Threat actors, also known as cyber threat actors or malicious actors, are individuals or groups that intentionally cause harm to digital devices or systems. Threat actors exploit vulnerabilities in computer systems, networks, and software to perpetrate a variety of cyberattacks, including phishing, ransomware, and malware attacks.
Today, there are many types of threat actors—all with varying attributes, motivations, skill levels, and tactics. Some of the most common types of threat actors include hacktivists, nation-state actors, cybercriminals, thrill seekers, insider threat actors, and cyberterrorists.
As the frequency and severity of cybercrimes continue to grow, understanding these different types of threat actors is increasingly critical for improving individual and organizational cybersecurity.
The term threat actor is broad and relatively all-encompassing, extending to any person or group that poses a threat to cybersecurity. Threat actors are often categorized into different types based on their motivation and, to a lesser degree, their level of sophistication.
These individuals or groups commit cybercrimes, mostly for financial gain. Common crimes committed by cybercriminals include ransomware attacks and phishing scams that trick people into making money transfers or divulging credit card information, login credentials, intellectual property, or other private or sensitive information.
Nation states and governments frequently fund threat actors with the goal of stealing sensitive data, gathering confidential information, or disrupting another government’s critical infrastructure. These malicious activities often include espionage or cyberwarfare and tend to be highly funded, making the threats complex and challenging to detect.
These threat actors use hacking techniques to promote political or social agendas, such as spreading free speech or uncovering human rights violations. Hacktivists believe they are effecting positive social change and feel justified in targeting individuals, organizations, or government agencies to expose secrets or other sensitive information. A well-known example of a hacktivist group is Anonymous, an international hacking collective that claims to advocate for freedom of speech on the internet.
Thrill seekers are just what they sound like—they attack computer and information systems primarily for fun. Some want to see how much sensitive information or data they can steal; others want to use hacking to better understand how networks and computer systems work. One class of thrill seekers, called script kiddies, lacks advanced technical skills but uses pre-existing tools and techniques to attack vulnerable systems, primarily for amusement or personal satisfaction. Though they don't always seek to cause harm, thrill seekers can still cause unintended damage by interfering with a network's cybersecurity and opening the door to future cyberattacks.
Unlike most other actor types, insider threat actors do not always have malicious intent. Some hurt their companies through human error, e.g. by unwittingly installing malware, or losing a company-issued device that a cybercriminal finds and uses to access the network. But malicious insiders do exist—for example, the disgruntled employee who abuses access privileges to steal data for monetary gain, or causes damage to data or applications in retaliation for being passed over for promotion.
Cyberterrorists launch politically or ideologically motivated cyberattacks that threaten or result in violence. Some cyberterrorists are nation-state actors; others act on their own or on behalf of a non-government group.
Threat actors often target large organizations; because they have more money and more sensitive data, they offer the largest potential payoff.
In recent years, however, small and medium-sized businesses (SMBs) have also become frequent targets for threat actors due to their relatively weaker security systems. In fact, the FBI recently cited concern over the rising rates of cybercrimes committed against small businesses, sharing that in 2021 alone, small businesses lost USD 6.9 billion to cyberattacks, a 64 percent increase from the previous year.
Similarly, threat actors increasingly target individuals and households for smaller sums. For example, they might break into home networks and computer systems to steal personal identity information, passwords, and other potentially valuable and sensitive data. In fact, current estimates suggest that one in three American households with computers is infected with some kind of malware.
Threat actors are not discriminating. Though they tend to go for the most rewarding or meaningful targets, they’ll also take advantage of any cybersecurity weakness, no matter where they find it, making the threat landscape increasingly costly and complex.
Threat actors deploy a mixture of tactics when executing a cyber attack, relying more heavily on some than others, depending on their primary motivation, resources, and intended target.
Malware is malicious software that damages or disables computers. Malware is often spread through email attachments, infected websites, or compromised software and can help threat actors steal data, take over computer systems, and attack other computers. Types of malware include viruses, worms, and Trojan horse viruses, which download onto computers disguised as legitimate programs.
Ransomware is a type of malware that locks up the victim's data or device and threatens to keep it locked up—or worse—unless the victim pays a ransom to the attacker. Today most ransomware attacks are double-extortion attacks that also threaten to steal the victim's data and sell it or leak it online. According to the IBM Security X-Force Threat Intelligence Index 2023, ransomware attacks represented 17 percent of all cyberattacks in 2022.
Big game hunting (BGH) attacks are massive and coordinated ransomware campaigns that target large organizations—governments, major enterprises, critical infrastructure providers—that have lots to lose from an outage and will be more likely to pay a large ransom.
Phishing attacks use email, text messages, voice messages or fake websites to deceive users into sharing sensitive data, downloading malware, or exposing themselves to cybercrime. Types of phishing include:
Phishing is one form of social engineering, a class of attacks and tactics that exploit feelings of fear or urgency to manipulate people into making other mistakes that compromise their personal or organizational assets or security. Social engineering can be as simple as leaving a malware-infected USB drive where someone will find it (because 'hey, free USB drive!'), or as complex as spending months cultivating a long-distance romantic relationship with the victim in order to bilk them out of plane fare so they can 'finally meet.'
Because social engineering exploits human weakness rather than technical vulnerabilities, it is sometimes called ‘human hacking.’
This type of cyberattack works by flooding a network or server with traffic, making it unavailable to users. A distributed denial-of-service (DDoS) attack marshals a distributed network of computers to send the malicious traffic, creating an attack that can overwhelm the target faster and be more difficult to detect, prevent or mitigate.
Advanced persistent threats (APTs) are sophisticated cyberattacks that span months or years rather than hours or days. APTs enable threat actors to operate undetected in the victim's network—infiltrating computer systems, conducting espionage and reconnaissance, escalating privileges and permissions, moving laterally from system to system, and stealing sensitive data. Because they can be incredibly difficult to detect and relatively expensive to execute, APTs are typically launched by nation-state actors or other well-funded threat actors.
A backdoor attack exploits an opening in an operating system, application or computer system that is not protected by an organization's cybersecurity measures. Sometimes the backdoor is created by the software developer or hardware manufacturer, to enable upgrades, bug fixes or (ironically) security patches; other times threat actors create backdoors of their own using malware or by hacking the system. Backdoors allow threat actors to enter and exit computer systems undetected.
The terms threat actor, hacker and cybercriminal are often used interchangeably, especially in Hollywood and popular culture. But there are subtle differences in the meanings of each and their relationship to each other.
Not all threat actors or cybercriminals are hackers. By definition, a hacker is someone with the technical skills to compromise a network or computer system. But some threat actors or cybercriminals don’t do anything more technical than leave an infected USB drive for someone to find and use, or send an email with malware attached.
Not all hackers are threat actors or cybercriminals. For example, some hackers—called ethical hackers—essentially impersonate cybercriminals to help organizations and government agencies test their computer systems for vulnerability to cyberthreats.
Certain types of threat actors aren’t cybercriminals by definition or intent, but are in practice. For example, a thrill seeker who is ‘just having fun’ by shutting down a town’s electrical grid for a few minutes, or a hacktivist who exfiltrates and publishes confidential government information in the name of a noble cause, may also be committing a cybercrime, whether or not they intend to or believe they are.
As technology becomes more sophisticated, so does the cyber threat landscape. To stay ahead of threat actors, organizations are continually evolving their cybersecurity measures and getting smarter about threat intelligence. Some steps that organizations take to mitigate the impact of threat actors, if not stop them altogether, include:
Security awareness training. Because threat actors often exploit human error, employee training is an important line of defense. Security awareness training can cover anything from using only company-authorized devices, to properly storing passwords, to techniques for recognizing and dealing with phishing emails.
Multi-factor and adaptive authentication. Implementing multi-factor authentication (requiring one or more credentials in addition to a username and password) and/or adaptive authentication (requiring additional credentials when users log in from different devices or locations) can prevent hackers from gaining access to a user’s email account, even if they are able to steal the user’s email password.
Enterprise security software. These solutions can help security teams and security operations centers (SOCs) detect and intercept aberrant or malicious activity across all IT infrastructure domains—endpoints, email, applications, the network and cloud workloads. They include (but are not limited to) security orchestration, automation and response (SOAR), security information and event management (SIEM), and extended detection and response (XDR).
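As an added example (not from the original article and not IBM's product code) of the adaptive authentication described above, the following Python policy challenges sign-ins that arrive from a device or country the user has never used, so a stolen password alone does not open the account; the user history, factor names and scenario are constructed assumptions.

```python
# Added illustration, not IBM's code: an adaptive-authentication policy that
# demands extra factors when a sign-in arrives from a device or country the
# user has never used, so a stolen password alone does not open the account.
from dataclasses import dataclass, field

@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)    # seen on past sign-ins
    known_countries: set = field(default_factory=set)

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    password_ok: bool                  # result of the primary credential check
    factors: frozenset = frozenset()   # extra factors the user has presented

def required_factors(profile: UserProfile, attempt: LoginAttempt) -> list:
    """Factors the policy demands beyond the password for this attempt."""
    extra = []
    if attempt.device_id not in profile.known_devices:
        extra.append("otp")            # unfamiliar device: one-time code
    if attempt.country not in profile.known_countries:
        extra.append("email_confirm")  # unfamiliar location: out-of-band check
    return extra

def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Return 'deny', 'allow' or 'step_up:<missing factors>'; on 'allow' the
    device and country are recorded so the user is not challenged again."""
    if not attempt.password_ok:
        return "deny"
    missing = [f for f in required_factors(profile, attempt)
               if f not in attempt.factors]
    if missing:
        return "step_up:" + ",".join(missing)
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    return "allow"

def demo() -> list:
    """Constructed scenario: a legitimate user, then someone holding her password."""
    alice = UserProfile({"laptop-1"}, {"US"})
    return [
        decide(alice, LoginAttempt("alice", "laptop-1", "US", True)),   # usual device
        decide(alice, LoginAttempt("alice", "dev-x", "XX", True)),      # stolen password
        decide(alice, LoginAttempt("alice", "dev-x", "XX", False)),     # wrong password
        decide(alice, LoginAttempt("alice", "phone-2", "US", True,
                                   frozenset({"otp"}))),                # new phone + OTP
    ]
```

The second attempt shows the point of the control: the correct password from an unfamiliar device and location yields a step-up challenge rather than access.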
Organizations can also perform regular security assessments to identify system vulnerabilities. Internal IT staff are usually capable of conducting these audits, but some companies outsource them to experts or external service providers. Running regular software updates also helps companies and individuals catch and shore up potential vulnerabilities in their computer and information systems.