In a digital world, companies collect more data and more types of data than ever before. As people use more technology, they generate new types of sensitive data. While data protection laws and compliance frameworks often detail categories of information requiring enhanced protection, they fail to keep pace with technological advances. When people understand the reason for securing data, they strengthen their data protection programs. By understanding the different types of threat actors and their motivations, security teams can more effectively identify and protect sensitive data.
What Is a Cyber Threat Actor?
Cyber threat actors, also called malicious actors, are people or groups who exploit security vulnerabilities in systems, devices, software, or administrative processes, intending to steal sensitive data or disrupt business operations. Threat actors can be financially, ideologically, or politically motivated, and their motivations drive the attack’s outcome.
Once threat actors gain access to devices, networks, or systems, they typically engage in the following activities:
- Use processing power
- Steal or change data
- Undermine network performance
- Extort business owner
What Are the Types of Threat Actors?
When you understand the types of threat actors and their motivations, you can build scenarios for each kind, enabling you to enhance your data protections.
Organized Crime
Threat actors that fall into this category are financially motivated. Typically, they fall into a few general categories:
- Ransomware gangs: develop and sell ransomware or malware that other criminals use
- Data sales: selling the stolen data, like credentials, bank account information, social security numbers, lists of infected devices
- Fraud: using the stolen data, like identity theft, financial fraud, or account takeover activities
Depending on the type of crime they commit, these threat actors vary in sophistication and skill level. For example, ransomware gangs who develop malware are often more sophisticated than someone purchasing the malware.
Nation-State Actors
A country’s government finances these threat actors to engage in sabotage or espionage. They target another country’s infrastructures to steal secrets or undermine operations. They also target businesses supporting the government’s infrastructure, including:
- Cybersecurity technologies
- Critical infrastructure, like oil, gas, electrical, financial services, healthcare
- Think tanks
- Industry trade associations
Nation-state actors are highly skilled and sophisticated, making them difficult to identify and trace.
Cyber Terrorists
Politically motivated, cyber terrorists target government agencies and critical infrastructure, disrupting activities to cause physical or economic harm. No government officially finances them.
Cyber terrorists typically purchase tools on the dark web or through Telegram forums.
Hacktivists
Hacktivists are ideologically motivated individuals or groups that target governments or businesses, hoping to disrupt operations or damage data. While not financially motivated, they want to cause financial harm through business interruption.
Malicious Insiders
Malicious insiders need not be sophisticated: they typically already have legitimate access to systems as employees or contractors. They target their own organization, seeking to steal intellectual property or trade secrets, and may be a disgruntled employee or someone a competitor pays to steal the information.
Thrill-Seekers
Thrill-seekers are internally motivated threat actors who attack systems just to see if they can compromise them. While they may not intend to cause harm, they can still damage data, steal information, or disrupt business activities. They possess varying skill and sophistication levels.
What Are Some Common Threat Actors?
Understanding some common threat actors can give you insight into how they operate so that you can implement mitigation strategies.
APT19
This China-based group targets various industries, including:
- Defense
- Financial
- Energy
- Pharmaceutical
- Telecommunications
- Technology
- Education
- Manufacturing
- Legal
They launched a 2017 phishing campaign that targeted law and investment firms.
APT29 (Cozy Bear)
Attributed to Russia’s Foreign Intelligence Service (SVR), this group typically targets government networks across European and NATO member countries, research institutes, and think tanks. The U.S. government held them responsible for compromising the SolarWinds Orion software updates.
Cobalt Group
A financially motivated threat actor, Cobalt Group primarily targets financial institutions, stealing money through ATM systems, card processing, payment systems, and SWIFT systems. In some cases, they compromise one organization and then use that access to reach additional victims.
LAPSUS$
Active since mid-2021, LAPSUS$ falls into the criminal threat actor category. It focuses on large-scale social engineering and extortion activities across the following sectors:
- Government
- Manufacturing
- Higher education
- Energy
- Healthcare
- Technology
- Telecommunications
- Media
Aquatic Panda
This group engages in intelligence and industrial espionage. Since mid-2020, it primarily targets the following sectors:
- Telecommunications
- Technology
- Government
Mitigating Risks Arising From Threat Actors
Regardless of their motivation, threat actors continuously evolve their attack methods and actively exploit vulnerabilities. To mitigate risk, organizations can implement some security best practices.
Reduce the External Attack Surface
With more digital tools and services, organizations expand their digital footprints and attack surface. As organizations lose visibility, threat actors gain opportunities. To remediate digital risk, organizations should consider monitoring:
- User access to resources
- Device security posture
- Server configurations
- GitHub repositories
When security teams have a complete picture of their organization’s digital footprint, they can reduce the attack surface, making it more difficult for threat actors to compromise data.
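As an added example of what monitoring GitHub repositories for digital risk looks like in practice (this is illustrative code written for this article, not part of the original text or any Flare product): a small scanner that walks a set of files and flags committed-secret shapes. The AWS access key id format and the PEM private-key header are public formats; the credential-assignment pattern, the placeholder filter, the entropy threshold and the repository snapshot are all constructed assumptions for the demonstration.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Detectors for common committed-secret shapes. The AWS access key id format
# (AKIA + 16 upper-case alphanumerics) and the PEM header are public formats;
# the credential-assignment pattern is a generic heuristic (assumption).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Values that sit in a credential slot but are clearly not a live secret.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|changeme|example|x{3,}|your[_-].*)$", re.IGNORECASE)
# Candidate opaque tokens for the entropy check (base64 / hex / url-safe alphabets).
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; a random 32-char alphanumeric scores about 5


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    evidence: str  # masked: never copy the full secret into alerts or tickets


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep a short prefix and the length so an analyst can locate the value without re-leaking it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        before = len(findings)
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(2) if kind == "hardcoded_credential" else m.group(0)
                if kind == "hardcoded_credential" and PLACEHOLDER.match(value):
                    continue  # "${VAR}", "<...>", "changeme": a slot, not a secret
                findings.append(Finding(path, line_no, kind, mask(value)))
        if len(findings) == before:  # entropy heuristic only on lines no pattern explained
            for tok in TOKEN.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, line_no, "high_entropy_string", mask(tok)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """files maps repository path -> file contents (for example, read from a git checkout)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository snapshot; every "secret" below is made up for this example.
SAMPLE_REPO = {
    "config/settings.py": (
        'DB_PASSWORD = "changeme"\n'
        'API_KEY = "${API_KEY}"\n'
        'SERVICE_TOKEN = "q8Zr2mX0pLv7Nt4KbW9sYc3HdJ1f"\n'
    ),
    "deploy/credentials.yaml": "aws_access_key_id: AKIACONSTRUCTED12345\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(body omitted in this example)\n",
    "src/client.py": 'HEADERS = {"X-Auth": "Zk9pQ2vL8mN4rT7xW1yB3cF6hJ0dS5gA"}\n',
    "README.md": "Set API_KEY in your environment; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} {f.evidence}")
```

Running it reports four findings: the hard-coded service token in settings.py, the AWS key id in the YAML file, the private-key header, and the opaque high-entropy header value in client.py, while the two placeholder assignments and the README sentence stay quiet. The entropy check is deliberately only applied to lines that no explicit pattern already explained, which keeps one leaked value from producing two alerts.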
Monitor the Dark Web
Threat actors build entire communities on the dark web where they sell information and tools. With dark web monitoring, companies gain visibility into:
- Stolen user credentials
- Targeted threats
- Account takeover attacks
With visibility into threat actors’ forums, security teams can proactively mitigate risks. For example, by identifying compromised credentials, the security team can require the user to create a new password.
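The compromised-credential workflow just described (match leaked records to your own accounts, then require a new password) can be made concrete. The following is an added example written for this article, not code from the original post or from Flare's platform: it assumes a constructed feed format of email, source and sighting date, a hypothetical directory export with each account's last password change, and the made-up organization domains `example.com` and `corp.example.com`. The point it adds beyond the prose is the decision logic: a password rotated after the newest sighting is not exposed by that leak, a disabled account cannot be reset, and an org-domain address missing from the directory is its own finding.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Hypothetical organization mail domains; records for any other domain are not our users.
ORG_DOMAINS = {"example.com", "corp.example.com"}


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class LeakRecord:
    """One row in the shape a monitoring feed might deliver (constructed, not a vendor format)."""
    email: str
    source: str
    observed_at: datetime


@dataclass
class DirectoryUser:
    """Minimal view of an identity-directory account (constructed)."""
    email: str
    password_changed_at: datetime
    enabled: bool = True


@dataclass
class Finding:
    email: str
    latest_leak: datetime
    sources: Set[str] = field(default_factory=set)
    decision: str = ""  # reset_required | already_rotated | disabled_account | unknown_account


def normalize_email(addr: str) -> str:
    """Lower-case and trim; return '' for anything that is not local@domain."""
    addr = addr.strip().lower()
    local, sep, domain = addr.partition("@")
    if not sep or not local or "." not in domain:
        return ""
    return f"{local}@{domain}"


def triage_leaks(leaks: Iterable[LeakRecord], directory: Iterable[DirectoryUser]) -> Dict[str, Finding]:
    users = {normalize_email(u.email): u for u in directory}
    findings: Dict[str, Finding] = {}

    # Aggregate: one finding per account, keeping the newest sighting and every source.
    for rec in leaks:
        email = normalize_email(rec.email)
        if not email or email.rsplit("@", 1)[1] not in ORG_DOMAINS:
            continue  # malformed, or someone else's domain
        f = findings.setdefault(email, Finding(email=email, latest_leak=rec.observed_at))
        f.sources.add(rec.source)
        f.latest_leak = max(f.latest_leak, rec.observed_at)

    # Decide: a password rotated after the newest sighting is not exposed by this leak.
    for email, f in findings.items():
        user = users.get(email)
        if user is None:
            f.decision = "unknown_account"   # ex-employee alias, typo or shadow account: investigate
        elif not user.enabled:
            f.decision = "disabled_account"  # nothing to reset; watch for re-enablement
        elif user.password_changed_at >= f.latest_leak:
            f.decision = "already_rotated"
        else:
            f.decision = "reset_required"
    return findings


def reset_queue(findings: Dict[str, Finding]) -> List[str]:
    """Accounts whose password must be reset now, sorted for a stable ticket list."""
    return sorted(e for e, f in findings.items() if f.decision == "reset_required")


# Constructed sample data.
SAMPLE_LEAKS = [
    LeakRecord(" Alice@Example.com ", "forum-dump-A", utc(2024, 3, 1)),
    LeakRecord("alice@example.com", "combo-list-B", utc(2024, 1, 15)),
    LeakRecord("bob@example.com", "forum-dump-A", utc(2024, 2, 10)),
    LeakRecord("carol@corp.example.com", "forum-dump-A", utc(2024, 2, 20)),
    LeakRecord("dave@example.com", "combo-list-B", utc(2024, 2, 1)),
    LeakRecord("mallory@other.example", "combo-list-B", utc(2024, 2, 1)),  # not our domain
    LeakRecord("not-an-address", "combo-list-B", utc(2024, 2, 1)),          # malformed
]
SAMPLE_DIRECTORY = [
    DirectoryUser("alice@example.com", utc(2024, 2, 1)),
    DirectoryUser("bob@example.com", utc(2024, 2, 15)),
    DirectoryUser("carol@corp.example.com", utc(2024, 1, 1), enabled=False),
]

if __name__ == "__main__":
    result = triage_leaks(SAMPLE_LEAKS, SAMPLE_DIRECTORY)
    for f in result.values():
        print(f"{f.email:28} {f.decision:17} last seen {f.latest_leak:%Y-%m-%d} via {sorted(f.sources)}")
    print("reset queue:", reset_queue(result))
```

With the sample data, only alice lands in the reset queue: her newest sighting postdates her last password change. Bob rotated after his sighting, carol's account is disabled, and dave's org-domain address has no directory entry, which is worth a look on its own because it may be a forgotten or shadow account.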
Engage in Red Teaming
With information about threat actors’ attack methodologies, security teams engage in red team exercises that test their detection rules, defensive tools, and response processes. Threat actors’ first activity is always cyber reconnaissance, looking for vulnerabilities to exploit. By behaving like a threat actor, security teams can implement a proactive approach to cybersecurity by fine-tuning security tools and enhancing processes.
Flare: Automated Clear and Dark Web Monitoring
With Flare’s platform, organizations have access to the same data that threat actors use. To get real-time, actionable alerts, security teams can leverage intelligence across dark, deep, and clear web resources, including illicit Telegram channels. With our AI-driven system, teams can prioritize threats efficiently, enabling them to reduce the attack surface and protect data more effectively.
Try a free trial and get started in just 15 minutes.