Cybersecurity Internet Security & Defense Technology & Innovation

New Atlanticist

December 15, 2020

Which hacker group is most like your astrological sign?

By Safa Shahwan Edwards and June Lee

Sometimes you just have to ask the question no one else is asking: Which cyber Advanced Persistent Threat (APT) is most like your astrological sign?

Whether you believe in astrology or think it’s bogus, astrological signs and the placement of planets and stars have been used for thousands of years in an attempt to make sense of human experiences. But for those who do enjoy astrology or believe Valentine’s Day is just a ploy to produce more Scorpios (the most controversial sign of the zodiac duh), astrology may have a lot to say about our cyber landscape. After all, behind every cyber operation is a human, led by his or her values and decisions, which can be shaped by one’s astrological sign. These APT-sign pairings provide a guide to some of the most dangerous cyber threat actors and perhaps even a forecast of their prospects for success.

An APT is a threat actor operating in cyberspace as a nation-state actor, state-sponsored actor, hacker-for-hire, and/or organized cybercriminal group. What remains constant across APTs is that these threat actors have both the capabilities and resources to conduct highly targeted attacks over long periods of time. While the vast number of names assigned to APT groups often makes one wonder if there is any method to this madness, for the purposes of this blog, we use Crowdstrike’s naming conventions for cyber APTs. Let’s put a name to the face, or an astrological personality to the digital adversaries lurking in your stars.  

Aries (March 21 – April 19)

The Aries sign is audacious, bold, ambitious, and even a little aggressive. It’s this boldness that makes Aries most like the APT Cobalt Spider (also known as Cobalt Gang), a financially motivated criminal group that has targeted financial institutions in Russia, Central Asia, and Eastern Europe. Cobalt Spider sends spear-phishing emails that attack corporations and generate revenue—and infamy—by compelling ATMs to spit out money. In short, imagine Charlotte’s Web, only way darker and monetizing Wilbur’s newfound fame.

Taurus (April 20 –May 20)

Taurus is renowned for its patience, indulgence, pragmatism, and frugality. Stardust Chollima (aka APT 38), known for its intense focus on revenue generation, comes closest to this astrological sign. This cyber APT is associated with the Democratic People’s Republic of Korea and procures liquid funds for the North Korean regime. Stardust Chollima’s operations are characterized by long timelines and carefully executed attacks. Cash rules everything around me Stardust Chollima.

Gemini (May 21 – June 20)

Gemini is adaptable, whimsical, and possesses varied interests. Rumor has it that Geminis even wish they could clone themselves to better pursue their varied interests. These traits closely mirror the tactics and techniques of Wicked Spider, also known as Winnti Group or Wicked Panda. Wicked Spider is believed to be a China-based criminal group whose members also serve as hackers for hire. This APT accordingly specializes in financially motivated activity, while also contracting out its services for targeted intrusion operations against organizations in the engineering, manufacturing, and technology  sectors on behalf of the Chinese government. The  next time someone wants to talk to you about the implications of Chinese economic espionage, here’s a fun fact to trot out: Blame the problem on Xi Jinping—a Gemini.

Cancer (June 21 – July 22)

Cancer exists in multiple realms (water and land), is highly emotional (kind of like a human mood ring), and picks up easily on the energies of others. Cozy Bear (aka APT 29), linked to the Russian Foreign Intelligence Service, is similarly known for its flexibility and ability to adapt its toolset to different realms. This APT casts a wide net in its attacks, sending phishing emails to thousands of targets, including US think tanks, NGOs, and foreign governments. Cozy Bear has seen great success by sending emails containing Super Bowl ads and links to videos on “YovTube.com,” and played an active role in the 2016 DNC hack. Any APT willing to take on the high passion surrounding America’s favorite past time(s) must be pretty attuned to the energies of its targets, if we do say so ourselves.

Leo (July 23 – August 22)

Leo is theatrical, attention-seeking, ambitious, and determined. Much like this dramatic sign, Fancy Bear  (APT 28) seeks with panache to sow discord and intimidate those perceived as hostile to Russian interests. Believed to be affiliated with Russia’s military intelligence unit (GRU), Fancy Bear was responsible for several high-profile attacks, including the 2016 hacking of the US Democratic National Committee and the targeting of the 2017 French election. Fancy Bear is known for engaging in extensive reconnaissance operations against its targets, even sifting through their social media and LinkedIn profiles in order to customize attacks on governments and political organizations around the world. If you thought you were skilled at social-media stalking of college friends and exes, imagine applying the digital resources of Russian military intelligence to the task. Some might say that Fancy Bear’s use of cheap, unsophisticated techniques to penetrate high-profile targets perfectly suits the daring yet theatrical nature of this astrological sign.

Virgo (August 23 – September 22)

Virgo is known for being logical, practical, systematic, and always seeking to improve. These traits provide a surprisingly close description of  Venomous Bear (sometimes called Turla). This Russia-based APT employs novel and complex tools (e.g. trojanized software, infection of removable storage devices), supported by a network of sophisticated signals intelligence (SIGINT) capabilities. Venomous Bear is believed to have launched increasingly sophisticated attacks against targets in the government, aerospace, NGO, defense, cryptology, and education sectors. Such a broad portfolio of targets highlights Venomous Bear’s overachieving nature…which probably makes it unpopular among its Russian APT peers.

Libra (September 23 – October 22)

Libra seeks balance, harmony, and symmetry in relationships with others. While not as conflict-averse as this peacemaker sign, Pakistan-based Mythic Leopard is just as skilled in sensing and manipulating the relationships of its targets and seeks to create a geopolitical power balance with Pakistan’s rival India. This espionage group uses social engineering and spear-phishing to target Indian military and defense entities, though its attacks demonstrate low technical sophistication. During the pandemic, this group used a decoy health advisory to spread the Crimson RAT (remote administration tool) malware in India. Taking advantage of an international crisis to gain the upper hand in cyberspace? Nobody will *ever* see it coming!

via GIPHY

Scorpio (October 23 – November 21)

Scorpio is known for its power, psychic and emotional personality, highly calculating nature, and control-freak tendencies. In much the same way, Refined Kitten (aka APT 33 or Elfin)—with likely ties to Iran’s Islamic Revolutionary Guard Corps—executes carefully planned espionage operations against Iranian state adversaries in Saudi Arabia, the UAE, and the United States. The group is also suspected of having been involved in the destructive Shamoon malware attacks against Saudi Arabia, displaying its penchant for vengeance. In the case of a future clash between the United States and Iran, American companies may find traces of this APT’s persistent and strategic pawprints across their networks.

Sagittarius (November 22 – December 21)

Sagittarius is a sign that seeks knowledge, adventure, and admiration. It’s this drive for popularity that makes Sagittarius most like Charming Kitten (APT35 or Phosphorus), an Iranian espionage group that targets political dissidents, human rights activists, academics, journalists, and other threats to authoritarianism. Charming Kitten specifically leverages its targets’ social networks, not unlike a DC social climber, to collect information before breaching their accounts.

Capricorn (December 22 – January 19)

Capricorn is renowned for its discipline, skilled navigation, and steadfastness. Just like Capricorn, Helix Kitten (also known as APT 35 or OilRig) is a skilled navigator of vast online networks, maneuvering deftly across an array of organizations, including those in aerospace, energy, finance, government, hospitality, and telecommunications. Steadfast in its work and objectives, Helix Kitten has a consistent track record of developing meticulous spear-phishing attacks.

Aquarius (January 20 – February 18)

Aquarius is a progressive sign that loves innovation and humanitarianism. It’s this willingness to innovate that makes Aquarius most like Mustang Panda, an APT that often targets NGOs, US-based think tanks (*gulp*), and minority groups in China for intelligence collection. Mustang Panda has demonstrated an ability to rapidly assimilate new strategies into its operations and even mix malware with legitimate tools. While this group doesn’t quite hit the mark on humanitarianism, it has recently focused on accessing the communications of the Vatican. Could this be a coincidence? We think not!

Pisces (February 19 – March 20)

Pisces, the last sign of the zodiac, divides its attention between fantasy and reality and is considered a mixed bag of a sign. This divided attention makes Pisces similar to Voodoo Bear, also known as Sandworm, which has employed tools to manipulate energy industrial control systems (ICS) and supervisory control and data acquisition (SCADA). Believed to be behind the 2015 power outages in Ukraine, Voodoo Bear leverages zero-day vulnerabilities to target Ukrainian organizations. Embracing this sign’s love for fantasy, Voodoo Bear’s malware often includes references to the novel Dune by Frank Herbert.

Safa Shahwan Edwards is an associate director in the Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative.

June Lee is a former intern at the Atlantic Council’s Cyber Statecraft Initiative and a senior at Stanford University, pursuing a BA in international relations and a minor in computer science, with honors in international security studies.

Further reading

Related Experts: Safa Shahwan Edwards

Image: REUTERS/Samantha Sais