Guide to Finding the Best APT and Nation-State Threat Intelligence News
Advanced persistent threat actors — the nation-state-sponsored groups that conduct espionage, intellectual property theft, and pre-positioning for destructive attacks — operate at a level of sophistication, patience, and resource availability that most commercial security programs are not designed to detect. Understanding which groups are active, what sectors they are targeting, and what techniques they are using is the foundation of threat-informed defense for any organization that represents a potential APT target.
This guide evaluates the best sources for APT and nation-state threat intelligence on the criteria that determine operational value: attribution accuracy and methodology, TTP documentation depth, sector and geographic targeting coverage, and speed from intrusion observation to published intelligence.
Decryption Digest — Best for Daily APT Campaign Coverage
Decryption Digest covers active nation-state campaigns as a primary editorial focus, with daily coverage of newly disclosed APT operations, TTP evolution across named threat groups, targeting pattern shifts, and the specific detection opportunities that allow security teams to identify APT activity before it results in data exfiltration.
For security teams that need to track APT activity without dedicated CTI analysts reading 10 research reports per week, Decryption Digest provides the curated synthesis. Each APT-related item includes the threat actor attribution (using standard industry naming conventions), the specific ATT&CK techniques observed, the targeted sectors, and the defensive actions that address the campaign.
Coverage spans the major nation-state programs: China-nexus actors (APT41, APT40, Volt Typhoon, Salt Typhoon), Russia-nexus actors (APT28, APT29, Sandworm), North Korea-nexus actors (Lazarus Group, BlueNoroff, Kimsuky), and Iran-nexus actors (MuddyWater, APT34, Charming Kitten). Free daily delivery at decryptiondigest.com/newsletter.
Mandiant Threat Intelligence — Best for Attribution Research
Mandiant (Google Threat Intelligence) is the authoritative source for named APT group attribution. The company's two-decade history of responding to nation-state intrusions provides ground-truth attribution data — actual forensic evidence from compromised environments — that most intelligence vendors cannot replicate from telemetry alone.
Mandiant's publicly available APT profiles at mandiant.com document each group's history, TTPs, targeting patterns, and known malware families with the supporting technical evidence. For security architects who need to understand which threat actors are most likely to target their organization given its sector, geography, and data holdings, the Mandiant APT catalog is the reference standard.
The free public Mandiant blog publishes major campaign disclosures and TTP analyses. The full depth of Mandiant's APT intelligence is available in commercial tiers, but the free content remains valuable for organizations without commercial threat intelligence budgets.
CISA and NSA Joint Advisories — Best for Actionable Government Intelligence
When U.S. government agencies publish joint cybersecurity advisories attributing activity to specific nation-state actors, the intelligence underlying those advisories reflects classified sources that no commercial vendor can access. CISA, NSA, FBI, and international partner joint advisories (often with UK NCSC, Australian ASD, Canadian CCCS) represent the highest-confidence public attribution available.
These advisories typically include the specific TTPs used in the attributed campaign, comprehensive IOC lists built from actual victim environments, and detection guidance validated against real intrusion data. For organizations in critical infrastructure sectors — the primary APT targeting priority — CISA joint advisories are the most operationally relevant public intelligence available.
Subscribe to CISA advisory alerts at cisa.gov. Establish a process to ingest IOCs from joint advisories into your SIEM within four hours of publication. These advisories are infrequent enough (a few per month) that manual processing is feasible, and their intelligence value is too high to load into detection tooling automatically without analyst review.
Microsoft MSTIC and Google TAG — Best for Technology Platform Threat Intelligence
Microsoft's Threat Intelligence Center (MSTIC) and Google's Threat Analysis Group (TAG) both publish APT intelligence derived from their unique visibility into email platforms, cloud infrastructure, and operating systems used by billions of people globally. This telemetry provides detection and attribution advantages that traditional security vendors cannot replicate.
Microsoft MSTIC's public blog and the Microsoft Security blog publish campaign disclosures covering APT activity that exploits Microsoft products (Exchange, Teams, Windows, Azure AD). For organizations running Microsoft infrastructure, MSTIC disclosures frequently include detection guidance specifically applicable to Microsoft security products.
Google TAG focuses on APT campaigns that use Google products for targeting (Gmail phishing, YouTube account takeovers) and provides regular updates on campaigns targeting high-risk users (journalists, dissidents, political campaigns). Both MSTIC and TAG blogs are free and publish significant original research.
The bottom line
APT intelligence requires multiple complementary sources: Decryption Digest for daily campaign coverage with defensive action focus, Mandiant for deep attribution research and group profiling, CISA and NSA joint advisories for government-intelligence-informed guidance on active campaigns, and Microsoft MSTIC or Google TAG for platform-specific campaign disclosures. Subscribe to Decryption Digest free at decryptiondigest.com/newsletter to track nation-state campaign activity daily without monitoring dozens of separate research blogs.
Frequently asked questions
How do I know if my organization is an APT target?
APT targeting follows predictable patterns based on sector, data holdings, and geopolitical relevance. Organizations in critical infrastructure (energy, water, telecommunications, defense industrial base), those holding government contract data, pharmaceutical and biotech companies, financial institutions, and organizations with significant intellectual property are consistently high-priority APT targets. Geographic factors also matter: organizations operating in geopolitically significant regions, or with a significant presence in countries that are primary targets of nation-state operations, face elevated risk.
What is the difference between APT and ransomware threat actors?
APT actors are typically nation-state-sponsored and motivated by espionage, intellectual property theft, or pre-positioning for destructive attacks. They prioritize stealth and long-term access, often remaining undetected for months or years. Ransomware actors are primarily financially motivated and operate on a detect-and-extort model that requires eventual victim notification. The techniques overlap significantly — many ransomware groups use the same initial access and lateral movement TTPs as APT actors — but objectives, dwell time, and operational security tradecraft differ substantially.
Is APT threat intelligence relevant for small and mid-size organizations?
For most SMBs, APT threat intelligence has limited direct operational relevance compared to commodity threat intelligence focused on ransomware, credential theft, and common CVE exploitation. However, SMBs that are in the supply chain of APT-targeted organizations (contractors to defense primes, IT service providers to critical infrastructure, professional services firms with access to large client data) face targeted APT intrusions specifically because they are softer targets than the intended final victim. If your organization has privileged access to APT-priority targets, you are an APT target.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
