Types of threat actors: Script kiddies, hacktivists, APTs, nation-states

ID: 1.4 Level: 2 Parent: Cybersecurity Fundamentals Tags: #level2 #module1

Overview

Understanding threat actors—who they are, what motivates them, and how they operate—is fundamental to effective cybersecurity defense. Different adversaries possess varying levels of capability, resources, and objectives. Defending against script kiddies requires different strategies than protecting against nation-state actors.

This topic provides a comprehensive taxonomy of threat actors, examining their motivations, capabilities, tactics, techniques, and procedures (TTPs). By understanding the adversary landscape, security professionals can implement threat-informed defense strategies, prioritize security investments, and design detection capabilities tailored to likely threats.

The spectrum of threat actors ranges from opportunistic amateurs using automated tools to sophisticated state-sponsored groups conducting multi-year espionage campaigns. Each category presents unique challenges and requires appropriate defensive responses.

Key Concepts

Threat Actor Classification Framework

Threat actors can be categorized along multiple dimensions:

Capability: Technical sophistication and access to resources
Motivation: Financial gain, political goals, ideology, curiosity, or espionage
Resources: Funding, personnel, infrastructure, and time available
Intent: Targeted vs opportunistic, destructive vs stealth operations
Organization: Individual actors, loosely organized groups, or structured organizations

Script Kiddies and Opportunistic Attackers

Characteristics:

Low technical skill, rely on pre-packaged tools and exploits
Minimal resources and short attention spans
Motivation: curiosity, bragging rights, minor financial gain
Use automated scanning tools to find vulnerable targets
Exploit known, unpatched vulnerabilities
Easily deterred by basic security controls

Common Tactics:

Running automated vulnerability scanners (Nmap, Nessus, OpenVAS)
Using exploit frameworks like Metasploit with default settings
Deploying publicly available malware and scripts
Password spraying with common credential lists
Defacement of websites for recognition
DDoS attacks using rented botnet services

Defense Strategies:

Patch management and timely security updates
Basic security hygiene and configuration hardening
Web Application Firewalls (WAF) and rate limiting
Network segmentation and access controls
Automated vulnerability scanning and remediation

Impact Level: Generally low, but can cause disruption and embarrassment. Opportunistic nature means any exposed vulnerability may be exploited.

Hacktivists

Characteristics:

Politically or socially motivated attackers
Variable technical capability (from low to sophisticated)
Seek publicity for causes through cyberattacks
Target organizations based on political alignment
Often operate in loosely organized collectives
May face legal consequences if caught

Notable Groups and Operations:

Anonymous: Decentralized collective conducting operations against governments, corporations, and organizations
LulzSec: Short-lived group focused on high-profile breaches
Syrian Electronic Army: Pro-Assad government hacktivist group
Operation Payback: Attacks supporting WikiLeaks
OpIsrael: Attacks targeting Israeli websites

Common Tactics:

DDoS attacks to disrupt websites and services
Website defacement with political messages
Data breaches and leaks (doxing) of sensitive information
Social media account compromises
SQL injection and web application attacks
Email account compromises and publication

Defense Strategies:

Reputation monitoring and crisis communication plans
DDoS mitigation services and CDN protection
Strong web application security controls
Social media account security and monitoring
Public relations preparedness for potential attacks

Impact Level: Medium to high, particularly regarding reputation. Can cause operational disruption and embarrassment. Leaked data can have lasting consequences.

Organized Cybercrime Groups

Characteristics:

Sophisticated, profit-driven criminal enterprises
Well-funded with professional organizational structures
Employ specialists for different attack phases
Operate Ransomware-as-a-Service (RaaS) and other crime-as-a-service models
Use cryptocurrency for payment to maintain anonymity
Often operate from jurisdictions with limited law enforcement cooperation

Financial Motivation Models:

Ransomware attacks encrypting data for ransom payment
Banking trojans stealing financial credentials
Business Email Compromise (BEC) causing fraudulent transfers
Credit card theft and sale on dark web marketplaces
Cryptocurrency theft and cryptojacking
Sale of access credentials to other criminals

Notable Groups:

LockBit, BlackCat/ALPHV, REvil: Ransomware gangs with RaaS models
FIN7, Carbanak: Financial crime specialists targeting banking infrastructure
Lazarus Group: North Korean actors engaged in financial theft
Trickbot/Emotet: Banking trojan operators transitioning to ransomware
Magecart: Credit card skimming operations targeting e-commerce sites

Common Tactics:

Spear phishing campaigns with malicious attachments
Exploit kits targeting browser and plugin vulnerabilities
Initial access brokers selling network access
Living-off-the-land (LOLBins) techniques using legitimate tools
Double and triple extortion ransomware tactics
Cryptocurrency mining malware deployments

Defense Strategies:

Comprehensive backup and disaster recovery capabilities
Endpoint Detection and Response (EDR) platforms
Email security gateways with advanced threat protection
Network segmentation limiting lateral movement
Privileged Access Management (PAM) systems
Threat intelligence feeds for IOC detection
Incident response retainers and cyber insurance

Impact Level: High. Financial losses can be substantial. Operational disruption from ransomware. Regulatory penalties for data breaches. Long-term reputational damage.

Advanced Persistent Threats (APTs) and Nation-State Actors

Characteristics:

Highly sophisticated, state-sponsored or state-affiliated groups
Extensive resources including zero-day exploits and custom malware
Long-term campaigns spanning months or years
Primary objectives: espionage, intellectual property theft, and infrastructure disruption
Meticulous operational security and evasion techniques
Patient, methodical approach with strategic objectives
Often immune from prosecution due to state protection

Motivations:

Cyber Espionage: Stealing government secrets, military technology, and industrial IP
Strategic Intelligence: Monitoring diplomatic communications and adversary capabilities
Supply Chain Compromise: Infiltrating software vendors to reach multiple targets
Critical Infrastructure: Positioning for potential future conflict
Information Operations: Influence campaigns and disinformation

Notable APT Groups:

APT28 (Fancy Bear): Russian GRU-attributed group, DNC hack, military targets
APT29 (Cozy Bear): Russian SVR-attributed, SolarWinds supply chain attack
APT41 (Double Dragon): Chinese group blending espionage and financial crime
Lazarus Group: North Korean actors, Sony Pictures, WannaCry, cryptocurrency theft
APT33 (Elfin): Iranian group targeting aviation and energy sectors
Equation Group: NSA-linked group with sophisticated tooling (exposed by Shadow Brokers)

Advanced Tactics:

Zero-day exploit development and weaponization
Supply chain attacks compromising software vendors
Custom malware frameworks with modular capabilities
Anti-forensic techniques and evidence destruction
Strategic web compromises (watering hole attacks)
Compromising certificate authorities and code signing
Living-off-the-land and fileless malware techniques
Multi-stage C2 infrastructure with resilience

Defense Strategies:

Assume-breach security architecture
Network segmentation with strict access controls
Advanced threat hunting programs
Endpoint detection with behavioral analytics
Network traffic analysis and anomaly detection
Threat intelligence focused on APT TTPs
Privileged credential protection and monitoring
Regular security assessments and penetration testing
Incident response capabilities with forensic expertise

Impact Level: Very high to critical. Intellectual property theft can undermine competitive advantage. Government espionage affects national security. Infrastructure compromise could enable future attacks. Long-term persistence difficult to fully eradicate.

Insider Threats

Characteristics:

Current or former employees, contractors, or business partners
Legitimate access to systems and knowledge of security controls
Motivations include financial gain, revenge, ideology, or espionage
Can bypass many perimeter security controls
Difficult to detect due to authorized access
Account for significant percentage of security incidents

Types:

Malicious Insiders: Intentionally steal data or cause harm
Negligent Insiders: Unintentionally create security risks through carelessness
Compromised Insiders: Accounts hijacked by external attackers

Practical Applications

Threat-Informed Defense

Prioritize controls based on threat actors most likely to target your sector
Financial services: Focus on organized crime and BEC
Defense contractors: Prepare for APT and nation-state actors
Healthcare: Address ransomware gangs and insider threats
Small businesses: Emphasize script kiddie and opportunistic attacker defenses

Threat Intelligence Programs

Subscribe to industry-specific threat intelligence feeds
Monitor threat actor campaigns targeting similar organizations
Participate in Information Sharing and Analysis Centers (ISACs)
Track APT group TTPs via MITRE ATT&CK mappings
Implement threat hunting based on known adversary behaviors

Security Architecture Decisions

For APT threats: Assume-breach architecture, micro-segmentation, zero trust
For ransomware: Backup resilience, EDR, network segmentation
For hacktivists: DDoS protection, reputation monitoring, PR preparedness
For insiders: Data Loss Prevention (DLP), User Behavior Analytics (UBA)

Security Implications

Attribution Challenges

Nation-state actors use false flags and proxy infrastructure
Organized crime groups hide behind anonymizing services
Technical attribution requires extensive forensic analysis
Legal and political considerations complicate response

Asymmetric Threat Landscape

Small organizations face sophisticated automated attacks
Defenders must succeed always; attackers need one success
Resource disparity between defenders and well-funded adversaries
Commodity malware can be as damaging as custom tools

Geopolitical Dimensions

Cyber operations increasingly used in international conflicts
Critical infrastructure targeted for strategic positioning
Economic espionage undermines competitive advantage
Attribution and response create diplomatic tensions

Tools & Techniques

Threat Intelligence Platforms

MISP: Open-source threat intelligence sharing
Recorded Future, ThreatConnect: Commercial threat intelligence
AlienVault OTX: Community threat intelligence exchange
VirusTotal: Malware analysis and IOC repository

APT Tracking Resources

MITRE ATT&CK: Adversary tactics and techniques knowledge base
APT Notes: Repository of APT campaign reports
Malpedia: Malware and actor tracking
Threat Actor Encyclopedia: Comprehensive actor profiling

Detection and Monitoring

EDR Platforms: CrowdStrike, SentinelOne, Carbon Black, Microsoft Defender
SIEM: Splunk, QRadar, ArcSight, Elastic Security
NDR: Darktrace, Vectra, ExtraHop, Corelight
UEBA: Exabeam, Securonix, Splunk UBA

Related Topics at Same Level:

References & Further Reading

MITRE ATT&CK Framework: https://attack.mitre.org/
VirusTotal: https://www.virustotal.com/
Industry white papers and research publications
Vendor security documentation and best practice guides
Security blogs and conference presentations

Note: This is part of a comprehensive Zettelkasten knowledge base for cybersecurity education. Links connect to related concepts for deeper exploration.