What is a threat actor?

Types of threat actors

There are many types of threat actors. Any of the categories below could be responsible for the next cyber-attack against your company network:

Nation states

Groups affiliated with nation-states may launch attacks against other states or connected companies. For example, China has been accused of using cyber-attacks to steal intellectual property. American actors were most likely behind the Stuxnet attacks on Iranian nuclear research facilities.

Nations often use advanced persistent threats (APTs) to evade detection and operate over long periods.

Criminal collectives

Criminal groups use cyber-attacks to breach corporate network security measures. Groups may then hold companies to ransom, demanding payment to restore functionality or return data. They may also extract customer data for sale.

Until recently, criminal collectives tended to organize and mount attacks in-house. Now, cheaply available ransomware-as-a-service kits enable less-skilled cyber threat actors to attack company targets, increasing the frequency and risk connected to criminal threat actors.

Terrorists

Terrorists use cyber-attacks to disrupt digital operations, spread disorder, and create fear within target populations.

Terror groups tend to use social engineering attacks to extract data about targets. For example, Russian groups have used phishing methods to extract data about Ukrainian conscripts to use in intimidation campaigns.

Terrorists also use denial-of-service (DoS) attacks to take down critical infrastructure. Organizations in the health sector are common targets and should implement strict security policies to mitigate DoS attacks.

Hacktivists and script kiddies

Hacktivists are individuals or groups who use cyber-attacks to further political causes or expose security vulnerabilities. These threat actors often use code exploits to deface company websites and propagate slogans.

Script kiddies are usually individuals experimenting with cyber-attack techniques. This type of threat actor is motivated by the thrill of success and the desire to prove the attacker's skills.

Insider threats

Malicious insider threats attack organizations from within. Insiders may be disgruntled current or former employees with grudges against bosses or company policies. They may seek to damage network assets or steal data to sell or hand to rival companies.

Insider threats also include users with extensive privileges who are not directly employed by a company. Insider types of threat actors could be contractors, freelancers, or third-party vendors.

Corporate actors

Rival companies seeking to steal confidential information about employees, products, or business strategies also pose network security threats. These threat actors tend to use social engineering to target high-value employees.

Threat actor targets

Security policies should consider risks related to different threat actor categories. However, they should also assess potential cyber-attack targets. This enables security teams to protect data containers, servers, and work devices against the most probable attack types.

Personally identifiable information (PII)

PII is often the primary target for criminal threat actors. This data category identifies individuals and allows malicious actors to build in-depth target profiles. In turn, profiles enable phishers to create plausible emails or fake websites, prompting targets to take desired actions.

Attackers often steal PII to sell on the dark web. Monitoring data suggests that compromised LinkedIn accounts sell for $45 on the dark web, although criminals routinely sell millions of bulk emails for a few hundred dollars.

Financial data

Financial data is usually heavily guarded but is far more valuable for threat actors. Credit card PINs retail for around $20 each, while online bank login details range from $35 to $65 depending on the account balance.

Protected health information (PHI)

PHI is a high-value target for cyber-attackers due to its financial value and scope for identity theft and fraud. PHI includes identifiable information and health data related to insurance claims, treatment, and conditions.

Intellectual property

Cyber threat actors target intellectual property for re-sale or private use. Attackers may steal development code to share with rival companies. They may also extract images of product designs before they reach the market, providing a competitive advantage to the attacker's client.

Network infrastructure

Many threat actors focus on critical network infrastructure to make websites and workloads unavailable. DDoS attacks take out web servers, resulting in downtime and losses for target companies.

Infrastructure attacks are also routinely linked to ransomware gangs. Criminal groups take infrastructure offline until the target pays a specific ransom.

Cloud infrastructure

Around 44% of companies using the cloud have experienced a cybersecurity breach. Common targets include cloud management infrastructure, SaaS applications, and cloud storage.

A cloud-related cyber threat can be devastating as companies generally store large amounts of aggregated data in cloud containers. API exploits, credential stuffing attacks, and misconfiguration issues can lead to massive data breaches.

State assets

Some threat actors focus their attacks on strategic defense or government assets. These attacks could target military logistics, targeting systems, or contractors serving the government supply chain.

Cyber threat actor tactics

A threat actor has many ways to inflict harm, and potential cyber threats are continually evolving. Examples of threat actor tactics include:

Phishing/social engineering

Attackers use stolen personal data or publicly available information to write targeted emails, SMS messages, social media posts, or written letters.

Phishing emails are the most common type of cyber-attack, and every organization must prepare to detect and neutralize them. These emails mislead recipients, encouraging them to take risky actions such as clicking malicious links or downloading attachments containing malware.

When the target takes the desired action, attackers can implant malware, harvest data, and launch secondary cyber-attacks.

Ransomware

Ransomware is a malware variant that locks critical systems until targets pay a ransom. Ransomware can hit any economic sector but is most common in manufacturing or healthcare organizations. These organizations cannot afford extended downtime or data breaches.

Threat actors often use email phishing to launch ransomware attacks. However, a sophisticated threat actor could use exploit kits or unsecured Wi-Fi or Remote Desktop Protocol (RDP) connections.

Exploits

Exploits target vulnerable code in apps connected to the public internet. Targets could include operating systems, web apps, browsers, or collaboration tools—anything accessible via an internet connection is potentially vulnerable.

Bad actors constantly discover new security flaws in the apps we use. Leveraging these flaws allows them to implant malware or gain network access to exfiltrate data. States also use exploits as delivery mechanisms for advanced persistent threats (APTs) for surveillance or network sabotage.

Many exploits arise from unpatched applications. As a result, security policies should require regular updates.

Distributed denial-of-service (DDoS) attacks

DDoS attacks overwhelm targeted networks with web traffic. This leads to extensive downtime and may expose the network to secondary attacks.

Threat actors generally use “distributed” tactics to mount DoS attacks. Threat actors take control of devices and connect them via botnets. Botnets pool computing resources and help conceal the origin of DoS attacks. This makes them more powerful and harder to detect.

Threats from within

Insider threats leverage user privileges to access sensitive resources and steal data. Companies often assign excessive permissions to users and fail to roll back temporary privilege escalations. Users can exploit this situation to access resources that should be off-limits.

Password attacks

Authentication systems are a critical point of access for threat actors. Many times, threat actors steal or purchase credentials to access network resources. More sophisticated attacks use credential stuffing to guess passwords.

Credential stuffing works because almost 80% of people re-use the same password on multiple accounts. Many also use minor password variations. Threat actors can try thousands of permutations until they find the right variant.

Supply chain attacks

Some threat actors exploit the digital supply chain to achieve maximum impact. Supply chain attacks focus on cloud vendors that deal with many corporate clients. They have been increasing in line with cloud usage.

For example, in 2024 cloud storage vendor Snowflake reported a series of attacks on customer databases. Eventually, clients as diverse as Santander, Advance AutoParts, and Ticketmaster admitted being affected.

Examples of threat actors

What do threat actors look like in real life? The situation is complicated, as the Snowflake attacks show.

Security officials believe the Snowflake attacks were launched by a single man. Alexander Moucka exploited Snowflake accounts with misconfigured authentication. He then used widely available InfoStealer software to extract customer data from 165 accounts.

Moucka worked solo but was part of a wider community active on Telegram and Discord called "the Com." The Com is a loose criminal collective responsible for an array of cybercrimes.

Other threat actors are more organized. For example, the North Korean group Lazarus is thought to be part of the General Staff Bureau of the DPRK Korean People's Army. Lazarus most likely carried out the 2017 WannaCry attacks and continues to exploit Chrome vulnerabilities to launch global attacks.

Then there are self-interested insider threats. These threat actors almost always act alone. For instance, in 2022, departing Yahoo employee Qiang Sang stole 570,000 pages of the company's IP when leaving for a direct competitor.

How to prevent threat actor cyber-attacks

Defeating threat actor cyber-attacks requires a proactive cybersecurity strategy.

Reactive security waits for attempted or successful attacks before taking action. Proactive security continuously monitors network access and activity. Security teams update apps, research threat intelligence, and enforce strict security policies.

Essential cybersecurity measures include:

• Staff training. Educate staff about common phishing techniques. Teach them to identify suspicious email headers or embedded links. Employees must know how to act when they detect potential threats (and what not to do).
• Multi-factor authentication (MFA). MFA requires more than one authentication factor when accessing network resources. This could be a one-time passcode delivered to a mobile device or biometrics. MFA blocks many threat actor tactics such as credential stuffing or brute-forcing attacks.
• Secure the perimeter. Prevent man-in-the-middle attacks by using a Virtual Private Network (VPN) to encrypt remote connections. Put in place robust firewall filters to block unauthorized access.
• Proactively scan for threat actors. Network monitoring tools should scan for malware and persistent threats. Use up-to-date threat databases including the latest data, and extend virus scanning to all connected devices.
• Regular updates. Robust patching protects apps against exploits like SQL injection attacks. They make networks less susceptible to blended threats that seek exploits to deliver malware payloads.
• Access management. Insider threats often use their privileges to access sensitive resources. Role-based privileges management and network segmentation apply the principle of least privilege. Users can only access resources related to their tasks. This limits harm from disgruntled insiders.
• Remember physical threats. Stolen or lost devices can contain confidential data and credentials. Implement security policies to safeguard work devices. Protect data servers and other infrastructure with physical access controls and surveillance tools.

Preventing threat actor cyber-attacks requires proactive defense, regular updates, and user training. To reduce exposure to cyber threats, employ MFA, secure perimeters, monitor networks, manage access, and address physical risks.