This repository tracks public statements by Governments on the attribution of state-sponsored hacking incidents or groups.
Also known as: Group 74, Iron Twilight, PawnStorm, Sednit, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, and Tsar Team.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| Estonia | Foreign Intelligence Service | APT28 is the 6th Directorate of the GRU | 2018 | valisluureamet.ee |
| United States | Department of Justice | GRU unit 26165 is located at 22 Kirova Street in Moscow and targeted the 2016 US Presidential election. | 13 July 2018 | justice.gov |
| United Kingdom | National Cyber Security Centre | APT28 is almost certainly the GRU. | 3 October 2018 | ncsc.gov.uk |
| United Kingdom | Foreign, Commonwealth and Development Office | APT28 is GRU military unit 26165. | 4 October 2018 | gov.uk |
| United States | National Security Agency, Federal Bureau of Investigation | APT28 is the GRU 85th Main Special Service Center (GTsSS), military unit 26165. | 13 August 2020 | defense.gov |
Also known as: Cozy Bear, CozyDuke, Dark Halo, The Dukes, NOBELIUM, NobleBaron, StellarParticle, UNC2452, and YTTRIUM.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| Estonia | Foreign Intelligence Service | APT29 is linked to the Russian government. | 2016 | valisluureamet.ee |
| Estonia | Foreign Intelligence Service | APT29 is linked to the FSB and the SVR. | 2018 | valisluureamet.ee |
| Estonia | Foreign Intelligence Service | APT29 is linked to the SVR. | 2019 | valisluureamet.ee |
| United Kingdom | National Cyber Security Centre | "APT29 is... almost certainly part of the Russian intelligence services". | 16 July 2020 | ncsc.gov.uk |
| Canada | Communications Security Establishment | "APT29 is... almost certainly part of the Russian intelligence services". | 16 July 2020 | ncsc.gov.uk |
| United States | National Security Agency | "APT29 is... almost certainly part of the Russian intelligence services". | 16 July 2020 | ncsc.gov.uk |
| United Kingdom | Foreign, Commonwealth and Development Office | "SVR cyber actors are known and tracked in open source as: APT29[,] Cozy Bear[, and] The Dukes." | 15 April 2021 | gov.uk |
| United States | White House | "The Russian Foreign Intelligence Service (SVR), [is] also known as APT 29, Cozy Bear, and The Dukes" | 15 April 2021 | whitehouse.gov |
| United States | Cybersecurity and Infrastructure Security Agency | "Russian Foreign Intelligence Service (SVR) cyber actors... also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium. | 26 April 2021 | cisa.gov |
Also known as: Snake and Uroburos.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| Estonia | Foreign Intelligence Service | Turla is "tied to the federal security service FSB". | 2018 | valisluureamet.ee |
| Finland | Foreign Intelligence Service | Turla is linked to the Russian security authorities. | 2019 | supo.fi |
| Estonia | Foreign Intelligence Service | Turla is "tied to the Federal Security Service (FSB)". | 2019 | valisluureamet.ee |
| United States | National Security Agency | Turla is "widely reported to be associated with Russian actors". | 18 October 2019 | media.defense.gov |
| United Kingdom | National Cyber Security Centre | Turla is "widely reported to be associated with Russian actors". | 18 October 2019 | media.defense.gov |
| United States | Cybersecurity and Infrastructure Security Agency | Turla is "widely reported to be Russian". | 21 October 2019 | cisa.gov |
| United Kingdom | National Cyber Security Centre | Turla is "suspected to be Russia-based". | 21 October 2019 | ncsc.gov.uk |
Also known as: BlackEnergy Group, ELECTRUM, Iron Viking, Quedagh, Sandworm Team, Telebots, and Voodoo Bear.
| Attributing Country | Attributing Organisation | Attribution Narrative | Attribution Date | Source |
|---|---|---|---|---|
| United States | Department of Justice | "Unit 74455 was located at 22 Kirova Street, Khimki, Moscow" and targeted the US Presidential election when it "assisted in the release of stolen documents through the DCLeaks and Guccifer 2.0 personas, the promotion of those releases, and the publication of anti-Clinton content on social media accounts operated by the GRU". | 13 July 2018 | justice.gov |
| Estonia | Estonian Foreign Intelligence Service | The "GRU’s cyber espionage groups [include] Sandworm" | 2019 | valisluureamet.ee |
| United Kingdom | National Cyber Security Centre and Foreign, Commonwealth and Development Office | Sandworm "is operated by the GRU’s Main Centre of Special Technologies, often referred to by the abbreviation “GTsST” or its field post number 74455... This Unit of the GRU was responsible for... BlackEnergy... Industroyer... NotPetya... BadRabbit". | 20 February 2020 | gov.uk |
| United States | National Security Agency | "The GRU Main Center for Special Technologies (GTsST), field post number 74455... are known publicly as Sandworm team." | 28 May 2020 | defense.gov |
| United Kingdom | Foreign & Commonwealth Office | Sandworm is the GRU. | 16 July 2020 | Link Pending |
| European Union | European Union | The GRU Main Centre for Special Technologies (GTsST) has an active role in the cyber‐activities undertaken by Sandworm and can be linked to Sandworm. The GTsST is responsible for NotPetya and cyber attacks against the Ukrainian power grid. | 30 July 2020 | europa.eu |
| United States | Department of Justice | Unit 74455 of the GRU is tracked by security researchers as "Sandworm Team", "Telebots", "Voodoo Bear", and "Iron Viking". | 19 October 2020 | justice.gov |
Also known as: Blue Alpha, Blue Otso, Callisto, Gamaredon, Iron Tiden, Primitive Bear, SectorC08, and Winterflouder.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| Ukraine | Security Service of Ukraine | ARMAGEDON is "an FSB special project, which specifically targeted Ukraine", "coordinated by the FSB’s 18th Center (Information Security Center) based in Moscow". | 4 November 2021 | ssu.gov.ua |
| Ukraine | Security Service of Ukraine | ARMAGEON is "a specially created structural unit of the Federal Security Service of the Russian Federation", part of the "Office of the FSB of Russia in the Republic of Crimea and the city of Sevastopol". | 4 November 2021 2021 | ssu.gov.ua |
Also known as: Berserk Bear, Crouching Yeti, Energetic Bear, and Temp.Isotope.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United States | Department of Justice | "Military Unit 71330 or “Center 16” of the FSB" is "known among cybersecurity researchers as “Dragonfly,” “Berzerk Bear,” “Energetic Bear,” and “Crouching Yeti.”. | 24 March 2022 | justice.gov |
| United Kingdom | Foreign Commonwealth and Development Office | "It is almost certain that the FSB’s Centre 16 are also known by their hacker group pseudonyms of ‘Energetic Bear’, ‘Berserk Bear’ and ‘Crouching Yeti’" | 24 March 2022 | gov.uk |
| United States | Cybersecurity and Infrastructure Security Agency | "BERSERK BEAR (also known as Crouching Yeti, Dragonfly, Energetic Bear, and Temp.Isotope) [...] is almost certainly FSB’s Center 16, or Military Unit 71330" | 26 April 2022 | cisa.gov |
Also known as: XENOTIME.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United States | Cybersecurity and Infrastructure Security Agency | The "Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics" (or "TsNIIKhM") is also known as "Temp.Veles, XENOTIME”. | 24 March 2022 | justice.gov |
Also known as: SEABORGIUM, Callisto Group, TA446, COLDRIVER, TAG-53, BlueCharlie.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United Kingdom | National Cyber Security Centre | SEABORGIUM is "Russia-based". | 26 January 2023 | ncsc.gov.uk |
| United Kingdom | National Cyber Security Centre | "Star Blizzard [...] is almost certainly subordinate to Centre 18 of Russia’s Federal Security Service (FSB)" | 7 December 2023 | ncsc.gov.uk |
| United States | Cybersecurity and Infrastructure Security Agency | "Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18" | 7 December 2023 | ncsc.gov.uk |
| United States | Cyber Command | Star Blizzard is "linked to Russian Federal Security Service Center 18" | 7 December 2023 | cybercom.mil |
| United States | National Security Agency | Star Blizzard "is an organization with links to the Russian Federal Security Service (FSB)" | 7 December 2023 | nsa.gov |
| Australia | National Security Agency | Star Blizzard "is an organization with links to the Russian Federal Security Service (FSB)" | 7 December 2023 | cyber.gov.au |
| New Zealand | National Cyber Security Centre | "Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18" | 8 December 2023 | ncsc.govt.nz |
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United States | Department of Justice | APT1 is Unit 61398 of the Third Department of the Chinese People’s Liberation Army. | 19 May 2014 | justice.gov |
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United Kingdom | National Cyber Security Centre and Foreign, Commonwealth and Development Office | APT10 "has an enduring relationship with the Chinese Ministry of State Security, and operates to meet Chinese State requirements". | 20 December 2018 | gov.uk |
| United States | Department of Justice | APT10 is Huaying Haitai Science and Technology Development Company (Huaying Haitai) and linked with the Chinese Ministry of State Security’s Tianjin Bureau. | 20 December 2018 | justice.gov |
| Australia | Minister for Foreign Affairs | APT10 is "acting on behalf of the Chinese Ministry of State Security". | 21 December 2018 | foreignminister.gov.au |
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| Belgium | Minister for Foreign Affairs | "Advanced Persistent Threat 27" is one of a number of "Chinese Advanced Persistent Threats" targeting Belgium. | 18 July 2022 | diplomatie.belgium.be |
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| Belgium | Minister for Foreign Affairs | "Advanced Persistent Threat 30" is one of a number of "Chinese Advanced Persistent Threats" targeting Belgium. | 18 July 2022 | diplomatie.belgium.be |
Also known as: Judgement Panda, Red Keres, Zirconium.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United Kingdom | National Cyber Security Centre and Foreign, Commonwealth and Development Office | "NCSC judge it is almost certain that APT31 is affiliated to the Chinese State and likely that APT31 is a group of contractors working directly for the Chinese Ministry of State Security." | 19 July 2021 | gov.uk |
| Belgium | Minister for Foreign Affairs | "Advanced Persistent Threat 31" is one of a number of "Chinese Advanced Persistent Threats" targeting Belgium. | 18 July 2022 | diplomatie.belgium.be |
Also known as: BRONZE, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MOHAWK, Mudcarp, Periscope, TEMP.Periscope and TEMP.Jumper.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| Canada | Global Affairs Canada | "APT 40 almost certainly consists of elements of the Hainan State Security Department’s regional MSS office." APT40 is "also publicly reported as Kryptonite Panda, TEMP.Periscope, TEMP.Jumper, Bronze Mohawk, Leviathan, Mudcarp." | 19 July 2021 | canada.ca |
| United Kingdom | National Cyber Security Centre and Foreign, Commonwealth and Development Office | "NCSC judge it is highly likely that APT40 is linked to the Chinese Ministry of State Security and operates to key Chinese State Intelligence requirements. NCSC judge that APT40 is highly likely sponsored by the regional MSS security office, the MSS Hainan State Security Department (HSSD)." | 19 July 2021 | gov.uk |
| Unites States | Department of Justice | Activity by "Officers in the Hainan State Security Department (HSSD), a provincial arm of China’s Ministry of State Security (MSS)... had been previously identified by private sector security researchers, who have referred to the group as Advanced Persistent Threat (APT) 40, BRONZE, MOHAWK, FEVERDREAM, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope and Temp.Jumper." | 19 July 2021 | justice.gov |
Also known as: UNC2814, GALLIUM, SOFTCELL
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| Belgium | Minister for Foreign Affairs | "UNC 2814/GALLIUM/SOFTCELL" is one of a number of "Chinese Advanced Persistent Threats" targeting Belgium. | 18 July 2022 | diplomatie.belgium.be |
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United Kingdom | National Cyber Security Centre and Foreign, Commonwealth and Development Office | "NCSC judge it highly likely that HAFNIUM is associated with the Chinese state." | 19 July 2021 | gov.uk |
Also known as: Insidious Taurus, Bronze Silhouette
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United States | Cybersecurity and Infrastructure Security Agency | Volt Typhoon is "People’s Republic of China (PRC) state-sponsored". | 24 May 2023 | cisa.gov |
| Australia | ACSC | Volt Typhoon is "People’s Republic of China (PRC) state-sponsored". | 25 May 2023 | cyber.gov.au |
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United States | Department of the Treasury | "APT39 is... owned or controlled by the Iranian government's MOIS" | 17 September 2020 | treasury.gov |
Also known as: Earth Vetala, Static Kitten, Seedworm, TEMP.Zagros, Yellow Nix.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United States | US Cyber Command | "MOIS hacker group MuddyWater..." | 12 January 2022 | twitter.com |
| United States | Cybersecurity and Infrastructure Security Agency | "MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS)" | 12 January 2022 | cisa.gov |
Also known as: APT42, Charming Kitten, Yellow Garuda, ITG18
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United Kingdom | National Cyber Security Centre | TA453 IS "Iran-based" | 26 January 2023 | ncsc.gov.uk |
Also known as: APT38.
| Attributing Country | Attributing Organisation | Attribution Narrative | Date | Source |
|---|---|---|---|---|
| United States | Department of Justice | "units of the Reconnaissance General Bureau (RGB) [...] are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38)" | 17 February 2021 | justice.gov |