Threat Actors — Class Notes
These notes explain what a threat actor is, the different types of threat actors, what motivates them, and why we care in cybersecurity.
1. What is a Threat Actor?
- A threat actor is any person, group, or organization that causes an event that affects someone else’s security.
- We often call them malicious actors because what they do usually hurts security — stealing data, disrupting services, spying, etc.
- We describe threat actors using attributes like:
- Where they are (inside your company or outside it)
- Resources (how much money, tools, people, and time they have)
- Skill level / sophistication
- Motivation (why they’re doing it)
Why this matters: If you know who attacked you, you can guess why they attacked you, how they did it, and what they’ll probably try next.
2. Internal vs External Threat Actors
- External attackers:
- Outside the organization
- Trying to break in through the internet, public systems, social engineering, etc.
- Examples: nation-state actors, hacktivists, organized crime
- Internal attackers:
- Already inside the organization
- Already have access to systems, data, or accounts
- Examples: insider threats, shadow IT
Key idea: Attackers are not always strangers. Sometimes it’s someone who already works there.
3. Attributes We Use to Describe Threat Actors
A. Resources / Funding
- Some attackers are low-budget (a person with a laptop and free tools).
- Some attackers are funded by a government with huge budgets.
- More money = more tools, more time, more power.
- Low funding → “I downloaded a free script and I’m hoping it works.”
- High funding → “We built a custom cyber weapon for this exact target.”
B. Sophistication (Skill Level)
- Low sophistication:
- Runs a script they found online
- Doesn’t fully know how it works
- Can’t fix it if it fails
- High sophistication:
- Builds their own malware, tools, and exploits
- Understands defenses and how to avoid them
- Can adapt and stay hidden
- Many attackers are in the middle.
C. Motivation (Why They Attack)
- Steal data or secrets (intellectual property, research, customer info)
- Make money
- Revenge
- Disrupt services to create chaos or embarrassment
- Political or social message
- Spying on competitors or governments (espionage)
- Sometimes: just “for the thrill”
You should always ask: “Why would someone want to attack this target?”
The answer usually tells you who is behind it.
4. Types of Threat Actors
4.1 Nation-State (Government / Military-Backed)
- Usually means: an entire government or a part of a government.
- Motivations:
- Political power
- Military advantage
- Control of information
- Causing disruption or instability
- Forcing another country to react
- They may try to steal data, damage infrastructure, or disrupt services like power, finance, or military systems.
- Resources: Extremely high. They have money, talent, tools, and time.
- They can run continuous attacks on multiple targets at once.
- These long-term, high-skill operations are called APTs — Advanced Persistent Threats:
- Advanced: Custom, high-end tools and exploits
- Persistent: They stay in the network quietly for a long time
- Threat: They are dangerous and strategic
- Example: The Stuxnet worm
- Built by the United States and Israel
- Designed to sabotage nuclear centrifuges
- Shows that code can break physical machines
Why they’re scary: Nation-states are patient, well-funded, and mission-focused.
4.2 Unskilled Attackers (a.k.a. "Script Kiddies")
- Attackers with little or no technical understanding.
- They download hacker tools or scripts written by someone else and just run them.
- If it works, great. If it fails, they usually don’t know how to fix it.
- Motivation:
- Thrill / curiosity
- Show off
- Cause chaos or embarrassment
- Resources: Very low.
- Sophistication: Low.
- Usually external attackers, but sometimes someone inside an organization acts this way too.
- They can still do real damage if they get lucky and the target is weak.
4.3 Hacktivists
- Hacktivist = Hacker + Activist.
- Motivation:
- Politics
- Social causes
- Exposing or embarrassing an organization
- Typical actions:
- Taking down websites (denial of service)
- Defacing websites with their own messages
- Leaking private documents to the public
- Resources: Usually not rich or government-funded.
- Some hacktivist groups do fundraising to pay for tools and infrastructure.
- Sophistication: Can be high. Many hacktivists are skilled.
- They are usually external, but in some cases a hacktivist may get hired by the target organization and act from the inside.
4.4 Insider Threat
- This is someone inside the organization who decides to attack it.
- Could be an employee, contractor, or someone who was hired for the purpose of spying or stealing.
- Motivation:
- Revenge (“I’m angry at this company”)
- Money (“I can sell this data”)
- Why insiders are dangerous:
- They already have valid login credentials.
- They already know where sensitive data is stored.
- They often know how to work around security quietly.
- Sophistication: Usually medium. They don’t always need elite hacking skills because they already have access.
- Defense against insiders:
- Good hiring/vetting
- Monitoring access and behavior
- “Need-to-know” access limits
- Important: This is not “I made a mistake with my password.” This is intentional, malicious activity.
4.5 Organized Crime
- Main goal: MONEY.
- Everything they do is to profit.
- Common activities:
- Ransomware (locking systems and demanding payment)
- Stealing and selling data
- Blackmail/extortion (“Pay us or we leak this.”)
- These groups often act like businesses:
- Person A: Breaks in
- Person B: Designs and updates the malware
- Person C: Sells stolen data
- Person D: Handles “customer support” to help victims pay ransom
- Resources: High, because crime brings in money.
- Sophistication: High, because they keep improving tools and methods.
4.6 Shadow IT
- Shadow IT = Any system, app, server, database, etc. that employees set up without approval from the official IT department.
- Example:
- A department spins up its own cloud server because “IT is too slow.”
- They store company data in a personal app or personal cloud drive.
- Why they do it:
- They want fast results.
- They don’t want to follow IT rules, security review, budgeting, change control, etc.
- Why it’s risky:
- No security review
- No proper backups
- No patching or monitoring
- IT/security may not even know this system exists
- Shadow IT is usually not intentionally evil, but it can accidentally expose sensitive data to the outside world.
- It is considered internal because it happens inside the organization.
- Sophistication: Often low to medium. Many times these are non-IT people who don’t fully understand security.
5. Comparing the Threat Actors
| Threat Actor | Internal / External | Motivation | Resources / Funding | Skill / Sophistication |
|---|---|---|---|---|
| Nation-State | Mostly external | Political, military, strategic control | Extremely high | Very high (APT-level) |
| Unskilled Attacker (“Script Kiddie”) | Mostly external (sometimes internal) | Thrill, disruption, ego | Very low | Low |
| Hacktivist | Mostly external (can infiltrate) | Cause / ideology / political message | Usually low | Medium to high |
| Insider Threat | Internal | Revenge, money, anger | Uses company’s own resources | Medium (knows the environment) |
| Organized Crime | External | Money / profit | High (criminal funding) | High |
| Shadow IT | Internal | “Get work done fast” (not wait for IT) | Low to medium (department budget) | Low to medium |
6. Why This Matters in Cybersecurity
- Different attackers require different defenses.
- You defend against a nation-state differently than you defend against shadow IT.
- You watch insiders differently than you block random internet scans.
- If you understand:
- who is attacking,
- what they want, and
- how capable they are,
you can design better protection.
That’s basically the job in cybersecurity:
Identify the actor, predict the goal, block the path.