Threat Actor Profiles

Named threat actors in the dataset, their state nexus, attributed operations, and behavioural patterns.

Sandworm Team (GRU Unit 74455)

Russia, GRU (Main Intelligence Directorate), assessed to be Unit 74455

6 cases
Destructive · Energy · Telecommunications · Critical Infrastructure · 2015–2023

Lazarus Group (RGB, North Korea)

North Korea, Reconnaissance General Bureau (RGB)

3 cases
Destructive · Finance · Media · Healthcare · 2014–2017

SVR / APT29 / Cozy Bear

Russia, SVR (Foreign Intelligence Service)

2 cases
Espionage · Government · Technology · Defense · 2020–2024

Hafnium / PRC MSS-Linked Groups

China, Ministry of State Security (MSS) and affiliated entities (including MSS contractors such as Sichuan Juxinhe Network Technology designated in January 2025 for Salt Typhoon)

7 cases
Espionage · Government · Technology · Telecommunications · 2015–2024

People's Liberation Army Cyber Units (PLA Unit 61398 / 3PLA Successor)

China, People's Liberation Army (PLA), formerly Third Department of the General Staff Department (3PLA) including Unit 61398; reorganised under the PLA Strategic Support Force (SSF) in 2015 and subsequent restructurings

1 case
Espionage · Defense · Technology · Energy · 2013

Scattered Spider

Non-state: loosely organized English-speaking individuals (US/UK)

1 case
Ransomware · Technology · Finance · Multiple · 2023

Iranian State-Linked Actors (IRGC/MOIS)

Iran, Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS)

2 cases
Destructive · Energy · Government · 2012–2022

Unknown / Contested Attribution

Various, includes cases where attribution is contested, unconfirmed, or points to non-state or negligence-based incidents

14 cases
Espionage · Multiple · 2010–2024