
APT Intelligence Directory
A project of the Institute for Critical Infrastructure Cybersecurity (ICIC)
A comprehensive, searchable knowledge base of Advanced Persistent Threats (APTs) and hacker groups, featuring Wikipedia-style profiles with quantitative risk assessments, MITRE ATT&CK mappings, and actionable defensive recommendations.
About the Institute
The Institute for Critical Infrastructure Cybersecurity (ICIC) is an independent, internationally focused research institute. We study the adversaries who compromise power grids, water systems, hospitals, transport networks, and government institutions.
Our work combines traditional threat intelligence with advanced analytical frameworks to produce rigorously verified profiles, campaign reconstructions, and strategic briefings on the world's most consequential hacker groups and APTs.
What We Do
Research, not remediation
ICIC does not sell tools or manage networks. Instead, we operate as an academic think tank and intelligence lab devoted to understanding the adversary. Our internal analytical stack (built on ARCS, ARCF, OmniSynth, the V Framework, and a structured APT and hacker profiling template) transforms open-source intelligence, technical telemetry, and historical incident data into evidence-driven research outputs.
Research Outputs
Who We Serve
Built for decision makers under attack
ICIC's research is designed for organizations and individuals who need adversary-centric insights they cannot easily obtain from vendor marketing or incident after-action reports:
Why ICIC
Methodology that matches nation-state tradecraft
Multimodal Evidence
Every major conclusion must be supported by more than text, drawing on code artifacts, network telemetry, datasets, images, diagrams, or audio where available.
Crossmodal Corroboration
Claims that cannot be corroborated across modalities are explicitly flagged as provisional and routed into audit workflows.
Risk-Tiered Consensus
High-impact assessments require supermajority consensus under mathematically calibrated thresholds, with dissent preserved in a minority appendix.
Full-Spectrum Provenance
All analytic steps are mapped to machine-readable provenance schemas and recorded in cryptographically hash-chained logs, so that any later alteration, deletion, or reordering of an analytic step is detectable on audit.
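The following is an added illustration of what a hash-chained provenance log gives an auditor; it is example code written for this page, not ICIC's own implementation, and the record layout, the field names, the GENESIS sentinel, and the sample analytic steps are all constructed assumptions. Each entry commits to the SHA-256 hash of the previous entry, so verification walks the chain from the first record and reports the first entry at which the chain no longer holds.

```python
"""Tamper-evident, hash-chained audit log for analytic provenance.

Illustrative example added to this page (not ICIC's code). Each log entry
stores the hash of its predecessor, so editing, deleting, or reordering an
earlier analytic step invalidates every hash that follows it.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Hypothetical sentinel "previous hash" for the very first entry.
GENESIS = "0" * 64


def canonical(record: Dict[str, Any]) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the same analytic step
    # always serialises, and therefore hashes, identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, step: Dict[str, Any]) -> str:
    # The hash covers both the step content and the predecessor's hash;
    # this is what links the entries into a chain.
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(step))
    return h.hexdigest()


class ProvenanceLog:
    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, step: Dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "prev_hash": prev,
            "step": step,
            "hash": entry_hash(prev, step),
        }
        self.entries.append(entry)
        return entry["hash"]


def verify_chain(entries: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:                      # entry deleted or reordered
            return False, i
        if e["prev_hash"] != prev:             # link to predecessor broken
            return False, i
        if entry_hash(prev, e["step"]) != e["hash"]:   # content edited in place
            return False, i
        prev = e["hash"]
    return True, -1


def build_demo_log() -> ProvenanceLog:
    # Constructed sample analytic steps (assumed schema: modality, source, claim, status).
    log = ProvenanceLog()
    log.append({"modality": "text", "source": "advisory-A", "claim": "C2 uses HTTPS", "status": "provisional"})
    log.append({"modality": "network", "source": "pcap-17", "claim": "C2 uses HTTPS", "status": "corroborated"})
    log.append({"modality": "code", "source": "sample-sha256-...", "claim": "loader is custom", "status": "provisional"})
    return log


def tamper_edit() -> Tuple[bool, int]:
    # An analyst quietly upgrades a provisional claim after the fact.
    entries = copy.deepcopy(build_demo_log().entries)
    entries[2]["step"]["status"] = "corroborated"
    return verify_chain(entries)


def tamper_delete() -> Tuple[bool, int]:
    # A corroborating step is removed from the middle of the log.
    entries = copy.deepcopy(build_demo_log().entries)
    del entries[1]
    return verify_chain(entries)


if __name__ == "__main__":
    print("intact:", verify_chain(build_demo_log().entries))
    print("edited entry 2:", tamper_edit())
    print("deleted entry 1:", tamper_delete())
```

Note that a hash chain alone only proves the log is internally consistent; an adversary holding the whole log can rewrite it from the altered point onward and recompute every hash. In practice the head hash is also signed or published out of band (a timestamping service, a separate witness, or a signed checkpoint), so that a rewritten chain can be compared against a copy the author cannot change.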
Directory Features
Comprehensive Coverage
Detailed profiles of 50+ APT groups and threat actors from major nation-state sponsors and criminal organizations.
MITRE ATT&CK Mapping
Full TTP mapping to the MITRE ATT&CK framework for standardized threat analysis and defensive alignment.
Quantitative Assessment
Rigorous risk scoring using the ARCS, ARCF, and Composite Risk Score frameworks for objective threat prioritization.
Wikipedia-Style Format
Encyclopedic, well-referenced profiles following academic standards for clarity and credibility.
Profile Structure
Each threat actor profile follows a standardized 12-section format, ensuring comprehensive coverage and consistency across all entries:
Intelligence Sources
Our threat intelligence is synthesized from authoritative sources including government advisories, leading threat intelligence vendors, academic research, and legal documentation. All profiles are cross-referenced and validated against multiple independent sources.
Legal Notice
ICIC publications and briefings are provided for educational and awareness purposes only. They are based on publicly available information and ICIC's internal analytical frameworks as of the time of writing. They do not constitute operational, legal, or security advice, and ICIC does not accept liability for decisions made based on this material.
© 2026 Institute for Critical Infrastructure Cybersecurity. All rights reserved.