Skip to content
All posts

Who's Behind the Screen? A Comprehensive Guide to Cyber Threat Actors


The threat of cyber-attacks becomes more prevalent as the world becomes increasingly reliant on technology. From nation-state actors to financially-motivated criminals, there are a wide variety of threat actors with differing motivations and skill sets that organizations must be prepared to defend against. Understanding these different profiles of threat actors is crucial for organizations to protect their assets and sensitive information effectively.

Often backed by government resources and funding, nation-state actors are typically motivated by political, economic, or strategic gain. On the other hand, financially-motivated criminals who seek monetary gain often engage in ransomware attacks or theft of personal and financial information. In addition, hacktivists may use their technical skills to promote a particular cause or ideology. At the same time, insider threats may involve employees or contractors with access to sensitive information who may intentionally or unintentionally cause harm. By understanding the motivations and techniques of different threat actors, organizations can better prepare their defenses and mitigate the risk of a cyber attack.

Understanding Threat Actors

The aim or goal behind attacks depends on the type of threat actor. While monetary gain drives many, others have more complex motivations. Understanding what motivates threat actors helps with organizational threat modeling, allowing organizations a better grasp of where to focus their defensive investments with more accurate threat models. 


Source: Coalfire


Initial access brokers

Initial Access Brokers (IABs) are a significant cybersecurity threat that have become a key factor towards the rise of ransomware attacks. These individuals or groups specialize in gaining access to compromised networks and selling that access to other nefarious actors. The methods used by IABs to obtain access can vary. One common tactic is stealing user or employee credentials through phishing or scam sites. These credentials can be stored long-term and used to breach networks well after the theft.  

Once IABs have successfully breached a network, they can sell access to it on the dark web or use it for their own malicious purposes. The impact of IABs can be severe, including data breaches, financial loss, and reputational damage. 


Initial Access Broker selling access via SSH/RDP/VNC/SHELL on a darkweb forum



Hacktivism is a form of cyberattack used by hacktivists to break into computer systems for politically or socially motivated reasons. These attacks target governments, corporations, and other prominent groups and individuals such as religious groups, drug traffickers, terrorists, or pedophiles. The primary objective of hacktivism is to make a statement in support of a particular cause or ideology. 

The cybercriminals involved in these attacks may deface websites, leak sensitive information, or carry out other disruptive activities to draw attention to their cause. While hacktivism is a form of cybercrime, some argue it serves as a legitimate form of activism in the digital age. It has a mixed public perception of the act, such as Edward Snowden’s leaking of government secrets using the ends justifying the means argument. 

As a result of the Russia-Ukraine conflict, hacktivist groups have matured and become more professional and organized with clear political ideologies affiliated with national interests. They now conduct military-like operations where they have focused on recruitment, training, sharing tools, intelligence and allocation of targets. 

Government sponsored/state-sponsored

Cyber attacks carried out by nation-state actors pose a significant cybersecurity threat. Cybercriminals directly linked to a particular government or state make up these groups, such as Iranian state sponsored APT42. Their primary objective is to spy on their adversaries, steal data and gather intelligence for defense or national interests. Attacks from these groups may also include long-term plays. These attacks compromise smaller organizations to conduct supply-chain attacks targeting larger organizations with more robust security. 

In some cases, they may also aim to identify or exploit vulnerabilities in national infrastructure to gain an advantage over their enemies. Nation-state cyber-attacks can have serious consequences, including data breaches, financial loss, and damage to critical infrastructure. These attacks are often sophisticated and can be challenging to detect and prevent.

Overview of APT42. Read more here!


Cyber terrorists

Cyberterrorism is a growing concern in today’s digital age. This type of terrorism uses the internet to spread propaganda, psychological campaigns, and intelligence to incite fear in the population. Cyber terrorists seek to influence governments and public bodies through their actions, often motivated by political, religious, ethnic, or ideological beliefs. 

Cyber terrorists are known to attack companies, organizations, and people to cause widespread panic and disruption. This drive makes them especially dangerous as it opens up a broader range of tactics, including direct destruction of data and infrastructure to disrupt infrastructure or harm individuals. Defending against this variety of threats is most complex as no variety of tactics is off the table for them. 

Organized cybercriminals

Organized cybercrime is a growing concern in the digital age. It involves a network of hackers, programmers, and other tech-savvy individuals who combine their skills and resources to commit cyber crimes. These individuals work together to gain unauthorized access to computer systems and networks, steal sensitive information, and carry out other illegal activities. 

These criminals come in a variety of structures. Some of them are connected through a rigid hierarchy where a boss issues orders which are propagated down to lower ranking or less skilled individuals to conduct a portion of the attack, such as in the example below showcasing the organizational structure of CONTI. Alternatively they may be a loose collective where they jointly decide on targets and each of them takes roles in the attack based on their expertise. 

For example one cybercriminal may be responsible for gaining initial access which they pass on to other team members who some go in and steal data, others work to install ransomware throughout the network. As a team, they each have a specialization and by dividing the attack they can cause wider impact in a single attack. 

The primary goal of organized cybercriminals is usually financial gain, but they may also have political or personal motives for their actions. Some cybercriminals aim to damage computers or networks to achieve their goals, while others seek to steal valuable information. 


Source: RiskInsight


Script Kiddies

Script kiddies are novice hackers who use pre-made scripts to hack and exploit computer systems. Their attacks are typically random and carried out with little understanding of the tools they are using, how they work, or the harm they may cause. Script kiddies are often motivated by personal reasons, such as seeking attention, creating chaos, or taking revenge. In some cases, they may also be motivated by financial gain. 

While their attacks may not be as sophisticated as those of more experienced hackers, they can still cause significant damage leading to company data breaches and financial loss. Especially considering the recent increase in the use of readily available Artificial Intelligence, such as ChatGPT, that make existing attacks more sophisticated.


An insider threat originates within the targeted organization, and typically involves a current or former employee or business associate with access to sensitive information or privileged accounts within an organization’s network who misuses this access. These insider threats have increased by 44% over the past two years, and as they often seek corporate secrets, sensitive data, passwords, and other types of access from secure networks, it puts companies at serious risk, often resulting in the direct theft of money or sensitive information.

The insider can be intentionally malicious, such as someone holding a grudge against a former employer. Alternatively, they may be an opportunistic employee. They may sell secret information to a competitor or unintentionally give away sensitive data due to a security mistake. Insiders can also become unwilling participants in cybercrime if blackmailed by criminal organizations into releasing sensitive information such as credentials, network diagrams, or financial data.

Source: TechTarget



Common Themes

Common motivations can lead to collaborations between different cyber threat actors, escalating the overall danger. While the specific objectives of each threat may vary, there are often similar underlying motivations, such as financial gain, political or social activism, or personal vendettas. 

These shared motivations can create common ground between cyber threat actors, leading them to collaborate and combine their skills and resources. When these varied groups collaborate, they can carry out more complex and widespread cyber attacks that pose an even more significant threat to individuals, organizations, and governments. 


Mitigating Threats 

Bfore.Ai provides organizations with the necessary tools to safeguard their brand and manage a wide range of cyber threats, no matter their motivation. With the increasing complexity and frequency of cyber attacks, it is essential to have comprehensive threat management capabilities. Bfore.Ai delivers advanced Prediction and PreEmption services powered by machine learning and artificial intelligence that quickly identifies and Preempts potential cyber threats. By leveraging these cutting-edge technologies, Bfore.Ai can help organizations stay ahead of emerging threats and minimize the risk of significant data breaches and financial losses using our PreCrime Technology

PreCrime Landscape Report Promo Blog AdTake control of your brand's reputation and schedule a demo with today and see how we can help your company put a stop to brand attacks.