These state-sponsored cyber-sleuths are behind many of the world’s biggest hacks.
Hacking has come a long way from the days of maladjusted teenagers wreaking digital havoc from their basements. As Fortune explains in the cover story of our Jul. 1 issue, today the biggest and baddest hacker groups are backed by nation-states. They’re called “advanced persistent threats” or APTs, in the cyber jargon, a phrase meant to convey their supreme and underlying quality: ferocity. Below are a few of the most notorious—and feared—state-affiliated hacking groups around. (Links to specific hacks below are based on leading theories put forward by top computer forensic firms.)
Fancy Bear (a.k.a. Sofacy, Pawn Storm) / Cozy Bear (a.k.a. CozyDuke, Office Monkeys)
Rival agencies in the Russian spy services, the two “Bears” were thrust into the spotlight during last year’s U.S. presidential election for their roles in allegedly breaching the Democratic National Committee’s system. Fancy Bear, which comes out of the GRU, Russia’s military intelligence agency, has been meddling in European elections since then. Cozy Bear, which represents the FSB, Russia’s successor to the Soviet-era KGB, has hit U.S. think tanks.
Lazarus Group (a.k.a. DarkSeoul, Guardians of Peace)
Widely believed to be associated with North Korea, this gang refuses to die. Lazarus got its start by pummeling American and South Korean websites with denial-of-service attacks in 2009. Five years later, it perpetrated a massive hack of Sony Pictures Entertainment. In 2016, Lazarus stole $81 million in a heist targeting Bangladesh’s central bank and the SWIFT financial network. And it has been linked to the WannaCry ransomware worm that ground businesses around the globe to a halt in May.
Equation Group
This is the nickname given by Russian antivirus firm Kaspersky to a team believed to be associated with the U.S. National Security Agency—specifically the NSA’s Tailored Access Operations unit, or TAO. They’re the good guys, right? Not in everyone’s eyes. Many experts believe the Equation Group successfully attacked Iran’s nuclear program in the mid-aughts. But recently a selection of the squad’s hacking tools were stolen and leaked by the Shadow Brokers, another mysterious hacker group (believed to be Russia-affiliated), and are now being used to cause mayhem.
Comment Crew (a.k.a. APT1, Shanghai Group)
China sponsors a plethora of hacking groups. One of the most notorious, believed to be part of the People’s Liberation Army, came to be known as Comment Crew for its habit of hiding comments on web pages. Exposed by forensic investigators at Mandiant, the group has been linked to intrusions at big-name companies such as Coca-Cola, RSA, and Lockheed Martin. Chinese industrial espionage has been on the decline since former U.S. President Barack Obama and Chinese President Xi Jinping agreed to cool it on the cyber front last year.
Sandworm (a.k.a. Electrum)
Named for allusions to the sci-fi classic Dune found in its code, Sandworm is another group believed to be associated with the Russians. The crew has hacked people affiliated with NATO and the Ukrainian government, presumably to gather intelligence. Sandworm is also known for breaking into companies that deal with critical infrastructure. Last year the group shut down a power grid in Ukraine.
Correction: An earlier version of this article erroneously associated APT1/Comment Crew with Operation Aurora, an attack that targeted Google and others.
A version of this article appears in the Jul. 1, 2017 issue of Fortune as part of the feature titled “Hacked.”