Natto Thoughts: Untangling the Aliases

Beyond the Aliases: Decoding Chinese Threat Group Attribution and the Human Factor

Natto Team — Wed, 22 Oct 2025 16:02:27 GMT

Since March 2025, the U.S. government has exposed Chinese hackers and entities linked to threat groups publicly tracked as APT27, HAFNIUM, Silk Typhoon, and other threat group monikers. Among these named Advanced Persistent Threat (APT) groups, technical analysis and observed intrusion activities from the cybersecurity community have provided group tracking criteria and measures to mitigate harm and to eradicate malware from systems and networks. Because cybersecurity firms often use different threat models, have their own standards for clustering intrusions, and closely guard their telemetry data—often not sharing with others—we see threat groups labeled with a number of “a.k.a.” (also known as) group names. For example, the profile of APT27 on Malpedia, a community-curated online malware encyclopedia and resource, lists 16 a.k.a. group names. How do these a.k.a. groups overlap? How are they different from one another? The answers are not always clear.

Additionally, when law enforceme…

Chinese Threat Groups That Use Ransomware and Ransomware Groups That Use Chinese Names

Natto Team — Wed, 02 Oct 2024 16:00:42 GMT

Security experts have observed that the line between financially motivated criminal activities and politically motivated nation-state threat activities grows increasingly blurred. Some cybercrime operations mix state and criminal cyber threat activity; for example, North Korean state-sponsored threat actors launched cryptocurrency heists to “illicitly generate revenue for the country.” Further blurring the lines between states and criminals, the cybercriminal ecosystem is complex and constantly evolving. The Natto Team and others have explored this ecosystem, particularly in relation to ransomware. Various threat actors can be found on online underground discussion forums and marketplaces: cybercriminals who offer an array of specialized services, from pentesters and initial access brokers, to malware developers, to translators, ransom negotiators, and even government relations specialists. A thriving market in hackers-for-hire and ransomware-as-a-service makes it possible for even un…

Intrusion Truth Methods: How Can They Get It Right Again and Again?

Natto Team — Wed, 10 Apr 2024 16:01:41 GMT

Photo by Ahmed Zayan on Unsplash

In late March 2024 the United States Department of Justice (US DoJ) unsealed an indictment alleging that seven Chinese hackers operated as part of Advanced Persistent Threat (APT)31 group “in support of China’s Ministry of State Security’s transnational repression, economic espionage and foreign intelligence objectives.” At the same time, the US Department of the Treasury imposed sanctions on APT31-affiliated company Wuhan Xiaoruizhi Science and Technology Company (武汉晓睿智科技有限公司) (Wuhan XRZ) and on two of the seven hackers. Many of us who follow the whereabouts of Chinese threat actors had an aha moment; we recalled that Intrusion Truth, an anonymous group that hosts a blog unmasking the real identities of Chinese threat actors, identified some of those hackers and WuhanXRZ back in May 2023. Wow, Intrusion Truth was right (again)! Since its first post in April 2017, Intrusion Truth has revealed actors and companies associated with four Chinese APT groups…