Dark Reading reports on the most active threat actor groups from the calendar year 2017:

The busiest threat actor groups of 2017 were Sofacy (otherwise known as Fancy Bear or APT28) and the Lazarus Group, security experts report. As these groups ramped up activity, threat actors operating out of China became quiet.

Analysts at AlienVault leveraged data from its Open Threat Exchange (OTX) threat intelligence sharing platform to take a broad look at threat patterns from last year. They found the most frequently referenced threat group in 2017 was Sofacy.

Ten years ago, Sofacy primarily targeted NATO and defense ministries. Over the past three years its operations have expanded to target businesses, individuals, and elections in the United States and France. Leaked information from the US government, and an official report from the German government, indicate the threat group is associated with Russian military intelligence.

The second most active group was Lazarus, which is believed to operate out of North Korea (or Democratic People’s Republic of Korea, DPRK).

It really is striking how quiet China was in 2017 compared to previous years. It could potentially be that Russian and North Korean threat actors are creating so much noise, that China is merely slipping under the radar.

It is hard to believe China has slowed down their cyber operations to the degree they are almost irrelevant for an entire calendar year. I suspect they have grown more sophisticated, and their exploits have yet to be discovered. In due time we will know.