A threat actor is anyone who has the potential to impact cybersecurity. The phrase "threat actor" is also commonly used in the field of cybercrime. A threat actor can be a person, a group of people, or even an entire country. It refers to anyone who is a key driver of, or participant in, a malicious action targeting organizational or personal IT security.
Trends in Vulnerabilities
In 2021, threat actors targeted internet-facing systems (such as email and virtual private network servers). Generally, researchers or other benign actors released proof-of-concept code within two weeks of a vulnerability's disclosure, likely facilitating threat actors' exploitation of that vulnerability. Threat actors were slightly less likely than in 2020 and earlier to continue exploiting publicly known, dated software vulnerabilities.
Relationships to Targets
Threat actors can be cybercriminals, insiders, and/or nation-states.
Historically, state-sponsored advanced persistent threat (APT) actors have used spearphishing, brute force, and exploitation of known vulnerabilities against accounts and networks with weak security. State-sponsored actors' techniques exploit global trends (adoption of cloud services and cryptocurrency, and pandemic-related economic disruption). In 2021, Russia targeted IT and cloud service providers' trusted relationships. China weaponized vulnerabilities to gain initial access. Iran deployed ransomware to blend disruptive operations with seemingly unrelated eCrime activity. North Korea shifted to cryptocurrency to maintain illicit revenue generation.
- Russian-sponsored cyberattacks have gained access via vulnerabilities in FortiGate VPNs, Cisco routers, Oracle WebLogic Servers, Kibana software, Zimbra software, Exim Simple Mail Transfer Protocol, Pulse Secure, Citrix, Microsoft Exchange, VMware, and F5 BIG-IP.
- Recent high-profile Russian state-sponsored cyberattacks targeted state, local, tribal, and territorial governments and aviation networks between September and December 2020, engaged in a global Energy Sector intrusion campaign between 2011 and 2018, and disrupted Ukrainian critical infrastructure in 2015, 2016, and 2022.
Since 2020, Iran-sponsored actors have used ransomware to carry out "lock-and-leak" disruptive information operations against organizations in the U.S., Israel, the Middle East, and North Africa. Criminal/hacktivist fronts (PIONEER KITTEN, SPECTRAL KITTEN/BlackShadow, ChaoticOrchestra/Deus, SplinteredEnvoy/Moses Staff), which offer the government deniability, encrypt target networks and leak victim information via state-sponsored or state-controlled leak sites, social media, and chat platforms.
Since 2020, China has exploited vulnerabilities in Oracle WebLogic and Zoho ManageEngine, as well as 12 other vulnerabilities in nine other products. China's attacks used to require user interaction, but it now deploys exploits that rely on vulnerabilities in internet-facing devices or services rather than on social engineering and human error. By the end of 2021, the level of China's activity was six times what it was in 2020.
An uncategorized group (UNC) is a cluster of cyber intrusion activity, defined by observable artifacts in the form of infrastructure, tools, and practices, that cannot yet be classified as an advanced persistent threat or a financially motivated threat. Nonetheless, a UNC must have at least one key distinguishing characteristic. As evidence grows, the UNC will likely graduate into a fully defined group (see FIN11).
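The clustering idea behind a UNC, as an added example that is not from this page or from any vendor's tooling: intrusion cases are linked into one activity cluster when they share observable artifacts of the kinds the definition names (infrastructure, tools, practices). The sample cases and artifact values are constructed, the "any shared artifact merges two cases" rule is my simplification rather than a real attribution standard, and the UNC-n labels are placeholders.

```python
from collections import defaultdict

# Constructed sample intrusion cases (not real incidents). Each records the
# observable artifacts the definition names: infrastructure, tools, practices.
INTRUSIONS = {
    "case-1": {"infra": {"203.0.113.10"}, "tools": {"webshell-A"}, "practices": {"vpn-exploit"}},
    "case-2": {"infra": {"203.0.113.10", "198.51.100.7"}, "tools": {"loader-B"}, "practices": {"vpn-exploit"}},
    "case-3": {"infra": {"192.0.2.44"}, "tools": {"loader-B"}, "practices": {"dll-sideload"}},
    "case-4": {"infra": {"192.0.2.99"}, "tools": {"ransomware-C"}, "practices": {"lock-and-leak"}},
}

def cluster_activity(intrusions):
    """Group cases into activity clusters and return {label: sorted case ids}.
    Assumed merge rule (my simplification, not a vendor's): two cases join one
    cluster when they share any artifact in the same category, transitively.
    Labels are placeholders 'UNC-1', 'UNC-2', ... ordered by lowest case id."""
    parent = {case: case for case in intrusions}  # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (category, artifact) -> first case that showed it
    for case, artifacts in intrusions.items():
        for category, values in artifacts.items():
            for value in values:
                key = (category, value)
                if key in first_seen:
                    parent[find(case)] = find(first_seen[key])  # merge clusters
                else:
                    first_seen[key] = case

    groups = defaultdict(list)
    for case in intrusions:
        groups[find(case)].append(case)
    ordered = sorted(groups.values(), key=min)
    return {f"UNC-{n}": sorted(cases) for n, cases in enumerate(ordered, start=1)}

def shared_artifacts(intrusions, cases):
    """Artifacts seen in more than one case of a cluster: the evidence that
    links the cases and that an analyst would weigh before graduating it."""
    seen_in = defaultdict(set)
    for case in cases:
        for category, values in intrusions[case].items():
            for value in values:
                seen_in[(category, value)].add(case)
    return sorted(key for key, who in seen_in.items() if len(who) > 1)
```

Case 3 shares no artifact with case 1 directly, yet lands in the same cluster through case 2, which is the transitive linking that makes a UNC grow as evidence accumulates.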
Advanced persistent threats
Financially motivated threats
- What is a threat actor, Sophos
- 2021 Most Common Vulnerability Exploits, CISA
- Global Threat Report 2022, p. 5, CrowdStrike
- Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, CISA
- Global Threat Report 2022, p. 14, CrowdStrike
- Global Threat Report 2022, p. 16, CrowdStrike
- The graduation of FIN11, FireEye