Cyber Threat Actors and Motivations
Lucky Ogoo
MSc in Computer Science and Data Analytics | Doctorate Degree in Education (EdD | Cyber Intelligence Gathering | Cyber Engineering | Global Security & Defence | Cloud Security | CompTIA Security+, CREST, CISM
Behind every cyber threat, there’s a threat actor: a person or group of people causing intentional harm by exploiting vulnerabilities in the cyber sphere.
As the frequency and sophistication of cyber threats?continues to grow, so too will the number of threat actors behind them. What exactly are threat actors, and what do they want?
This newsletter will review what threat actors are, threat actor targets, types of threat actors, and how to prevent their attacks.
What is a Threat Actor?
A cyber threat actor is any individual or group that poses a threat to cybersecurity. Threat actors are the perpetrators behind cyberattacks, and are often categorised by a variety of factors, including motive, type of attack, and targeted sector.
Today, the cyber threat environment is arguably more dynamic than ever before and threat actors are becoming more sophisticated.
Understanding threat actors and their motives can help organisations better protect themselves from the damage these actors cause as they exploit vulnerabilities, compromise user?identities with elevated privileges, evade security controls, damage or delete data, or manipulate sensitive information.
Threat Actor Targets
Threat actors primarily target large organisations for monetary gain, data, and sensitive intelligence, or to cause service disruption and reputational harm. However, small and medium-sized businesses (SMBs) have also become?frequent targets?for threat actors because their relative lack of resources can mean that their security systems are weaker than those of large enterprises.
In today’s threat landscape, most organisations are likely to be targeted by a threat actor, regardless of their size or industry. In fact, businesses faced?50% more cyberattack attempts?per week in 2022 compared to 2023 according to CB Group Consulting (www.cbgroupconsulting.co.uk). Today, threat actors can and will find a path straight to the crown jewels if the path is unprotected.
Threat Actor Types and Attributes
“Threat actor” is a broad term that encompasses a wide variety of individuals and groups categorised based on their skill set, resources, or motivation for attack.
Here are some of the most common types of threat actors and the motivations typically behind their actions:
1. Cybercriminals
Cybercriminals are individuals or groups who use digital technology to conduct illegal activity. They’re often motivated by financial gain.
This type of threat actor typically employs?social engineering?tactics such as?phishing emails?to lure victims into clicking on a malicious link or downloading malicious software (malware). Other examples of cybercrime include stealing data, tricking victims into transferring money, stealing login credentials, and making ransom demands.
2. Nation-States
Nation-states may fund threat actor groups to perform a variety of malicious activities on the networks of other governing entities including espionage or cyberwarfare. Since nation-state funded threat actors tend to be highly resourced, their behaviour is often persistent and more difficult to detect.
Targeting their opponents’ networks in stealth, nation-state-funded threat actors typically seek to exfiltrate or corrupt sensitive data and assets, disrupt critical infrastructure, or gather confidential intelligence.
3. Terrorist Groups
As with physical acts of terrorism, the goal of cyber terrorists is typically to cause harm and destruction that furthers their cause. This type of threat actor targets businesses, state machinery, and critical infrastructures or services that will cause the most damage or disruption.
4. Thrill-Seekers
Thrill-seekers are threat actors who attack computer systems or networks for personal enjoyment. Whether they want to see how much data and sensitive information they can steal, or they are interested in how specific networks and computer systems operate, thrill-seekers may not necessarily intend to do much harm to their targets. However, they can interfere with computer systems and networks or exploit vulnerabilities for more sophisticated cyberattacks in the future.
5. Insider Threats
Insider threats are?on the rise. These threats can be categorised into the following types:
6. Hackers
Although the term ‘threat actor’ is often used interchangeably with ‘hackers’, hackers and threat actors are not one and the same. A?hacker?is someone who uses their computer skills to overcome a challenge or problem, for better or for worse, while threat actors almost always have malicious intent.
Hollywood popularised the term to invoke images of nefarious individuals with malicious intentions, such as causing disruption or breaking the law. However, there are many types of hackers with different capabilities.
Here are some examples of different types of hackers and what they can do:
Black Hat Hackers
Black hat hackers work against organisations or government agencies in an attempt to break into computer networks or systems with malicious intent. Black hat hackers often work alone or with organised crime groups and employ a number of techniques to hack their targets, including social engineering, hacking passwords, infecting devices with malware, logging keystrokes, or creating?botnets?to execute a?Distributed-Denial-of-Services?(DDoS) attack.
White Hat Hackers
White hat hackers, also called ethical hackers, work with organisations or government agencies to identify vulnerabilities and protect cyber systems from malicious hackers. Unlike other types of hackers, white hat hackers always have permission from the organisation or agency they work with to hack into computer networks or systems.
Grey Hat Hackers
Grey hat hackers fall somewhere in between white hat hackers and black hat hackers. Grey hat hackers hack into computer networks or systems in order to draw the target’s attention to vulnerabilities or potential attack paths and then charge a fee to fix the issues they’ve discovered. Most often, this type of hacker exploits security issues without malicious intent, but it is done without permission and often through illegal tactics.
Green Hat Hackers
Green hat hackers are beginners and often seek out information from more experienced members of the hacking community. Although green hat hackers may not always have the necessary skills or knowledge to launch a coordinated attack, they can still cause serious damage if they don’t have a clear understanding of what they’ve done or how to fix it.
Blue Hat Hackers
Blue hat hackers are most similar to white hat hackers: they’re security professionals working at consulting firms that are hired specifically to test a system prior to its launch. Sometimes, blue hat hackers also target individuals or companies in retaliation for some wrongdoing without putting much thought into the consequences of their actions.
Red Hat Hackers
Red hat hackers are often seen as the “dark horses” of the hacking world, working alone or in private groups to disarm black hat hackers. Unlike white hat hackers who turn black hat hackers into the authorities, red hat hackers often focus on destroying resources and doing harm.
Script Kiddies
Unlike other types of hackers, script kiddies are often motivated by boredom and don’t write their own computer scripts or code. Instead, they insert existing scripts or codes into viruses or applications to hack computer systems belonging to others. In the hacking world, script kiddies are notorious for being relatively unskilled and immature compared to other types of hackers.
Hacktivists
Hacktivists are often considered black hat hackers, but their motivations for hacking are political. Whether they’re concerned with preserving free speech or exposing instances of human rights violations, hacktivists target individuals, organisations, or government agencies.
Most of the time, hacktivists believe they’re trying to enact a positive change in the world. For example, the hacking group Anonymous is well-known for its numerous cyberattacks against several governments and have been called “freedom fighters” by their supporters.
Of the different types of hackers, the term “threat actor” most directly applies to black hat hackers, blue hat hackers, script kiddies, and hacktivists.
Cybersecurity Concepts
In addition to understanding the essential components of threat actors and their attributes, it’s helpful to review these cybersecurity concepts:
Malware
Malware is a type of malicious software that is designed to damage or disable computers. Malware can be used to steal data, take control of systems, or launch attacks on other computers.
There are many different types of malware, including viruses, worms, Trojans, and?ransomware. Malware can be spread through email attachments, infected websites, or compromised software.
Phishing
Phishing is a type of cyberattack that uses emails or websites that appear to be from legitimate sources in order to trick users into disclosing sensitive information or clicking on malicious links.
Phishing attacks can be very difficult to detect because they often use spoofed email addresses and websites that look similar to legitimate ones. Attackers will also target specific individuals or organisations in order to increase their chances of success.
Denial-of-Service Attack
A Denial-of-Service attack (DoS attack) is a type of cyberattack that attempts to make a system or network unavailable to users. DoS attacks target websites or online services and can be used to take down entire systems.
DoS attacks are usually carried out by flooding the target with traffic or requests until it can no longer handle the load and becomes unavailable. They can also be used to disable systems or networks by corrupting data, taking advantage of vulnerabilities, or overloading resources.
Ransomware
Ransomware?is a type of malware that encrypts files or locks systems, making them inaccessible to users. It can be spread through email attachments, infected websites, or compromised software. This type of malware blocks access or encrypts assets, often forcing the user to pay a ransom to regain access to their device, files, or system.
Thinking of ransomware as simple encryption of randomly stolen data is no longer an accurate representation of the plethora of today’s data extortion strategies.?Ransomware actors?have recently turned toward data theft instead of time-expensive encryption. Trends indicate that full encryption of victim data is often too arduous and slow for many threat actors, and increases the risk of detection.
What’s emerged is a spectrum of threat actors who are moving past traditional, time-consuming encryption and focused on destroying all stolen data. Now, actors are seen prioritising faster attacks either through data extortion where the data is more or less preserved, or only partial corruption allowing them to move quickly and demand increasingly larger ransom demands.
Drive-by Download
A drive-by download is a type of cyberattack that involves infecting a system with malware without the user’s knowledge or consent. Drive-by downloads usually happen when a user visits an infected website or clicks on a malicious link.
This form of attack can be used to install all types of malware, including viruses, Trojans, and ransomware.
领英推荐
Threat Actor Examples
Some threat actors may be lone attackers while others may be part of a larger, organised crime ring or cyber threat organisation.
Reviewing some recent examples of cyberattacks can help organisations better anticipate what type of threat actor might target their networks or systems and prepare for similar incidents in the future.
MeteorExpress
In July of 2021, a?wiper attack?– an attack using malware designed to erase the hard drive of the computer it infects – crippled the Iranian national railway system. Once successfully hacked, the displays instructed railway passengers to direct any complaints to the phone number of the Iranian Supreme Leader Khamenei’s office.
Dubbed “MeteorExpress,” this campaign demonstrates the ways in which a threat actor can use technical skills to gain access to an information system and exploit it for a political purpose. Today, the threat actor behind this attack is still a mystery.
8220 Gang
A crimeware group known as?8220 Gang?targets cloud infrastructure services including AWS, Microsoft Azure, Google Cloud, Aliyun and Qcloud, to deploy illicit cryptocurrency miners at their victims’ expense. Although the group has operated for years, by mid 2021, new campaigns using long-running sets of infrastructure brought botnet numbers from roughly?2,000 infected hosts up to today’s figure of around 50,000 according to CB Group Consulting.
Threat actors such as 8220 Gang often spend years slowly evolving their campaigns until they become too massive to dismantle.
REvil Ransomware
REvil ransomware?was successfully delivered to thousands of corporate endpoints through a?zero-day attack?targeting Kaseya VSA servers commonly used by Managed Security Service Providers (MSSPs) and IT management firms. This attack appears to be one of the largest ransomware incidents to date with attackers offering a universal decryption tool for all its victims at a lump sum of $50 million (originally $70 million).
Although initially considered a?supply chain attack, this well-orchestrated, mass-scale ransomware campaign reveals how lucrative cyberattacks can be for threat actors, and how important a modern endpoint detection and response (EDR) tool is for organisations.
Aoqin Dragon
Named and tracked as “Aoqin Dragon” by SentinelLabs?researchers, this nation-state funded threat actor group is responsible for a cluster of malicious activity dating back to 2013 targeting government, education, and telecommunications organisations across Southeast Asia and Australia. Although the exact motives are unknown, it is likely that this Chinese-linked?advanced persistent threat (APT)?group’s main focus is espionage.
This example illustrates how threat actors can quietly conduct long-lasting campaigns to stay under the radar while conducting espionage operations and continuing to advance their tradeoff.
Moshen Dragon
Dubbed “Moshen Dragon,” this Chinese-aligned threat actor has been attributed with hijacking legacy security products including Symantec, TrendMicro, McAfee, BitDefender, and Kaspersky to conduct attacks. In addition to the five different malware triads Moshen Dragon deployed, they also used a variety of other tools including an LSA notification package and a passive backdoor known as GUNTERS.
Threat actors are often likely to use multiple tactics, techniques, and tools to breach computer systems and networks. Once threat actors establish a foothold, they will often proceed with?lateral movement?within the network, place a passive backdoor into the environment, harvest as many credentials as possible, and then focus on data exfiltration.
How to Prevent & Stop Threat Actor Cyber Attacks
The best advice for defenders is to always act under the assumption that their networks already host threat actors. The best way to prevent threat actors is to have a comprehensive security solution in place. The ideal security solution should include the following capabilities:
1. Endpoint Protection, Detection, and Response (EDR)
To protect organisations against threat actors, security teams use comprehensive?endpoint security solutions?with detection and response capabilities.
“Endpoint protection” refers to the technology and processes used to defend network endpoints, such as laptops, servers, and mobile devices, from malware and other threats.? EDR tools are different from other security solutions in that they do not only focus on identifying and quarantining specific malware or officially declared incidents. Instead, EDR tools look for anomalous activities and provide alerts to security teams for further investigation.
According to?CB Group Consulting, EDR solutions:
Record and store endpoint-system-level behaviours, use various data analytics techniques to detect suspicious system behaviour, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected solutions.
2. Zero Trust Security
A zero trust security model is an approach to cybersecurity that doesn’t rely on predefined trust levels. Instead, it treats all users, devices, and networks as untrusted until they are verified through continuous authentication and authorisation checks.
Zero trust architecture?can help prevent threat actors from gaining access to computer systems or networks because it does not provide automatic access to sensitive data. Every single user, including employees and contractors, must go through the verification process each time they want to access something.
3. Multi-Factor Authentication
Multi-factor authentication?(MFA) adds an extra layer of security by requiring users to provide two or more pieces of evidence, or factors, before they can access sensitive data. For example, a user may be required to enter their password and then confirm their identity with a fingerprint or code sent to their mobile phone.
MFA is effective against threat actors because it makes it more difficult for unauthorized users to access sensitive data. Even if they have a valid password, they would also need to have the other factor, such as a physical token or smartphone, to gain access to systems or networks.
4. Defence Against Advanced Persistent Threats (APTs)
An advanced persistent threat is a cyberattack where criminals work together to steal data or infiltrate systems that often go undetected over an extended period of time. In most cases, these attacks are performed by nation-states seeking to undermine another government.
Whereas other cyberattacks such as malware and?phishing schemes?work in a matter of days, an APT can take place over months or even years.
Some of the most common methods used by APTs include:
APTs are more difficult to defend against because they are usually carried out by well-funded and sophisticated organisations. However, with the right preparation and security measures in place, it can be much harder for them to succeed.
Preventing and stopping threat actor cyber attacks involves a multi-layered approach that includes technical, administrative, and human factors. Here’s a comprehensive strategy:
Technical Measures
a.?Network Security
b.?Endpoint Security
c.?Encryption
d.?Access Control
Administrative Measures
a.?Policy and Governance
b.?Incident Response Plan
3.?Human Factors
a.?Security Awareness Training
b.?Insider Threat Programs
4.?Monitoring and Detection
5.?Response and Recovery
6.?Advanced Threat Protection
7.?Regular Audits and Assessments
By integrating these strategies, organisations can build a robust defence against cyber attacks. It is essential to stay proactive, regularly update security measures, and continuously educate employees to adapt to the evolving threat landscape. For support, please contact me or CB Group Consulting (www.cbgroupconsulting.co.uk).