Double Dragon / APT41 (China, linked to MSS state-sponsored activity)
APT41 is unique for running both espionage and financially motivated operations (e.g., video-game currency theft) in parallel. They are masters of supply-chain compromises.
https://cloud.google.com/blog/topics/threat-intelligence/apt41-dual-espionage-and-cyber-crime-operation

CozyBear (APT29 – Russia, linked to SVR foreign intelligence)
CozyBear specializes in long-term, stealthy espionage against governments, diplomatic entities, and high-value research targets.
- 2014: Breached unclassified email systems of the U.S. State Department, White House, and Joint Chiefs of Staff using spear-phishing. Remained undetected for months, exfiltrating sensitive communications.

Lazarus Group / Hidden Cobra (North Korea, linked to Reconnaissance General Bureau)
Lazarus blends destructive attacks, financial theft, and espionage. They are responsible for some of the largest cyber-heists and ransomware incidents ever seen.

OilRig / APT34 (Iran, linked to MOIS intelligence)
OilRig focuses on persistent espionage against Middle Eastern governments, energy, telecom, and financial sectors. They rely heavily on custom backdoors and spear-phishing (often fake job offers).

Thus we are connecting the four countries' efforts in the APT cyber-attack area. Even if they are not actively helping each other, which they likely are, the hackers are learning from each other and deciding where to attack depending on the successes or failures of the other organizations.
China – Russia – Iran – North Korea, or CRINK, is an acronym but also a willing alliance of sorts.
