Advanced Persistent Threat actors are always advancing their methods, and we will always need to improve our defenses to keep up. The line of thinking of “I don’t need to worry about security, why would anyone want to hack me?” makes as much sense as thinking “I don’t need to wear a seat belt because I am a good driver.” This article series will go through some of the more commonly known threat actors, what they have done, their techniques, and their possible motivations.
What is a Threat Actor?
Cyber threat actors have different motivations. Some of these threat actors are hacktivist groups, some may be nation-state sponsored cyber espionage groups, some are cybercrime groups, and some are simply individuals with their own personal agenda. Motivations may depend on the actor, and we never truly understand what the goals of specific threat actors are.
Hacktivist organizations are crowd-funded cyber terrorist groups that present themselves as quasi-military and solicit cryptocurrency donations through social media channels. They are politically motivated and use techniques such as Distributed Denial of Service (DDoS) to render the websites of their targets unusable.
Cybercriminal organizations are run like small companies. They advertise their services, recruit members, and use small teams to bring in moderate revenues. Small cybercrime groups typically have 1-5 members and bring in less than $500k in revenue. Larger cybercrime organizations have more than 50 members, multiple management layers, and revenues of more than $50M. As most cybercriminal organizations are financially motivated, they take part in things like ransomware, cryptocurrency theft, and selling stolen data.
If you’ve ever said to yourself, “I don’t need that much security, why would anyone want to hack me?” you may be the prime target for Advanced Persistent Threat (APT) groups. These groups have significant skills, capabilities, and resources, and they have been known to attack small home routers to use as part of their infrastructure for masking their actions and location. APT groups are nation-state threat actors who perform cyber espionage or sabotage operations. They also enlist the help of non-state actors like hacktivist or ransomware groups to help mask their true identities and act as a force multiplier. The typical APT group has very specific targets and is motivated by access to information. Their attacks are long-term, maintaining access to targeted systems for at least 6 months and up to many years.
Different organizations use different naming conventions to identify the threat actors. Most threat actors are resilient and are able to recover from law enforcement disruptions or indictments.
Sources
- “Threat Trend Report on APT Groups.” AhnLab Security Emergency Response Center, Aug. 08, 2023. [Online]. Available: https://asec.ahnlab.com/wp-content/uploads/2023/09/ATIP_2023_Jul_Threat-Trend-Report-on-APT-Groups.pdf
- R. Mathenge, “The 41 Hacking Statistics and Facts You Should Know in 2024,” The 41 Hacking Statistics and Facts You Should Know in 2024. [Online]. Available: https://privacysavvy.com/security/safe-browsing/hacking-statistics/
- “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology,” IC3, AA22-047A, Feb. 2022. [Online]. Available: https://www.ic3.gov/CSA/2022/220217.pdf
- “VPS Exploitation by Threat Actors.” CYFIRMA, Dec. 30, 2022. [Online]. Available: https://www.cyfirma.com/research/vps-exploitation-by-threat-actors/
- “The largest-ever crypto hack: everything we know so far,” Cybernews, Mar. 20, 2025. [Online]. Available: https://cybernews.com/cybercrime/bybit-hack-lazarus-group/
- “Microsoft Threat Intel Podcast.”
Common TTPs
TTP stands for Tactics, Techniques, and Procedures. Most of the techniques used by threat actors boil down to two categories: getting the access or data that they want, and not getting caught. All of the techniques and procedures of the threat actors can loosely be associated with one of these categories. For an extensive listing and categorization, visit the MITRE ATT&CK framework Enterprise Matrix.
Not Getting Caught
Most threat actors host only the minimum data necessary to reach the victim on public servers and keep sensitive information locally so that they can physically destroy the evidence if needed, and they use Virtual Private Servers (VPS) to mask their locations and reach their victims. Threat actors also use the Tor network to provide anonymity for their operations, or DNS proxy registration on their website domains to hide their true identity.
VPS servers are used as a proxy to obscure the true location of a threat actor. Nation-state APT groups use foreign hosting companies that are friendly to them to provide the proxy infrastructure for their operations. These proxies act as hop-points that connect cybercriminal infrastructure to its targets. VPS servers are used to host criminal infrastructure, including phishing pages and botnet control panels. They also help the attackers mask their IP address and allow them to obtain a “clean,” trustworthy IP address from anywhere in the world. Legitimate hosting providers and their free trials are often abused to host malicious content. VPS can also host proxies and VPN gateways to mask the location of Command and Control (C2) servers. Most threat actors use VPS servers for an extended period of time, as long as they believe that they are not being tracked.
One way threat actors maintain persistence is to use built-in tools and services to perform malicious actions rather than installing custom malware on a victim machine. This is known as a “Living off the Land” (LOTL) technique. Persistent attacks using these techniques are much more difficult to perform than snatch-and-grab ransomware attacks or simple data theft. By using native tools, the malware can bypass traditional security measures. These fileless methods execute code directly in memory and keep the malware from leaving a detectable footprint on disk. Hence, fileless malware bypasses traditional antivirus software that looks for indicators of compromise residing on the system disk. PowerShell scripts or Windows Management Instrumentation (WMI) are used to execute the code directly in memory. Fileless malware is used to steal sensitive data, install backdoors, or carry out other malicious activities. Advanced malware also checks for indicators of virtualization; these suggest that the malware is likely running on a virtual machine used by security researchers, and they typically cause the malware to delete itself.
Registry-resident malware installs itself in the Windows registry to remain persistent. One of the many possible techniques is to add a Cobalt Strike beacon executable to a Run registry key for persistence. After infection, the initial dropper program uses PowerShell commands to write the malware directly into the Windows registry and uses registry Run keys to re-install it even after a system reboot. The threat actors that use this technique achieve persistence by adding a program to the Startup folder or referencing it with a registry Run key. When a program is added to the Startup folder or a Run key, it is executed when the user logs in, so any such program runs in the context of that user. This persistence method allows the attacker to escalate privileges and run other commands.
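As an added example (not code from the original article), the following Python script audits a list of autorun entries of the kind an analyst would export from the Run keys and Startup folders described above, flagging entries that launch PowerShell with hidden or encoded-command flags, execute from user-writable paths, or use a living-off-the-land binary to load an external payload. The sample entries, paths, encoded blob and heuristics are constructed assumptions, not real indicators.

```python
import re

# Constructed sample of autorun entries, shaped like what an analyst would export
# from the Run keys and Startup folders (e.g. with reg export or Get-ItemProperty).
# Names, paths and the encoded blob are made up for this example.
SAMPLE_AUTORUNS = [
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater",
     "command": r"powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"location": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "name": "svchost.lnk",
     "command": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Loader",
     "command": r"rundll32.exe C:\ProgramData\update.dll,Start"},
]

# Heuristics for the persistence patterns discussed in the text: a dropper that
# re-launches PowerShell from a Run key, and payloads staged in user-writable paths.
ENCODED_OR_HIDDEN_PS = re.compile(
    r"powershell(\.exe)?\b.*?(-enc\w*|-e\s|-w\s+hidden|-nop\b|-ep\s+bypass|\biex\b)", re.I)
USER_WRITABLE_PATH = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
LOLBIN_LOADER = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b", re.I)

def audit_autoruns(entries):
    """Return the entries that match at least one heuristic, with the reasons."""
    findings = []
    for entry in entries:
        cmd = entry["command"]
        reasons = []
        if ENCODED_OR_HIDDEN_PS.search(cmd):
            reasons.append("PowerShell launched with hidden/encoded/bypass flags")
        if USER_WRITABLE_PATH.search(cmd):
            reasons.append("executable or payload lives in a user-writable path")
        if LOLBIN_LOADER.search(cmd):
            reasons.append("living-off-the-land binary used to load a payload")
        if reasons:
            findings.append({"name": entry["name"], "location": entry["location"],
                             "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_AUTORUNS):
        print(f"[!] {f['name']} ({f['location']}): {'; '.join(f['reasons'])}")
```

The two Windows-signed entries pass, while the hidden PowerShell launcher, the Temp-folder binary in the Startup folder and the rundll32 loader are each reported with the reason that triggered.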
ORB networks are a recent development in the threat actor landscape. They are proxy networks built from large numbers of machines that act like a botnet. ORB networks are made up of rented VPS machines and compromised Internet of Things (IoT) devices, including internet routers. This network is used as a constantly evolving mesh network that conceals espionage operations by disguising the traffic between C2 servers and victims. Any vulnerable edge device, such as a small office/home office (SOHO) router, may be exploited through zero-day vulnerabilities and used in these networks. These infrastructure networks are not controlled by a single APT actor, which allows multiple threat actors to conceal their operations within a single ORB network. ORB networks have a short lifespan (individual IPv4 addresses may be in use for as little as 31 days), and some Chinese ORB networks cycle large percentages of their infrastructure on a monthly basis. This makes their operations more difficult to defend against, since you can’t simply focus on blocking specific IP addresses. It also makes it more difficult to link a specific attack through the network to a specific threat actor. Nodes in an ORB network are usually distributed geographically so that they sit close to target machines and blend in with local traffic. ORB networks allow the weaponization phase of the cyber kill chain to be administered by third-party providers rather than by the threat actors themselves. ORB network administrators rely on Autonomous System Number (ASN) providers to reduce exposure and make the network robust enough not to rely on infrastructure in a single nation. State-sponsored threat actors typically use provisioned ORB networks of leased devices, while other threat actors use non-provisioned networks of compromised devices.
Due to the use of ORB networks, we are seeing a defensive cybersecurity shift from tracking specific espionage C2 infrastructure to tracking the network itself as an entity with distinct Tactics, Techniques, and Procedures (TTPs).
Getting the Goods
The core objective of any cybercrime or cyber-espionage operation is to obtain access to some digital information. This data is then stolen, or exfiltrated, from the target system to an attacker-controlled server, network, or computer.
Cybersecurity researchers sometimes upload proof-of-concept exploits to their GitHub pages when a new vulnerability is discovered. Threat actors have scripts that scrape GitHub for Common Vulnerabilities and Exposures (CVEs) based on the name of the repository and use the code to attack vulnerable machines. Even if a CVE has been patched, not every device is updated, so they may still be able to use the exploits for their own purposes. The MITRE organization also maintains an authoritative list of CVEs that is used worldwide to compare cyber threat intelligence.
A Remote Access Trojan (RAT) can gain access to a system through a malicious spearphishing email attachment. RATs are persistent and sit on the system collecting new data as it arrives. When a RAT gains access to a router, it can gather information about the Local Area Network (LAN) behind the router as well as track any network activity passing through the router. This data is then sent back to the C2 server controlled by the threat actor.
Once a malicious actor gains access to a network, they tend to pivot to other parts of the network. Password spraying tools are used to guess the passwords of other user accounts, and services like Remote Desktop Protocol (RDP) are frequently used to access other machines on the network and spread the malware. This type of pivoting is why it is important for everyone to focus on security: one individual may not be of interest to an attacker, but someone in their network or contact list might be.
Persistent malware may be modular and include some type of backdoor shell to a C2 server. A shell is a type of backdoor that gives attackers an invisible portal into the company’s network. Some threat actors install multiple shells on different victim addresses so that they can continue operating if some of them are discovered. Shells can be used for Remote Access Trojans, persistence, and pivoting, and they are frequently used for data exfiltration once the desired information has been located on a target system.
Web shells do not require a high level of technical skill to install or use. A web shell runs with the same permissions and limitations as the web server, so privilege escalation techniques are often used in conjunction with it. Web shells can be disguised as legitimate files, inserted into legitimate files, or appear as random executables. A web shell allows an attacker to perform remote code execution on a compromised web server simply by visiting a web page. Web shells can also be used through a web form or an interactive application without requiring a separate backdoor on the vulnerable server.
Some of the most common data exfiltration techniques are HTTP requests, mail, and FTP transfers. For example, an HTTP GET request blends in very well with the large amount of web traffic leaving a system. Information can be obfuscated and placed in the request, which is sent to a legitimate-looking, threat-actor-controlled website. For large amounts of data, APT groups usually spread the transfer out so as not to raise red flags. Other actors may use only a single protocol to blend in with normal traffic and remain stealthy. Some data exfiltration methods use a basic TCP or UDP tunnel that terminates at cloud-based services like Gmail, Twitter, or Google Docs. Data is typically encrypted before transport and may be sent in randomly timed and sized bursts to blend in with normal network traffic.
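As an added illustration of the GET-based exfiltration described above (not code from the original article), the following Python script sweeps constructed web proxy log lines and flags a client that repeatedly sends long, high-entropy query strings to the same host, which is the trace an obfuscated payload carried inside GET requests leaves behind. The log format, hostnames, addresses and thresholds are all assumptions.

```python
import math
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed web proxy log lines (not a real capture): time src dst method url.
# 10.0.0.5 keeps sending long base64-looking query strings to one host, mixed
# with ordinary browsing from the same client and from another one.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 203.0.113.10 GET http://cdn-updates.example/api/v1?id=Q2xpZW50U2VjcmV0OjQ0ZDEx&s=1
10:00:02 10.0.0.5 198.51.100.20 GET http://news.example/index.html
10:00:47 10.0.0.5 203.0.113.10 GET http://cdn-updates.example/api/v1?id=U1NOOjEyMy00NS02Nzg5Cg&s=2
10:01:33 10.0.0.5 203.0.113.10 GET http://cdn-updates.example/api/v1?id=Y2FyZD00MTExMTExMTExMTE&s=3
10:01:40 10.0.0.7 198.51.100.20 GET http://news.example/sports?page=2
10:02:15 10.0.0.5 203.0.113.10 GET http://cdn-updates.example/api/v1?id=cGFzc3dvcmQ9aHVudGVyMg&s=4
"""

def shannon_entropy(text):
    """Bits per character; encoded or encrypted data scores high, plain words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_exfil_candidates(log_text, min_hits=3, min_query_len=16, min_entropy=3.5):
    """Group GET requests by (client, host) and return the pairs where the client
    sent at least min_hits queries that are both long and high-entropy. The
    thresholds are tuning parameters; calibrate them against your own baseline."""
    stats = defaultdict(lambda: {"requests": 0, "high_entropy": 0, "query_bytes": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the sweep
        _time, src, _dst, method, url = fields
        if method != "GET":
            continue
        parts = urlsplit(url)
        st = stats[(src, parts.hostname)]
        st["requests"] += 1
        query = parts.query
        if len(query) >= min_query_len and shannon_entropy(query) >= min_entropy:
            st["high_entropy"] += 1
            st["query_bytes"] += len(query)
    return [(src, host, st) for (src, host), st in stats.items()
            if st["high_entropy"] >= min_hits]

if __name__ == "__main__":
    for src, host, st in find_exfil_candidates(SAMPLE_LOG):
        print(f"[!] {src} -> {host}: {st['high_entropy']} high-entropy GETs, "
              f"{st['query_bytes']} query bytes across {st['requests']} requests")
```

Only the (10.0.0.5, cdn-updates.example) pair is reported; the news site traffic has short or empty query strings and stays below the thresholds.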
Sources
- “Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications,” US Congress, IF12789, Jan. 2025. [Online]. Available: https://www.congress.gov/crs-product/IF12798
- “China State-Sponsored Cyber Threat: Advisories,” China State-Sponsored Cyber Threat: Advisories. [Online]. Available: https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/china/publications
- “Living off the Land (LOTL),” Oct. 17, 2024. [Online]. Available: https://www.hhs.gov/sites/default/files/living-off-land-attacks-tlpclear.pdf
- P. Eubanks, “De-anonymizing ransomware domains on the dark web,” De-anonymizing ransomware domains on the dark web. [Online]. Available: https://blog.talosintelligence.com/de-anonymizing-ransomware-domains-on/
- C. Brazzell, “Hoeysploit: Exploiting the Exploiters,” Hoeysploit: Exploiting the Exploiters. [Online]. Available: https://curtbraz.medium.com/exploiting-the-exploiters-46fd0d620fd8
- “VPS Exploitation by Threat Actors.” CYFIRMA, Dec. 30, 2022. [Online]. Available: https://www.cyfirma.com/research/vps-exploitation-by-threat-actors/
- A. Kaushik, “The War on Ukraine: A Look at (Underemphasised) Russian Cyber Operations.” GLOBSEC, Oct. 02, 2023. [Online]. Available: https://www.globsec.org/what-we-do/publications/war-ukraine-look-underemphasised-russian-cyber-operations
- C. Raghuprasad, “Unmasking the new persistent attacks on Japan,” Unmasking the new persistent attacks on Japan. [Online]. Available: https://blog.talosintelligence.com/new-persistent-attacks-japan/
- “The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation,” The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
- “IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders,” IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- “Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection,” Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/chinese-espionage-tactics
Future Articles
The world of cyber threat intelligence is as deep as it is wide. Some future articles will look at specific nation-state actors, their organization, their techniques, and some of their known operations, including:
- Russian-linked Threat Actors
- Chinese-linked Threat Actors
- North Korean Threat Actors
- Iranian Threat Actors