Threat Actors: The Definitive 2023 Guide to Cybercriminals

Gradient blue background. There is a light orange oval with the white text "BLOG" inside of it. Below it there's white text: "Threat Actors: The Definitive 2023 Guide to Cybercriminals." There is white text underneath that which says "Learn More" with a light orange arrow pointing down.

In a digital world, companies collect more data and more types of data than ever before. As people use more technology, they generate new types of sensitive data. While data protection laws and compliance frameworks often detail categories of information requiring enhanced protection, they fail to keep pace with technological advances. When people understand the reason for securing data, they strengthen their data protection programs. By understanding the different types of threat actors and their motivations, security teams can more effectively identify and protect sensitive data.

What Is a Cyber Threat Actor?

Cyber threat actors, also called malicious actors, are people or groups who exploit security vulnerabilities in systems, devices, software, or administrative processes, intending to steal sensitive data or disrupt business operations. Threat actors can be financially, ideologically, or politically motivated, and their motivations drive the attack’s outcome. 

Once threat actors gain access to devices, networks, or systems, they typically engage in the following activities:

  • Use processing power
  • Steal or change data
  • Undermine network performance
  • Extort business owner

What Are the Types of Threat Actors?

When you understand the types of threat actors and their motivations, you can build scenarios for each kind, enabling you to enhance your data protections. 

Organized Crime

Threat actors that fall into this category are financially motivated. Typically, they all into a few general categories:

  • Ransomware gangs: develop and sell ransomware or malware that other criminals use
  • Data sales: selling the stolen data, like credentials, bank account information, social security numbers, lists of infected devices
  • Fraud: using the stolen data, like identity theft, financial fraud, or account takeover activities

Depending on the type of crime they commit, these threat actors vary in sophistication and skill level. For example, ransomware gangs who develop malware are often more sophisticated than someone purchasing the malware. 

Nation-State Actors

A country’s government finances these threat actors to engage in sabotage or espionage. They target another country’s infrastructures to steal secrets or undermine operations. They also target businesses supporting the government’s infrastructure, including:

  • Cybersecurity technologies
  • Critical infrastructure, like oil, gas, electrical, financial services, healthcare
  • Think tanks 
  • Industry trade associations

Nation-state actors are highly skilled and sophisticated, making them difficult to identify and trace. 

Cyber Terrorists

Politically motivated, cyber terrorists target government agencies and critical infrastructure, disrupting activities to cause physical or economic harm. No government officially finances them.

Cyber terrorists typically purchase tools on the dark web or through Telegram forums.


Hacktivists are ideologically-motivated individuals or groups that target governments or businesses, hoping to disrupt operations or damage data. While not financially motivated, they want to cause financial harm through business interruption. 

Malicious Insiders

Malicious insider threats may not be sophisticated, typically having legitimate access to systems because they are an employee or contractor. Malicious insiders target their own organization, seeking to steal intellectual property or trade secrets. They can be a disgruntled employee or someone that a competitor pays to steal the information. 


Thrill-seekers are internally motivated threat actors who attack systems just to see if they can compromise them. While they may not intend to cause harm, they can still damage data, steal information, or disrupt business activities. They possess varying skill and sophistication levels. 

What Are Some Common Threat Actors?

Understanding some common threat actors can give you insight into how they operate so that you can implement mitigation strategies. 


This Chinese-based group targets various industries, including:

  • Defense
  • Financial 
  • Energy
  • Pharmaceutical
  • Telecommunications
  • Technology
  • Education
  • Manufacturing
  • Legal

They launched a 2017 phishing campaign that targeted law and investment firms. 

APT29 (Cozy Bear)

Attributed to Russia’s Foreign Intelligence Service (SVR), this group typically targets government networks across European and NATO member countries, research institutes, and think tanks. The U.S. government held them responsible for compromising the SolarWinds Orion software updates. 

Cobalt Group

A financially motivated threat actor, Cobalt Group primarily targets financial institutions, stealing money by using ATM systems, card processing, payment systems, and SWIFT systems. In some cases, they target organizations then use that access to compromise additional victims. 


Active since mid-2021, LAPSUS$ is falls into the criminal threat actor category. It focuses on large-scale social engineering and extortion activities across the following sectors:

  • Government
  • Manufacturing
  • Higher education 
  • Energy
  • Healthcare
  • Technology
  • Telecommunications
  • Media

Aquatic Panda

This group engages in intelligence and industrial espionage. Since mid-2020, it primarily targets the following sectors:

  • Telecommunications
  • Technology 
  • Government

Mitigating Risks Arising From Threat Actors

Regardless of their motivation, threat actors continuously evolve their attack methods and actively exploit vulnerabilities. To mitigate risk, organizations can implement some security best practices. 

Reduce the External Attack Surface 

With more digital tools and services, organizations expand their digital footprints and attack surface. As organizations lose visibility, threat actors gain opportunities. To remediate digital risk, organizations should consider monitoring:

  • User access to resources
  • Device security posture
  • Server configurations
  • Github repositories

When security teams have a complete picture of their organization’s digital footprint, they can reduce the attack surface, making it more difficult for threat actors to compromise data.

Monitor the Dark Web 

Threat actors build entire communities on the dark web where they sell information and tools. With dark web monitoring, companies gain visibility into:

  • Stolen user credentials
  • Targeted threats
  • Account takeover attacks

With visibility into threat actors’ forums, security teams can proactively mitigate risks. For example, by identifying compromised credentials, the security team can require the user to create a new password. 

Engage in Red Teaming

With information about threat actors’ attack methodologies, security teams engage in red team exercises that test their detection rules, defensive tools, and response processes. Threat actors’ first activity is always cyber reconnaissance, looking for vulnerabilities to exploit. By behaving like a threat actor, security teams can implement a proactive approach to cybersecurity by fine-tuning security tools and enhancing processes. 

Flare: Automated Clear and Dark Web Monitoring

With Flare’s platform, organizations have access to the same data that threat actors use. To get real-time, actionable alerts, security teams can leverage intelligence across dark, deep, and clear web resources, including illicit Telegram channels. With our AI-driven system, teams can prioritize threats efficiently, enabling them to reduce the attack surface and protect data more effectively. 

Try a free trial and get started in just 15 minutes.

Share This Article

Related Content