Threat Actor

Last Updated: 12 Jun, 2026

A threat actor is an individual, group or organization that deliberately conducts cyberattacks to exploit system vulnerabilities and achieve specific objectives. Identifying these actors helps organizations anticipate threats and strengthen their overall security posture.

  • Enables development of targeted threat models based on attacker behavior.
  • Improves incident investigation and attribution accuracy.
  • Helps prioritize security tools, training and resources effectively.
  • Encourages collaboration and intelligence sharing across organizations.
  • Assists in meeting compliance and risk management requirements.

Types of Threat Actors

Threat actors exist in many forms. It is important to identify them because each type has different motives, methods and targets.

[Figure: Threat actors]

Cybercriminals

Cybercriminals conduct attacks mainly for financial gain. They operate individually or in organized groups, often using tools and services that make cybercrime easier and more scalable.

  • Use ransomware, fraud and data theft to generate profit.
  • Operate through underground markets to buy/sell stolen data.
  • Example: Ransomware groups like LockBit and Akira targeting organizations for large payments.

Nation-State Hackers (State-Sponsored Threat Actors)

Nation-state hackers are backed by governments and conduct cyber operations for political, military or economic advantages. They are highly skilled and focus on long-term strategic goals.

  • Target critical sectors like energy, defense and telecom.
  • Use advanced techniques like zero-day exploits and APTs.
  • Example: Groups like APT28 (Fancy Bear) involved in global cyber espionage activities.

Insider Threats (Individual)

Insider threats come from individuals within an organization who misuse their authorized access. These threats can be intentional or accidental but often go unnoticed initially.

  • Use valid credentials to bypass security controls.
  • Exploit internal systems, cloud services or personal devices.
  • Example: Employees leaking sensitive company data or mishandling confidential information.

Hacktivists

Hacktivists use hacking as a tool to promote political or social causes. Their goal is to create awareness, protest or disrupt targeted organizations.

  • Launch DDoS attacks or deface websites.
  • Leak confidential data to expose organizations.
  • Example: Groups targeting government or corporate websites to protest policies.

Cyber Terrorists

Cyber terrorists aim to create fear and large-scale disruption using cyberattacks. They often target critical infrastructure and essential services.

  • Attack systems controlling power, healthcare or transport.
  • Use destructive malware to cause maximum damage.
  • Example: Attempts to disrupt energy grids or emergency systems to create panic.

Workflow

Cyber attacks often follow a structured approach to successfully breach systems and achieve their objectives. One widely used model is the Lockheed Martin Cyber Kill Chain, which breaks down an attack into multiple stages, helping organizations understand and defend against each step.

Stages of the Cyber Attack Process

  • Reconnaissance: Attackers gather information about the target using sources like social media, public records (OSINT) or network scanning tools. This helps identify vulnerabilities and entry points.
  • Weaponization: The attacker creates a malicious payload by combining exploits with malware. This payload is designed to take advantage of identified weaknesses.
  • Delivery: The payload is delivered to the target through methods such as phishing emails, malicious attachments, infected websites (drive-by downloads) or USB devices.
  • Exploitation: A vulnerability in the system is triggered to execute malicious code. This step allows attackers to gain initial access to the system.
  • Installation: Malware or backdoors are installed to maintain persistent access. This ensures the attacker can return to the system even after initial entry.
  • Command and Control (C2): The compromised system establishes communication with the attacker’s server. This allows remote control and further instructions to be executed.
  • Actions on Objectives: Attackers achieve their goal, such as stealing data, encrypting files (ransomware), disrupting services or maintaining long-term access.

Note: Modern attackers often use legitimate system tools (living-off-the-land) to avoid detection. If blocked at any stage, attackers may restart or repeat earlier steps to find alternative entry points.

Real-World Examples of Threat Actor Groups

These cases demonstrate how threat actors operate in real environments:

Commvault SaaS Platform Exploitation (2025)

  • Attackers exploited a zero-day vulnerability (CVE-2025-3928) in the Commvault Metallic SaaS backup platform.
  • Gained access to client secrets used for Microsoft 365 backups.
  • CISA issued advisories urging credential rotation and tighter access controls.

Oracle Cloud Breach by Threat Actor “rose87168” (2025)

  • Hacker claimed to breach Oracle Cloud infrastructure.
  • Approximately 6 million records and 140,000 tenants affected.
  • Exploited vulnerability CVE-2021-35587 in Oracle Access Manager.
  • Oracle denied the breach, but cybersecurity firm CloudSEK validated the leaked data as plausible.

Identifying or Detecting Threat Actors

Threat actors often remain hidden, but certain indicators reveal their presence. Security teams use monitoring, analytics and threat intelligence to detect attacks early.

  • Monitor Network Traffic: Large data transfers to unknown servers (especially at odd hours) indicate potential attacks. Tools: Wireshark, Snort, Suricata. Example: A PC sending data to a foreign IP at 3 AM may signal malware activity.
  • Check Active Network Connections (netstat): netstat shows which remote hosts your computer is communicating with. Unusual or suspicious IP connections may indicate backdoors or malware.
  • Analyze Logs with SIEM Tools: Logs capture logins, errors and system changes. SIEM tools like Splunk or ELK detect abnormal behaviour such as multiple failed logins, unauthorized admin privilege changes, or Word launching PowerShell (macro malware).
  • Use EDR (Endpoint Detection and Response): EDR tools (CrowdStrike, SentinelOne) monitor program behaviour, detect abnormal actions like scripts launching from Word, and identify Indicators of Compromise (IoCs) such as unusual processes or memory use.
  • Monitor User Behaviour: UEBA tools analyze how users typically behave and flag unusual actions such as logins from unexpected countries or access to sensitive files the user has never touched before.
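As an added example (not part of the original article), here are three of the detections described above, run over a handful of constructed log events: a burst of failed logins, an Office application spawning a script host, and a large off-hours outbound transfer. The normalized event format, the thresholds and the host and user names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified normalized form (not real logs).
EVENTS = [
    {"ts": "2025-03-01T09:00:05", "type": "auth", "user": "alice", "src": "10.0.0.5", "ok": False},
    {"ts": "2025-03-01T09:00:09", "type": "auth", "user": "alice", "src": "10.0.0.5", "ok": False},
    {"ts": "2025-03-01T09:00:14", "type": "auth", "user": "alice", "src": "10.0.0.5", "ok": False},
    {"ts": "2025-03-01T09:00:20", "type": "auth", "user": "alice", "src": "10.0.0.5", "ok": False},
    {"ts": "2025-03-01T09:01:00", "type": "auth", "user": "alice", "src": "10.0.0.5", "ok": True},
    {"ts": "2025-03-01T10:15:00", "type": "proc", "host": "ws-17", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": "2025-03-01T10:16:00", "type": "proc", "host": "ws-17", "parent": "explorer.exe", "image": "notepad.exe"},
    {"ts": "2025-03-01T03:05:00", "type": "flow", "host": "ws-17", "dst": "203.0.113.9", "bytes_out": 850_000_000},
    {"ts": "2025-03-01T14:05:00", "type": "flow", "host": "ws-17", "dst": "203.0.113.9", "bytes_out": 2_000_000},
]

FAIL_THRESHOLD, FAIL_WINDOW = 4, timedelta(minutes=5)   # N failures inside the window (assumed tuning)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXFIL_BYTES, OFF_HOURS = 500_000_000, range(0, 6)       # >= 500 MB out between 00:00 and 05:59

def ts(e):
    return datetime.fromisoformat(e["ts"])

def failed_login_bursts(events):
    """(user, src) pairs with FAIL_THRESHOLD failures inside FAIL_WINDOW: brute force or spraying."""
    fails = defaultdict(list)
    for e in events:
        if e["type"] == "auth" and not e["ok"]:
            fails[(e["user"], e["src"])].append(ts(e))
    hits = []
    for key, times in fails.items():
        times.sort()
        # Sliding window: compare each failure with the (N-1)th failure after it.
        if any(times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW
               for i in range(len(times) - FAIL_THRESHOLD + 1)):
            hits.append(key)
    return hits

def office_spawning_script_host(events):
    """Office app as the parent of a script interpreter: the classic macro-malware pattern."""
    return [(e["host"], e["parent"], e["image"]) for e in events if e["type"] == "proc"
            and e["parent"].lower() in OFFICE_APPS and e["image"].lower() in SCRIPT_HOSTS]

def off_hours_large_transfers(events):
    """Large outbound transfer during off hours: possible data exfiltration to watch."""
    return [(e["host"], e["dst"], e["bytes_out"]) for e in events if e["type"] == "flow"
            and e["bytes_out"] >= EXFIL_BYTES and ts(e).hour in OFF_HOURS]
```

The benign events (the successful login, notepad.exe under explorer.exe, the daytime 2 MB flow) are deliberately included so each rule can be checked for false positives as well as hits.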