APT Group
What is APT Group?
A named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors.
APT (Advanced Persistent Threat) groups are persistent, well-resourced adversaries identified by a numeric or thematic label and tracked over years by vendors and governments. Examples include APT1 / Comment Crew (China, PLA Unit 61398), APT28 / Fancy Bear (Russia, GRU), APT29 / Cozy Bear (Russia, SVR), APT41 (China, dual espionage and financially motivated activity), Lazarus Group / APT38 (North Korea), and Equation Group (US-linked). Each profile is built from consistent TTPs, malware families, infrastructure, victimology, and code reuse. APT campaigns commonly chain spear-phishing, supply-chain compromises, zero-days, custom implants, and stealthy lateral movement. Mandiant's APT numbers, CrowdStrike's adversary names, Microsoft's weather-themed names, and Recorded Future's TAG identifiers all reference overlapping clusters under different naming conventions, so the same activity may carry several names.
● Examples
- APT28 (GRU Unit 26165) was linked to the 2016 DNC hack, the WADA leaks, and multiple campaigns against political organisations.
- APT41 was indicted by US authorities in 2020 for espionage and financially motivated intrusions across more than 14 countries.
● Frequently asked questions
What is APT Group?
A named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors. It belongs to the Defense & Operations category of cybersecurity.
What does APT Group mean?
A named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors.
How does APT Group work?
See the full definition above.
How do you defend against APT Group?
Defences against APT groups typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for APT Group?
Common alternative names include: Advanced Persistent Threat group.
● Related terms
- Advanced Persistent Threat (APT) (attacks, № 017): A stealthy, well-resourced threat actor, typically state-sponsored, that gains long-term, undetected access to a target network to steal data or pre-position for disruption.
- Nation-State Actor (defense-ops, № 714): A government-sponsored or government-aligned threat actor that conducts cyber operations to pursue strategic, intelligence, military, or economic objectives.
- Threat Actor (defense-ops, № 1145): An individual or group that intentionally causes or attempts to cause harm to information systems, organisations, or people through cyber operations.
- Threat Intelligence (defense-ops, № 1148): Evidence-based knowledge about threats and threat actors, including indicators, TTPs and context, used to guide security decisions and detection.
- Tactics, Techniques and Procedures (TTPs) (defense-ops, № 1131): A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).
- Supply Chain Attack (attacks, № 1116): An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.