The group, also called StrongPity3, has been operating since 2012 but it has been notoriously difficult to track down or attribute to a single actor. Cybersecurity researchers believe that the attacks are state-backed for two reasons — the group keeps coming back even after being exposed and the compromise happens at the level of the internet service provider.