---
url: "https://xcademia.com/courses/nation-state-threat-actor-profiles"
title: "Nation-State Threat Actor Profiles"
description: "Two-day practitioner training profiling APT28, Lazarus, Volt Typhoon, and 12 active nation-state groups. Aligned with MITRE ATT&CK group profiles and live 2026 "
publishedAt: "2026-04-13T05:44:00.200975+00:00"
updatedAt: "2026-04-14T06:41:48.02707+00:00"
type: course
code: "CYB-0154"
level: Foundation
duration_days: "2"
track: "Cyber Warfare & Advanced Threat Defence"
category: "Cybersecurity & Ethical Hacking"
credential_tier: tier1
price_gbp: "2195"
---

# Nation-State Threat Actor Profiles

> A practitioner-led deep dive into the 12 most active nation-state threat groups across Russia, China, Iran, and North Korea, covering their tools, targets, doctrine, and 2025-2026 campaign activity. Develop the profiling skills to prioritise defences by specific actor, produce threat briefings for leadership, and apply MITRE ATT&CK group profiles operationally.

## Overview

Not all cyber threats are equal, and not all nation-state actors are the same. Understanding which threat group is most likely to target your sector, with which specific toolset, at which stage of the geopolitical cycle, is the foundation of effective defence prioritisation. This two-day programme provides a structured, practitioner-built profile of the 12 most active nation-state threat groups across Russia, China, Iran, and North Korea.

Through mentor-led case study sessions, participants examine the distinct operational doctrines of each adversary nation, map their tools and infrastructure to specific targeting patterns, and apply that knowledge directly to their own sector's exposure. Case studies from 2025 and 2026 campaigns bring each profile to life, and the day-two attribution exercise develops the analytical skill to link indicators of compromise to specific actor groups under time pressure.

By the close of day two, participants will have produced a structured threat actor briefing for non-technical leadership and completed an IoC-to-actor attribution exercise using a real campaign dataset. This course is aligned with MITRE ATT&CK group profiles, NCSC threat reporting, and intelligence community analytical standards.

## Prerequisites

- Basic understanding of cybersecurity concepts including malware, phishing, and network security fundamentals.
- Some professional experience in a cybersecurity operations, security management, or intelligence role.
- Completion of Cyber Warfare Foundations (X-CWF-F) or equivalent landscape awareness recommended.

## What you will learn

- Profile the 12 most active nation-state threat groups by tools, infrastructure, targeting, and operational doctrine.
- Distinguish between Russian, Chinese, Iranian, and North Korean cyber operational objectives and methodologies.
- Apply threat actor knowledge to prioritise defensive measures appropriate to your specific sector.
- Use MITRE ATT&CK group profiles to map actor-specific techniques to detection engineering requirements.
- Attribute a campaign from a set of indicators of compromise using structured analytical methodology.
- Produce a threat actor briefing for non-technical leadership audiences at professional standard.
- Assess the current 2025-2026 campaign landscape and its specific relevance to your organisation.

## Skills you will gain

- Nation-state threat actor profiling
- MITRE ATT&CK group navigation
- IoC-to-actor attribution
- Diamond Model intrusion analysis
- Campaign analysis and comparison
- Threat intelligence briefing production
- Sector-specific defence prioritisation
- Live campaign assessment methodology

## Career progression

- Threat Intelligence Analyst
- SOC Analyst
- Security Manager
- Government Security Professional
- CISO
- Incident Responder

## Curriculum

1. **Module 1: Getting Ready**
   - Pre-reading: NCSC threat actor guidance and MITRE ATT&CK Groups overview
   - Introduction to the Diamond Model of intrusion analysis and its application to actor profiling
   - Setting up MITRE ATT&CK Navigator and accessing course campaign intelligence datasets
   - Course objectives, participant role mapping, and threat actor knowledge baseline self-assessment
2. **Module 2: Framework for Threat Actor Profiling**
   - The Diamond Model applied to nation-state actor profiling: adversary, capability, infrastructure, victim
   - MITRE ATT&CK Groups: structure, navigation, and sourcing of intelligence from group profiles
   - Profiling dimensions: toolsets, infrastructure patterns, targeting preferences, and operational timing
   - Distinguishing espionage-focused, disruption-focused, and financially motivated operations
   - How to maintain and update actor profiles as campaigns evolve and attribution confidence grows
3. **Module 3: APT28 and APT29: Russian Espionage Groups**
   - APT28 (Fancy Bear): targeting of political institutions, military organisations, and election infrastructure
   - APT29 (Cozy Bear): cloud intrusion tradecraft, credential theft, and the SolarWinds supply chain operation
   - Distinguishing APT28 from APT29 by operational objective, toolset, and infrastructure signature
   - 2025-2026 activity: NATO member targeting, diplomatic credential theft, and media manipulation operations
   - MITRE ATT&CK technique mapping for both groups: detection coverage priorities
4. **Module 4: Sandworm, Turla, and Gamaredon**
   - Sandworm: destructive malware doctrine, power grid targeting, and the Ukraine operations timeline
   - NotPetya and Industroyer: how Sandworm permanently changed the critical infrastructure threat landscape
   - Turla: long-dwell espionage, satellite communication exploitation, and modular implant architecture
   - Gamaredon: persistent access focused on Ukrainian government, military, and NGO targeting
   - Comparing destructive versus espionage-focused doctrine within the same nation-state apparatus
5. **Module 5: APT40, APT41, and Volt Typhoon: Chinese Groups**
   - APT40: maritime sector, defence research, and academic institution targeting; COVID-era vaccine data theft
   - APT41: dual-purpose operations blending state espionage with financially motivated ransomware campaigns
   - Volt Typhoon: pre-positioning in US critical infrastructure using living-off-the-land for strategic activation
   - Living-off-the-land as a defining characteristic of Chinese state actor tradecraft in 2025-2026
   - Current targeting: semiconductor supply chains, defence contractors, and telecommunications infrastructure
6. **Module 6: MuddyWater, APT34, and Charming Kitten: Iranian Groups**
   - MuddyWater: intelligence collection targeting government, telecommunications, and defence sectors
   - APT34/OilRig: energy and financial sector targeting with custom implant infrastructure and spearphishing
   - Charming Kitten: academic institution, dissident community, and healthcare credential harvesting campaigns
   - IRGC-CEC current pre-positioning assessment in energy and finance sectors as of 2026
   - 2026 aviation and telecommunications targeting within the broader Iranian APT threat landscape
7. **Module 7: Lazarus, Kimsuky, and Andariel: North Korean Groups**
   - Lazarus Group: the unique operational blend of state espionage and large-scale financially motivated crime
   - The Bybit theft: £1.2 billion from one cryptocurrency operation funding state weapons programmes
   - Kimsuky: targeted intelligence collection operations against government officials, think tanks, and academia
   - Andariel: manufacturing and supply chain attacks, financially motivated ransomware as state revenue generation
   - North Korean doctrine: how financial motivation and strategic espionage objectives coexist within one actor
8. **Module 8: Live Campaign Analysis: 2025-2026**
   - APT41 dual-purpose campaign: linking espionage and ransomware activity to a single actor with confidence
   - Volt Typhoon exposure in US water and power systems: timeline, indicators, and defensive implications
   - Lazarus cryptocurrency theft operations: methodology, laundering infrastructure, and attribution chain
   - Sandworm pre-positioning in European energy infrastructure following Ukraine conflict escalation
   - Cross-actor comparison: identifying targeting overlap and indicators of potential collaborative operations
9. **Module 9: Attribution Practical and Threat Actor Briefing**
   - Practical exercise: receive a real campaign IoC set and attribute to actor group with stated confidence levels
   - Apply the Diamond Model and relevant ATT&CK group profiles to the attribution dataset
   - Produce a structured threat actor briefing for a non-technical senior leadership audience
   - Group debrief: instructor-led feedback on attribution methodology and briefing quality
   - Personal action planning: next pathway step and organisational threat intelligence programme design recommendations

## Exam & certification

You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.

## Delivery options

- **Live Online** — Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
- **Onsite Training** — We come to you. Training delivered at your workplace for teams of 6 or more.
- **Venue-Based** — Classroom training at a professional venue. Ideal for focused, immersive learning.
- **Blended** — Combine online and in-person learning for maximum flexibility and impact.

## Frequently asked questions

**Who is this course designed for?**

SOC analysts, threat intelligence analysts, security managers, and government security teams who need to understand specific nation-state adversaries and apply that knowledge operationally in their defensive work.

**How does this differ from Cyber Warfare Foundations?**

This programme goes significantly deeper into individual actor group profiles, toolsets, and live campaigns. Where Foundations provides landscape awareness, this course develops analytical profiling skills used by professional threat intelligence teams.

**How current is the content?**

Content is updated continuously to reflect the live campaign landscape. Instructors draw on current intelligence reporting, MITRE ATT&CK updates, and sector-specific threat feeds to ensure operational relevance.

**What do I leave with?**

A Certificate of Completion, a completed threat actor attribution exercise with confidence-rated assessments, a structured leadership briefing document from the capstone, and a personal action plan.

**Does this course need an exam?**

No. Assessment is through the attribution practical and the executive briefing exercise on day two. Completion requires full attendance and active participation across both days.

## Course at a glance

| Field | Value |
| --- | --- |
| Code | CYB-0154 |
| Duration | 2 days |
| Level | Foundation |
| Track | Cyber Warfare & Advanced Threat Defence |
| Category | Cybersecurity & Ethical Hacking |
| Credential tier | tier1 |
| Price (GBP) | £2195 |

---

## About this content

This Markdown course profile is the citation-grade twin of [Nation-State Threat Actor Profiles](https://xcademia.com/courses/nation-state-threat-actor-profiles). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite.

When citing or quoting, please attribute *Xcademia* and link back to the source URL above.

- Source: https://xcademia.com/courses/nation-state-threat-actor-profiles
- Publisher: Xcademia — https://xcademia.com
- Catalogue index: https://xcademia.com/llms-full.txt
