Cyber Security Basics 📂 Foundation · 13 of 15 48 min read

Threat Actors Explained: Hacktivists and Advanced Persistent Threats

Hacktivists and Advanced Persistent Threats (APTs) dominate today's cyber landscape—but their goals and tactics differ greatly. This tutorial compares groups like Anonymous, LulzSec, IT Army of Ukraine, KillNet, APT29, APT41, Lazarus, and Salt Typhoon through real-world cases including SolarWinds, Sony Pictures, the Bybit crypto heist, and the Ukraine cyber war, with attack chains, detection methods, and defensive strategies.

Section 01

The Two Faces of Modern Cyber Adversaries

June 2011 — A Tale of Two Hackers
On June 15, 2011, a group calling itself LulzSec tweets a taunt. Minutes later, the public website of the Central Intelligence Agencycia.gov — goes offline. It is a simple flood of traffic, held offline for a couple of hours. LulzSec calls it "for the lulz." Every newspaper on the planet writes about it the next morning.

That same week, in a network far quieter than CIA.gov, a Russian intelligence operator sits inside a US defence contractor's systems. He has been there for eleven months. Nobody has noticed. He is not there for laughs. He is copying documents — quietly, slowly, one file at a time — to servers halfway around the world.

Both are called "hackers" by the press. Neither is remotely the same species of threat.

Understanding that difference is the beginning of modern cybersecurity.

This tutorial breaks down the two threat actor categories that occupy opposite ends of the cyber spectrum: Hacktivists — the noisy, ideological, public-facing disruptors — and Advanced Persistent Threats (APTs) — the silent, patient, state-backed operators who represent the highest tier of cyber adversary in the world.

🎮
The Guiding Metaphor

A hacktivist is a protester with a megaphone: loud, visible, symbolic. An APT is a spy behind the drapes: silent, invisible, strategic. A protester wants you to know they were there. A spy wants you to never find out. Every defensive control you build should distinguish which one you're facing — because you cannot defend against both with the same playbook.


Section 02

Threat Actor Taxonomy — Placing the Two Groups on the Map

Before diving in, it helps to see where hacktivists and APTs sit relative to every other type of adversary. Threat intelligence analysts typically map actors on two axes: motivation (why they attack) and capability (how sophisticated they are).

🎖
Script Kiddies
Motivation: ego
Low skill, low resources. Use tools built by others. Notoriety-driven. Often teenagers experimenting. Broad-target opportunistic attacks.
🔫
Hacktivists
Motivation: ideology
Political, social, or moral causes. Publicity is the point. Skill varies wildly. Attacks are noisy and claim-of-responsibility is intentional.
💰
Cybercriminals
Motivation: money
Ransomware operators, fraud rings, banking trojan crews. Increasingly professional. Some as sophisticated as APTs but profit-driven, not state-directed.
🕵️
Advanced Persistent Threats
Motivation: strategy
Nation-state or state-sponsored. Espionage, sabotage, geopolitical influence. Effectively unlimited resources. Stealth is mission-critical.
📜
The Overlap Problem

These categories are not watertight. Nation-states sometimes disguise operations as hacktivism (Russia's alleged use of KillNet is the textbook case). Cybercriminal groups sometimes claim political motives to muddy attribution. And some hacktivists become so skilled they blur into criminal or state-sponsored territory. Attribution is genuinely hard — always treat it as a probabilistic claim, not a fact.


Section 03

Hacktivists — Definition, Origin, and Modus Operandi

The word hacktivism is a portmanteau of "hack" and "activism", coined in 1996 by a member of the hacker collective Cult of the Dead Cow writing under the handle Omega. The idea was simple: transpose the tactics of civil disobedience — sit-ins, protest marches, leaflet drops — into cyberspace. A DDoS attack is a digital sit-in. A website defacement is a digital protest banner. A data dump is a whistleblower moment writ large.

The Digital Protest March
Imagine ten thousand people showing up outside a corporate headquarters. They don't break windows or steal anything — they just stand there in numbers so large that customers cannot enter the lobby and employees cannot get to their desks. The building keeps existing. Nothing is stolen. But for a day, business stops.

That is a DDoS attack. That is the fundamental logic of hacktivism: use collective action to make a target's public presence uninhabitable for long enough to attract media attention to your cause. It is protest theatre with a keyboard.

Defining Characteristics of Hacktivist Groups

🔑 What Makes a Threat Actor "Hacktivist"
Trait 1
Ideological motivation. The goal is a message, not money or data. Causes range from free speech and civil liberties to nationalism, religion, and specific geopolitical conflicts.
Trait 2
Public claim of responsibility. Anonymity of individuals, but not of the operation. Attacks come with press releases, Telegram announcements, or defacement banners that demand attribution.
Trait 3
Decentralised, fluid membership. No org chart. No HR department. Members recruit via forums, IRC, or Telegram. Anyone can join by helping in an operation.
Trait 4
Preference for symbolic targets. Government portals, financial institutions, high-visibility corporate sites. The point is not damage, it is visibility.
Trait 5
Common toolkit, variable skill. Most operations use freely available tools like LOIC, HOIC, or booter services. A small elite core does the actual intrusion work.
Trait 6
Short mission lifecycle. Operations named "Op-Something" run for days or weeks. Once media attention fades, the operation ends and members regroup for the next cause.

Section 04

Case Study — Anonymous, the Blueprint Hacktivist Collective

Every discussion of hacktivism begins with Anonymous. Emerging in 2003 from the imageboard 4chan, Anonymous is not a group in any conventional sense — it is a brand that any collection of hackers can operate under. The Guy Fawkes mask from V for Vendetta became its symbol; a distorted voice-changer became its signature.

2008
Project Chanology — Anonymous vs the Church of Scientology
The Church of Scientology forced YouTube to remove a leaked Tom Cruise recruitment video. Anonymous responded with DDoS attacks on Scientology websites and coordinated in-person protests in over 90 cities. This was Anonymous's transition from online mischief to organised activism.
2010
Operation Payback — WikiLeaks & PayPal
After PayPal, Visa, and MasterCard cut off donations to WikiLeaks, Anonymous launched coordinated DDoS attacks against all three. Reports cited by The Guardian put PayPal's mitigation cost at roughly £3.5 million. This established DDoS as a hacktivist protest weapon in the mainstream public consciousness.
2011
HBGary Federal — Turning the Tables on a Security Firm
HBGary Federal CEO Aaron Barr publicly boasted he had identified top Anonymous operatives and would unveil them at a security conference. Anonymous responded by breaching HBGary's website, seizing tens of thousands of internal emails, and posting them online — exposing schemes to discredit WikiLeaks and journalist Glenn Greenwald. Barr resigned within weeks.
2011
Operation Tunisia — Arab Spring Involvement
Anonymous participants (including future LulzSec members) helped Tunisian dissidents by building browser-protection scripts, DDoS-ing government sites, and hosting videos of the uprising. Anonymous framed itself explicitly as a pro-democracy tool during the Arab Spring.
2022
#OpRussia — The Ukraine War Return
Days after Russia's full-scale invasion of Ukraine, Anonymous publicly declared "cyber war" on the Kremlin. In the months that followed, Anonymous claimed leaks of Russian state surveillance data, defacements of Russian state TV, and coordinated actions with the IT Army of Ukraine. Whether every claim was true is disputed — but Anonymous had reactivated as a wartime brand.
🚩
The Attribution Problem

Because anyone can act under the Anonymous banner, "Anonymous did X" is a nearly meaningless statement without further evidence. A single teenager with a botnet can put out a video claiming responsibility for an attack that ten thousand strangers actually carried out. Treat Anonymous claims like you would treat any anonymous internet claim — with a heavy dose of "prove it".


Section 05

Case Study — LulzSec and the "50 Days of Lulz"

If Anonymous is the movement, LulzSec was the elite splinter cell. Founded in May 2011 by six core members — Sabu, Topiary, Kayla, Tflow, AVunit and Pwnsauce — LulzSec ran for exactly 50 days before disbanding. In that window they conducted some of the highest-profile hacks in history, and were then rapidly dismantled by law enforcement.

Date (2011) Target What They Did
May 7Fox.comLeaked LinkedIn profiles and names of 73,000 X Factor US contestants.
May 30PBS.orgRetaliation for a WikiLeaks documentary. Posted a fake story that Tupac Shakur was alive in New Zealand.
June 2Sony PicturesExfiltrated data on ~1 million user accounts including plain-text passwords. Costs to Sony estimated in tens of millions.
June 13US SenateBreached senate.gov, released internal file listings. Reported by The Wall Street Journal.
June 15CIA.govDDoS took the public CIA website offline for roughly two hours. Reported by The Washington Post.
June 20SOCA (UK)Attack on the UK Serious Organised Crime Agency site as opening move of Operation AntiSec.
June 23Arizona DPSLeaked home addresses of law enforcement officers in retaliation for Arizona SB 1070.
June 26DisbandedLulzSec announced end of operations after 50 days.
🚫
How LulzSec Actually Ended

LulzSec leader Hector Monsegur, known as Sabu, was arrested by the FBI on June 7, 2011 — days before the CIA hack. Facing decades in prison and responsible for two children, he agreed to cooperate. For nearly nine months he continued to lead LulzSec as an FBI informant, feeding evidence against every other core member. By March 2012, coordinated raids across the US, UK, and Ireland dismantled the group. Reuters reported at least four core members were arrested, including Topiary (Jake Davis) and Kayla (Ryan Ackroyd).


Section 06

Modern Hacktivism — The Ukraine War Era

Hacktivism entered a new phase on February 26, 2022, when Ukraine's Vice Prime Minister and Minister of Digital Transformation, Mykhailo Fedorov, publicly called on volunteers to form an IT Army of Ukraine. Within days, over 300,000 people had joined a coordinating Telegram channel receiving daily target lists. The pro-Russian side responded with its own ecosystem. For the first time in history, hacktivism became a state-endorsed operational element of an active war.

🗺 Pro-Ukraine Hacktivists
GroupFocus
IT Army of UkraineDDoS Russian gov sites
Anonymous #OpRussiaState TV leaks/defacement
Cyber RegimentIntel gathering ops
Ukrainian Cyber AllianceData exfiltration
Hack Your MomKharkiv-based ops
InformNapalmOSINT publication
🔴 Pro-Russia Hacktivists
GroupFocus
KillNetDDoS on NATO targets
NoName057(16)Crowdsourced DDoS
XakNetUkrainian infrastructure
Anonymous RussiaSupport to KillNet ops
SolntsepekLinked to GRU / Sandworm
Cyber Army of RussiaMulti-target DDoS
🌐
The Line Between Hacktivism and State Cyber Warfare Is Vanishing

Google's Mandiant reported in 2024 that pro-Russian group Solntsepek claimed responsibility for the December 2023 attack on Ukrainian telco Kyivstar that knocked out service to 24 million users. Ukraine's SBU later attributed the attack to Russian military intelligence (Sandworm / APT44) — meaning "hacktivists" were the public front for a GRU cyber operation. This is the new normal: hacktivist branding is now a plausible-deniability layer for state cyber operations.


Section 07

Hacktivist Techniques — What They Actually Do

For all the mythology, hacktivist tradecraft is surprisingly consistent. Five techniques account for the vast majority of operations across two decades.

🌅
DDoS (Denial of Service)
Flood a target with traffic until it collapses. Tools like LOIC (Low Orbit Ion Cannon) and HOIC made this accessible to anyone. Modern groups use rented botnets or reflection attacks amplifying via misconfigured DNS/NTP servers.
tool: LOIC, HOIC, Mirai
🔧
Website Defacement
Compromise a web server (often via SQL injection or unpatched CMS) and replace the homepage with a protest message. Zone-h.org has tracked over 13 million defacements since 2000 — most political.
tactic: SQLi, CMS exploits
📁
Data Dumps & Leaks
Exfiltrate internal documents and publish them on paste sites, Telegram, or torrent networks. The HBGary Federal email dump is the classic — 70,000 emails exposing corporate malfeasance in one release.
venue: Pastebin, DDoSecrets
👤
Doxxing
Publish real-world identities — names, addresses, phone numbers — of individuals the group has decided are enemies. LulzSec doxxed police officers in Arizona, Missouri, and Alabama during AntiSec.
target: individuals, not orgs
🔁
Account Hijacking
Take over social media accounts of media outlets or celebrities to broadcast messages. The Syrian Electronic Army famously hijacked the Associated Press Twitter account in 2013, tweeting a false Obama assassination story that briefly crashed the Dow Jones.
technique: phishing + reuse
📩
Coordination via Telegram
Modern hacktivism runs on Telegram channels — target lists, tool distribution, victory claims. IT Army of Ukraine and NoName057(16) both push daily target rosters to hundreds of thousands of followers.
since 2022: primary platform

The Classic Hacktivist Tool — LOIC

# The Low Orbit Ion Cannon (LOIC) is a simple stress-testing tool
# that Anonymous famously repurposed for DDoS attacks in Operation Payback.
# It is public knowledge — documented in every security textbook — and
# reproduced here only for defensive awareness. Using it against a target
# without permission is a criminal offence in every major jurisdiction.

TOOL:       LOIC (Low Orbit Ion Cannon)
AUTHOR:     Praetox Technologies (originally, 2010)
PROTOCOL:   TCP / UDP / HTTP flood
MODE:       Manual target entry OR "Hivemind" IRC-controlled swarm
EFFECT:     Each user sends thousands of requests per second
FLAW:       Does NOT anonymise. Source IP is fully visible to the target.
RESULT:     Dozens of Anonymous participants were arrested after Operation
              Payback because LOIC gave the FBI their home IP addresses on
              PayPal's server logs. Reported by Wired and The Guardian.
⚠️
Why LOIC Backfired So Badly

LOIC did not route through Tor or any anonymising proxy. Every packet sent by every Anonymous participant during Operation Payback landed on PayPal's servers with the participant's home IP address. Subpoenas to ISPs followed. Fourteen people were charged in the US alone — several served jail time. This is the persistent hacktivist paradox: the willingness to be seen doing the deed makes hacktivists the easiest threat actor to prosecute.


Section 08

Advanced Persistent Threats — Definition and Anatomy

An Advanced Persistent Threat (APT) is not a piece of malware or a specific attack. It is a description of an adversary: a well-resourced, patient, highly skilled actor — almost always state-sponsored — who conducts long-duration campaigns against specific strategic targets. The three words in the name are each doing serious work.

🏆
Advanced
Skill + Resources
Custom malware, zero-day exploits, multi-stage tooling, dedicated developers. Not off-the-shelf. When needed, APTs write their own operating-system-level implants. They also employ intelligence tradecraft — social engineering, physical infiltration, HUMINT.
Persistent
Long dwell time
Research suggests APT campaigns last ~137 days on average, with some running for years. APT29 sat inside the DNC network for nearly a full year before detection. Persistence is the point — one-and-done attacks are not APT behaviour.
💩
Threat
Strategic targeting
Not opportunistic. A specific ministry, a specific defence contractor, a specific research institution. Targets are chosen for their strategic value — military intelligence, IP theft, dissident surveillance, financial theft to fund state programmes.
💼
The Business Analogy

A hacktivist attack is a one-week protest. A ransomware attack is a bank robbery. An APT campaign is a foreign intelligence service that has quietly hired a friend of your CFO's cousin who now works for you — and has been there for two years, taking a photo of every quarterly report before it's published. That is the tempo and posture defenders are up against.


Section 09

The Major APT Groups — A Field Guide

The intelligence community tracks hundreds of APT groups, but the vast majority of high-impact operations come from a handful of nation-state ecosystems. Vendors give them different names — APT29 to Mandiant is Cozy Bear to CrowdStrike is Midnight Blizzard to Microsoft — but they refer to the same operators.

Attribution Group (aliases) Known For Primary Target Sectors
Russia APT29 (Cozy Bear, SVR, Midnight Blizzard, NOBELIUM, The Dukes) SolarWinds (2020), DNC hack (2016), Microsoft breach (2024), COVID vaccine espionage Government, diplomatic, think tanks, technology supply chain
APT28 (Fancy Bear, GRU, Sofacy, Sednit, STRONTIUM) DNC hack (2016), TV5Monde attack (2015), Bundestag breach (2015), Olympics interference NATO governments, media, election infrastructure, defence contractors
Sandworm (APT44, Voodoo Bear, GRU Unit 74455) Ukraine power grid attacks (2015, 2016), NotPetya (2017), Kyivstar (2023) Critical infrastructure, energy, telecoms, Ukrainian government
China APT41 (Double Dragon, Winnti, Wicked Panda, BARIUM) Video game industry theft, healthcare espionage, COVID exploitation of RDP flaws Healthcare, telecoms, high-tech, video games, 14+ countries since 2012
Salt Typhoon (GhostEmperor, FamousSparrow) 2024 breach of 9 US telecom carriers, compromise of CALEA lawful-intercept systems, 600+ orgs across 80 countries Telecommunications, US government surveillance systems
Volt Typhoon Pre-positioning in US critical infrastructure — power, water, transportation — for potential future disruption US critical infrastructure (energy, water, transport)
North Korea Lazarus Group (APT38, HIDDEN COBRA) Sony Pictures (2014), Bangladesh Bank SWIFT heist (2016), WannaCry (2017), Bybit theft (2025 — $1.5 B) Financial institutions, cryptocurrency exchanges, defence contractors
Kimsuky (APT43, Velvet Chollima) Credential harvesting of foreign-policy researchers, sanctions-relief intelligence Think tanks, academics, NGOs, South Korean government
Iran APT34 (Helix Kitten, OilRig) Long-running Middle East espionage. Tools were leaked in 2019 by hacktivist group Lab Dookhtegan. Energy, telecoms, government in Gulf region
APT35 (Charming Kitten, Phosphorus) Targeting of journalists, dissidents, US election staff, and academic researchers on Iran Journalists, dissidents, academic institutions
📋
The Naming Convention

Mandiant uses APT##. CrowdStrike uses animals — Bear for Russia, Panda for China, Chollima for North Korea, Kitten for Iran, Spider for criminal groups. Microsoft uses weather patterns — Blizzard for Russia, Typhoon for China, Sleet for North Korea, Sandstorm for Iran. Cross-referencing names is a daily task for threat intelligence analysts.


Section 10

The APT Kill Chain — How a Nation-State Attack Actually Unfolds

Lockheed Martin's Cyber Kill Chain, first published in 2011, remains the clearest way to visualise an APT operation. It breaks a campaign into seven ordered phases, each of which is a defender's opportunity to detect and disrupt.

01
Reconnaissance
Target selection. Passive intelligence gathering — LinkedIn scraping to identify sysadmins, DNS enumeration, Shodan queries for exposed services, review of public breach dumps for reused passwords. Weeks to months.
02
Weaponisation
Build the payload. Combine an exploit (often a zero-day) with a delivery mechanism. APT29's SolarWinds implant SUNBURST was crafted to blend with legitimate Orion telemetry — that took months of dedicated development.
03
Delivery
Get the payload to the target. Spear phishing is still the #1 vector — a personalised email to a named employee. Also: supply-chain compromises, watering-hole websites, USB drops, VPN vulnerability exploitation.
04
Exploitation
The payload executes. The target clicks a link, opens a document, or the trojanised update installs itself. Code now runs inside the victim's network under a legitimate user's context.
05
Installation
Persistence is established. Registry keys, scheduled tasks, WMI subscriptions, OAuth application registrations. The goal is to survive reboots, patches, and password resets. APT29 famously deploys multiple redundant implants so removing one still leaves the attacker in.
06
Command & Control (C2)
The implant beacons out to attacker infrastructure for instructions. Modern APTs increasingly use legitimate cloud services (Google Drive, Dropbox, Microsoft Graph API) so the traffic looks normal. C2 can go dormant for weeks between check-ins.
07
Actions on Objectives
The mission itself: data exfiltration, credential harvesting, lateral movement to higher-value systems, deployment of destructive wipers (Sandworm's specialty), or financial theft (Lazarus's specialty). Everything before was setup — this is the payoff.
📈
Break One Link, Break the Chain

Lockheed's central insight is elegant: the defender needs to succeed only once, at any single phase, to stop the attack. The attacker must succeed at every phase. This is a rare cybersecurity dynamic that actually favours defence — but only if the defender is monitoring every phase, not just the perimeter.


Section 11

Case Study — SolarWinds / SUNBURST (APT29, 2020)

If Muni was the definitive ransomware case study, SolarWinds is the definitive APT case study. It is the operation that made every CISO on the planet rethink the trust boundary between their organisation and its software vendors.

What Happened

In early 2020, APT29 operators quietly compromised the software build system at SolarWinds, a Texas-based network monitoring vendor. They injected a backdoor — dubbed SUNBURST by FireEye — into legitimate updates of the SolarWinds Orion product. Because the compromised binary was signed with SolarWinds's own valid code-signing certificate, it passed every trust check and was distributed to roughly 18,000 organisations as a routine software update between March and June 2020.

🛠️ SUNBURST — The Backdoor's Anatomy
Stealth 1
After installation, the malware sleeps for up to two weeks before making any network activity. Sandboxes and forensic analysis rarely run that long.
Stealth 2
C2 traffic masquerades as the legitimate Orion Improvement Program (OIP) protocol. Even DNS queries used domain-generation algorithms that looked like normal SolarWinds telemetry.
Stealth 3
The malware checked a blocklist of forensic and antivirus tools. If any were running, it went dormant. This is anti-anti-malware behaviour.
Stealth 4
Once active, the attackers pivoted from on-prem to cloud using Golden SAML — stealing the private key from an on-prem Active Directory Federation Services (ADFS) server and using it to forge authentication tokens for Microsoft 365 and Azure.
Stealth 5
Once inside cloud environments, they read mailboxes and documents using API calls that looked like the victim's own legitimate SSO traffic.
Stealth 6
The attackers deployed a second-stage loader called TEARDROP only on the very small subset of high-value victims they actually wanted to compromise. Of 18,000 downloads, only a much smaller subset were followed up on.

Who Was Hit

CategoryVictims Publicly Confirmed
US Federal AgenciesDepartments of State, Treasury, Homeland Security, Commerce, Energy, Justice. The Pentagon, National Institutes of Health, and the National Nuclear Security Administration were all breached.
Security VendorsFireEye (which discovered the attack when its own red-team tools were stolen), Microsoft, Malwarebytes, Mimecast, CrowdStrike (probed but not compromised).
Big TechMicrosoft's source code repositories were accessed; Intel, Cisco, VMware, Nvidia all downloaded compromised binaries.
Global GovernmentsUK, EU institutions, NATO — the full extent still not publicly known.

How It Was Discovered

# Timeline of discovery — reconstructed from FireEye,
# Microsoft, SolarWinds, and CISA public reporting.

Mar 2020    APT29 compromises SolarWinds build system.
              Malicious code shipped in Orion updates 2019.4 HF 5 through 2020.2.1

Apr–Nov 2020    Attackers operate inside 18,000 environments,
                     harvest data from a small chosen subset. No detection.

Early Dec 2020    FireEye's own SOC notices an anomaly:
                       a new device enrolled in MFA for an employee who
                       never travels. This ONE alert broke the case.

Dec 8, 2020    FireEye discloses its own red-team tools were stolen.
                    # Reported by Reuters, The New York Times, WSJ.

Dec 13, 2020    FireEye's Kevin Mandia publishes SUNBURST analysis.
                     SolarWinds confirms Orion compromise.

Dec 17, 2020    The New York Times (Sanger & Perlroth) publishes
                     the definitive early account: "grave risk" to US gov.

Apr 15, 2021    The Biden administration formally attributes the
                     attack to Russia's SVR (APT29 / Cozy Bear).
                     Announces sanctions and diplomatic expulsions.
SCALE — WHAT MAKES SOLARWINDS UNIQUE
Vendor: SolarWinds (Texas, USA) Product compromised: Orion network monitoring platform Backdoor name: SUNBURST Second-stage loader: TEARDROP Time from insertion to discovery: ~9 months Total organisations receiving trojaned update: ~18,000 Organisations actively exploited follow-on: Estimated dozens to low hundreds Perpetrator: Russian SVR (APT29 / Cozy Bear) Attribution date: April 15, 2021 (White House, formal) Long-term impact: US Executive Order 14028 on cybersecurity, global rethink of software supply chain trust
🚫
The Enduring Lesson

Every organisation implicitly trusts its software vendors' update mechanisms. SolarWinds proved that trust is a single point of failure at civilisation scale. Modern defensive doctrine — Zero Trust, Software Bill of Materials (SBOM), signed reproducible builds, vendor risk management as a Board-level topic — is largely a response to SolarWinds.


Section 12

Case Study — Lazarus Group (North Korea)

Lazarus is unique among APTs: it is a state-sponsored espionage group that also functions as a bank-robbing organisation to fund the North Korean regime under crippling international sanctions. Its combination of intelligence and financial motives makes it arguably the most impactful APT of the past decade in raw dollar terms.

Year Target Outcome
2014 Sony Pictures Retaliation for the film The Interview. ~100 TB exfiltrated, wiper malware deployed. Reported globally. Sony executives resigned; internal salaries and unreleased films leaked. Attribution to North Korea confirmed by FBI.
2016 Bangladesh Bank Attempted $951 million SWIFT heist. Roughly $81 million actually stolen and laundered through Philippine casinos. Prevented from stealing the rest by a typo in a transfer request ("fandation" instead of "foundation"). Reported by Reuters and Bloomberg.
2017 WannaCry (global) Ransomware worm using leaked NSA EternalBlue exploit. Infected 200,000+ systems in 150 countries. Crippled the UK's National Health Service. Attributed to Lazarus by US, UK, Australia. TechTarget notes ongoing supply chain attacks by Lazarus continue through 2024–2025.
2022 Harmony Horizon Bridge Cryptocurrency bridge attack. $100 million stolen. Attributed to Lazarus by FBI in June 2022.
2025 Bybit Supply-chain compromise of Safe{Wallet}, a wallet infrastructure provider. ~$1.5 billion in Ethereum stolen on February 21, 2025 — the largest single cyber theft in history. Attribution to North Korea's TraderTraitor cluster confirmed by FBI and corroborated by Japanese authorities.
💵
Cyber Operations as State Revenue

A UN Security Council panel of experts estimates that DPRK cyber theft has generated several billion dollars for the regime, with the take increasing sharply after 2020 as sanctions tightened. This is a genuinely novel category in the APT world: a nation-state whose cyber operations are, in significant part, a revenue-generating business unit. Every other APT ecosystem is primarily driven by intelligence goals; Lazarus is driven by a treasury shortfall.


Section 13

Hacktivist vs APT — Side-by-Side

A defender's mental model is only useful if it produces different decisions for different actors. This is the reference table you should be able to reconstruct from memory.

Dimension Hacktivist Advanced Persistent Threat
Motivation Ideology, publicity, protest Intelligence, sabotage, state revenue
Sponsor Self-organising, sometimes crowd-funded Nation-state or state-adjacent
Skill ceiling Low to moderate; a few skilled elites Highest tier — zero-days, custom malware, HUMINT
Duration Days to weeks Months to years
Attribution posture Public claim of responsibility Denial. Plausible deniability engineered in.
Primary techniques DDoS, defacement, data dumps, doxxing Spear phishing, supply chain, zero-days, living-off-the-land
Typical targets Websites, social accounts, symbolic infra Government, defence, R&D, critical infrastructure
Detection difficulty Low — they announce themselves Extreme — designed to be invisible
Cost of incident Reputational + short outage Strategic loss, national-security implications
Primary defensive control DDoS mitigation, WAF, patched public services Zero Trust, EDR, MFA, threat hunting, SBOM
Time-to-detect (avg) Minutes to hours ~137 days
Prosecution likelihood Higher — they leave a signature Near-zero — protected by their state

Section 14

Practical Defence — Different Playbooks for Different Enemies

Because the two threat actor types operate on fundamentally different tempos, defending against them requires distinct control sets. This section walks through what a mature organisation should have in place for each.

Defending Against Hacktivists — Absorb the Noise, Deny the Symbolism

🛡️
DDoS Mitigation
Cloudflare, Akamai, AWS Shield or equivalent in front of every public-facing service. Volumetric attacks are the #1 hacktivist weapon; absorbing them is table stakes.
provider: Cloudflare/Akamai
🔒
Web Application Firewall (WAF)
Blocks SQL injection, XSS, and CMS exploits that hacktivists use for defacement. Configure to log and block, not just log.
managed rulesets, updated weekly
👤
Public Face Hardening
Corporate social media accounts on MFA. WordPress and CMS admin pages behind VPN. Third-party plug-ins minimised. Any exposed admin interface is a hacktivist target.
no /wp-admin on the public internet
📡
Reputation Monitoring
Watch Telegram, X, and paste sites for mentions of your brand. Hacktivist target lists are usually published before the attack. Threat intelligence services will alert on this.
pre-warning window: hours to days
👥
Incident Communications
Have a pre-drafted holding statement ready. Hacktivist attacks are theatre; the media coverage is often more damaging than the technical impact. Silence in the first 24 hours amplifies the story.
comms plan tested quarterly
👥
Employee & Exec Protection
Doxxing is real. Executives and controversial staff should have personal accounts on MFA, home-address scrubbed from data brokers, and a documented process for takedown requests.
DeleteMe, Kanary, Optery

Defending Against APTs — Assume Breach, Detect Movement

🕵️ The Nine Controls Every APT-Facing Org Should Have
1
Zero Trust Architecture. Perimeter security assumes trust after entry. Zero Trust assumes the opposite: every request is authenticated and authorised, every time, regardless of source. This is the single largest architectural response to SolarWinds.
2
Phishing-resistant MFA everywhere. Not SMS. Not push. Hardware keys (FIDO2 / WebAuthn) or platform authenticators. Unit 42 reports identity was material in ~90% of 2025 APT investigations.
3
EDR on every endpoint. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint. Antivirus is obsolete against APTs — behavioural detection is mandatory. Configure telemetry to ship to a SIEM for cross-host correlation.
4
Network segmentation and lateral-movement detection. Domain controllers isolated. Service accounts audited. Any use of legitimate admin tools (PsExec, PowerShell Remoting, WMI) across host boundaries generates an alert.
5
Supply chain security. Software Bill of Materials (SBOM) for every vendor. Signed, reproducible builds. Vendor risk assessments that go beyond checkbox questionnaires. Continuous monitoring of dependencies for known vulnerabilities.
6
Cloud identity hardening. APT29 shifted almost entirely to cloud identity attacks after 2020. Monitor OAuth application consents, service principal creation, conditional-access bypasses, and unusual token issuance patterns.
7
Threat hunting, not just alerting. A hunt team proactively searches for indicators of compromise assuming the network is already breached. Alerts catch what tools are configured to catch; hunts catch what nobody thought to look for.
8
Deception technology. Honeytokens, canary files, decoy accounts. An APT that touches a canary is announcing itself. This is one of the highest-value-for-effort controls available and shockingly underused.
9
Executive threat awareness. APTs target specific individuals — CEOs, CFOs, general counsel, R&D leads. These people need dedicated protection: managed personal devices, physical security review, awareness training tuned to their threat model.

Section 15

Detection Recipe — Spotting APT29-Style Behaviour

Below is a compact YARA-style ruleset and SIEM query pattern that a SOC would use to hunt for APT29's post-SolarWinds cloud tradecraft. It illustrates what "behavioural detection" actually looks like — no signatures of specific binaries, only patterns of behaviour.

// APT29 CLOUD IDENTITY ATTACK — DETECTION LOGIC
// Based on CISA advisory AA24-057A and MITRE ATT&CK G0016.

rule APT29_Golden_SAML_Suspected
{
    meta:
        author      = "SOC threat hunt team"
        description = "Detects likely Golden SAML token forgery"
        reference   = "SolarWinds, APT29 / SVR"
        severity    = "critical"

    strings:
        $adfs_export   = "Export-PfxCertificate"       ascii wide
        $adfs_dkm      = "ADFS DKM master key"          ascii wide
        $saml_forge_1  = "AADInternals"                 ascii wide
        $saml_forge_2  = "Set-AADIntSAMLToken"          ascii wide

    condition:
        2 of them
}

# === Splunk-style SIEM query — high-value APT29 patterns ===

index=azure_signin
| where ResultType=0
    AND UserAgent LIKE "%python-requests%"
    AND ConditionalAccessStatus="notApplied"
| stats count by UserPrincipalName, IPAddress, UserAgent

# Explanation: legitimate users don't sign in with programmatic user-agents,
# AND normal SAML flows should always trigger conditional access.
# Both conditions together = high-fidelity APT29 fingerprint post-SolarWinds.

index=o365_audit
| where Operation="Add service principal."
    OR Operation="Consent to application."
| where Actor NOT IN (approved_admin_list)
| table _time, Actor, Application, IPAddress

# Explanation: OAuth application registration is APT29's preferred cloud
# persistence technique in 2024-2026. Watch it like a hawk.
HUNTING NOTES
Priority-1 signals to hunt for weekly: 1. Service principal creation outside change windows 2. OAuth consent grants to first-party apps by non-admins 3. Sign-ins from Tor exit nodes or residential proxies 4. Impossible-travel authentications (LAX -> Moscow in 20 min) 5. ADFS token-signing certificate export events 6. Mailbox rules that auto-forward or delete 7. Newly registered devices for accounts that never travel 8. Failed conditional-access bypass attempts Any single one of these merits investigation. Two together = active APT29-style intrusion until proven otherwise.

Section 16

Newspaper and Reference Coverage

Every case cited in this tutorial is drawn from public reporting. Below is a curated list of the primary sources — for anyone building on this material for academic work, executive briefings, or their own threat modelling.

Topic Publication / Source Contribution
Hacktivism Wired (Kevin Poulsen) "Hacktivists Scorch PBS in Retaliation for WikiLeaks Documentary" — May 30, 2011
The Washington Post (Ellen Nakashima) "CIA Web site hacked; group LulzSec takes credit" — June 15, 2011
The Wall Street Journal (Andrew Morse) "LulzSec Hacker Group Claims Attack on US Senate Website" — June 13, 2011
Parmy Olson — "We Are Anonymous" (Little, Brown, 2012) Definitive book-length account with interviews of all six LulzSec core members.
Ukraine War Hacktivism NPR (Jenna McLaughlin) "Ukrainian hacktivists fight back against Russia as cyber conflict deepens" — November 21, 2023
The Washington Times (Ryan Lovelace) Recorded Future analysis: ~100 pro-Russian hacktivist groups active in first year of war — February 23, 2023
Flashpoint / KELA Cyber Long-form tracking of KillNet, NoName057(16), Anonymous Russia leadership disputes and evolution 2022–2024
SolarWinds / APT29 The New York Times (Sanger & Perlroth) "More Hacking Attacks Found as Officials Warn of 'Grave Risk' to U.S. Government" — December 17, 2020
Reuters (Joseph Menn) "Microsoft says it found malicious software in its systems" — December 18, 2020
Wired (Lily Hay Newman) "No One Knows How Deep Russia's Hacking Rampage Goes" — December 14, 2020
FireEye / Mandiant December 13, 2020 technical advisory — the first public disclosure of SUNBURST
Lazarus Group Reuters and Bloomberg Bangladesh Bank SWIFT heist coverage — 2016. Attribution to North Korea confirmed by US Justice Department 2018.
The New York Times Sony Pictures hack coverage — December 2014. FBI attribution to North Korea.
Bloomberg / Nikkei Asia Bybit $1.5 billion crypto theft coverage — February 2025. FBI TraderTraitor attribution.
Salt Typhoon Wall Street Journal / New York Times 2024–2025 coverage of Chinese compromise of nine US telecom carriers including CALEA lawful-intercept systems
CISA advisory Joint federal advisory documenting Salt Typhoon TTPs across 600+ orgs in 80 countries
Government advisories CISA AA24-057A "SVR Cyber Actors Adapt Tactics for Initial Cloud Access" — the definitive government reference on modern APT29 tradecraft
MITRE ATT&CK Groups G0016 (APT29), G0007 (APT28), G0032 (Lazarus), G0096 (APT41) — canonical technique catalogues

Section 17

Golden Rules — What to Take Away in Ten Lines

🏆 Threat Actor Fundamentals — Non-Negotiable Takeaways
1
"Hacker" is not a threat model. The word covers everyone from bored teenagers to Russian foreign intelligence officers. Refuse to accept it as an actionable term. Always ask: which actor? which motive? which capability?
2
Hacktivists want to be seen. APTs want to disappear. If an attack comes with a press release, it is not an APT. If a breach was found six months after the fact through a stray log entry, it might be.
3
Attribution is probabilistic, not deterministic. Even the best-resourced governments require months of technical and human intelligence to make a public attribution. Any tweet naming a specific attacker within hours of an attack should be treated as speculation.
4
Perimeter defence is not enough against APTs. They will get in. Design your architecture on the assumption that at least one of your endpoints is already compromised. Detect movement, not entry.
5
Supply chain is the new perimeter. SolarWinds proved that trusted vendor updates are a viable APT vector at civilisation scale. If you do not have a Software Bill of Materials programme, start one.
6
Identity is the new endpoint. Nearly 90% of 2025 APT investigations involved identity compromise, and 65% of initial access is now identity-driven. Phishing-resistant MFA and conditional access are load-bearing controls, not optional extras.
7
The line between hacktivist and APT is blurring. Sandworm has hidden behind Solntsepek. GRU officers seed KillNet target lists. If you defend a target likely to draw hacktivist attention, expect a state-backed actor to piggyback on the noise.
8
Threat intelligence is not optional at scale. Feeds from Mandiant, CrowdStrike, Microsoft, government CERTs, and open-source communities like MITRE are how you know which actors care about your sector this quarter. Consume them, don't just subscribe.
9
Detection speed is the metric that matters. The industry median dwell time is measured in months. In the fastest observed 2026 cases, initial access to exfiltration is 72 minutes. Whichever of those numbers you optimise for defines whether you have a chance.
10
Defence is a team sport. Share indicators of compromise with your ISAC. Cooperate with law enforcement. Read the public post-mortems of others' breaches. Every SolarWinds, every Muni, every Sony teaches lessons that make everyone stronger — if we choose to learn them.
🌟
Closing Thought

Hacktivists remind us that cybersecurity is fundamentally about power — who has it, who wields it, and who tries to take it back. APTs remind us that every organisation now operates in a threat environment that includes actors with the resources of nation-states. Neither category is going away, and neither can be defeated — only detected, contained, and made expensive. The job of a modern security professional is to raise the cost of both, every day, until the adversary moves on to easier targets.