Threat Intelligence

Threat Actors Explained

8 min read·Updated 2026-04-26
TL;DR

Threat actors come in a small number of recognisable categories: nation-state intelligence services, organised cybercrime groups, ransomware affiliates, hacktivists, insiders, and a long tail of smaller operators. Their motivations, sophistication, and targeting patterns differ in predictable ways. Attribution (figuring out who did a specific attack) is harder than people assume and useful only when you understand its limits.

What it is

A threat actor is whoever is on the other end of an attack. The term is deliberately vague, because in practice you rarely know exactly who is attacking you when you are first seeing the activity. You might know it is a Russian-speaking group with a particular set of tools. You might know it is an affiliate of a ransomware-as-a-service operation. You might just know it is someone using a specific phishing kit. All of these qualify as "threat actor" descriptions at different levels of specificity.

In threat intelligence vocabulary, an actor can be:

  • An individual. A single person operating alone or as part of a group.
  • A group. A collective with shared infrastructure, tooling, or operational patterns. APT29, FIN7, and Lazarus are examples.
  • A campaign. A specific operation, possibly run by an actor whose identity is not yet established.
  • An ecosystem. A loosely connected set of operators sharing infrastructure or services. The ransomware affiliate ecosystem is the canonical example.

Different vendors use different naming conventions for the same group. Mandiant calls one group APT41. CrowdStrike calls them Wicked Panda. Microsoft calls them Brass Typhoon. They are all describing the same operators. Sorting out who is naming whom takes some practice.

The major categories

There is no clean taxonomy of threat actors, but a small number of categories cover most of what defenders see in practice.

Nation-state and state-aligned groups

Government-funded operators conducting espionage, sabotage, or strategic operations on behalf of a nation. Often referred to as APTs (advanced persistent threats), although the term has lost most of its meaning through overuse.

The major countries with significant offensive cyber programmes:

  • Russia. Multiple distinct groups, often run out of the GRU (military intelligence) and the SVR/FSB (foreign and domestic intelligence). Notable groups include APT28 (Fancy Bear, GRU), APT29 (Cozy Bear, SVR), and Sandworm (GRU, responsible for NotPetya, Ukraine grid attacks). Targets vary from government and military to private sector strategic interests.
  • China. A large and diverse cyber programme spanning the Ministry of State Security and PLA units. APT1, APT10, APT41, Volt Typhoon, and Salt Typhoon are among the well-documented groups. Targeting prioritises strategic technology theft, telecommunications, and infrastructure pre-positioning.
  • North Korea. The Lazarus Group umbrella covers operations including financial theft (the SWIFT bank heists, cryptocurrency exchange compromises) and espionage. Cryptocurrency theft alone has reportedly provided a significant share of the regime's funding.
  • Iran. Multiple groups (APT33, APT34, APT35, MuddyWater) running espionage and increasingly destructive operations against regional rivals and Western targets.
  • Other state programmes. Israel, the United States, the UK, France, India, Pakistan, South Korea, Vietnam, and a growing list of others have documented offensive capabilities. Most are less visible publicly because of the targets they pick.

These actors generally have time, money, and patience that criminal groups do not. They will spend months or years inside a network before being detected.

Organised cybercrime

Groups whose purpose is making money. They run scaled operations across multiple specialisations: initial access brokering, malware development, credential trading, money laundering, and (in the most visible category) ransomware.

Notable historical and active groups:

  • FIN7. Long-running group focused on payment card theft from retail and hospitality, which has also pivoted into ransomware affiliations.
  • The TrickBot/Conti/Black Basta lineage. A long-running operation that has changed names and structure multiple times following law enforcement actions and internal leaks.
  • The LockBit ecosystem. Until 2024 the dominant ransomware-as-a-service operation. Disrupted by Operation Cronos. Successor groups absorbed much of the affiliate base.
  • REvil/Sodinokibi. Another major RaaS operation, disrupted in 2021 with some operators reappearing in successor groups.
  • Scattered Spider (UNC3944). English-speaking, social-engineering-heavy group responsible for high-profile retail and hospitality breaches in 2023 to 2024.

The lines between organised crime and state-sponsored activity blur regularly, particularly with Russian-speaking groups whose members have been observed coordinating with state interests when convenient.

Ransomware affiliates

Worth treating as their own category because of how the ecosystem now works. A ransomware-as-a-service operation provides the malware, the negotiation infrastructure, the leak site, and the payment processing. Affiliates do the actual breaching and deployment. Affiliates change operators frequently, sometimes running campaigns under multiple RaaS brands at the same time.

This means the "actor" behind a specific incident is often more accurately described as "an affiliate using LockBit's tooling" rather than "LockBit". Tracking affiliate-level patterns across operator changes is its own discipline.

Hacktivists

Politically or ideologically motivated actors. Targets are picked for symbolic value rather than financial gain. Common patterns include website defacement, DDoS attacks, and data leaks to embarrass the target.

The category has changed significantly over time. The Anonymous-style movements of the early 2010s evolved into more state-aligned operations during the Russia-Ukraine conflict, with groups like Killnet and IT Army of Ukraine carrying out operations whose hacktivist label is debatable. Pure ideological hacktivism still exists but the line between hacktivism and state-aligned proxy operations has thinned.

Insiders

Employees, contractors, or partners who have legitimate access and use it for unauthorised purposes. Either malicious (deliberate theft, sabotage) or accidental (data leakage through misconfiguration). The Verizon Data Breach Investigations Report consistently shows insiders as a meaningful share of incidents, although outweighed by external actors in absolute numbers.

Notable patterns:

  • Departing employees taking customer lists or proprietary data
  • Contractors with extended privileged access used after the engagement ends
  • Privilege escalation through legitimate access plus negligent controls
  • Recruited insiders working for external attackers (rare but rising, with state actors and ransomware groups openly recruiting)

Lone actors and small groups

Individual operators or small ad-hoc teams running smaller-scale operations. Phishing kit operators, individual scammers, low-end stealer operators, opportunistic credential stuffers. Volume is enormous, sophistication is generally low, but cumulative damage is significant.

Script kiddies and opportunistic operators

The bottom of the skill curve. Using public tools, copy-pasted exploits, and free phishing kits. Real damage from any single operator is rare, but mass scanning and opportunistic exploitation by this category account for a lot of the background noise on any internet-facing asset.

Motivations

Understanding why an actor is attacking shapes what they will do once they are in.

  • Financial gain. Ransomware, theft, fraud, extortion, cryptocurrency theft. Most of cybercrime falls here. Behaviour is monetisation-focused: deploy ransomware, exfiltrate data for resale, drain accounts.
  • Espionage. Stealing information for strategic advantage. State actors and some commercially-motivated competitors. Behaviour is stealth-focused: stay hidden, collect for long periods, exfiltrate selectively.
  • Sabotage and disruption. Destroying or degrading systems to harm the target. Sandworm's NotPetya, the various wiper campaigns against Ukraine, Iranian campaigns against Saudi targets. Behaviour is destructive: deploy wipers, target operational technology, time attacks for maximum impact.
  • Ideology. Hacktivism, political messaging, religious motivation. Behaviour varies but tends toward visibility (defacement, data dumps) rather than stealth.
  • Ego and reputation. Bragging rights, status in underground communities, "owning" a famous target. Behaviour involves visible compromises, public claims, sometimes theatrical leaks.
  • Personal grievance. Disgruntled former employees, stalkers, doxxers. Targeted, often personal, sometimes overlapping with insider threat.

A single actor can have multiple motivations. North Korean operators do espionage and financial theft. Russian operators do espionage and (through plausibly deniable proxies) sabotage. The motivation profile is one of the inputs to predicting what they will do.

How attribution actually works

Attribution sounds clean in incident reports. It is not.

The signals analysts use to attribute activity include:

  • Tooling. Malware families, command-and-control infrastructure, custom tools that have been seen with specific groups before.
  • Infrastructure overlaps. Domains, IPs, hosting providers, certificate patterns shared with previous attributed activity.
  • TTPs (tactics, techniques, procedures). How the actor operates: lateral movement methods, persistence techniques, exfiltration patterns. The MITRE ATT&CK framework gives a shared vocabulary.
  • Targeting. Which sectors, geographies, and types of organisation get hit. Patterns are recognisable over time.
  • Timing patterns. Working hours, days off, holiday breaks. These leak operator location.
  • Language artefacts. Comments in code, ransom note phrasing, command-line errors, document metadata.
  • Operational mistakes. Briefly using a real IP, accidentally signing into a real account, leaving artefacts that pivot back to known infrastructure.

The combination of multiple signals is what makes attribution credible. Single signals are rarely enough.
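The "timing patterns" signal above is one of the few that can be worked through mechanically. The following is an added example, not code from the original article: it shifts a week of constructed activity timestamps (hypothetical EDR telemetry, not real incident data) across every candidate UTC offset and asks which offset puts the most activity inside a weekday 09:00 to 17:00 window. The confidence check at the end encodes the caveat from the text: a timing profile narrows the hypothesis space, it does not carry an attribution on its own.

```python
"""Added example (not from the article): inferring an operator's working
timezone from the 'timing patterns' attribution signal.

All timestamps below are constructed for illustration; they are not taken
from any real incident.
"""
from datetime import datetime, timedelta

# Constructed sample: UTC timestamps of hands-on-keyboard activity, as an
# analyst might pull from EDR or proxy logs over one week of an intrusion.
SAMPLE_EVENTS_UTC = [
    "2024-03-04T06:15:00+00:00", "2024-03-04T08:05:00+00:00",
    "2024-03-04T10:30:00+00:00", "2024-03-04T13:20:00+00:00",
    "2024-03-05T07:40:00+00:00", "2024-03-05T11:10:00+00:00",
    "2024-03-05T12:50:00+00:00",
    "2024-03-06T06:15:00+00:00", "2024-03-06T10:30:00+00:00",
    "2024-03-06T13:20:00+00:00", "2024-03-06T18:00:00+00:00",  # late outlier
    "2024-03-07T08:05:00+00:00", "2024-03-07T11:10:00+00:00",
    "2024-03-07T12:50:00+00:00",
    "2024-03-08T07:40:00+00:00", "2024-03-08T10:30:00+00:00",
    "2024-03-08T13:45:00+00:00",
    "2024-03-09T09:00:00+00:00",  # Saturday: scheduled task, not an operator
]


def parse_events(stamps):
    """Parse ISO-8601 strings (with a UTC offset) into aware datetimes."""
    return [datetime.fromisoformat(s) for s in stamps]


def working_hours_hits(events, offset_minutes, start_hour=9, end_hour=17):
    """Count events that fall on a weekday within [start_hour, end_hour)
    once every timestamp is shifted to the candidate UTC offset."""
    shift = timedelta(minutes=offset_minutes)
    hits = 0
    for t in events:
        local = t + shift
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits


def rank_offsets(events, step_minutes=30):
    """Score every offset from UTC-12:00 to UTC+14:00 in 30-minute steps.
    Returns (hits, offset_minutes) pairs, best fit first; ties prefer the
    offset closest to UTC so the ranking is deterministic."""
    candidates = range(-12 * 60, 14 * 60 + 1, step_minutes)
    scored = [(working_hours_hits(events, off), off) for off in candidates]
    scored.sort(key=lambda pair: (-pair[0], abs(pair[1])))
    return scored


def infer_offset(events, min_events=15, min_margin=1):
    """Return (best_offset_minutes, hits, confident).

    'confident' is False when the sample is too small or when the runner-up
    offset fits almost as well. Even when True, this is one signal among
    several, and it is easy for an operator to work odd hours deliberately."""
    ranked = rank_offsets(events)
    (best_hits, best_off), (second_hits, _) = ranked[0], ranked[1]
    confident = len(events) >= min_events and best_hits - second_hits >= min_margin
    return best_off, best_hits, confident


def fmt_offset(minutes):
    """Render an offset in minutes as '+HH:MM' / '-HH:MM'."""
    sign = "-" if minutes < 0 else "+"
    minutes = abs(minutes)
    return f"{sign}{minutes // 60:02d}:{minutes % 60:02d}"


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS_UTC)
    best, hits, confident = infer_offset(evts)
    print(f"best fit UTC{fmt_offset(best)}: {hits}/{len(evts)} events in weekday "
          f"09:00-17:00 (confident={confident})")
    for h, off in rank_offsets(evts)[:4]:
        print(f"  UTC{fmt_offset(off)}: {h}")
```

On the constructed sample the best fit is UTC+03:00 with 16 of 18 events in window; UTC+03:30 is one event behind, which is why the margin check matters. Real intrusions give noisier data, and adjacent half-hour offsets will often tie, so the output is a candidate range to weigh against tooling, infrastructure and targeting, not a location.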

What attribution cannot reliably do:

  • Identify specific individuals. Group-level attribution is much more reliable than person-level. Saying "this is APT29" is easier than saying "this is Vladimir, a 32-year-old SVR officer."
  • Survive false flags. Sophisticated operators deliberately plant artefacts associated with other groups. The Lazarus Group has been observed using techniques designed to look Russian. Russian groups have used Chinese malware. Treat any attribution as a likelihood, not a certainty.
  • Move at the speed of incidents. Real attribution takes weeks or months of analysis. The "this is country X" claim made within hours of an incident is usually political or PR, not analytical.

For most defenders, group-level attribution is useful when it informs defence (different groups have different TTPs, so knowing which one is operating tells you what to look for next). Individual attribution is useful for law enforcement and almost nothing else.
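The points above about vendor naming, about needing several signals rather than one, and about false flags can be put together in a small scoring routine. This is an added example, not code from the article or from any vendor: it folds the page's aliases (APT41 / Wicked Panda / Brass Typhoon, APT28 / Fancy Bear, APT29 / Cozy Bear) onto one label before counting, weights each signal type by how hard it is to forge, and only reports an attribution as corroborated when several independent signal types agree. The weights, the signal-type names and the two scenarios are assumptions constructed for illustration, not a published scheme.

```python
"""Added example (not from the article): combining attribution signals.

Normalises vendor naming (APT41 / Wicked Panda / Brass Typhoon are one group)
before aggregating, weights each signal type by how hard it is to forge, and
refuses to call an attribution 'corroborated' unless several independent
signal types agree. The weights and the sample signals are assumptions made
for illustration, not a published scoring scheme.
"""
from collections import defaultdict

# Vendor aliases mentioned on the page, lower-cased for lookup. Extend as needed.
ALIASES = {
    "apt41": "APT41", "wicked panda": "APT41", "brass typhoon": "APT41",
    "apt28": "APT28", "fancy bear": "APT28",
    "apt29": "APT29", "cozy bear": "APT29",
    "lazarus": "Lazarus", "lazarus group": "Lazarus",
}

# Assumed weights: infrastructure reuse and operational mistakes are costly to
# fake; code comments or ransom-note language are cheap to plant as a false flag.
SIGNAL_WEIGHT = {
    "infrastructure": 3.0,
    "operational_mistake": 3.0,
    "tooling": 2.0,
    "ttp": 2.0,
    "targeting": 1.0,
    "timing": 1.0,
    "language": 0.5,
}


def canonical(name):
    """Map a vendor-specific group name onto one canonical label."""
    key = name.strip().lower()
    return ALIASES.get(key, name.strip())


def assess(signals, min_signal_types=3):
    """signals: list of (signal_type, group name as the reporting vendor wrote it).

    Returns (top_group, likelihood, corroborated). likelihood is the top
    group's share of total weighted support; corroborated is True only when
    at least min_signal_types distinct signal types point at that group."""
    support = defaultdict(float)
    types_seen = defaultdict(set)
    for signal_type, reported in signals:
        group = canonical(reported)
        support[group] += SIGNAL_WEIGHT[signal_type]
        types_seen[group].add(signal_type)
    total = sum(support.values())
    top, score = max(support.items(), key=lambda kv: kv[1])
    likelihood = round(score / total, 2)
    corroborated = len(types_seen[top]) >= min_signal_types
    return top, likelihood, corroborated


# Constructed scenario A: three vendors, three names, one group, plus one
# cheap contradicting artefact. Expected: APT41, 0.93, corroborated.
SCENARIO_A = [
    ("tooling", "Wicked Panda"),
    ("infrastructure", "APT41"),
    ("ttp", "Brass Typhoon"),
    ("language", "APT28"),
]

# Constructed scenario B: every signal is a language artefact. The numbers look
# unanimous, but a single forgeable signal type is exactly what a false flag
# produces. Expected: APT28, 1.0, NOT corroborated.
SCENARIO_B = [
    ("language", "Fancy Bear"),
    ("language", "APT28"),
]

if __name__ == "__main__":
    for label, scenario in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(label, assess(scenario))
```

Scenario B is the instructive one: the likelihood reads as 1.0, yet the result is flagged as uncorroborated because everything rests on one signal type. Without the alias step, scenario A would split APT41's support three ways and the top candidate would look far weaker than it is.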

Sophistication tiers

A rough hierarchy that informs defence:

  • Tier 1. Top-tier nation-state programmes. Custom zero-days, novel implants, multi-year operations. Measured in single-digit numbers globally.
  • Tier 2. Capable nation-state and apex criminal operators. Strong tradecraft, commercial-grade tooling, sometimes zero-days but mostly known vulnerabilities used skilfully.
  • Tier 3. Organised cybercrime groups, ransomware affiliates, well-resourced criminal operators. Off-the-shelf tools used effectively, social engineering as the primary entry vector.
  • Tier 4. Lone operators, low-end criminals, hacktivists with limited resources. Public tools, public exploits, opportunistic targeting.
  • Tier 5. Script kiddies, automated mass-scan operators, copycats.

Most defenders are not facing tier 1 actors regularly. Most defenders are facing tier 3 and tier 4, who account for the overwhelming majority of incidents and from whom basic security hygiene provides meaningful protection.

Sector targeting patterns

Different actors prefer different sectors, and this has stayed reasonably consistent over time.

  • Financial services. Targeted by everyone. Lazarus for direct theft, FIN7 and successors for payment card fraud, ransomware groups for extortion, nation-state actors for strategic intelligence on financial flows.
  • Healthcare. Heavy ransomware targeting because of operational urgency and weak controls in many providers. State actors target pharmaceutical companies for research IP.
  • Manufacturing and industrial. Ransomware and IP theft. Operational technology environments are increasingly targeted by state actors for pre-positioning.
  • Technology and software. Supply chain targeting (one compromise leads to many downstream victims), source code theft, customer data theft.
  • Government and defence. State-on-state espionage, occasional hacktivist defacement, ransomware where the geopolitical lines allow it.
  • Energy and utilities. Critical infrastructure pre-positioning by state actors, occasional ransomware.
  • Retail and hospitality. Payment card theft (FIN7 lineage), ransomware, social engineering attacks (Scattered Spider).
  • Education. Ransomware (high vulnerability combined with a low ability to pay quickly, which creates drawn-out incidents), state-sponsored research theft.
  • Telecommunications. Recently a major target for Chinese state actors (Volt Typhoon, Salt Typhoon) for strategic reasons.

The pattern matters because if you are a hospital, you should expect ransomware affiliates first. If you are a defence contractor, you should expect state actors. The threat model that makes sense for one sector wastes effort in another.

What this means for defenders

A few practical takeaways from all of this.

  • Know your likely adversaries. Sector, geography, and asset type predict roughly who you will face. A regional bank in Western Europe and a defence research lab in the US have different threat models.
  • Treat attribution as input to defence, not output of it. Useful for picking which TTPs to look for, less useful as an end in itself.
  • Track ecosystems, not just groups. Affiliate movements, RaaS operator changes, and cross-group toolkit sharing all matter as much as individual group activity.
  • Distinguish reported attribution from confirmed attribution. Press reports often run ahead of analytical confidence. Take them as starting hypotheses, not conclusions.
  • Update your model as the landscape changes. Groups disband, rebrand, get arrested, merge with others. The threat actor list from three years ago is not the threat actor list today.

Knowing your adversary matters because attackers are not interchangeable. The defence that works against an opportunistic credential stuffer fails against a state actor with a year of patience, and the defence that works against the state actor would be wildly over-engineered against the credential stuffer. Calibrating to who is actually likely to come at you is most of the work.

ScruteX profiles active threat actors and groups, mapping their TTPs to help you understand and defend against the adversaries targeting your sector.
