Threat actors, also known as cyberthreat actors or malicious actors, are individuals or groups that intentionally cause harm to digital devices or systems. Threat actors exploit vulnerabilities in computer systems, networks and software to perpetuate various cyberattacks, including phishing, ransomware and malware attacks.
Today, there are many types of threat actors, all with varying attributes, motivations, skill levels and tactics. Some of the most common types of threat actors include hacktivists, nation-state actors, cybercriminals, thrill seekers, insider threat actors and cyberterrorists.
As the frequency and severity of cybercrimes continue to grow, understanding these different types of threat actors is increasingly critical for improving individual and organizational cybersecurity.
Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.
Register for the X-Force Threat Intelligence Index
The term threat actor is broad and relatively all-encompassing, extending to any person or group that poses a threat to cybersecurity. Threat actors are often categorized into different types based on their motivation and to a lesser degree, their level of sophistication.
These individuals or groups commit cybercrimes mostly for financial gain. Common crimes that are committed by cybercriminals include ransomware attacks and phishing scams that trick people into making money transfers or divulging credit card information, login credentials, intellectual property or other private or sensitive information.
Nation states and governments frequently fund threat actors with the goal of stealing sensitive data, gathering confidential information or disrupting another government’s critical infrastructure. These malicious activities often include espionage or cyberwarfare and tend to be highly funded, making the threats complex and challenging to detect.
These threat actors use hacking techniques to promote political or social agendas, such as spreading free speech or uncovering human rights violations. Hacktivists believe that they are affecting positive social change and feel justified in targeting individuals, organizations or government agencies to expose secrets or other sensitive information. A well-known example of a hacktivist group is Anonymous, an international hacking collective that claims to advocate for freedom of speech on the internet.
Thrill seekers are just what they sound like: they attack computer and information systems primarily for fun. Some want to see how much sensitive information or data they can steal; others want to use hacking to better understand how networks and computer systems work. One class of thrill seekers, called script kiddies, lack advanced technical skills, but use pre-existing tools and techniques to attack vulnerable systems, primarily for amusement or personal satisfaction. Though they don't always seek to cause harm, thrill seekers can still cause unintended damage by interfering with a network's cybersecurity and opening the door to future cyberattacks.
Unlike most other actor types, insider threat actors do not always have malicious intent. Some hurt their companies through human error, such as by unwittingly installing malware or losing a company-issued device that a cybercriminal finds and uses to access the network. But malicious insiders do exist. For example, the disgruntled employee who abuses access privileges to steal data for monetary gain or inflicts damage to data or applications in retaliation for being passed over for promotion.
Cyberterrorists start politically or ideologically motivated cyberattacks that threaten or result in violence. Some cyberterrorists are nation-state actors; others are actors on their own or on behalf of a nongovernment group.
Threat actors often target large organizations; because they have more money and more sensitive data, they offer the largest potential payoff.
However, in recent years, small and medium-sized businesses (SMBs) have also become frequent targets of threat actors due to their relatively weaker security systems. In fact, the FBI recently cited concern over the rising rates of cybercrimes that are committed against small businesses, sharing that in 2021 alone, small businesses lost USD 6.9 billion to cyberattacks, a 64 percent increase from the previous year (link resides outside ibm.com).
Similarly, threat actors increasingly target individuals and households for smaller sums. For example, they might break into home networks and computer systems to steal personal identity information, passwords and other potentially valuable and sensitive data. In fact, current estimates suggest that one in three American households with computers are infected with malware (link resides outside ibm.com).
Threat actors are not discriminating. Though they tend to go for the most rewarding or meaningful targets, they’ll also take advantage of any cybersecurity weakness, no matter where they find it, making the threat landscape increasingly costly and complex.
Threat actors deploy a mixture of tactics when running a cyberattack, relying more heavily on some than others, depending on their primary motivation, resources and intended target.
Malware is malicious software that damages or disables computers. Malware is often spread through email attachments, infected websites or compromised software and can help threat actors steal data, take over computer systems and attack other computers. Types of malware include viruses, worms and Trojan horse viruses, which download onto computers disguised as legitimate programs.
Ransomware is a type of malware that locks up the victim's data or device and threatens to keep it locked up—or worse—unless the victim pays a ransom to the attacker. Today most ransomware attacks are double-extortion attacks that also threaten to steal the victim's data and sell it or leak it online. According to the IBM Security® X-Force® Threat Intelligence Index 2023, ransomware attacks represented 17 percent of all cyberattacks in 2022.
Big game hunting (BGH) attacks are massive and coordinated ransomware campaigns that target large organizations, including governments, major enterprises, and critical infrastructure providers that have lots to lose from an outage and will be more likely to pay a large ransom.
Phishing attacks use email, text messages, voice messages or fake websites to deceive users into sharing sensitive data, downloading malware or exposing themselves to cybercrime. Types of phishing include:
- Spear phishing, a phishing attack that targets a specific individual or group of individuals with messages that appear to come from legitimate senders who have a relationship to the target.
- Business email compromise, a spear phishing attack that sends the victim a fraudulent email from a co-workers or colleague's impersonated or hijacked email account.
- Whale phishing, a spear phishing attack aimed specifically at high-level executives or corporate officers.
Phishing is one form of social engineering, a class of attacks and tactics that exploit feelings of fear or urgency to manipulate people into making other mistakes that compromise their personal or organizational assets or security. Social engineering can be as simple as leaving a malware-infected USB drive where someone will find it (because "hey, free USB drive!"), or as complex as spending months cultivating a long-distance romantic relationship with the victim in order to bilk them out of plane fare so they can "finally meet".
Because social engineering exploits human weakness rather than technical vulnerabilities, it is sometimes called "human hacking".
This type of cyberattack works by flooding a network or server with traffic, making it unavailable to users. A distributed denial-of-service (DDoS) attack marshalls a distributed network of computers to send the malicious traffic, creating an attack that can overwhelm the target faster and be more difficult to detect, prevent or mitigate.
Advanced persistent threats (APTs) are sophisticated cyberattacks that span months or years rather than hours or days. APTs enable threat actors to operate undetected in the victim's network, infiltrating computer systems, conducting espionage and reconnaissance, escalating privileges and permissions (called lateral movement) and stealing sensitive data. Because they can be incredibly difficult to detect and relatively expensive to run, APTs are typically started by nation-state actors or other well-funded threat actors.
A backdoor attack exploits an opening in an operating system, application or computer system that is not protected by an organization's cybersecurity measures. Sometimes, the backdoor is created by the software developer or hardware manufacturer to enable upgrades, bug fixes or (ironically) security patches; other times, threat actors create backdoors of their own using malware or by hacking the system. Backdoors allow threat actors to enter and exit computer systems undetected.
The terms threat actor, hacker and cybercriminal are often used interchangeably, especially in Hollywood and popular culture. But there are subtle differences in the meanings of each and their relationship to each other.
Not all threat actors or cybercriminals are hackers. By definition, a hacker is someone with the technical skills to compromise a network or computer system. But some threat actors or cybercriminals don’t do anything more technical than leave an infected USB drive for someone to find and use, or send an email with a malware attached.
Not all hackers are threat actors or cybercriminals. For example, some hackers, called ethical hackers, essentially impersonate cybercriminals to help organizations and government agencies test their computer systems for vulnerability to cyberthreats.
Certain types of threat actors aren’t cybercriminals by definition or intent, but are in practice. For example, a thrill seeker who is "just having fun" by shutting down a town’s electrical grid for a few minutes, or a hacktivist who exfiltrates and publishes confidential government information in the name of a noble cause may also be committing a cybercrime, whether they intend to or believe that they are.
As technology becomes more sophisticated, so does the cyberthreat landscape. To stay ahead of threat actors, organizations are continually evolving their cybersecurity measures and getting smarter about threat intelligence. Some steps that organizations take to mitigate the impact of threat actors, if not to stop them altogether, include:
Security awareness training. Because threat actors often explore human error, employee training is an important line of defense. Security awareness training can cover anything from not using company-authorized devices to properly storing passwords to techniques for recognizing and dealing with phishing emails.
Multi-factor and adaptive authentication. Implementing multi-factor authentication (requiring one or more credentials in addition to a username and password) and/or adaptive authentication (requiring additional credentials when users log in from different devices or locations) can prevent hackers from gaining access to a user’s email account, even if they are able to steal the user’s email password.
- Endpoint security solutions. These range from antivirus software, which detects and stops known malware and viruses, to tools such as endpoint detection and response (EDR) solutions that use artificial intelligence (AI) and analytics to help security teams detect and respond to threats that get past traditional endpoint security software.
- Network security technologies. The foundational network security technology is the firewall, which stops suspicious traffic from entering or leaving a network while allowing legitimate traffic through. Other technologies include intrusion prevention systems (IPSs), which monitor the network for potential threats and intervene to stop them, and network detection and response (NDR), which uses AI, machine learning and behavioral analytics to help security professionals detect and automate responses to cyberthreats.
Enterprise security software. These solutions can help security teams and security operations centers (SOCs) detect and intercept aberrant or malicious activity across all IT infrastructure domains—endpoints, email, applications, the network and cloud workloads. They include (but are not limited to) security orchestration, automation and response (SOAR), security incident and event management (SIEM) and extended detection and response (XDR).
Organizations can also perform regular security assessments to identify system vulnerabilities. Internal IT staff are usually capable of conducting these audits, but some companies outsource them to experts or external service providers. Running regular software updates also helps companies and individuals catch and shore up potential vulnerabilities in their computer and information systems.
Detect advanced threats that others miss. QRadar SIEM uses analytics and AI to monitor threat intel, network and user behavior anomalies and to prioritize where immediate attention and remediation are needed.
Proactive threat hunting, continuous monitoring and a deep investigation of threats are just a few of the priorities confronting an already busy IT department. Having a trusted incident response team on standby can reduce your response time, minimize the impact of a cyberattack and help you recover faster.
To prevent and combat modern ransomware threats, IBM® uses insight from 800 TB of threat activity data, information on more than 17 million spam and phishing attacks and reputation data on nearly 1 million malicious IP addresses from a network of 270 million endpoints.
Cyberattacks are attempts to steal, expose, alter, disable or destroy another's assets through unauthorized access to computer systems.
Now in its 17th year, this report shares the latest insights into the expanding threat landscape and offers recommendations for saving time and limiting losses.
Ransomware is malware that holds victims' devices and data hostage until a ransom is paid.