nasty surprises, that wasn’t the end of it.
Shortly after the FireEye hack, news hit that the Texas-based IT giant SolarWinds was the subject of a cyberattack. It appears that the attackers broke into SolarWinds’ systems and injected malicious code into an update for the company's software system "Orion," which spread to more than half of Solarwinds’ 33,000 clients, including Fortune 500 companies and multiple US government departments (Department of Treasury, Commerce, and Homeland Security among them).
What’s even worse, the breach went undetected for months, and the attackers could have exfiltrated data in the highest echelons of the US government, including the US military and the White House.
According to the Washington Post, Cozy Bear was identified as the hacker group responsible for the attack. Its impact even prompted the US Cybersecurity and Infrastructure Security (CISA) agency to issue an emergency directive about the breach.
So, is Cozy Bear the most dangerous state-sponsored hacker group of all time? Maybe. Was it the scariest in 2020? Definitely.
Lazarus Group (APT38)
Allegiance: North Korea
Active since: 2010
Best known for: Operation Troy, WannaCry attack, COVID-19 vaccine data theft
Lazarus, also known as Zinc, Hidden Cobra, and North Korea’s sole profitable enterprise, is a notorious hacker group backed by the Pyongyang regime. North Korea has been investing significant resources in its cyberwarfare capabilities, and it shows. Lazarus Group has been linked to some of the most high-profile cyberattacks in recent years, including the infamous WannaCry ransomware attack in 2017 that infected more than 300,000 devices across the planet, making untold amounts of money in ransoms for the rogue state regime.
Since the unit’s inception in 2010, Lazarus’ cyberattacks have become increasingly sophisticated and destructive, mostly targeting financial institutions such as banks and fintech companies.
According to security experts, the state-sponsored group is being run akin to an espionage operation, carefully infiltrating targets over time, learning the ins and outs of the systems they compromise, and striking from the shadows when the victims least expect it.
The group’s latest large-scale raid involved attacks on a pharmaceutical company and a government health ministry in an attempt to steal COVID-19 vaccine data. Experts at Kaspersky suspect that the hackers stole the data from the pharmaceutical firm by deploying the Bookcode malware in a supply-chain attack via another company, while the ministry’s servers were compromised by installing wAgent, a sophisticated fileless malware program that fetches additional malicious payloads from a remote server.
This level of sophistication leads experts to believe that the North Korean hacking group will continue to evolve and pose even more danger in 2021 and beyond.
Double Dragon (APT41)
Allegiance: China
Active since: 2012
Best known for: Massive global hacking campaign in 2020
Double Dragon, aka Cicada, is a Chinese state-sponsored espionage group by day that’s also known to dabble in financially motivated cybercrime for personal gain by night. The group’s activities have been traced back to 2012 and have included espionage operations against 14 different countries, including the US and the UK.
Since its first sightings by security experts, Double Dragon has been observed conducting a wide range of operations. These include supply-chain attacks and data exfiltration, as well as the use of complex proprietary tools.
The group’s highly sophisticated targeting techniques and particularly offensive methods of operation distinguish them from other state-sponsored groups, making them a double (dragon) threat to contend with.
Apart from directly attacking government institutions, Double Dragon is also targeting private companies in the travel and telecommunications industries in order to access data they can use for surveillance operations.
For example, the group will steal reservation information, call data recordings and text messages to track high-ranking foreign government officials, as well as dissidents closer to home.
However, espionage is not the group’s only forte: it’s not called Single Dragon for a reason.
According to FireEye, Double Dragon “also conducts explicit financially motivated activity, which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests." In other words, the group uses top-notch espionage tools to steal money for themselves “outside of their normal day jobs.”
In 2020, Double Dragon was one of the most prolific hacker groups, attempting to exploit vulnerabilities in hardware, as well as continuing to target government institutions in multiple countries and companies across dozens of industries.
However, it seems that the group’s ‘quantity over quality’ approach could be its downfall.
APT 41 members picture in an FBI wanted poster
In September 2020, the US identified and charged 5 members of the group in a case that was part of a larger US crackdown against Chinese cyber-espionage efforts.
Did this operation hurt the state-sponsored group? Definitely. Will this spell the end of Double Dragon? Probably not.
Fancy Bear (APT28)
Allegiance: Russia
Active since: 2005
Best known for: 2016 DNC and Podesta leaks, attacks on anti-doping agencies in 2019
Fancy Bear (not to be confused with Cozy Bear, Venomous Bear, or Voodoo Bear) gained notoriety following reports of the group’s involvement in the Great DNC Hack of 2016, as well as a series of cyberattacks on Emmanuel Macron's campaign websites in the run-up to the 2017 French Presidential elections. Ever since, the cybersecurity community has been observing the group’s attacks far beyond the US and Western Europe.
Fancy Bear has a long history of committing sophisticated phishing attacks against high-value targets in the news media, dissident movements, the defence industry, and foreign political parties.
Their usual MO involves using email domains to trick their would-be victims into believing that the elaborate phishing emails produced by the group are coming from legitimate sources.
For example, when trying to hack Macron’s presidential campaign, the group used email domains that looked almost identical to that of his party’s official website, en-marche.fr. Fancy Bear used these domains to launch phishing campaigns similar to those that tricked senior officials in the US Democratic Party into giving away their email account credentials to the hackers.
The group’s extensive operations against victims in the political and defense sectors seem to mirror the strategic interests of the Russian government, which strongly points to an affiliation with the country’s military intelligence service, GRU.
According to CrowdStrike, Fancy Bear “has dedicated considerable time to developing their primary implant known as XAgent, and to leverage proprietary tools and droppers such as X-Tunnel, WinIDS, Foozer and DownRange.” And judging from the results, it seems that their implant has been rather effective.
In 2020, the group has allegedly conducted dozens of cyberattacks against multiple US federal agencies. While seemingly less successful than their counterparts from Cozy Bear, Fancy Bear remains a constant thorn in the backside for many cybersecurity firms and government institutions across the world.
Helix Kitten (APT34)
Allegiance: Iran
Active since: 2007
Best known for: The 2013 New York Dam hack, attacks on the Australian Parliament House in 2019
Contrary to the other countries in this list, Iran seems to be increasingly utilizing contract hackers to conduct the regime’s offensive operations. Such ‘freelancers’ can hail from different countries and backgrounds, and may or may not be ‘true believers’ of the regime they’re working for.
Helix Kitten (also known as OilRig and APT34), however, is suspected to be one of the few groups of dedicated local operators working on behalf of the Iranian government.
Security experts believe that the group conducts most of its operations in the Middle East, targeting financial, energy, chemical, telecom, and other industries, as well as government institutions in countries seen by Iran as competitors to its regional dominance, such as Saudi Arabia and the UAE.
The use of communications infrastructure in Iran, as well as the “timing and alignment with the national interests” of the Iranian regime also lead experts to assess that Helix Kitten is not a bunch of freelancers from all over the world.
However, just like Double Dragon, the group also seems to be running projects ‘on the side’ by launching independent cybercrime campaigns by using attack toolkits provided by their employer.
In April 2019, Helix Kitten was dealt a major blow after a series of leaks on Telegram that exposed the names, tools, and activities of the hacker group. In the leak, ten individuals from Helix Kitten were publicly named, with three employed by Iran’s Ministry of Intelligence, and the others working at the Iranian cybersecurity company Rahacrop. This was seen as a coup de grĂ¢ce to the notorious group, with its activities seemingly ceasing for the remainder of the year.
However, the rumors of Helix Kitten’s death appear to have been exaggerated, as the group seemed to continue its attacks well into 2020, wreaking havoc across the Middle East and South Asia.
Let us all team up to fight terrorism.
Ethiopia is trying to resolve the conflict by reaching out to the two warring parties to engage in peaceful dialogue. Sudan's war impacted the Horn of Africa.
.png)
In 2016, the U.S. declared him a specially designated global terrorist, saying that he posed a significant risk of committing acts of terrorism that threaten the security of U.S. nationals or the national security, foreign policy, or economy of the U.S
Several sources claim that the Congolese journalist, Magloire Paluku may have joined the M23 rebellion. This information is also confirmed by the movement of M23 : "He is here with us, like many other Congolese who are joining us", declared Willy NGOMA , military spokesperson of M23 . Shortly before, the journalist was advisor to the National Minister of Culture and Arts, Furaha Katungu of the UNC.
CLICK ON THE LINK BELOW TO READ OUR EARLIER INTELLIGENCE STORY BELOW,MANY MAY HAVE JOINED M23
M23 dedicated the whole of June for the search of key figures in support of their rebellion
The beneficiaries were thankful for the support of ATMIS KDF troops. The medicamp forms part of ATMIS’ Civil-Military Cooperation (CIMIC) Initiatives to strengthen relations between the military and local communities.
Photo late Major Opio(RIP)
In a
statement released on Monday, ATMIS said, "a joint ATMIS-UPDF and SNAF,
logistics convoy was hit by a command wire, Improvised Explosive Device (IED)
on Sunday along the Mogadishu-Buffow-Barawe route."
"The attack
claimed two lives and injured personnel from both ATMIS and SNAF. All
casualties have been evacuated to medical facilities."
ATMIS offered a
heartfelt condolences to the families of the deceased and prayed for a quick
recovery to the injured.
"The incident
strengthens our resolve to support peace and security efforts in Somalia,"
ATMIS stated.
The deceased include
Maj Opio Awany, ;brother of the ruling National Resistance Movement (NRM)
Secretary General, Richard Todwong.
Captain Ibrahim
Ssekito, the UPDF Battle Group Information Officer, confirmed Maj. Patrick Opio
Awany's death and said three UPDF soldiers were injured in the attack which
occurred at 1:00pm on Sunday, July 7, 2024 between Buulo Nagad and Ceel
Wareego, Lower Shabelle in Somalia.
“He was a convoy
commander. Al-Shabaab laid an Improvised Explosive Device (IED) against his
convoy which hit his vehicle and killed him,” Capt. Ssekito said.”
He said the ill-fated
convoy was carrying logistics and that Maj. Awany who was part of the Motorised
Infantry Brigade of the UPDF, died on the spot.
On Monday, Todwong who
is currently attending a public Service Leaders' introspection retreat for
Ministers, Permanent Secretaries, and NRM top leadership, at the National
Leadership Institute (NALI) in Kyankwanzi, took to X-platform to mourn his
brother.
“I celebrate my
brother, Maj. Opio Patrick Awany. Your dedication to protecting our country was
your code and you approached your duty with unmatched passion. You bravely
faced countless battles in the Central African Republic, Eastern Democratic
Republic of Congo (DRC) and Somalia,” Todwong said.
He revealed his
brother’s life, “was tragically cut short on Sunday morning as you served our
continent Africa. May your legacy endure to inspire more heroes. We will
forever hold you in our hearts, Patrick. You were a true patriot.”
This attack comes in the wake of a directive by the ATMIS that the troop contributing countries engage in a drawdown that will see the numbers of soldiers deployed to back up Somali National Force reduced and some operations handed back to Federal Government of Somalia Forces.
LET US ALL TEAM UP TO FIGHT TERRORISM
