Resources to help security professionals and teams succeed


Top Threat Actors and Their Tactics, Techniques, Tools, and Targets

May 16, 2017   |   Team Komand   |   Security Deep Dive

With new threats emerging every day (over 230,000 new malware strains are released into the wild daily), it's tough to stay on top of the the latest ones, including the actors responsible for them.

A threat actor is an individual or group that launches attacks against specific targets. These actors usually have a particular style they prefer to focus on. In this post, we will do a deep dive into some top threat actors, and provide you with insight on how to prevent and respond if encountered.

A Few Well Known Threat Actors


APT10 is a Chinese group that has been around since early 2009. Their primary mission seems to be targeting defense contractors around the world. Some other names they go by are Potassium and Red Apollo.


Turla is a popular Russian group most known for targeting government agencies around the world. Turla may indeed be one of the oldest APT groups to date. Alternative alias include waterbug, Krypton and wipbot.


A popular Russian hacker who seems obsessed with earning his street cred; he can be found in online Russian forums where he has been spotted selling the infamous Nuke Bot.


This well rounded actor conducts its malicious acts around the globe, but mostly stays in the Asia region. They obtained their name from compromising hotel Wifi systems, but have recently switched to the bittorrenting sector. They also go by the alias Tapaoux.

Mr. Po Panda

This actor's primary focus has been to deface company websites. He has a Youtube channel where he posts his “how tos” around website defacement, thus proving his abilities through his knowledge.


This actor is a member of a hacktivist group called Turk Hack. They try to claim themselves as researchers but have been known to conduct website defacements unexpectedly.

Tactics, Techniques, Tools, and Targets



Cyber Espionage is no easy feat, thus this actor is categorized as an expert-level actor. APT10 has an arsenal of skills at their disposal including creating and maintaining malicious tools containing malware.


Typical with cyber espionage at a global level, APT10 is very capable of gathering a great deal of network information through reconnaissance. Once in, they are very silent with lateral movements, and sending data out of the network.


Some techniques used for recon and initial compromise include advanced spear phishing from a known email domain (spoofed), and creating fake video game advertising emails as well.


Popular tools used by APT10 include Haymaker backdoor, Scanbox, and the Bug Juice backdoor 


Main targets for APT 10 are any government entities, defense contractors, healthcare and U.S. Lobby groups,  agencies or groups in major countries including the US, France and Germany being of the largest.


Another big name cyber espionage group, Turla has been a big advocate of different government agencies around the world.


PDF exploits and fake flash player downloads are still in high volume with targeted phishing attacks. They have even been known to pull off social engineering attempts to gain initial recon information. Lastly, they have attributed to zero day attacks like CVE-2013-3346.


Turla has mastered the art of satellite hijacking. This allows them to attack from anywhere on the planet, and remain anonymous. Turla is one of the first groups to really master this technique, and have become very efficient with it.


Some of the more popular tools used by the infamous Turla include Snake (a Urbororos rootkit), and unnamed tools used to bypass air gaps in proxy networks. Turlas main focus is to remain as unseen as possible.


Middle East government agencies along with their militaries have been their sole focus, but they have been known to come after North America and South America, as well. Their main focus seems to be intelligence-based targets that would give them an advantage with government agencies (ex. pharmaceutical , education, embassies).


As stated above, Dark Hotel is known for compromising hotel networks to target high profile individuals.


Since there are many easy ways to compromise a hotel network, Darkhotel has a field day when it comes to choosing which tool to use. Between using a keylogger, installing a strain of malware on the guest computer, USB rubber ducky in the back of the printer, or connecting directly to the in-room routers.


Keyloggers are mostly used for initial compromise, as hotels have computers publically accessible to the general public. If that doesn't do anything, a simple malware downloader could be installed to gather system information to further supplement the recon stage of a hotel compromise.


The main purpose for attacking hotels is to target any high profile people that may stay or have stayed there. They were known to be responsible for the zero day CVE-2010-0188;  which used a redirect from internet explorer (which could be easily installed on a public computer). Lastly, once enough recon data is collected on said target, they like to deliver spear phishing attacks based around the targets input compromised hotel data.


Mostly offshore automotive, chemical and cosmetic companies have been targeted. They have also been recently thought to go after law enforcement  and NGO’s (non-governmental organizations), as well. Most of these companies have been located in Japan, Taiwan, Korea, and China.

Recommendations for Monitoring or Mitigation

For APT10 and other similar actors, increasing your events searches and alerts will help you detect any potential breaches.

With APT10 specifically, setting up a search or alert to display any .DLL files executed (event id: 4688) as this is the file that delivers their main payload. Then set up RC4 encryption monitoring for the following phrase SORRY.i_have_to_do_this. This is the RC4 string they have chosen. Once discovered you will be compromised but it will be much better to catch this sooner than later.


Turla can be a little more tricky to find and catch as they utilize satellite hijacking to remain anonymous. Below is one example of a way to detect possible compromise from Turla.

IP addresses to look for:


Popular MD5 hashes used:

  • 0328dedfce54e185ad395ac44aa4223c
  • 18da7eea4e8a862a19c8c4f10d7341c0

Lastly, verdicts used by antivirus to detect the group:

  • Backdoor.Win32.Turla.(enter country here, ex. ck)

The full list of popular sources from Turla can be found here.


Dark Hotel will be the trickiest of all to identify. You will need some type of analysis software running on your computer or network to set up trends to look for possible malware related to Darkhotel. Some keys factors around what the malware will look like are as follows:

  • the .exe name is 32 characters long
  • The program is executed from the C drive as root
  • If the filename ends with .MD5 anywhere in its name
  • Specific folders like \EXE\ and \SAMROOT\ are potential launching spots as well for this malware.

From this point on, you are checking for any file that meets the above criteria. You are watching its behavior, and what other files it is interacting with. Below are some examples of select events to look for:

  • The malware is checking module paths for possible sandbox situations but at the same time is giving itself away. Locations like \SANDBOX\ and \CUCKOO\ are a couple on its list that it will look for in your system.
  • Keep an eye on your antivirus .exe files as Darkhotel malware will compare these to its hardcoded list to try and identify if you are running any antivirus that it cannot compete with. An example would be looking for snxhk.dll if you are running Avast antivirus.
  • There are a slew of other programs this malware will try to cross check including windows processes, exported functions, user and file systems names as well. For a full list of these example visit here for more information.

Whether you are an executive CSO at a fortune 500 company or the front desk worker in charge of internet privileges at the local hotel, it is important to not only know the current threats out there, but also understand which ones may directly affect your industry.

As a security professional, you only have so much time in the day, and by narrowing your focus to these threat actors that are most concerning, you will not only be more efficient at security, but you will be able to sleep better at night, too.

For more security deep dives, check out a few of our other articles:

Team Komand

About Team Komand

We are the spirited team working behind the scenes to build and grow Komand. We're engineers, designers, marketers, sales professionals, and more!