
Cyber Threat Actors: Types & Defences

What is a Cyber Threat Actor?

A Cyber Threat Actor (CTA) is a person or group that uses computers, devices, systems, or networks to intentionally cause harm.

There are many different types of cyber threat actor, and these can be classified based on their affiliations and motivations.

Each type will have different knowledge, skills, abilities, motivations, and resources. These characteristics help us understand their preferred target, the kind of data or assets that are valuable to them, and how they might carry out their attacks.

Types of Cyber Threat Actor

Understanding each Cyber Threat Actor’s motivation and goal can help you develop a more focused cybersecurity plan.

For instance, some cyber threat actors may opportunistically target any entities that can generate monetary gain. Following this line of thought, any organisation with valuable or sensitive data could be a target.

On the other hand, some cyber threat actors conduct more targeted operations against specific individuals or organisations they want to exploit for espionage or blackmail purposes.


Cybercriminals

Cybercriminals are largely profit-driven and represent a long-term, global, and common threat. They target data to sell, hold for ransom, or otherwise exploit for monetary gain. Cybercriminals may work individually or in groups to achieve their purposes.


Hacktivists

Hacktivists (or Ideologically-Motivated Criminal Hackers) are motivated by political, social, or ideological views. They often target victims for publicity or to effect change – which often results in high-profile operations.

  • Motivation: Political, social, or ideological.
  • Affiliation: Non-governmental individuals or organizations.
  • Common Tactics, Techniques, and Procedures (TTPs): DDoS attacks, doxing, website defacements.

Malicious Insiders

An ‘insider’ is a current or former employee, contractor, or other partner who has access to an organization’s networks, systems, or data.

Malicious Insiders intentionally exceed or misuse this access in a manner that negatively affects the confidentiality, integrity, or availability of the organization’s data, network or systems.

They differ from unwitting insiders who unintentionally cause damage to their organization’s information systems through actions like clicking on malicious links in a phishing email.

  • Motivation: Financial gain or to seek revenge.
  • Affiliation: Current or former employee, contractor, or other partner who has authorised access.
  • Common Tactics, Techniques, and Procedures (TTPs): data exfiltration or privilege misuse.

Nation-State Actors

Due to heightened geopolitical tensions, many governments have warned about the increased risk of cyber attacks to both public and private sector organizations.

Nation-State Actors aggressively and persistently target public and private sector networks to compromise, steal, change, or destroy information.

They may be part of a state apparatus or they might receive direction, funding, or technical assistance from a nation-state. ‘Nation-State Actors’ is sometimes used interchangeably with Advanced Persistent Threat (APT); however, APT refers to a type of activity conducted by a more varied range of actor types.

  • Motivation: Espionage, political, economic, or military.
  • Affiliation: Nation-states or organizations with nation-state ties.
  • Common Tactics, Techniques, and Procedures (TTPs): Spear-phishing password attacks, social engineering, direct compromise, data exfiltration, remote access trojans, and destructive malware.

Terrorist Organizations

The offensive cyber activity committed by Terrorist Organizations is typically disruptive or harassing in nature. This group primarily uses the internet for communications and recruitment.

  • Motivation: Political or ideological, possibly for financial gain, espionage, or as propaganda.
  • Affiliation: Individuals, organizations, or nation-states.
  • Common Tactics, Techniques, and Procedures (TTPs): Defacements and claimed data breaches and leaks.

How to prevent cyber attacks

Each Cyber Threat Actor has a different way of working, and you may need highly focused defences to protect your organization from a specific type.

There are, however, some basic things you can do to protect yourself from almost every type of cybercriminal. These include:

Create separate passwords

Create separate strong passwords for each of your online accounts. Your accounts include sensitive data about your customers, your organization and your financial information. If your accounts are not secure, your organization could be at risk of a cyber incident or data breach.

Create strong passwords

Weak passwords can be hacked in seconds. The longer and more unusual your password is, the stronger it becomes and the harder it is to hack. The UK's National Cyber Security Centre recommends using three random words as part of that password.

Turn on two-factor authentication

2FA (or multi-factor authentication) reduces the risk of being hacked by asking you to provide a second type of information when you log in, alongside your password. This might be a text or secret code sent to your personal device. You should ensure all your accounts have 2FA enabled and consider changing vendor if this feature is not available.

Keep your devices up to date

Make sure all your devices have the latest software updates to reduce the risk of a cyber incident. This will ensure that all your devices include the latest security fixes.

Back up important data and key contacts

By securely backing up your data, you can continue operating even if you suffer a cyber incident. Backups can include paper copies, removable media, or Cloud backups to a secure location. Always ensure any backups are made in line with your internal policies and stored securely.

Always be suspicious

You should always regard any message that appears ‘urgent’ with suspicion. This is a common social engineering tactic used by attackers to make you act or reply quickly – without thinking about the potential consequences. These messages can include emails, texts, phone calls and voice messages.

Defend against phishing

Phishing is a type of cyber-attack that seeks to impersonate a reputable person or organisation. Using social engineering techniques, the cyber threat actor manipulates their victim into doing something they shouldn’t – like clicking a malicious link.

Let us help with our Managed Service

Help protect your organization by teaching your team about the different types of Cyber Threat Actors and training them to recognise an attempted cyber attack.

Our Click-Prone® Test is a customisable, simulated phishing test that can help you discover who in your organisation is vulnerable to phishing emails. We can then supply you with a library of expert security awareness training content to help improve their knowledge, strengthen your human firewall, and defend your business from cyber threat actors.

With thanks to the Center for Internet Security for information and extracts on this page.