Threat actor

A threat actor or malicious actor is a person or a group of people that takes part in an action intended to cause harm in the cyber realm, including to computers, devices, systems, or networks. [1] The term is typically used to describe individuals or groups that perform malicious acts against a person or an organization of any type or size. Threat actors engage in cyber-related offenses to exploit open vulnerabilities and disrupt operations. [2] Threat actors have different educational backgrounds, skills, and resources. [1] The frequency and classification of cyber attacks change rapidly. The background of a threat actor helps dictate whom they target, how they attack, and what information they seek. Threat actors fall into a number of categories, including cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors. [3] These threat actors all have distinct motivations, techniques, targets, and uses for stolen data. [4]



The development of cyberspace has brought both advantages and disadvantages to society. While cyberspace has furthered technological innovation, it has also brought various forms of cyber crime. [2] Since the dawn of cyberspace, individual, group, and nation-state threat actors have engaged in cyber-related offenses to exploit victims' vulnerabilities. [2] Threat actors fall into a number of categories with different motives and targets.

Financially motivated actors

Cyber criminals have two main objectives. First, they want to infiltrate a system to access valuable data or items. Second, they want to avoid legal consequences after infiltrating a system. Cyber criminals can be broken down into three sub-groups: mass scammers/automated hackers, criminal infrastructure providers, and big game hunters. [3]

Mass scammers and automated hackers are cyber criminals who attack a system for monetary gain. These threat actors use tools to infect organizations' computer systems, then demand payment from the victims in exchange for the return of their data. [2] Criminal infrastructure providers are a group of threat actors that also use tools to infect an organization's computer systems. They then sell access to the compromised infrastructure to an outside party, who exploits the system. Typically, victims of criminal infrastructure providers are unaware that their systems have been infected. [2] Big game hunters are another sub-group of cyber criminals; they aim to attack a single, high-value target. Big game hunters spend extra time learning about their target, including its system architecture and the other technologies it uses. Victims can be targeted by email, by phone, or through social engineering. [2]

Nation-state actors

Nation-state threat actors aim to gain intelligence of national interest. Nation-state actors can be interested in a number of sectors, including nuclear, financial, and technology information. [2] There are two ways nations use nation-state actors. First, some nations make use of their own governmental intelligence agencies. Second, some nations work with organizations that specialize in cyber crime. States that use outside groups can be tracked; however, states do not necessarily take accountability for acts conducted by the outside group. Nation-state actors can attack other nations as well as outside organizations, including private companies and non-governmental organizations. They typically aim to bolster their nation-state's counterintelligence strategy. [2] Nation-state attacks can include strategic sabotage and attacks on critical infrastructure. Nation states are considered an incredibly large group of threat actors in the cyber realm. [5]

Ideologues (hacktivists and terrorists)

Threat actors considered ideologues include two groups of attackers: hacktivists and terrorists. These two groups can be grouped together because they have similar goals. However, hacktivists and terrorists differ in how they commit cyber crimes.

Hacktivism is a term that was coined in the early days of the World Wide Web. It is derived from a combination of two words: hacking and activism. [2] Hacktivists are typically individuals or entities that are ready to commit cyber crimes to further their own beliefs and ideologies. [3] Many hacktivists are anti-capitalist or anti-corporate idealists, and their attacks are inspired by similar political and social issues. [2] Terrorism includes individuals or groups of people that aim to cause terror to achieve their goals. The main difference between hacktivists and terrorists is their end goal: hacktivists are willing to break security laws to spread their message, while terrorists aim to cause terror to achieve their goals. Ideologues, unlike other types of threat actors, are typically not motivated by financial incentives. [2]

Thrill seekers and trolls

A thrill seeker is a type of threat actor that attacks a system for the sole purpose of experimentation. [3] Thrill seekers are interested in learning more about how computer systems and networks operate and want to see how much data they can reach within a computer system. While they do not aim to cause major damage, they can cause problems for an organization's systems. Over time, thrill seekers have evolved into modern trolls. Like thrill seekers, a troll is a person or group that attacks a system for recreation. However, unlike thrill seekers, trolls act with malicious intent. [2] Modern-day trolls can spread misinformation and cause harm.

Insiders and competitors

Insiders are threat actors from within the organization: either an insider who sells network information to other adversaries, or a disgruntled employee who retaliates because they feel they have been treated unfairly. [3] Insider attacks can be challenging to prevent; however, with a structured logging and analysis plan in place, insider threat actors can be detected after a successful attack. Business competitors are another threat actor that can harm organizations. Competitors may gain access to organizational secrets that are normally kept secure. Organizations can try to build stronger business intelligence to protect themselves against a competitor threat actor. [3]

Identified threat actors

Internet Research Agency

Organizations that identify threat actors

Government organizations

United States (US) - National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) is a government agency that works on issues dealing with cyber security at the national level. NIST has written reports on cyber security guidelines, including guidelines on conducting risk assessments. [6] NIST typically classifies cyber threat actors as national governments, terrorists, organized crime groups, hacktivists, and hackers. [7]

European Union (EU) - The European Union Agency for Cybersecurity (ENISA)

The European Union Agency for Cybersecurity is a European Union agency tasked with working on cyber security capabilities. ENISA provides both research and assistance to information security experts within the EU. [8] The agency published a cyber threat report up until 2019. The goal of this report is to identify incidents that have been published and attribute those attacks to the most likely threat actor. The latest report identifies nation-states, cyber criminals, hacktivists, cyber terrorists, and thrill seekers. [3] [8]

United Nations (UN)

The United Nations General Assembly (UNGA) has also been working to bring awareness to issues in cyber security. The UNGA released a report in 2019 on developments in the field of information and telecommunications in the context of international security. [3] [9] This report identifies the following threat actors: nation-states, cyber criminals, hacktivists, terrorist groups, thrill seekers, and insiders. [3] [9]

Canada - Canadian Centre for Cyber Security (CCCS)

Canada defines threat actors as states, groups, or individuals who aim to cause harm by exploiting a vulnerability with malicious intent. A threat actor must be trying to gain access to information systems in order to access or alter data, devices, systems, or networks. [10]

Japan - National Center of Incident Readiness and Strategy (NISC)

The Japanese government's National Center of Incident Readiness and Strategy (NISC) was established in 2015 to create a "free, fair and secure cyberspace" in Japan. [11] The NISC created a cybersecurity strategy in 2018 that identifies nation-states and cybercrime as among the key threats. [12] It also indicates that terrorist use of cyberspace needs to be monitored and understood. [12]

Russia - Security Council of the Russian Federation

The Security Council of the Russian Federation published its cyber security strategy doctrine in 2016. [13] This strategy highlights the following threat actors as a risk to cyber security measures: nation-state actors, cyber criminals, and terrorists. [3] [13]

Non-governmental organizations

CrowdStrike

CrowdStrike is a cybersecurity technology and antivirus company that publishes an annual threat report. The 2021 Global Threat Report identifies nation-states and cybercriminals as two major threats to cyber security. [14]

FireEye

FireEye is a cybersecurity firm involved in detecting and preventing cyber attacks. It publishes an annual report on detected threat trends, containing results from its customers' sensor systems. [15] Its threat report lists state-sponsored actors, cyber criminals, and insiders as current threats. [16]

McAfee

McAfee is an American global computer security software company. The company publishes a quarterly threat report that identifies key issues in cybersecurity. [17] The October 2021 threat report identifies cybercriminals as one of the biggest threats in the field. [17]

Verizon

Verizon is an American multinational telecommunications company that has provided a threat report based on past customer incidents. It asks the following question when defining threat actors: "Who is behind the event? This could be the external 'bad guy' who launches a phishing campaign or an employee who leaves sensitive documents in their seat back pocket". [18] The report outlines nation-state actors and cybercriminals as two types of threat actors. [18]

Phishing

Phishing is one method threat actors use to obtain sensitive data, including usernames, passwords, credit card information, and social security numbers. A phishing attack typically occurs when a threat actor sends a message designed to trick the victim into either revealing sensitive information to the threat actor or deploying malicious software on the victim's own system. [19]

Cross-Site Scripting

Cross-site scripting is a type of security vulnerability in which a threat actor injects a client-side script into an otherwise safe and trusted web application. [20] The injected script then runs on the victim's system when the affected page is viewed, which allows the threat actor to access sensitive data. [21]
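As an added illustration (not part of the original article), the following Python snippet contrasts a server-side template that interpolates an untrusted display name straight into HTML with one that output-encodes it, and shows why an attribute context such as href needs a scheme allowlist on top of escaping. The sample input and all function names are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample input: a "display name" submitted by an untrusted user.
UNTRUSTED_NAME = '<script>alert("xss")</script>'


def render_greeting_vulnerable(name: str) -> str:
    """Interpolates the user-supplied value straight into the HTML body.

    Whatever markup the user submitted becomes part of the page, so a
    <script> element in the input is delivered to every viewer's browser.
    """
    return f"<p>Hello, {name}!</p>"


def render_greeting_hardened(name: str) -> str:
    """Output-encodes the value for an HTML text context before interpolating.

    html.escape turns <, >, &, " and ' into character references, so the
    browser renders the input as literal text instead of parsing it as markup.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def safe_href(url: str) -> str:
    """Builds a value for an href attribute from untrusted input.

    Entity encoding alone is not enough in this context: a 'javascript:' URL
    contains no special characters yet still executes when clicked. Allow only
    http(s) schemes first, then escape for the attribute context.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"  # neutralise anything that is not a plain web link
    return html.escape(url, quote=True)


def contains_script_element(fragment: str) -> bool:
    """Simplistic check used only to show the difference between the two
    renderers; it is not a substitute for a real XSS detector or a CSP."""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_greeting_vulnerable(UNTRUSTED_NAME))
    print(render_greeting_hardened(UNTRUSTED_NAME))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/"))
```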

SQL Injections

SQL injection is a code injection technique used by threat actors to attack data-driven applications. Threat actors inject malicious SQL statements through application input, which allows them to extract, alter, or delete victims' information. [21]
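As an added example (not from the original article), this Python code builds a small constructed SQLite user table and contrasts a lookup that concatenates the username into the query with one that binds it as a parameter; a classic tautology input makes the first return every row while the second treats the input as a plain value. The database contents, inputs and function names are all constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by string concatenation.

    A quote character in the input ends the string literal early, so the rest
    of the input is parsed as SQL and changes the logic of the query.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Sends the statement and the value separately.

    The driver binds the value to the placeholder, so it can only ever be
    compared against the column and is never parsed as part of the statement.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed input: closes the string literal and appends an always-true condition.
TAUTOLOGY = "x' OR '1'='1"


def compare(conn: sqlite3.Connection, username: str) -> tuple:
    """Returns (rows from the vulnerable lookup, rows from the parameterized one)."""
    return len(lookup_vulnerable(conn, username)), len(lookup_parameterized(conn, username))


if __name__ == "__main__":
    db = make_db()
    print("benign   :", compare(db, "alice"))    # both find exactly one row
    print("tautology:", compare(db, TAUTOLOGY))  # concatenation returns every row
```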

Denial of Service Attacks

A denial-of-service attack (DoS attack) is a cyber attack in which a threat actor seeks to make a system or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a network host. Threat actors conduct a DoS attack by overwhelming a network with false requests in order to disrupt operations. [21]



  1. "Cybersecurity Spotlight - Cyber Threat Actors". CIS. Retrieved 2021-11-13.
  2. Pawlicka, Aleksandra; Choraś, Michał; Pawlicki, Marek (2021-10-01). "The stray sheep of cyberspace a.k.a. the actors who claim they break the law for the greater good". Personal and Ubiquitous Computing. 25 (5): 843–852. doi:10.1007/s00779-021-01568-7. ISSN 1617-4917. S2CID 236585163.
  3. Sailio, Mirko; Latvala, Outi-Marja; Szanto, Alexander (2020). "Cyber Threat Actors for the Factory of the Future". Applied Sciences. 10 (12): 4334. doi:10.3390/app10124334.
  4. [bare URL PDF]
  5. "ENISA Threat Landscape Report 2018". ENISA. Retrieved 2021-11-14.
  6. Ross, Ronald S. (2012-09-17). "Guide for Conducting Risk Assessments".
  7. "Cyber Threat Source Descriptions | CISA". Retrieved 2021-12-07.
  8. "ENISA Threat Landscape Report 2018". ENISA. Retrieved 2021-12-07.
  9. "A/74/120 - E - A/74/120 -Desktop". Retrieved 2021-12-07.
  10. Canadian Centre for Cyber Security (2018-08-15). "Canadian Centre for Cyber Security". Retrieved 2021-12-07.
  11. "National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) Japan". Retrieved 2021-12-07.
  12. "National center of Incident readiness and Strategy for Cybersecurity | NISC". Retrieved 2021-12-07.
  13. "Совет Безопасности Российской Федерации". Retrieved 2021-12-07.
  14. "2021 CrowdStrike Global Threat Report". Retrieved 2021-12-07.
  15. "[Report] M-Trends 2021". FireEye. Retrieved 2021-12-07.
  16. "[Report] M-Trends 2021". FireEye. Retrieved 2021-12-07.
  17. "McAfee Labs Threats Reports – Threat Research | McAfee". Retrieved 2021-12-07.
  18. "2021 DBIR Master's Guide". Verizon Business. Retrieved 2021-12-07.
  19. "What Is Phishing? Examples and Phishing Quiz". Cisco. Retrieved 2021-12-08.
  20. "Cross Site Scripting (XSS) Software Attack | OWASP Foundation". Retrieved 2021-12-08.
  21. "What is a Web Application Firewall? | WAF Explained | CrowdStrike". Retrieved 2021-12-08.