What is a threat actor?
Threat actors are individuals or groups that attack digital devices, networks or computer systems
Subscribe to the IBM Newsletter Explore IBM Security QRadar
Isometric drawing showing different office personnel, all using IBM Security
What is a threat actor?

Threat actors, also known as cyber threat actors or malicious actors, are individuals or groups that intentionally cause harm to digital devices or systems. Threat actors exploit vulnerabilities in computer systems, networks, and software to perpetuate a variety of cyberattacks, including phishing, ransomware, and malware attacks. 

Today, there are many types of threat actors—all with varying attributes, motivations, skill levels, and tactics. Some of the most common types of threat actors include hacktivists, nation-state actors, cybercriminals, thrill seekers, insider threat actors, and cyberterrorists.

As the frequency and severity of cybercrimes continue to grow, understanding these different types of threat actors is increasingly critical for improving individual and organizational cybersecurity.

Types of threat actors

The term threat actor is broad and relatively all-encompassing, extending to any person or group that poses a threat to cybersecurity. Threat actors are often categorized into different types based on their motivation and, to a lesser degree, their level of sophistication. 


These individuals or groups commit cyber crimes, mostly for financial gain. Common crimes committed by cybercriminals include ransomware attacks, and phishing scams that trick people into making money transfers or divulging credit card information, login credentials, intellectual property or other private or sensitive information. 

Nation-state actors

Nation states and governments frequently fund threat actors with the goal of stealing sensitive data, gathering confidential information, or disrupting another government’s critical infrastructure. These malicious activities often include espionage or cyberwarfare and tend to be highly funded, making the threats complex and challenging to detect. 


These threat actors use hacking techniques to promote political or social agendas, such as spreading free speech or uncovering human rights violations. Hacktivists believe they are affecting positive social change and feel justified in targeting individuals, organizations, or government agencies to expose secrets or other sensitive information. A well-known example of a hacktivist group is Anonymous, an international hacking collective that claims to advocate for freedom of speech on the internet.

Thrill seekers

Thrill seekers are just what they sound like—they attack computer and information systems primarily for fun. Some want to see how much sensitive information or data they can steal; others want to use hacking to better understand how networks and computer systems work. One class of thrill seekers, called script kiddies, lack advanced technical skills, but use pre-existing tools and techniques to attack vulnerable systems, primarily for amusement or personal satisfaction. Though they don't always seek to cause harm, thrill seekers can still cause unintended damage by interfering with a network's cybersecurity and opening the door to future cyberattacks. 

Insider threats

Unlike most other actor types, insider threat actors do not always have malicious intent. Some hurt their companies through human error, e.g. by unwittingly installing malware, or losing a company-issued device that a cybercriminal finds and uses to access the network. But malicious insiders do exist—for example, the disgruntled employee who abuses access privileges to steal data for monetary gain, or causes damage to data or applications in retaliation for being passed over for promotion.


Cyberterrorists launch politcally or ideologically motivated cyberattacks that threaten or result in violence. Some cyberterrorists are nation-state actors; others actor on their own or on behalf of a non-government group. 

Threat actor targets

Threat actors often target large organizations; because they have more money and more sensitive data, they offer the largest potential payoff. 

In recent years, however, small and medium-sized businesses (SMBs) have also become frequent targets for threat actors due to their relatively weaker security systems. In fact, the FBI recently cited concern over the rising rates of cybercrimes committed against small businesses, sharing that in 2021 alone, small businesses lost USD 6.9 billion to cyberattacks, a 64 percent increase from the previous year (link resides outside ibm.com).

Similarly, threat actors increasingly target individuals and households for smaller sums. For example, they might break into home networks and computer systems to steal personal identity information, passwords, and other potentially valuable and sensitive data. In fact, current estimates suggest that one in three American households with computers are infected with some kind of malware (link resides outside ibm.com). 

Threat actors are not discriminating. Though they tend to go for the most rewarding or meaningful targets, they’ll also take advantage of any cybersecurity weakness, no matter where they find it, making the threat landscape increasingly costly and complex.

Threat actor tactics

Threat actors deploy a mixture of tactics when executing a cyber attack, relying more heavily on some than others, depending on their primary motivation, resources, and intended target. 


Malware is malicious software that damages or disables computers. Malware is often spread through email attachments, infected websites, or compromised software and can help threat actors steal data, take over computer systems, and attack other computers. Types of malware include viruses, worms, and Trojan horse viruses, which download onto computers disguised as legitimate programs. 

Learn more about malware

Ransomware is a type of malware that locks up the victim's data or device and threatens to keep it locked up—or worse—unless the victim pays a ransom to the attacker. Today most ransomware attacks are double-extortion attacks that also threaten to steal the victim's data and sell it or leak it online. According to the IBM Security X-Force Threat Intelligence Index 2023, ransomware attacks represented 17 percent of all cyberattacks in 2022.

Big game hunting (BGH) attacks are massive and coordinated ransomware campaigns that target large organizations—governments, major enterprises, critical infrastructure providers—that have lots to lose from an outage and will be more likely to pay a large ransom.

Learn more about ransomware

Phishing attacks use email, text messages, voice messages or fake web sites to decieve users into sharing sensitive data, downloading malware, or exposing themselves to cybercrime. Types of phishing include:

  • Spear phishing, a phishing attack that targets a specific individual or group of individuals with messages that appear to come from legitimate senders who have a relationship to the target

  • Business email compromise, a spear phishing attack that sends the victim fradulent email from a co-worker's or colleague's impersonated or hijacked email account

  • Whale phishing, a spear phising attack aimed sopecifically at high-level executives or corporate officers
Learn more about phishing
Social engineering

Phishing is one form of social engineering, a class of attacks and tactics that exploit feelings of fear, or urgency to manipulate people into making other mistakes that compromise their personal or organizational assets or security. Social engineering can be as simple as leaving a malware-infected USB drive where someone will find it (because 'hey, free USB drive!'), or as complex as spending months to cultivate long-distance romantic relationship with the victim in order to bilk them out plane fare for the can 'finally meet.'

Because social engineering exploits human weakness rather than technical vulnerabilities, it is sometimes called ‘human hacking.’

Learn more about social engineering
Denial of service attacks

This type of cyberattack works by flooding a network or server with traffic, making it unavailable to users. A distributed denial-of-service (DDoS) attack marshalls a distributed network of computers to send the malicious traffic, creating an attack that can overwhelm the target faster and be more difficult to detect, prevent or mitigate.

Learn more about DDoS attacks
Advanced persistent threats

Advanced persistent threats (APTs) are sophisticated cyberattacks that span months or years rather than hours or days. APTs enable threat actors to operate undetected in the victim's network—infiltrating computer systems, conducting espionage and reconnaissance, escalating privileges and permissions (called lateral movement), and stealing sensitive data. Because they can be incredibly difficult to detect and relatively expensive to execute, APTs are typically launched by nation-state actors or other well-funded threat actors.

Backdoor attacks

A backdoor attack exploits an opening in an operating system, application or computer system that is not protected by an organization's cybersecurity measures. Sometimes the backdoor is created by the software developer or hardware manufacturer, to enable upgrades, bug fixes or (ironically) security patches; other times threat actors create backdoors of their own using malware or by hacking the system. Backdoors allow threat actors to enter and exit computer systems undetected.

Threat actors vs. cybercriminals vs. hackers

The terms threat actor, hacker and cybercriminal are often used interchangeably, especially in Hollywood and popular culture. But there are subtle differences in the meanings of each and their relationship to each other.

  • Not all threat actors or cybercriminals are hackers. By definition, a hacker is someone with the technical skills to compromise a network or computer system. But some threat actors or cybercriminals don’t do anything more technical then leave an infected USB drive for someone to find and use, or send an email with a malware attached.

  • Not all hackers are threat actors or cybercriminals. For example, some hackers—called ethical hackers—essentially impersonate cybercriminals help organizations and government agencies test their computer systems for vulnerability to cyberthreats.

  • Certain types of threat actors aren’t cybercriminals by definition or intent, but are in practice. For example, a thrill seeker who is ‘just having fun’ by shutting down a town’s electrical grid for a few minutes, or a hacktivist who exfiltrates and publishes confidential government information in the name of a noble cause, may also be committing a cybercrime, whether or not they intend to or believe they are.


Staying ahead of threat actors

As technology becomes more sophisticated, so does the cyber threat landscape. To stay ahead of threat actors, organizations are continually evolving their cybersecurity measures and getting smarter about threat intelligence. Some steps that organizations take to mitigate the impact of threat actors, if not stop them altogether, include:

  • Security awareness training. Because threat actors often explore human error, employee training is an important line of defense. Security awareness training can cover anything from not using company-authorized devices, to properly storing password, to techniques for recognizing and dealing with phishing emails.

  • Multi-factor and adaptive authentication. Implementing multi-factor authentication (requiring one or more credentials in addition to a username and password) and/or adaptive authentication (requiring additional credentials when users log in from different devices or locations) can prevent hackers from gaining access to a user’s email account, even if they are able to steal the user’s email password.

Organizations can also perform regular security assessments to identify system vulnerabilities. Internal IT staff are usually capable of conducting these audits, but some companies outsource them to experts or external service providers. Running regular software updates also helps companies and individuals catch and shore up potential vulnerabilities in their computer and information systems.

Related solutions
IBM Security® QRadar® SIEM

Catch advanced threats that others simply miss. QRadar SIEM leverages analytics and AI to monitor threat intel, network and user behavior anomalies and to prioritize where immediate attention and remediation are needed.

Explore QRadar SIEM solutions

X-Force incident response team

Proactive threat hunting, continuous monitoring and a deep investigation of threats are just a few of the priorities facing an already busy IT department. Having a trusted incident response team on standby can reduce your response time, minimize the impact of a cyberattack, and help you recover faster.

Explore X-Force incident response
Ransomware protection solutions

To prevent and combat modern ransomware threats, IBM uses insight from 800 TB of threat activity data, information on more than 17 million spam and phishing attacks and reputation data on nearly 1 million malicious IP addresses from a network of 270 million endpoints.

Explore ransomware protection solutions
Resources What is a cyberattack?

Cyberattacks are attempts to steal, expose, alter, disable, or destroy another's assets through unauthorized access to computer systems.

Cost of a Data Breach

Now in its 17th year, this report shares the latest insights into the expanding threat landscape, and offers recommendations for saving time and limiting losses.

What is ransomware?

Ransomware is malware that holds victims' devices and data hostage, until a ransom is paid.

Take the next step

Cybersecurity threats are becoming more advanced and more persistent, and demanding more effort by security analysts to sift through countless alerts and incidents. IBM Security QRadar SIEM makes it easy to remediate threats faster while maintaining your bottom line. QRadar SIEM prioritizes high-fidelity alerts to help you catch threats that others simply miss.

Learn about QRadar SIEM Request a demo