Attribution
This page is designed to be a one-stop resource for finding public attributions made by government organizations (or the private sector) that link state-sponsored Advanced Persistent Threats to specific individuals, companies and entities. Some of these links were shamelessly stolen from Gabriel Currie, who runs their own APT Group Attribution page. If you can't find what you're looking for here, visit Gabriel's repo!
APTs with a large number of links might get a collapsed list.
Work in progress! Page updated January 17, 2025.
China
APT1 (PLA Unit 61398)
- February 17, 2022: U.S.-China Economic and Security Review Commission Link
- May 19, 2014: U.S. Department of Justice Link (Note: does not use “APT1”)
- February 19, 2013: Mandiant Link
APT2 (PLA Unit 61486)
- June 09, 2014: CrowdStrike Link
- May 19, 2014: U.S. Department of Justice Link (Note: does not use “APT2”)
APT3 (Chinese National University of Defence and Technology, Guangzhou Bo Yu Information Technology Company Limited (Boyusec), MSS contractor)
- May 01, 2022: The Hague Centre for Strategic Studies Link (PDF)
- February 17, 2022: U.S.-China Economic and Security Review Commission Link
- November 27, 2017: U.S. Department of Justice Link (Note: does not use “APT3”)
- May 17, 2017: Recorded Future Link
- May 09, 2017: Intrusion Truth Link
APT10 (MSS Tianjin State Security Bureau)
- February 17, 2022: U.S.-China Economic and Security Review Commission Link
- December 20, 2018:
APT17 (MSS Jinan State Security Bureau, Jinan Quanxin Technology, Jinan Anchuang Information Technology, Jinan Fanglang Information Technology, RealSOI)
- May 01, 2022: The Hague Centre for Strategic Studies Link (PDF)
- February 17, 2022: U.S.-China Economic and Security Review Commission Link
- July 24, 2019: Intrusion Truth Link
APT26 (MSS Jiangsu State Security Department)
- May 01, 2022: The Hague Centre for Strategic Studies Link (PDF)
- February 17, 2022: U.S.-China Economic and Security Review Commission Link (PDF)
- October 18, 2019: CrowdStrike Link (PDF, archived copy)
APT31 (MSS Hubei State Security Department)
- March 25, 2024:
- July 19, 2021: UK Government Link
APT40 (MSS Hainan State Security Department)
- July 19, 2021:
APT41 (Chengdu 404, MSS Contractor)
Flax Typhoon (IntegrityTech)
- September 18, 2024:
Salt Typhoon
Volt Typhoon
- February 07, 2024: U.S. CISA Link
- January 31, 2024:
- May 24, 2023:
BlackTech
- September 27, 2023: U.S. CISA Link
Hafnium (MSS)
- January 17, 2025:
- July 19, 2021:
RedFoxtrot (PLA Unit 69010)
- June 16, 2021: Recorded Future Link
- November 14, 2022: U.S.-China Economic and Security Review Commission Link (PDF)
Tick (PLA Unit 61419)
- May 01, 2022: The Hague Centre for Strategic Studies Link (PDF)
- February 17, 2022: U.S.-China Economic and Security Review Commission Link (PDF)
- May 05, 2021: Recorded Future Link
- April 20, 2021: Tokyo Metropolitan Police Department Link
Tonto Team (3rd PLA, Shenyang TRB, Unit 65016/65017)
- November 14, 2022: U.S.-China Economic and Security Review Commission Link (PDF)
- May 01, 2022: The Hague Centre for Strategic Studies Link (PDF)
- February 17, 2022: U.S.-China Economic and Security Review Commission Link (PDF)
Iran
MuddyWater (MOIS)
- July 30, 2024: U.S. New Jersey CCIC Link
- July 18, 2024: U.S. New Jersey CCIC Link
- November 03, 2022: U.S. HHS Link (PDF)
- September 09, 2022: U.S. Treasury Link
- February 24, 2022: U.S. CISA Link
- January 12, 2022: U.S. Cyber Command Link
APT39 (MOIS)
- September 09, 2022: U.S. Treasury Link
APT34/Oilrig (MOIS)
CyberAv3ngers (IRGC-CEC)
Cotton Sandstorm (Emennet Pasargad)
Charming Kitten (IRGC-IO)
- May 10, 2024: New Jersey Cybersecurity & Communications Integration Cell Link
- July 06, 2023: Proofpoint Link
- September 14, 2022: U.S. Treasury Link
- September 07, 2022: Mandiant Link
- July 22, 2022: PwC Link
North Korea
Lazarus (RGB)
- October 10, 2023: Mandiant Link
- April 20, 2022: U.S. CISA Link
- February 17, 2021: U.S. Department of Justice Link
- September 13, 2019: U.S. Treasury Link
- September 06, 2018: U.S. Department of Justice Link
Andariel (RGB 3rd Bureau)
- July 25, 2024:
- October 10, 2023: Mandiant Link
- March 23, 2022: Mandiant Link
- March 25, 2021: U.S. Health and Human Services Link (PDF)
- September 13, 2019: U.S. Treasury Link
BlueNoroff (RGB)
Kimsuky (RGB)
- May 02, 2024:
- November 30, 2023: U.S. Treasury Link
- June 01, 2023: U.S. Department of Defense Link (PDF)
- March 28, 2023: Mandiant Link
- March 23, 2022: Mandiant Link
- March 25, 2021: U.S. Health and Human Services Link (PDF)
APT37 (MSS)
Scarcruft/Reaper
- March 25, 2021: U.S. Health and Human Services Link (PDF)
Russia
APT28 (GRU Unit 26165)
- February 15, 2024: U.S. Department of Justice Link
- April 18, 2023: U.S. CISA Link
- April 18, 2023: U.S. NSA Link
- April 18, 2023: UK NCSC Link
- February 02, 2023: European Repository of Cyber Incidents Link (PDF)
- May 09, 2022: U.S. CISA Link
- July 01, 2021: U.S. Department of Defense Link (PDF)
- August 13, 2020: U.S. FBI Link
- October 04, 2018: UK GCHQ Link
- May 23, 2018: U.S. Department of Justice Link
- October 04, 2018: Netherlands Ministry of Defense Link
APT29 (SVR)
- February 26, 2024: U.S. CISA Link
- December 13, 2023: U.S. CISA Link
- May 07, 2021:
- April 15, 2021:
- July 16, 2020: UK NCSC Link
Callisto Group (FSB Center 18)
- October 03, 2024: U.S. Department of Justice Link
- December 07, 2023:
Ember Bear (GRU Unit 29155)
- September 05, 2024:
Sandworm (GRU Unit 74455)
- April 17, 2024: Mandiant Link
- August 31, 2023: U.S. CISA Link
- April 06, 2022: U.S. Department of Justice Link
- October 19, 2022: U.S. Department of Justice Link
- February 23, 2022: U.S. CISA Link
- July 30, 2020: European Union Link (PDF)
- May 28, 2020: U.S. NSA Link (PDF)
- February 20, 2020: UK Government Link
- May 24, 2018: U.S. Department of Justice Link (PDF)
Gamaredon (FSB Centers 16, 18)
- June 24, 2024: European Union, Council Decision (CFSP) 2024/1779 of 24 June 2024 amending Decision (CFSP) 2019/797 concerning restrictive measures against cyberattacks threatening the Union or its Member States (PDF)
- August 28, 2023: National Security and Defense Council of Ukraine Link (PDF)
- November 04, 2021:
Turla (FSB Center 16)
Berserk Bear (FSB)