What Are Threat Actors?

No, not bad thespians looking for their big breaks and threatening legal action unless their half-second cameo in the next Avatar film is released.

Threat actors are the bad individuals typically at the origin of a cyber attack and can have the potential to significantly disrupt an organization’s security and day-to-day operations.

These provocateurs of cyber attacks can be a single individual or a group as large as a nation-state or organized crime syndicate. Let’s dig into the different types of threat actors and some of the channels they are using in order to infiltrate an organization’s networks and devices.

The Types of Threat Actors

Insider Threats

Historically, insider threats were considered a company’s primary threat and are more prevalent than one might think.

Essentially, insider threats occur when employees act maliciously against their organization.

So what do these insiders do? Using their access, they may steal or destroy information, create backdoors into systems, install malware, or disrupt company operations.

Insider threats are also known as:

  • Corporate Espionage: An employee steals company secrets to sell or use them for personal gain.
  • Sabotage: An employee takes action against an organization in order to damage its reputation or operations.
  • Malicious Data Exfiltration: An employee steals data from a company with malicious intent (i.e., blackmail).
  • Theft of Intellectual Property (IP): is another form of cyber espionage. In this case, a hacker steals trade secrets from companies to gain a competitive advantage or copy their business model for their own purposes.

Organized Crime Rings

Organized crime has moved on from the traditional racketeering, extortion, prostitution, and booze smuggling (it’s been a while since that last one, but still). Now, these rings are a lot more sophisticated in their tools to obtain an easy payday.

Many of these groups operate out of Russia and other Eastern European countries because there aren’t extradition laws and there are unspoken agreements that as long as they don’t attack their home countries, they won’t face criminal punishment for these malicious acts.

These groups use their own command-and-control servers to coordinate this activity between all the different groups and their own infrastructure, servers, and servers.

Since they have all these resources already at their disposal, it’s very easy for them to launch new campaigns very quickly, so they can use them immediately rather than having to start from scratch.


Nation-states typically have the resources, the time, and the motivation to severely disrupt security on a grand scale. These threat actors could be looking for information that could be used for political gain or economic espionage purposes (i.e., stealing money, trade secrets, and defensive infrastructure blueprints).

In today’s environment, nation-state attacks are becoming more common and more sophisticated. A well-known example as recent as July of 2022 is HolyGhost launched by groups in North Korea. For more than a year, these hackers had been running the attack aimed at small businesses in various countries to disrupt economic stability.

The threat from nation-states is growing, they have access to large amounts of funding and resources that allow them to invest in developing advanced tools and techniques for gaining access to systems around the world.

They also possess access to intelligence agencies that can conduct surveillance on targets and plan sophisticated attacks that exploit unknown vulnerabilities in software products used by organizations worldwide.


Derived from combining the words ‘Hack’ and ‘Activism’, Hacktivism is a type of computer hacking that is done for political or social purposes.

Hactivists usually target businesses that they believe have done something against their ideology and aim for denial-of-service (DDoS). For example, Visa was targeted in Operation Payback after it refused to process donations made for Julian Assange.

Attack Vectors used by these Threat Actors

Let’s dive into some of the common attack vectors that are used by these threat actors we’ve detailed.

But first…what is an attack vector?

A security breach can occur through many different means, known as attack vectors. The more attack vectors there are, the greater the risk of a successful intrusion. The term “attack surface” refers to the sum total of all potential vulnerabilities that could be exploited by attackers.

Social Engineering

There are many different ways to attack a system, but one of the most effective is through human interaction. This is known as “social engineering”, and it often involves tricking people into breaking normal security procedures in order to gain unauthorized access to systems, networks, or physical locations.

There are many different types of digital social engineering attacks. The following are five of the most common:

  • Baiting: Baiting attacks are named after the way they use false promises to bait victims into a trap. By luring users with something they want or are curious about, these attacks can steal personal information or infect systems with malware.
  • Scareware: Scareware is a type of malware that tricks users into thinking their system is infected with a virus or other security threat. Scareware can take the form of a fake antivirus program that displays bogus alerts and scan results, or a fake website that claims your computer is at risk. Clicking on the fake antivirus program’s “Remove” button or visiting the fake website may download and install more malware on your computer.
  • Pretexting: In this type of attack, the attacker obtains information by lying to the victim. The attacker will usually start by pretending to be someone who has a need for the victim’s sensitive information, such as a co-worker, police officer, or bank official. The attacker will then ask the victim questions that are designed to gather personal data. By doing this, the attacker is able to establish trust with the victim and obtain the information that they need.
  • Phishing: One of the most common social engineering attack types is phishing. This is where scammers send out emails or text messages with a sense of urgency, curiosity, or fear in order to get the victim to reveal sensitive information, click on links to malicious websites, or open attachments that contain malware.
  • Spear Phishing: Spear phishing is a type of targeted phishing attack where the attacker specifically chooses their victims and tailors their messages to them in order to make their attack less conspicuous. Spear phishing attacks can be much harder to detect than regular phishing scams and may take weeks or even months of planning and execution. However, they can be very successful when done skillfully.

Technical Vulnerabilities

Technical vulnerabilities exploit operating systems or software. A vulnerability is a weak spot that can be exploited by an attacker. By exploiting a vulnerability, the attacker can gain access to more privileged areas of the system and perform malevolent actions.

As more security vulnerabilities are discovered, it becomes increasingly difficult to protect against zero-day attacks. These are attacks that exploit previously unknown vulnerabilities, for which no patch has yet been released. Even with diligent security measures in place, it can be very hard to prevent these kinds of attacks.


A common mistake made by companies is misconfiguring their systems and applications, which leaves them vulnerable to attacks. Inadequate configuration of settings during the configuration process, or lack of maintenance and deployment of default settings, can leave systems vulnerable and can affect any layer of an application stack, cloud service, or network.

An example is when a company sets up its systems and applications without taking into account the threat landscape or when there are too many devices connected to the internet without proper security measures in place.

Watering Hole/Drive-by Attacks

Watering Hole

Watering hole attacks are becoming increasingly common as hackers target specific industries or groups of users. By infecting websites that these users typically visit, hackers can lure them to malicious sites and compromise their information.

Drive-by Attacks

Drive-by attacks, also known as drive-by downloads are attacks that can infect any type of user device with malicious software, without the user’s knowledge or permission. Drive-by attacks often occur simply by visiting an infected website.

DDoS (Denial-of-service)

Cybercriminals often attempt to carry out distributed denial-of-service (DDoS) attacks against servers in order to flood them with traffic and overload their infrastructure. This can cause sites to slow down or even crash, making it difficult or impossible for legitimate traffic to access them. DDoS attacks can cause significant damage to online businesses.

The Continuous Digital Arms Race

In the fight against cyber attacks, we like to call the upgrades on both sides the continuous digital arms race.

As threat actors continue to use more advanced techniques to wreak havoc on networks and devices, the defense used against these attacks also becomes more and more sophisticated.

The bad guys/threat actors are always coming up with new and creative ways to break into systems and the defenders must adapt and be able to block those attacks effectively.

In the next part of this series, we’ll cover some of the defenses organizations can employ in order to thwart these threat actors as they are looking for an easy payday… an organization’s hard-earned capital.

Make sure to read Part 2: Attack Vectors and Defense Strategies Against Them