Nation-State APT Tracking

245+ threat actors. Full kill chains. Campaign attribution with ORIGAMI engine. Every state-sponsored operation mapped in a single graph — from initial access to exfiltration infrastructure.

Tracked Nation-State Actors

Ingested from MITRE ATT&CK, government advisories (CISA, NCSC, ANSSI, BSI), OSINT research, and proprietary infrastructure scanning.

🇷🇺 Russia — GRU, SVR, FSB

  • APT28 / Fancy Bear (GRU Unit 26165) — espionage, election interference, destructive ops (Olympic Destroyer)
  • APT29 / Cozy Bear (SVR) — SolarWinds, diplomatic espionage, cloud service abuse, Microsoft 365 targeting
  • Sandworm (GRU Unit 74455) — critical infrastructure destruction, NotPetya, Industroyer, Ukraine power grid
  • Turla / Venomous Bear (FSB) — satellite C2, Snake malware, government espionage, hijacking other APTs
  • Gamaredon (FSB-linked) — Ukrainian government targeting, high-volume low-sophistication
  • Star Blizzard (credential phishing) — academics, defense, NGOs, journalists covering Russia

🇨🇳 China — PLA, MSS

  • Volt Typhoon (critical infrastructure pre-positioning) — living off the land, routers, water, energy
  • Salt Typhoon (telecom targeting) — ISP infrastructure, lawful intercept systems, metadata collection
  • APT41 / Wicked Panda (dual espionage + financial) — supply chain attacks, game industry, pharmaceuticals
  • Flax Typhoon (IoT botnets) — routers, cameras, NAS devices as operational relay infrastructure
  • APT40 / Leviathan (MSS Hainan) — maritime, defense, universities, COVID research theft
  • Mustang Panda (Southeast Asia focus) — USB propagation, government espionage, PlugX malware

🇮🇷 Iran — IRGC, MOIS

  • APT33 / Elfin (IRGC) — energy sector, aerospace, Shamoon wiper, destructive operations
  • APT34 / OilRig (MOIS) — Middle East governments, DNS tunnelling, custom implants
  • APT35 / Charming Kitten (IRGC-IO) — credential harvesting, journalists, researchers, dissidents
  • MuddyWater (MOIS) — Middle East telecom, government, MSP targeting for downstream access
  • Moses Staff (hacktivist front) — destructive attacks on Israel, data leaks, propaganda
  • CyberAv3ngers (IRGC) — ICS/SCADA targeting, Unitronics PLCs, water systems

🇰🇵 North Korea — RGB, Bureau 121

  • Lazarus Group (RGB) — cryptocurrency theft ($2B+), destructive attacks, Sony Pictures, WannaCry
  • Kimsuky (military intelligence) — think tanks, academia, nuclear/defense policy espionage
  • Andariel (Lazarus subgroup) — defense industry, ransomware (Maui), healthcare targeting
  • APT43 / Emerald Sleet (credential theft) — cryptocurrency theft funding WMD programs

ORIGAMI Attribution Engine

Multi-source evidence fusion for threat actor attribution. Infrastructure tracing, temporal clock analysis, TTP fingerprint matching (weighted Jaccard), Diamond Model correlation, and contradiction penalty scoring.

Confidence capped at 0.80 — because honest attribution acknowledges uncertainty. Four scenario weight presets. Evidence chains persisted to graph for audit trail.
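As an added illustration (not ORIGAMI's own code, whose internals the page does not publish), here is the weighted-Jaccard TTP matching, contradiction penalty and 0.80 cap described above, worked in Python over constructed actor profiles. The actor names, working-hour windows, rarity weighting and penalty size are assumptions; the technique IDs are real ATT&CK identifiers, but their assignment to the placeholder actors is illustrative only.

```python
"""Toy attribution scorer: weighted Jaccard over ATT&CK technique IDs,
a per-contradiction penalty from clock analysis, and a hard 0.80 cap."""
from math import log

CONFIDENCE_CAP = 0.80          # never report certainty, as the page states
CONTRADICTION_PENALTY = 0.15   # assumption: cost of each contradicting indicator

# Constructed profiles with placeholder actor names (technique IDs are real ATT&CK IDs).
ACTOR_TTPS = {
    "ACTOR-A": {"T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1071.001"},
    "ACTOR-B": {"T1190", "T1505.003", "T1078", "T1090", "T1071.001"},
    "ACTOR-C": {"T1566.002", "T1059.001", "T1486", "T1105", "T1071.001"},
}
# Constructed operator working-hour windows in UTC (start, end), for clock analysis.
ACTOR_HOURS = {"ACTOR-A": (5, 15), "ACTOR-B": (0, 10), "ACTOR-C": (22, 8)}


def technique_weights(profiles):
    """Rarity weight: a technique used by every actor (e.g. web C2) carries little signal."""
    n = len(profiles)
    counts = {}
    for ttps in profiles.values():
        for t in ttps:
            counts[t] = counts.get(t, 0) + 1
    return {t: log(n / c) + 1.0 for t, c in counts.items()}


def weighted_jaccard(observed, actor, weights):
    """Sum of weights over the intersection divided by the sum over the union."""
    inter = sum(weights.get(t, 1.0) for t in observed & actor)
    union = sum(weights.get(t, 1.0) for t in observed | actor)
    return inter / union if union else 0.0


def in_window(hour, window):
    """True if an activity hour falls in a window that may wrap past midnight."""
    start, end = window
    return start <= hour < end if start <= end else (hour >= start or hour < end)


def attribute(observed_ttps, activity_hours_utc):
    """Rank actors by capped score; returns (actor, score, contradiction_count) tuples."""
    weights = technique_weights(ACTOR_TTPS)
    results = []
    for name, ttps in ACTOR_TTPS.items():
        sim = weighted_jaccard(set(observed_ttps), ttps, weights)
        contradictions = sum(1 for h in activity_hours_utc if not in_window(h, ACTOR_HOURS[name]))
        score = max(0.0, sim - CONTRADICTION_PENALTY * contradictions)
        results.append((name, round(min(score, CONFIDENCE_CAP), 3), contradictions))
    return sorted(results, key=lambda r: r[1], reverse=True)
```

Even a perfect TTP match (similarity 1.0) with no contradictions comes back as 0.8, which is the point of the cap; a single out-of-hours observation against a poorly matching actor drives that candidate to zero.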

Seen suspicious infrastructure?

Check any IP, domain, or hash against 245+ tracked APT groups. Instant attribution context. Free.
