Features 17.10.2023
The 7 Worst Hacking Groups in the World
Assured Intelligence introduces seven hacking groups that have risen to infamy, running amok in global networks and leaving a trail of disruption
In a world where cyber attacks are part of everyday business, it’s easy to forget about the perpetrators. But that’s a mistake: as we’ve said before, knowing your enemy can help you shore up your defences to prevent and mitigate breaches.
Now we will delve a bit deeper into who that enemy is by asking: Who are the worst hacking groups in the world? What are their aims? And which sectors do they target?
No Assured Intelligence article is complete without a valuable takeaway, so we’ve included specific advice on what firms can do to protect themselves against these formidable adversaries.
It’s a safe bet that you’ve heard of the Lazarus Group, the North Korean hacking collective. It has been in the headlines for years, responsible for the infamous 2014 attack on Sony and the 2017 WannaCry cyber assault.
Its reputation alone makes it worthy of a place on this list, but the group is also a stealthy adversary. Lazarus Group uses social engineering techniques, including spear phishing attachments and links, to trick victims into opening malware, says Beatriz Pimenta Klein, KrakenLabs threat intelligence analyst at Outpost24.
While Lazarus targets organisations across industries, the state-sponsored group focuses on the financial sector, including large-scale attacks on cryptocurrency to steal cash to fund the regime.
The group also focuses on government, military, aerospace, and media, says Jovana Macakanja, an analyst at Cyjax. “They aim to gain information valuable to North Korea, as well as cause disruption and conduct cyber-espionage against the country’s geopolitical adversaries.”
The LockBit ransomware group first appeared in September 2019 but received little attention until a year later when it partnered with another adversary, Maze, to form Ransom Cartel (a ransomware-as-a-service operation).
“Soon after this, the group gained more traction on underground forums, and it has since become one of the most active and notorious ransomware groups in existence,” says Macakanja.
LockBit is prolific and dangerous because it operates ransomware-as-a-service (RaaS). This sees recruited affiliates pay either a fixed fee or a percentage of each ransom for access to malware and support during negotiations.
LockBit is responsible for several large-scale attacks, with victims including the UK’s Royal Mail, the Japanese Port of Nagoya and the California Department of Finance.
The supply chain is also a significant target. Most recently, LockBit leaked data obtained from the British Ministry of Defence after an attack on databases belonging to Zaun, a company responsible for protecting high-security government sites in the UK.
If companies refuse to pay the ransom, LockBit is true to its word. “Those who refuse to pay the ransom will be publicly named on LockBit’s leaks site and will eventually have their stolen data leaked,” says Macakanja.
Russia-based cyber-adversary Sandworm mainly targets neighbouring countries such as Ukraine, Estonia and Georgia. Believed to be part of the GRU, Russia’s military intelligence agency, the group uses several malware and ransomware strains to perpetrate information theft and major disruption. It is known for the 2017 NotPetya attack against thousands of organisations in more than 65 countries across the government, transportation, banking and energy sectors.
In 2015, Sandworm targeted Ukraine’s electric power grid, causing a blackout in Kyiv. Since the start of the Russia-Ukraine war, the group has been observed carrying out attacks on Ukrainian entities such as telecom providers and the military. “Most attacks aim to compromise and exfiltrate sensitive information,” says Macakanja.
Pimenta Klein explains how Sandworm exploited the high-severity Follina vulnerability (CVE-2022-30190) against Ukrainian targets in 2022. “Social engineering techniques are often employed, such as spear phishing attachments,” she warns.
Notorious Russia-linked hacking group FIN7 is so advanced that it even has a front company to run a portion of its operations, so it’s no wonder it’s considered one of the most dangerous hacking outfits in the world.
FIN7 is known to have hacked over 100 US companies, deploying malware that collected millions of customer payment card details to be sold on hacking forums. After some group members were arrested in 2018, FIN7 evolved from targeting point-of-sale systems to conducting ransomware attacks, becoming a major player on the ransomware scene. Indeed, the group has worked as an affiliate for ransomware groups including Maze, REvil and Egregor, and has launched two RaaS offerings.
The group employs stealthy tactics, sending fake Amazon or Best Buy gift cards together with a USB drive to encourage victims to ‘plug in’ to view the items they can claim. Everyone knows you shouldn’t do this, but it’s an easy mistake to make. Those who plugged in the drive unknowingly installed malware on their computers.
Today, the group targets transport, education, and the financial industry, where it has been accused of stealing millions of dollars.
APT41 is a Chinese state-sponsored group that attacks for espionage and financial gain. Active since 2012, APT41 targets a “highly diverse” set of organisations globally, says Pimenta Klein. “APT41 often relies on supply chain attacks to reach a higher number of victims, but the group later selects targets of interest to conduct further post-exploitation activities.”
APT41 leverages publicly available tools and shares some of its arsenal with other Chinese threat groups. This makes attribution harder for security analysts, says Pimenta Klein.
The group also takes advantage of firms that haven’t patched their systems. APT41 has been connected with exploiting the vulnerability Log4Shell, tracked as CVE-2021-44228. As a result, the group breached the systems of six US state governments in March 2022, Pimenta Klein warns.
The name sounds cute, but the Cozy Bear hacking group is anything but. This group is believed to be a proxy for Russia’s Foreign Intelligence Service (SVR) and was accused of hacking into the Democratic National Committee’s email servers during the 2016 US presidential election.
Since then, Cozy Bear has continued to be active, perpetrating supply chain and other attacks targeting sectors including military, government, energy and telecoms. Russia’s SVR is also thought to be responsible for the SolarWinds breach that hit hundreds of organisations across multiple industries.
In July 2020, it was accused of stealing Covid-19 vaccine data, and more recently it has targeted Microsoft Office 365 accounts to snatch information. The adversary is also evolving to infiltrate other cloud services, including Dropbox and Google Drive, while covering its tracks to avoid detection.
It’s only been around for a couple of years. Still, Vice Society has become one of the most prominent and prolific ransomware groups, responsible for hundreds of cyber attacks globally.
Believed to be Russian-speaking, the group is opportunistic and financially motivated, aiming to profit from victims by demanding high ransoms of up to $1m. “They typically engage in double extortion, encrypting victim data and leaking it if their ransom demands are not met,” says Anna Rozehnalova, director of customer success at Silobreaker.
Initially, the group maintained a low profile by targeting smaller and medium-sized organisations. However, over the past year, it has moved to larger targets, such as the LA Unified School District or CommScope.
Many of its victims are educational organisations, but it also targets sectors including healthcare, government, professional and legal services, manufacturing and retail, says Rozehnalova.
Vice Society has used commercial software to scan target networks to gather information on potential victims. “Upon identifying an interesting target, they deploy PowerShell scripts to collect data, focusing their attention on information that will enable them to establish initial access,” says Rozehnalova.
So there you have it: the worst hacking groups in the world right now, according to experts. But these only scratch the surface of the groups out there, so keeping up with what’s going on in cyberspace is important.
Ensure you have all the latest threat intelligence data and always remember the security basics such as robust password policies, staff training and patching to keep your organisation safe.