Active APT groups in Germany

Active APT groups that attack targets in Germany

10.03.2025

Cyber attacks that are not financially motivated but pursue strategic goals are usually not isolated individual events. Instead, there are long-term, persistent threat actors who repeatedly attack specific targets, and these actors shape the threat situation. Because these attacker groups pursue particular strategic goals, the threat situation is, to a certain extent, easier to explain than it would be if attacks were purely opportunistic random events. Knowing the threat actors and their current targets allows IT security teams to better assess the risk profile of their own company or institution.

On this page, the BSI presents the threat actor groups that have been active against targets in Germany in the last two years, or that have attacked targets in other European countries in a way that could equally have been directed at Germany. The following table lists each threat actor's name with aliases, the sectors in which the threat actor is active and, where relevant, special characteristics that can facilitate detection or incident handling.

Institutions that have already implemented basic IT security measures can use this list to prioritize their own threat intelligence research.

The sources for the list are diverse, for example detections in government networks, incidents from BSI incident handling, as well as reports from partners and victims. The list is not necessarily complete, for example where confidentiality agreements exist at the request of victims or sources. In addition, a certain number of cases are likely to go unreported, and the more professional and secretive a threat actor is, the larger that number will be. Especially in the case of advanced attackers, detection can be more difficult and attribution to a named threat actor can remain unclear, which means that the corresponding attacks do not appear in the list.

Since the strategic goals and missions of threat actors change over time, the list is not static, but will be updated depending on the BSI's assessment.

Threat actor and alias | Sectors (according to German WZ 2008) | Characteristics

APT15 / Vixen Panda / Mirage / Ke3chang / Nylon Typhoon
Sectors:
  • Administration of the State and the economic and social policy of the community
Characteristics: The threat actor uses its own relay network of compromised routers and VPN servers.

APT28 / Fancy Bear / Sofacy / Forest Blizzard
Sectors:
  • Provision of services to the community as a whole
  • Administration of the State and the economic and social policy of the community
  • Computer programming, consultancy and related activities
  • Service activities incidental to air transportation
  • Activities of political organisations
Characteristics: APT28 uses a variety of attack vectors, e.g.:
  • Outlook vulnerability CVE-2023-23397 (via email)
  • WinRAR vulnerability CVE-2023-38831 (via email attachment)
  • Brute-forcing and password spraying against internet-facing servers

APT29 / Cozy Bear / Nobelium / Midnight Blizzard
Sectors:
  • Provision of services to the community as a whole
  • Administration of the State and the economic and social policy of the community
  • Activities of political organisations
  • Computer programming, consultancy and related activities
Characteristics: APT29 often uses legitimate cloud services as control servers in order to blend into legitimate network traffic.

APT43 / Velvet Chollima / Kimsuky / Emerald Sleet
Sectors:
  • Research and experimental development on social sciences and humanities
  • Administration of the State and the economic and social policy of the community
  • Higher education
  • Manufacture of weapons and ammunition
  • Manufacture of air and spacecraft and related machinery
Characteristics: The threat actor engages in social engineering and initially sends several emails without malicious code until the recipient has built up trust. Only then is malicious code or a phishing link delivered.

APT44 / Sandworm / Seashell Blizzard / Voodoo Bear

Bitter / Hazy Tiger
Sectors:
  • Provision of services to the community as a whole
Characteristics: The attack vectors are usually CHM or RAR attachments.

Contagious Interview / Beaver Tail / Invisible Ferret / Famous Chollima
Sectors:
  • Activities auxiliary to financial services, except insurance and pension funding
Characteristics: The threat actors pretend to be job applicants or IT freelancers to gain access to the target environment.

Cosmic Wolf / Sea Turtle / Marbled Dust
Sectors:
  • Computer programming, consultancy and related activities
Characteristics: The threat actor may compromise a supply-chain entity first in order to gather information for follow-up attacks on the intended targets.

Dark Hotel
Sectors:
  • Administration of the State and the economic and social policy of the community

Earth Estries
Sectors:
  • unknown

Ghostwriter / UNC1151 / Storm-0257
Sectors:
  • unspecific
Characteristics: The threat actor targets private email accounts at commercial webmail providers via spearphishing.

Labyrinth Chollima / Lazarus / Diamond Sleet
Sectors:
  • Computer programming, consultancy and related activities
Characteristics: The threat actor often uses emails with malicious documents about supposed job offers as an attack vector.

Mirage Tiger
Sectors:
  • Administration of the State and the economic and social policy of the community

Muddy Water / Static Kitten / Mango Sandstorm
Sectors:
  • Administration of the State and the economic and social policy of the community

Mustang Panda
Sectors:
  • Administration of the State and the economic and social policy of the community

Outrider Tiger / Fishing Elephant
Sectors:
  • Administration of the State and the economic and social policy of the community

Red Dev 61 / UTA0178 / UNC5221
Sectors:
  • Administration of the State and the economic and social policy of the community
Characteristics: The attacks are usually directed against VPN and other internet-facing systems.

Rezet / Rare Wolf / Librarian Ghouls
Sectors:
  • Sea and coastal freight water transport
Characteristics: The attackers send password-protected RAR archives that contain executables with double file extensions.

RomCom / Storm-0978
Sectors:
  • Administration of the State and the economic and social policy of the community

Salted Earth / Sturgeon Fisher / Yoro Trooper
Sectors:
  • unknown

Salt Typhoon
Sectors:
  • several sectors
Characteristics: The threat actor compromises unsecured or outdated perimeter systems. The strategic intent and target selection in Germany are unclear.

Sharp Panda
Sectors:
  • Administration of the State and the economic and social policy of the community

Sidewinder / Razor Tiger
Sectors:
  • Administration of the State and the economic and social policy of the community

Snake / Venomous Bear / Turla / Secret Blizzard
Sectors:
  • Administration of the State and the economic and social policy of the community

Storm-0558
Sectors:
  • Research and experimental development on social sciences and humanities
Characteristics: The threat actor uses its own VPN networks in order to obfuscate its attack traffic.

Viceroy Tiger / Donot
Sectors:
  • Provision of services to the community as a whole
  • Administration of the State and the economic and social policy of the community

Winter Vivern / TAG-70
Sectors:
  • Research and experimental development on social sciences and humanities

UAC-0050
Sectors:
  • Provision of services to the community as a whole
Characteristics: The threat actor sends ZIP archives as email attachments, containing the publicly available malware Remcos.

Furthermore, the BSI observes the following threat actors because of their activity in partner countries:

  • APT30 / Naikon / Raspberry Typhoon
  • APT31 / Judgment Panda / Violet Typhoon
  • Gallium / Softcell / Phantom Panda / Alloy Taurus / Granite Typhoon