Top 5 cyber actors of 2023

Top 5 cyber actors of 2023

Image provided by pixabay

This post is also available in: heעברית (Hebrew)

A brief summary of five highly active and impactful threat actors that have made a noticeable impact across the first half of 2023, with some still going strong at the time of writing.


Active since 2021, they publicly name their victims and those who refuse to pay on both a Telegram channel and a leak site. Medusa is known to post victim data well in advance of ransom payment deadlines expiring.

It occasionally works with other APT groups in specialized capacities to carry out its cybercrime operations. It favors SMS-based phishing attacks and is also known to try and attack common remote access solutions like VPN portals, or use brute force to guess valid credentials.

Fighting Ursa

Believed to be a Russian Military operating unit, it has been active since 2007, with more directly attributable activity being observed in 2018. This APT group is focused solely on attacking and exploiting NATO member countries or countries like Ukraine seeking NATO membership.

Fighting Ursa mainly uses social engineering attacks like spear-phishing campaigns to harvest credentials and deliver malware. It seeks to infect traditional devices like workstations, but some of its malware infections have been observed on mobile devices as well. After gaining an initial foothold, the group seeks to maintain and spread its influence throughout compromised networks through ‘Command and Control’ (C2) channels, with repeat infection.

Aquatic Panda

This group is suspected to be a Chinese nation-state actor, which seeks to perform highly specific missions involving both intelligence gathering and industrial espionage. Operating since May 2020, this threat actor is believed to operate under the Chinese Ministry of State Security (MSS), helping to enhance regional security, promote economic stability, and advance technological development efforts.

Aquatic Panda seeks to broaden its Command and Control (C2) Infrastructure by establishing new nodes and compromising active GlassFish servers and Cloudflare. The group can also create expansive command and control infrastructure, creating new nodes between campaigns.

Sea Turtle

Like Aquatic Panda, Sea Turtle is assumed to be a nation-state actor with a similar method of performing intelligence-gathering operations for the regional government it originates from. The group has been active since 2017 and gained momentum in the first half of 2023, when they altered their primary exploitation tactic from DNS hijacking to full-blown organization compromise against targeted victims. The group has recently shifted to attacking international telecommunications agencies.

Arid Viper

The group has been active since 2014 and appears to confine its primary operations across parts of the Middle East, North Africa and into targeted regions of Asia.

It targets all flavors of operating systems, spanning across Windows, Mobile and iOS devices. Arid Viper mainly performs espionage and compromises its victims through social engineering (namely fake dating websites or applications), or through the use of custom malware kits.

This information is provided by Cybernews.