Cyber Threat Actors

Cyber Threat Actors

A Cyber Threat Actor (CTA) is a participant (person or group) in an action or process that is characterized by malice or hostile action (intending harm) using computers, devices, systems, or networks.

CTAs can be classified into groups based on their affiliations and motivations.


Due to heightened geopolitical tensions multiple governments have warned about the increased risk of cyber attacks to both public and private sector organizations.

Nation-State actors aggressively target and gain persistent access to public and private sector networks to compromise, steal, change, or destroy information.

They may be part of a state apparatus or receive direction, funding, or technical assistance from a nation-state. Nation-state has been used interchangeably with Advanced Persistent Threat (APT), however APT refers to a type of activity conducted by a range of actor types.

  • Motivation: Espionage, political, economic, or military;
  • Affiliation: Nation-states or organizations with nation-state ties;
  • Common Tactics, Techniques, and Procedures (TTPs): Spear-phishing password attacks, social engineering, direct compromise, data exfiltration, remote access trojans, and destructive malware.


Cybercriminals are largely profit-driven and represent a long-term, global, and common threat. They target data to sell, hold for ransom, or otherwise exploit for monetary gain. 

Cybercriminals may work individually or in groups to achieve their purposes.


Hacktivists (a.k.a. Ideologically-Motivated Criminal Hackers) are motivated by political, social, or ideological views and target victims for publicity or to effect change which often results in high profile operations.

  • Motivation: Political, social, or ideological;
  • Affiliation: Non-governmental individuals or organizations;
  • Common Tactics, Techniques, and Procedures (TTPs): DDoS attacks, doxing, website defacements.


Insiders are current or former employees, contractors, or other partners who have access to an organization’s networks, systems, or data.

Malicious insiders intentionally exceed or misuse their access in a manner that negatively affects the confidentiality, integrity, or availability of the organization’s information or information systems.

This differs from unwitting insiders who unintentionally cause damage to their organization’s information systems through their actions, such as clicking on malicious links in a phishing email.

  • Motivation: Financial gain or to seek revenge;
  • Affiliation: Current or former employee, contractor, or other partner who has authorized access;
  • Common Tactics, Techniques, and Procedures (TTPs): data exfiltration or privilege misuse.

Terrorist Organizations

Terrorist organizations’ offensive cyber activity is typically disruptive or harassing in nature. This group primarily use the internet for communications and recruitment.

  • Motivation: Political or ideological, possibly for financial gain, espionage, or as propaganda;
  • Affiliation: Individuals, organizations, or nation-states;
  • Common Tactics, Techniques, and Procedures (TTPs): Defacements and claimed data breach and leaks.

Why it matters

CTAs differ in terms of their knowledge, skills, abilities, motivations, and resources. These characteristics help to determine who CTAs will target, which data or assets are valuable to them, and how they will carry out their attacks.

For instance, cybercriminals opportunistically target any entities that can generate monetary gain. Therefore, any organization with valuable or sensitive data could be a target.

In a similar fashion, insiders are a threat to any organization since they already have some level of access to the information systems.

Conversely, nation-state actors conduct more targeted operations against organizations they want to exploit for espionage purposes or to gain leverage over.

7 thing you can do now to be more cyber secure

A CTA’s motivation or intent should also be balanced against their capability to conduct malicious activity.

While a cybercriminal might have the capability to target a website they may lack the intent because they cannot monetize the impact.

Meanwhile, a hacktivist may have the intent to target a political party over their policies and subsequently deface their website to disrupt operations and cause reputational harm or send a political message.

Understanding each actor in this context will allow you to develop a more focused cybersecurity plan.

Create Separate Passwords

Create separate strong passwords for each of your online accounts. Your accounts include sensitive information about your customers, your organization and financial information. If your accounts are not secure, your organization could be at risk of a cyber incident.

Create strong passwords

Weak passwords can be hacked in seconds. The longer and more unusual your password is, the stronger it becomes and the harder it is to hack. The UK's National Cyber Security Centre recommends using three random words as part of that password.

Turn on Two-Factor Authentication

2FA (or multi-factor authentication) reduces the risk of being hacked by asking you to provide a second factor of information, such as getting a text or code when you log in. You should ensure all your accounts have 2FA enabled, and consider changing vendor if the ability is not available.

Keep your devices up to date

Make sure all your devices have the latest software updates to reduce the risk of a cyber incidents. This will ensure that all your devices include the latest security fixes.

Back up important data and key contacts

By securely backing up your data, you can continue operating even if you suffer a cyber incident. Backups can include paper copies, removable media or backed up to a secure location in the cloud. Always ensure any backups are inline with your internal policies and stored securely.

Always be suspicious

You should regard any message that seems to be urgent with susicion. This is a common method used by attackers to ensure you reply quickly and without more regard. This can include emails, text, and voice messages.

Refuse to take the bait.

The attackers can't steal your information if you don't respond or reply, so refuse to take the bait and simply don't reply!

We recommend everyone educate themselves on the dangers of cyber threat actors. With well managed Security Awareness Training the threat posed by today’s advanced attacks can be significantly reduced. Take back control, today.

Let us help with our Managed Service

If resources are stretched or hard to find let Phishing Tackle manage your security awareness training with our Managed Service offering.  It’s the quickest and most effective way to reduce your cyber risk.

With thanks to the Center for Internet Security for information and extracts on this page.


Start Phishing & Security
Awareness Training Today

 (no credit card required)

You have Successfully Subscribed!