Show Mobile Navigation
Technology |

10 Ominous State-Sponsored Hacker Groups

by Lance David LeClaire
fact checked by Jamie Frater

Hacker groups are the fastest-growing threat to nations today—not so much the “hacktivists” that we hear about but extremely professional groups working for governments that we don’t hear about. State-sponsored hacker groups have the ability to worm into the networks of the media, major corporations, defense departments, and—yes—governments and wreak havoc. Even security firms designed to stop them may be infiltrated.

The situation is so bad, it’s being described as another “cold war,” and this one is truly global and largely invisible. Even corporate brands are targeted by states seeking an economic edge over competing nations. Since computer defenses are laughably easy for hackers to compromise, offensive capabilities become more tempting, until eventually everyone is attacking each other. It’s only a matter of time before cyber attacks are considered an act of actual war (a stance that the US is already veering toward). Hacker groups like the ill-named “Guardians of Peace” have already threatened violent terror attacks and curtailed freedom of speech in Hollywood.

Here are 10 of the key players in this new cat-and-mouse game of espionage, sabotage, and warfare.

10The Syrian Electronic Army (SEA)

Syrian Electronic Army: Their Methods and Your Responses

The Syrian Electronic Army (SEA) enjoyed fame and a sort of love–hate relationship with the media in 2011–2013. The group is mostly composed of university students in Syria or its allies who often deliver propaganda for Syrian President Bashar al-Assad. Their high-profile hacks of major media outlets included the New York Times, various Twitter accounts, and even the Onion (whose retort was rather memorable), which gained them a reluctant respect among security companies.

The SEA also orchestrated successful attacks on CNN, The Washington Post, and Time in 2013. Finally, the group once convinced the public that an explosion had gone off in the White House, injuring president Obama. This briefly upset the stock market, bringing the Dow Jones index down by a full percent.

The SEA hackers have also been known to engage in darker endeavors, such as targeting and intimidating individuals they don’t agree with or who do not support Assad. While they claim to be simple patriots, they also admit to relaying relevant information to the state, illustrating the murky line between hacktivists and state-sponsored hackers. The SEA works mainly through the use of “spear-phishing,” a partly socially engineered method where a user is tricked into giving out passwords or other sensitive information, often by being directed to a fake website set up for that purpose.

In November 2014, the SEA returned and “hacked” a number of sites using a content delivery network, displaying a pop-up that read: “You have been hacked by the Syrian Electronic Army.”

9Tarh Andishan


In 2009, Iran was left with a badly compromised and diminished computer infrastructure after the widely publicized Stuxnet worm attack. Iran responded by elevating its hacking capabilities from simple website defacement to full-blown cyber warfare. Thus, a state-sponsored hacker group dubbed “Tarh Andishan” (“Thinkers” or “Innovators” in Farsi) was born.

The group gained prominence with “Operation Cleaver,” a campaign that has been active since around 2012 and has targeted at least 50 organizations throughout the world in the military, commercial, educational, environmental, energy, and aerospace fields. Chillingly, they have also targeted major airlines and in some cases even gained “complete access” to airline gates and control systems, “potentially allowing them to spoof gate credentials.” Cyber security firm Cylance, who has yet to reach a conclusion as to the group’s long-term goals, released an early report on Tarh Andishan (which represents only a fraction of the group’s activities) because of fears that Operation Cleaver already poses a “grave risk to the physical safety of the world.”

The report presents evidence such as known hacker handles, Iranian domain names, infrastructure hosting, and other indicators. Cylance believes the infrastructure available to Tarh Andishan is too large to be the work of an individual or a small group. Tarh Andishan uses advanced techniques ranging from SQL injection, advanced exploits and automated worm-like propagation systems, backdoors, and more. They are thought to have about 20 members, mostly from Tehran with auxiliary members in Canada, the UK, and the Netherlands. Its victims include the US and Central America, parts of Europe, South Korea, Pakistan, Israel, and several other Middle Eastern regions.

8Dragonfly / Energetic Bear
Eastern Europe

Dragonfly & Energetic Bear: APT Groups – AT&T ThreatTraq: Episode 101 (Part 3 of 6)

A group that Symantec calls “the Dragonfly gang” and other security firms have called “Energetic Bear” has been operating out of Eastern Europe and targeting mostly energy companies since around 2011. Before that, it was targeting airline and defense sectors, usually in the US and Canada. Symantec says that the hacker group “bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.” It was first discovered by the Russian-based security firm Kaspersky Labs.

Dragonfly uses remote access Trojans (RATs) such as their own Backdoor.Oldrea and Trojan.Karagany malware tools to spy on energy industry targets, although the methods could also be used for industrial sabotage. The malware is usually attached to phishing e-mails, although the hackers have recently upgraded to “watering hole” methods of targeting: compromising sites that a target is known to frequent. The targets are then sent on a series of redirects until Oldrea or Karagany can be introduced into a victim’s system. In the later stages of their campaign, they even managed to infect legitimate software, which would be downloaded and installed as usual along with unwanted malware.

Like Stuxnet before it, Dragonfly’s campaign was one of the first major efforts to directly target industrial control systems. Unlike Stuxnet, which targeted only Iran’s nuclear program, Dragonfly’s campaign was widespread, with long-term espionage and access as its primary goal and the ability to commit serious sabotage as an optional but terrifying capability.

7Tailored Access Operations, NSA

How the NSA’s Secret Elite Hacking Unit Works | FRONTLINE

In the aftermath of Stuxnet, the US wasn’t going to be left behind in the cyber warfare and espionage game. The country reserves the right “to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law.” America’s state-sponsored hacking group is Tailored Access Operations (TAO) run by the National Security Agency. It’s the group responsible for making Edward Snowden famous after the German magazine Der Spiegel leaked details revealing TAO and the fact that the NSA had collected telephone data from thousands of Americans and overseas intelligence targets.

Since at least 2008, TAO was also able to intercept PC deliveries (where it would intercept the computer and place spying software inside), exploit hardware and software vulnerabilities, and hack corporations as sophisticated as Microsoft (which TAO allegedly did via Microsoft’s crash report dialogue boxes along with the usual range of ultra-sophisticated cyber warfare techniques).

The organization isn’t quite so secretive these days, and employees even list themselves on LinkedIn, but it’s just as busy—hopefully against foreign enemies this time. Their 600-employee-strong primary headquarters is housed in the main NSA complex in Fort Mead, Maryland. To get an idea of their current operations, just ask Dean Schyvincht, who claims to be a TAO Senior Computer Network Operator from the Texas office. He says that “over 54,000 Global Network Exploitation (GNE) operations in support of national intelligence agency requirements” have been carried out as of 2013 with a staff of just 14 people under his management. We can only imagine what Fort Mead is up to.

6Ajax Security Team / Flying Kitten


Ajax started out in 2010 as a group of “hacktivists” and website defacers from Iran, but they went from activism to cyber espionage and outing of political dissidents. They deny being state sponsored, but many believe that they were hired by the Iranian government—an increasingly common pattern where a group gains the attention of a government through its public activities in order to gain state sponsorship.

Ajax came to the attention of security firms and groups like CrowdStrike when a series of mistakes (one of which gave investigators a member’s real e-mail address) exposed attempts to target the US defense industry and Iranian dissidents. The firm FireEye believes that Ajax was responsible for “Operation Saffron Rose”—a series of phishing attacks and attempts to spoof Microsoft Outlook Web Access and VPN pages in order to gain information and credentials within the US defense industry. The group also exposed dissidents by luring them in with corrupt anti-censorship tools.

Groups like this demonstrate a growing “grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement.” This blurring line between groups and governments will probably become more pronounced in the future.



“APT” stands for “advanced persistent threat,” a designation used in reports on hacker groups by security firms. Sometimes—when there is little else to go on—such groups are named after these reports. Such is the case with a dangerous group called “APT28” and believed to be operating out of Russia. It has been engaging in advanced cyber espionage since at least 2007.

Russia is considered one of the world’s leaders in cyber warfare, but it’s hard to find conclusive evidence linking APT28 to Moscow. According to FireEye’s vice president of threat intelligence, their report shows that the malware and tools used and created by APT28 consistently indicate “Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg.”

The group utilized an array of methods and attacks against military and political targets in the US and Eastern Europe, including specifically valuable targets for Russia such as Georgia. It’s even targeted NATO, and in a different report, a White House official has confirmed that the group hacked its way into unclassified White House networks and may have targeted Ukraine.

4Unit 61398 / Comment Crew / Putter Panda

In 2013, Mandiant released a report that claimed to have caught China with its hand right in the information cookie jar. Mandiant concluded that a group working for the Chinese military’s elite Unit 61398 stole hundreds of terabytes of data from at least 141 organizations in English-speaking nations. Mandiant based this allegation on evidence such as Shanghai IP addresses, computers using Simplified Chinese language settings, and indications that numerous individuals rather than automated systems were behind the attacks.

China rejected the claims, saying that the report “is not based on facts” and “lacks technical proof.” Brad Glosserman, executive director of the Center for Strategic and International Studies’ Pacific Forum refuted this, pointing out that the evidence—when taken together with the type of information stolen—doesn’t support a rejection. Mandiant even knew where most of the attacks were coming from: a 12-story building just outside of Shanghai where the hackers had access to high-powered fiber optic cables.

About 20 high-profile hacker groups are reported to come from China, and at least some of them are thought to report to the People’s Liberation Army (Chinese military). This includes Comment Crew and Putter Panda, a hacker group active since 2007 that has allegedly worked out of PLA-owned buildings. They helped trigger an ongoing US indictment against a group of five individuals in 2014.



A coalition of security-related groups including Bit9, Microsoft, Symantec, ThreatConnect, Volexity, and others have identified another dangerous group, which they have dubbed “Axiom.” The group specializes in corporate espionage and targeting of political dissidents, and it may have been behind the 2010 attack on Google. Axiom is believed to come out of China, but no one has yet been able to identify where in mainland China the group operates. A report from the coalition stated that Axiom’s activities overlapped with “the area of responsibility” attributed to the Chinese government’s intelligence agencies, a judgment also supported by an FBI flash released to Infragard.

The report goes on to describe Axiom as a possible subgroup of a larger unnamed group in operation for more than six years, targeting mostly private industries that are influential in the economic sphere. They use techniques ranging from generic malware attacks to sophisticated hacking exploits that can take years to manifest. Western governments, pro-Democracy institutions, and dissidents inside and outside of China have also been targeted. Chinese Embassy spokesman Geng Shuang stated that “judging from past experience, these kinds of reports or allegations are usually fictitious,” and that the government in Beijing “has done whatever it can to combat such activities.”

2Bureau 121
Pyongyang, North Korea

Bureau 121: North Korea has secret cyberwar network

By now, most people have heard about the attacks on Sony Pictures by hackers calling themselves “Guardians of Peace” (GOP). The group claimed to be upset because of The Interview—an upcoming movie that depicts the graphic assassination of North Korea’s leader Kim Jong-un. Guardians of Peace even threatened 9/11–style terrorist attacks against Sony facilities and movie theaters if The Interview was released, along with attacks against the actors and executives involved. The GOP wrote: “Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment. All the world will denounce the SONY.”

The ties to North Korea have led to accusations that the nation itself was responsible for at least some of the attacks. This has pushed a group known as Bureau 121 into the media. Bureau 121 is a cyber warfare cadre of North Korean hackers and computer experts. Defectors have claimed that the group belongs to the General Bureau of Reconnaissance, North Korea’s military spy agency. It engages in state-sponsored hacks and sabotage on behalf of the Pyongyang government against South Korea and perceived enemies like the US. In 2013, an attack on 30,000 PCs inside South Korean banks and broadcasting companies was attributed to the group. According to some, Bureau 121 comprises some 1,800 members who are treated as elites and provided with plentiful incentives such as rich salaries and the ability to bring their families with them when they are allocated living spaces in Pyongyang. Defector Jang Se-yul, who claims to have studied with the group at North Korea’s military college for computer science (University of Automation), told Reuters that overseas divisions of the group exist, embedded into legitimate businesses.

But is North Korea’s government really behind the attacks? A spokesperson refused to clarify it, only saying: “The hostile forces are relating everything to the DPRK (North Korea). I kindly advise you to just wait and see.” The White House told CNN that they “have found linkage to the North Korean government,” and were “considering a range of options in weighing a potential response.” Whatever the case, Sony caved in to the threats. After many theaters dropped the film’s Christmas opening, the corporation pulled it indefinitely—a move that doesn’t look good for freedom of speech in a world where any cyber bully with enough hacking skills can get away something like with this. Note: Since the time of writing, Sony has released the movie in a limited capacity.

1Hidden Lynx

Symantec Discovers Hacker Group in China

“Hidden Lynx” (a name given by Symantec) is one of the newest active groups. A 2013 report describes them as an extremely organized and experienced team of hackers (about 50–100 of them) with a large amount of resources at their disposal and the patience to use them. They regularly make use of—if not create—the latest hacking techniques including their signature use of “watering holes.” This was one of the methods used in 2013 to infiltrate the cloud-based security firm Bit9 in an attempt to gain access to their clients.

These people don’t just engage in obtaining gaming credentials, targeting peer-to-peer users, or identity theft (although they do all of that, too). They go after some of the most secure targets in the world including defense industries, high-level corporations, and governments of major nations, with attacks concentrated on the US, China, Taiwan, and South Korea. They are the quintessential Hollywood-style mercenary hacker organization.

All indications seem to point to China as Hidden Lynx’s main base of operations, but it isn’t certain whether it is some sort of a state-sponsored entity or a powerful mercenary group. Their advanced skills and techniques—as well as the fact that their infrastructure and command and control servers all originate in China—make it highly unlikely that the group is unsupported.

Lance LeClaire is a freelance artist and writer. He writes on subjects ranging from science and skepticism, atheism, and religious history and issues, to unexplained mysteries and historical oddities, among other subjects. You can look him up on Facebook, or keep an eye out for his articles on Listverse. Now you can follow him at his satirical atheist blog, Christians and Atheists Against Creeping Agnosticism.

fact checked by Jamie Frater