Following an alleged cyber attack on Elon Musk's platform X this week, speculation over the perpetrators has been rife and has generated renewed interest in hacker and cyber threat groups around the world.
Mr Musk said the IP addresses that caused X to be offline for almost an entire day originated near Ukraine but has not elaborated on that accusation.

Morey Haber, a chief security adviser at cybersecurity firm BeyondTrust, said while he does not have strong feelings about Mr Musk's Ukraine claims, determining where cyber attacks originate is complicated. “I would advise caution when blaming the attack on Ukraine, simply based on source IP address,” he said.
“Threat actors typically use bots, virtual private networks and bastion hosts to conduct attacks and obfuscate their identity, so the cyberattack of X/Twitter, if true, should have easily been defendable against an attack based on IP address or geolocation.”

Associating a potential cyber attack with an IP address should never be used in a public statement without additional indicators or proof, Mr Haber added.
Though it might be tempting to name and shame hackers and cyber threat actors, Mr Haber told The National that by the time the groups become widely known, they've already caused a lot of damage.
“Crime syndicates perform the most damage when they are unnamed, unknown and can operate from the deep shadows of the internet,” he said.

Once they have been found and details around their operations leaked, Mr Haber added, their strength and ability to hack diminishes substantially. “This doesn’t negate their threat, but once indicators of compromise, methods of attack and malware become publicly documented, that should allow organisations to strengthen cybersecurity defences.”
Mr Haber pointed out that hacking attracts a wide spectrum of perpetrators, with some fuelled by politics and others by financial gain, some state-sponsored and others working alone.
Here's a look at five of the more prominent groups that are currently on cybersecurity experts' radar and have made headlines around the world:
Silk Typhoon
“I only believe one cybersecurity syndicate poses the biggest threat worldwide,” said Mr Haber. “Silk Typhoon, also known as APT27, has been linked to the US Treasury Department breach in late 2024.”
According to the US Cybersecurity and Infrastructure Security Agency and the FBI, Silk Typhoon has been linked to the Chinese government. Microsoft has also echoed that notion.
“Silk Typhoon is an espionage-focused Chinese state actor whose activities indicate that they are a well-resourced and technically efficient group with the ability to quickly operationalise exploits for discovered zero-day vulnerabilities in edge devices,” Microsoft's threat intelligence group has said.
China has repeatedly denied the accusations.
Anonymous
According to cybersecurity risk-mitigation company Cobalt, Anonymous is perhaps the most well-known hacking group.
It first made headlines during the Occupy Wall Street protests in 2011, and Cobalt notes Anonymous has “targeted PayPal, Visa and MasterCard”.
“Authorities have arrested hackers who claim to be part of Anonymous over the years, but the group's decentralised nature makes tracking down or prosecuting members challenging,” Cobalt wrote on its website.
The group has also been known to use distributed denial-of-service (DDoS) attacks that have led to massive website disruptions.
Morpho
Both Norton and Cobalt list Morpho, a group of hackers dedicated to financially motivated cyber attacks, as a worrisome entity.
The geographic origins of the group are largely unknown but, according to Norton, Morpho has previously targeted X, Meta, Microsoft and Apple to try to steal confidential information.
There are some clues that Morpho has left behind in the cyber mess it causes.
“It’s said that they may be of English-speaking origin because the code is entirely composed of English and their encryption keys are named after memes in American pop culture,” Norton said on its website.
According to Cobalt, Morpho has also been known to seek intellectual property from health care and technology companies.
Darkside
Cybersecurity firms and technology analysts routinely list Darkside as one of the more prominent hacking groups.
It rose to prominence in 2021 when it claimed responsibility for the Colonial Pipeline cyber attack that caused fuel shortages and price increases across the US.
Darkside has also been known to run affiliate programmes to help other hacker groups in infiltration attempts.
It has been known to use a “ransomware-as-a-service model”, meaning it sells or leases ransomware to others to carry out attacks.
According to cybersecurity firm Norton, Darkside likely originates in Eastern Europe.
“This group is known for targeting high-profile corporations worldwide with stolen credentials and manual jacking with testing tools,” Norton said.
Mint Sandstorm
Though it doesn't necessarily have the same history or name recognition as other hacking groups or cyber threat actors, Mint Sandstorm is quickly stoking fears in the technology security world.
Microsoft's threat intelligence group said that Mint Sandstorm is an Iran-affiliated group “known to primarily target dissidents protesting the Iranian government, as well as activist leaders, the defence industrial base, journalists, think tanks, universities, and multiple government agencies and services, including targets in Israel and the US”.
It has been widely speculated that Mint Sandstorm was behind the attempted hack and potential breach of communications within Donald Trump's 2024 presidential campaign.
“Also uses credential harvesting to obtain access to official work accounts as well as personal accounts,” said Microsoft.