Beyond individual hackers, the most sophisticated and dangerous cyber operations are conducted by government-backed groups with virtually unlimited resources, political objectives, and legal protection from their own governments. These are not hackers in the traditional sense — they are intelligence agencies conducting warfare through digital means.
APT28 — Fancy Bear
// RUSSIA — GRU (Military Intelligence)
One of Russia's most active cyber espionage groups, attributed to the GRU's 85th Main Special Service Center. Responsible for election interference operations across multiple countries, the 2016 DNC hack, and attacks on NATO members. Uses sophisticated spear-phishing and zero-day exploits. Has been active since at least 2004.
Known for: DNC hack, Macron campaign breach, German Bundestag attack
APT29 — Cozy Bear
// RUSSIA — SVR (Foreign Intelligence)
Russia's SVR foreign intelligence service cyber arm, known for extremely patient, stealthy long-term espionage operations. Unlike the noisier Fancy Bear, Cozy Bear prefers to stay silent and collect intelligence over months or years. Responsible for the SolarWinds supply chain attack — their most sophisticated operation to date.
Known for: SolarWinds Orion, 2016 DNC breach (alongside APT28), COVID-19 vaccine research theft
Lazarus Group
// NORTH KOREA — RGB (Reconnaissance General Bureau)
North Korea's primary cyber warfare unit, unique among nation-state actors because its operations are as much financially motivated as politically motivated. North Korea uses Lazarus Group to generate revenue for the regime through cryptocurrency theft, bank heists, and ransomware, having stolen an estimated $3 billion in cryptocurrency between 2017 and 2023.
Known for: Sony Pictures hack, WannaCry, $81M Bangladesh Bank heist, $625M Ronin Network theft
APT41 — Double Dragon
// CHINA — MSS (Ministry of State Security)
Unusual among state-sponsored groups because they conduct both espionage on behalf of the Chinese government and financially motivated cybercrime for personal gain — sometimes simultaneously. Targets span healthcare, telecoms, technology, and gaming. Known for supply chain attacks and exploiting public-facing applications within hours of CVE disclosure.
Known for: CCleaner supply chain attack, COVID research theft, gaming industry fraud
Equation Group
// USA — NSA (Tailored Access Operations)
Believed to be the NSA's elite Tailored Access Operations unit — the most technically sophisticated threat actor ever documented. Their toolkit, partially leaked by the Shadow Brokers in 2016-2017, included zero-days for virtually every major platform, firmware-level implants that survive disk wipes, and the EternalBlue exploit later weaponized in WannaCry and NotPetya.
Known for: Stuxnet (with Unit 8200), EternalBlue development, firmware-level implants
Sandworm
// RUSSIA — GRU Unit 74455
Russia's most destructive cyber unit, responsible for attacks that caused real-world physical damage and civilian harm. They took down Ukraine's power grid twice, deployed NotPetya (the most destructive cyberattack in history), and targeted the 2018 Winter Olympics. Unlike espionage-focused groups, Sandworm's goal is disruption and destruction.
Known for: Ukraine power grid attacks, NotPetya, Olympic Destroyer, Viasat hack (2022)