Skip to content

Services, Wiki-Artikel, Blog-Beiträge und Glossar-Einträge durchsuchen

↑↓NavigierenEnterÖffnenESCSchließen
Threat Intelligence Glossary

Threat Actor - Angreifer-Kategorisierung und Attribution

Threat actors are the entities behind cyberattacks—classified by motivation, resources, and capabilities: nation-state groups (APT28, Lazarus), organized crime (ransomware-as-a-service), hacktivists, insider threats, and opportunistic script kiddies. Knowing which threat actor is involved determines which protective measures are appropriate.

Threat Actor Attribution—the process of attributing attacks to specific groups—is one of the most complex disciplines in cybersecurity. At the same time, it is crucial: Identifying who my realistic attackers are determines which protective measures should be prioritized and what resources are available for attacks.

Threat Actor Taxonomy

1. Nation-State Actors (State-sponsored groups)

  • Resources: Unlimited (government budget)
  • Capabilities: Elite (zero-days, custom malware, SIGINT)
  • Motivation: Espionage, sabotage, strategic interests
  • Patience: Months to years (APT = Advanced Persistent Threat)
  • Targets: Governments, defense, energy, critical infrastructure

Known groups:

  • APT28 (Fancy Bear / Russian GRU): Geopolitical espionage, NATO countries, Ukraine conflict; Tools: X-Agent, Sofacy, Zebrocy; Operations: 2016 DNC hack, 2015 Bundestag
  • APT29 (Cozy Bear / Russian SVR): Long-term espionage, clean techniques, low noise; SolarWinds hack (SUNBURST backdoor) 2020; theft of COVID-19 vaccine research
  • Lazarus Group (North Korea): The only state-sponsored group with primarily financial motivation; Crypto theft ~$1.7 billion in 2023; Sony Hack 2014, Bangladesh Bank 2016, WannaCry
  • APT41 (Winnti / China MSS): Dual motivation: espionage + financial gain; supply chain attacks (CCleaner, ASUS Live Update); healthcare, gaming industry, telecommunications
  • Sandworm (Russia GRU Unit 74455): Sabotage and destruction; NotPetya 2017 (over $10 billion in damages), Ukraine power outages

2. Cybercriminals / Organized Crime

  • Resources: High (ransomware revenue: billions/year)
  • Capabilities: High to very high (professional, division of labor)
  • Motivation: Financial (ransomware, data theft, BEC)
  • Targets: All companies capable of paying (opportunistic)

Ransomware-as-a-Service groups:

  • LockBit (until 2024): Largest RaaS group (~40% of all ransomware attacks); affiliate model: developers 20%, attackers 80%; dismantled by Operation Cronos (FBI/Europol/NCA) in 2024
  • ALPHV / BlackCat: Rust-based ransomware; double/triple extortion (encryption + leak + DDoS); MGM Resorts 2023 (~$100M in damages)
  • Cl0p: Specializes in mass exploitation of vulnerabilities; MOVEit campaign 2023: 2,000+ organizations affected

Underground economy: Ransomware revenue in 2023 ~$1.1 billion (Chainalysis), average ransom ~$400,000 (Coveware Q4 2023), access brokers sell compromised credentials for $500–$5,000, stealer logs for $50–$200 per batch.

3. Hacktivists

  • Resources: Low to medium; Capabilities: Low to medium (often commodity tools)
  • Motivation: Political, ideological; Main threat: DDoS, website defacement
  • Anonymous: Decentralized, no fixed structure; KillNet: Pro-Russian, DDoS against NATO countries; Hacktivismo: Human rights, against censorship
  • Low relevance for businesses, except in politically sensitive industries

4. Insider Threats

  • Resources: High (legitimate system access!); Skills: Variable
  • Motivation: Dissatisfaction, financial hardship, extortion, revenge
  • Malicious Insider: Intentional damage, data theft
  • Negligent Insider: Careless actions, phishing victim
  • Compromised Insider: Account taken over, user unaware

60% of all data breaches involve an insider component (average cost: $15.4 million, IBM 2023). Detection via UEBA: anomalies in access patterns, mass downloads shortly before termination, access to unusual systems.

5. Script Kiddies / Opportunists

  • Resources/Skills: Low (use existing tools and exploits)
  • Motivation: Curiosity, attention-seeking, petty crime
  • Main threat: Exploitation of known unpatched vulnerabilities, automated scans (Shodan-driven), credential stuffing with stolen lists – SMEs are also affected!

Threat Actor Profiles for Risk Assessment

IndustryMost Likely Threat ActorsRecommendation
HealthcareRansomware: VERY HIGH; Nation-State (medical research): MEDIUMAir-gapping of critical systems, network segmentation
Financial ServicesRansomware: HIGH; Organized Crime (BEC, Fraud): VERY HIGH; Nation-State (Lazarus): MEDIUMStrong MFA, transaction monitoring, BEC protection
Critical InfrastructureNation-State (Sandworm, APT33): VERY HIGH; Hacktivists: MEDIUMOT/IT separation, incident response, KRITIS requirements
SMEs (general)Script Kiddies: HIGH; Ransomware: HIGH; Nation-State: LOWBasic security hygiene (patching, MFA, backup)

Threat intelligence sources for attribution:

Free:

  • MITRE ATT&CK; Groups (attack.mitre.org/groups/): All known APT groups with TTPs, tools, target industries
  • Mandiant APT Reports (mandiant.com/resources/blog)
  • CISA Known Exploited Vulnerabilities (KEV) (cisa.gov/known-exploited-vulnerabilities)
  • BSI Alerts (bsi.bund.de → Threat Situation)

Paid:

  • Recorded Future Intelligence Cloud
  • CrowdStrike Intelligence
  • Mandiant Advantage Threat Intelligence
  • MISP (Malware Information Sharing Platform) - free, community-driven

AWARE7 Services on This Topic

Penetrationstest
Back to Glossary Book a free consultation