A threat actor is anyone who has the potential to impact Cybersecurity. The phrase ‘threat actor’ is commonly used in cybersecurity. The threat actor can be a person, group of people, or even an entire country. It refers to anyone who is a key driver or participant in a malicious action targeting organizational or personal IT security.[1]

Types

Threat actors can be cybercriminals, insiders, and/or nation-states.

=State-Sponsored

Historically, state-sponsored advanced persistent threat (APT) actors have used spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security.

Russian

  • Russian-sponsored cyberattacks have been able to gain access via vulnerabilities in FortiGate VPNs, Cisco routers, Oracle WebLogic Servers, Kibana software, Zimbra software, Exim Simple Mail Transfer Protocol, Pulse Secure, Citrix, Microsoft Exchange, VMWare, and F5 Big-IP
  • Recent high-profile cyberattacks targeted state, local, tribal, and territorial governments and aviation networks between September and December 2020, engaged in a global Energy Sector intrusion campaign between 2011 and 2018, and disrupted Ukrainian critical infrastructure in 2015, 2016, and 2022.[2]

Classifications

UNC

An uncategorized group (UNC) refers to a cluster of cyber intrusion activity (based on observable artifacts in the form of infrastructure, tools, and practices) that cannot yet be classified as an advanced persistent threat or a financially motivated threat. Nonetheless, a UNC must have at least one key characteristic. As evidence grows, the UNC will likely graduate into a fully defined group (See FIN11[3]).

APT

Advanced persistent threats

FIN

Financially motivated threats

References