Threat actor
from Wikipedia

In cybersecurity, a threat actor, bad actor or malicious actor is either a person or a group of people that takes part in malicious acts in the cyber realm, including computers, devices, systems, or networks.[1] Threat actors engage in cyber-related offenses to exploit open vulnerabilities and disrupt operations.[2] Threat actors have different educational backgrounds, skills, and resources.[1] The frequency and classification of cyber attacks change rapidly. The background of threat actors helps dictate whom they target, how they attack, and what information they seek. There are a number of threat actors, including cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors.[3] These threat actors all have distinct motivations, techniques, targets, and uses of stolen data.[4]

Background

The development of cyberspace has brought both advantages and disadvantages to society. While cyberspace has furthered technological innovation, it has also brought various forms of cyber crime.[2] Since the dawn of cyberspace, individual, group, and nation-state threat actors have engaged in cyber-related offenses to exploit victim vulnerabilities.[2] There are a number of threat actor categories, each with different motives and targets.

Financially motivated actors

Cyber criminals have two main objectives. First, they want to infiltrate a system to access valuable data or items. Second, they want to avoid legal consequences after infiltrating a system. Cyber criminals can be broken down into three sub-groups: mass scammers/automated hackers, criminal infrastructure providers, and big game hunters.[3]

Mass scammers and automated hackers are cyber criminals who attack a system for monetary gain. These threat actors use tools to infect an organization's computer systems and then demand payment from victims in exchange for returning their data.[2] Criminal infrastructure providers are threat actors who use tools to infect an organization's computer system and then sell the compromised infrastructure to an outside organization, which exploits the system. Typically, victims of criminal infrastructure providers are unaware that their system has been infected.[2] Big game hunters are another sub-group of cyber criminals; they aim to attack a single, high-value target. Big game hunters spend extra time learning about their target, including its system architecture and the other technologies it uses. Victims can be targeted by email, by phone, or through social engineering.[2]

Nation-state actors

Nation-state threat actors aim to gain intelligence of national interest. Nation-state actors can be interested in a number of sectors, including nuclear, financial, and technology information.[2] There are two ways nations use nation-state actors. First, some nations make use of their own governmental intelligence agencies. Second, some nations work with organizations that specialize in cyber crime. States that use outside groups can be tracked; however, states might not take accountability for acts conducted by the outside group. Nation-state actors can attack both other nations and outside organizations, including private companies and non-governmental organizations. They typically aim to bolster their nation-state's counterintelligence strategy.[2] Nation-state attacks can include strategic sabotage and attacks on critical infrastructure. Nation states are considered a very large group of threat actors in the cyber realm.[5]

Ideologues (hacktivists and terrorists)

Threat actors that are considered ideologues include two groups of attackers: hacktivists and terrorists. These two groups can be grouped together because they are similar in goals. However, hacktivists and terrorists differ in how they commit cyber crimes.

Hacktivism is a term that was coined in the early days of the World Wide Web. It is derived from a combination of two words: hacking and activism.[2] Hacktivists typically are individuals or entities that are ready to commit cyber crimes to further their own beliefs and ideologies.[3] Many hacktivists are anti-capitalist or anti-corporate idealists, and their attacks are inspired by related political and social issues.[2] Terrorism includes individuals or groups of people that aim to cause terror to achieve their goals. The main difference between hacktivists and terrorists is their end goal: hacktivists are willing to break security laws to spread their message, while terrorists aim to cause terror to achieve their goals. Ideologues, unlike other types of threat actors, are typically not motivated by financial incentives.[2]

Thrill seekers and trolls

A thrill seeker is a threat actor that attacks a system for the sole purpose of experimentation.[3] Thrill seekers are interested in learning more about how computer systems and networks operate and want to see how much data they can reach within a computer system. While they do not aim to cause major damage, they can cause problems for an organization's systems. Over time, thrill seekers have evolved into modern trolls. Similar to thrill seekers, a troll is a person or group that attacks a system for recreation. However, unlike thrill seekers, trolls aim to cause malice.[2] Modern-day trolls can spread misinformation and cause harm.

Insiders and competitors

An insider threat actor is either an insider who sells network information to other adversaries or a disgruntled employee who retaliates because they feel they have been treated unfairly.[3] Insider attacks can be challenging to prevent; however, with a structured logging and analysis plan in place, insider threat actors can be detected after a successful attack. Business competitors are another threat actor that can harm organizations. Competitors can gain access to organization secrets that are normally kept secure. Organizations can protect themselves against competitor threat actors by building stronger business intelligence.[3]
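
The "structured logging and analysis plan" mentioned above can be made concrete with a small after-the-fact check over access logs. The following is an added example, not code from the article or from any of the organizations it cites; the log lines, the pipe-separated field layout (timestamp|user|action|resource|records) and the thresholds are all constructed assumptions chosen to show the idea.

```python
# Added example (not from the article): a minimal structured-logging check that
# flags insider-style behaviour after the fact. The log lines and the field
# layout (timestamp|user|action|resource|records) are constructed assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample: bob pulls two large exports late at night from
# two different departments; carol has a single late-night read.
SAMPLE_LOG = """\
2024-03-04T09:12:10|alice|READ|crm/customers|40
2024-03-04T09:40:02|alice|READ|crm/customers|35
2024-03-04T23:05:44|bob|EXPORT|crm/customers|12000
2024-03-04T23:07:19|bob|EXPORT|hr/salaries|900
2024-03-05T02:30:00|carol|READ|eng/designs|5
2024-03-05T10:15:00|carol|READ|crm/customers|20
2024-03-05T11:00:00|bob|READ|crm/customers|30
"""


def parse_log(text):
    """Turn pipe-separated log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, records = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "records": int(records),
        })
    return events


def find_suspicious_users(events, export_threshold=1000, off_hours=(22, 6)):
    """Return {user: [reasons]} for users whose aggregate behaviour crosses
    simple thresholds: bulk exports, repeated off-hours activity, and
    off-hours access that spans more than one department."""
    night_start, night_end = off_hours
    stats = defaultdict(lambda: {"exported": 0, "off_hours": 0, "departments": set()})
    for e in events:
        s = stats[e["user"]]
        s["departments"].add(e["resource"].split("/")[0])
        if e["action"] == "EXPORT":
            s["exported"] += e["records"]
        hour = e["ts"].hour
        if hour >= night_start or hour < night_end:
            s["off_hours"] += 1

    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["exported"] >= export_threshold:
            reasons.append(f"bulk export of {s['exported']} records")
        if s["off_hours"] >= 2:
            reasons.append(f"{s['off_hours']} off-hours events")
        if s["off_hours"] and len(s["departments"]) >= 2:
            reasons.append("off-hours access spanning multiple departments")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in find_suspicious_users(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

Run as a script it reports bob on all three rules and carol on the weakest one only; alice is not flagged. In practice the thresholds would be derived from each user's own baseline rather than fixed constants, and the logs would need to be shipped to a store the insider cannot edit for the analysis to be trustworthy.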

Organizations that identify threat actors

Government organizations

United States (US) - National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) is a government agency that works on issues dealing with cyber security at the national level. NIST has written reports on cyber security guidelines, including guidelines on conducting risk assessments.[6] NIST typically classifies cyber threat actors as national governments, terrorists, organized crime groups, hacktivists, and hackers.[7]

European Union (EU) - The European Union Agency for Cybersecurity (ENISA)

The European Union Agency for Cybersecurity (ENISA) is a European Union agency tasked with developing cyber security capabilities. ENISA provides both research and assistance to information security experts within the EU.[8] The organization published a cyber threat report up until 2019. The goal of this report is to identify incidents that have been published and attribute those attacks to the most likely threat actor. The latest report identifies nation-states, cyber criminals, hacktivists, cyber terrorists, and thrill seekers.[3][8]

United Nations (UN)

The United Nations General Assembly (UNGA) has also been working to bring awareness to issues in cyber security. The UNGA issued a report in 2019 regarding developments in the field of information and telecommunications in the context of international security.[3][9] This report identifies the following threat actors: nation-states, cyber criminals, hacktivists, terrorist groups, thrill seekers, and insiders.[3][9]

Canada - Canadian Centre for Cyber Security (CCCS)

Canada defines threat actors as states, groups, or individuals who aim to cause harm by exploiting a vulnerability with malicious intent. A threat actor must be trying to gain access to information systems to access or alter data, devices, systems, or networks.[10]

Japan - National Center of Incident Readiness and Strategy (NISC)

The Japanese government's National Center of Incident Readiness and Strategy (NISC) was established in 2015 to create a "free, fair and secure cyberspace" in Japan.[11] The NISC published a cybersecurity strategy in 2018 that identifies nation-states and cybercrime as among the key threats.[12] It also indicates that terrorist use of cyberspace needs to be monitored and understood.[12]

Russia - Security Council of the Russian Federation

The Security Council of the Russian Federation published its cyber security strategy doctrine in 2016.[13] This doctrine highlights the following threat actors as risks to cyber security: nation-state actors, cyber criminals, and terrorists.[3][13]

Non-Government Organizations

CrowdStrike

CrowdStrike is a cybersecurity technology and antivirus company that publishes an annual threat report. Its 2021 Global Threat Report identifies nation-states and cybercriminals as two major threats to cyber security.[14]

FireEye

FireEye is a cybersecurity firm involved in detecting and preventing cyber attacks. It publishes an annual report on detected threat trends, containing results from its customers' sensor systems.[15] Its threat report lists state-sponsored actors, cyber criminals, and insiders as current threats.[15]

McAfee

McAfee is an American global computer security software company. The company publishes a quarterly threat report that identifies key issues in cybersecurity.[16] The October 2021 threat report identifies cybercriminals as one of the biggest threats in the field.[16]

Verizon

Verizon is an American multinational telecommunications company that has produced a threat report based on past customer incidents. It asks the following question when defining threat actors: "Who is behind the event? This could be the external 'bad guy' who launches a phishing campaign or an employee who leaves sensitive documents in their seat back pocket."[17] The report identifies nation-state actors and cybercriminals as two types of threat actors.[17]

Techniques

Phishing

Phishing is one method threat actors use to obtain sensitive data, including usernames, passwords, credit card information, and social security numbers. Phishing attacks typically occur when a threat actor sends a message designed to trick the victim into either revealing sensitive information to the threat actor or deploying malicious software on the victim's system.[18]

Cross-Site Scripting

Cross-site scripting is a type of security vulnerability that arises when a threat actor injects a client-side script into an otherwise safe and trusted web application.[19] The injected script then runs in the victim's browser, which allows the threat actor to access sensitive data.[20]
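
The following added example (not code from the article) shows the defect and its fix side by side: a comment rendered by a template that concatenates untrusted input, and the same comment rendered with output encoding for the HTML text context. The comment string and the `render_comment_*` helpers are constructed for the example.

```python
# Added example (not from the article): the same user-supplied comment rendered
# by a vulnerable template and by a hardened one that encodes output for the
# HTML text context. The comment payload is a constructed, harmless test string.
import html

MALICIOUS_COMMENT = '<script>alert("xss")</script> nice post'


def render_comment_unsafe(comment):
    """Vulnerable: untrusted input is concatenated straight into the page,
    so markup inside the comment becomes markup in the page."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment):
    """Hardened: escape <, >, &, and quotes so the browser treats the comment as
    text rather than as tags or attributes."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def contains_active_markup(fragment):
    """Crude detector used here only to show the difference between the renderers:
    true when the fragment still carries a script tag or an inline event handler."""
    lowered = fragment.lower()
    return "<script" in lowered or "onerror=" in lowered or "onload=" in lowered


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(MALICIOUS_COMMENT))
    print("safe:  ", render_comment_safe(MALICIOUS_COMMENT))
```

`html.escape` is correct only for the HTML text (and quoted attribute) context; data placed inside a `<script>` block, a URL, or a CSS value needs an encoder for that context, and a templating engine that auto-escapes by default avoids having to remember this on every line. A `Content-Security-Policy` header that disallows inline scripts is a useful second layer in case one output path is missed.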

SQL Injections

SQL injection is a code injection technique used by threat actors to attack data-driven applications. Threat actors inject malicious SQL statements into queries, which allows them to extract, alter, or delete a victim's information.[20]
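
As an added illustration (not code from the article), the lookup below is written twice against an in-memory SQLite table: once by pasting the caller's string into the SQL text, and once with a bound parameter. The table, its three rows and the probe string are constructed for the example.

```python
# Added example (not from the article): a lookup written two ways against an
# in-memory SQLite table. The table, rows and input strings are constructed.
import sqlite3


def make_db():
    """Create a throwaway users table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's string becomes part of the SQL text, so a
    quote character in the input changes the structure of the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value travels separately from the SQL text; the driver
    binds it as data, so it can never be parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # classic tautology probe, constructed for the demo
    print("vulnerable:    ", lookup_vulnerable(db, probe))      # leaks every row
    print("parameterized: ", lookup_parameterized(db, probe))   # returns nothing
```

The parameterized form returns an empty list for the probe because the whole string is compared against the `username` column as a literal value. Parameterization fixes the query-structure problem; the database account the application uses should additionally be limited to the statements it needs, so that even an injection elsewhere cannot alter or delete rows.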

Denial of Service Attacks

A denial-of-service attack (DoS attack) is a cyber-attack in which a threat actor seeks to make a resource unavailable to its victims by temporarily or indefinitely disrupting the services of a network host. Threat actors conduct a DoS attack by overwhelming a network with bogus requests to disrupt operations.[20]
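
One common mitigation for the request floods described above is a per-client rate limit. The following added example (not code from the article) implements a sliding-window limiter and replays a constructed stream of `(timestamp, client)` pairs through it instead of live traffic; the client addresses are placeholders from the RFC 5737 documentation ranges, and the budget of ten requests per second is an arbitrary assumption.

```python
# Added example (not from the article): a per-client sliding-window rate
# limiter driven by a constructed stream of (timestamp, client) pairs.
# Client addresses are RFC 5737 documentation-range placeholders.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client within any `window_seconds` span.
    `clock` is injected so the behaviour can be replayed deterministically."""

    def __init__(self, max_requests, window_seconds, clock):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.history = defaultdict(deque)   # client -> timestamps of accepted requests

    def allow(self, client):
        now = self.clock()
        accepted = self.history[client]
        # Drop accepted timestamps that have aged out of the window.
        while accepted and now - accepted[0] >= self.window:
            accepted.popleft()
        if len(accepted) >= self.max_requests:
            return False              # client is over budget: reject
        accepted.append(now)
        return True


def simulate(requests, max_requests=10, window_seconds=1.0):
    """Replay (timestamp, client) pairs in time order and count the outcome
    per client. Returns {client: {"allowed": n, "blocked": m}}."""
    now = [0.0]
    limiter = SlidingWindowLimiter(max_requests, window_seconds, clock=lambda: now[0])
    outcome = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, client in sorted(requests):
        now[0] = ts
        outcome[client]["allowed" if limiter.allow(client) else "blocked"] += 1
    return dict(outcome)


# Constructed traffic: one client fires 100 requests in a tenth of a second,
# then returns once after the window has slid; another client behaves normally.
FLOOD = [(0.001 * i, "203.0.113.5") for i in range(100)] + [(1.5, "203.0.113.5")]
NORMAL = [(0.2 * i, "198.51.100.7") for i in range(5)]

if __name__ == "__main__":
    print(simulate(FLOOD + NORMAL))
```

The flooding client gets its first ten requests through, is rejected for the next ninety, and is admitted again once the window has moved past the burst; the well-behaved client is never blocked. A limiter like this belongs at the edge (reverse proxy or CDN) and protects application capacity; a volumetric flood that saturates the network link has to be absorbed upstream, since rejecting requests after they arrive does not free the bandwidth they consumed.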

from Grokipedia
A threat actor, also known as a malicious actor or cyber threat actor, is the source of risk capable of causing harmful impact to systems, typically through intentional exploitation of vulnerabilities in digital environments. These entities encompass individuals, organized groups, or state-sponsored operations that demonstrate the capability and intent to execute cyber intrusions, data theft, or disruption, distinguishing them from accidental or environmental threats. Threat actors vary widely in sophistication, resources, and motivations, ranging from financially driven cybercriminals who deploy for to nation-state actors conducting for geopolitical advantage. Nation-state groups, often attributed to specific governments, prioritize stealth and persistence, maintaining prolonged access to networks for intelligence collection, as evidenced by advanced persistent threats (APTs) that evade detection for months or years. In contrast, opportunistic cybercriminals leverage commodity tools like kits for rapid financial gains, contributing to the majority of reported breaches targeting enterprises. Insider threats, involving personnel with legitimate access, pose unique risks through witting or unwitting facilitation of external attacks, underscoring the need for behavioral monitoring alongside technical defenses. The identification and attribution of threat actors rely on indicators such as tactics, techniques, and procedures (TTPs), though challenges persist due to tactics like proxy usage and false flags, complicating defensive responses. High-profile incidents, including compromises and targeting, highlight their evolving capabilities, driven by accessible tools and state investments in offensive cyber operations. Effective mitigation demands layered strategies, including threat intelligence sharing and zero-trust architectures, to counter actors' adaptive methods amid rising global cyber conflicts.

Definition and Characteristics

Core Definition

A threat actor in cybersecurity refers to an , group, or that intentionally engages in activities designed to compromise the security of computer systems, networks, or data, thereby posing a to , , or . This encompasses actions such as unauthorized access, , disruption of services, or deployment of , with the actor serving as the originating source of the threat rather than the or exploited. Unlike passive risks like software flaws, threat actors exhibit agency and motivation, often leveraging technical sophistication, social engineering, or insider knowledge to achieve objectives ranging from financial gain to geopolitical influence. The concept emphasizes attribution challenges, as actors frequently employ techniques—such as proxy servers, false flags, or code similarities—to mask their identity and complicate forensic analysis by defenders. Empirical data from incident reports indicate that threat actors vary widely in capability; for instance, advanced persistent threats (APTs) linked to state actors demonstrate sustained campaigns lasting months or years, as evidenced by operations like APT28's intrusions documented in U.S. government assessments from 2014 onward. Core to threat actor analysis is distinguishing intent from capability, where verifiable indicators like tactics, techniques, and procedures (TTPs) enable partial profiling, though complete attribution remains probabilistic due to adversarial adaptations.

Key Attributes and Distinctions

Threat actors are characterized primarily by their malicious intent to exploit vulnerabilities in digital systems, networks, or data for objectives such as , financial gain, disruption, or ideological advancement, distinguishing them from non-adversarial risks like accidental misconfigurations or hardware failures. This intent drives targeted actions, often involving , initial access, and lateral movement, as opposed to random system glitches or benign testing. A core attribute is persistence and adaptability, where actors maintain prolonged access—sometimes spanning months or years—while evolving tactics, techniques, and procedures (TTPs) to evade detection, such as shifting from to supply-chain compromises. Capabilities vary widely: low-sophistication actors rely on commoditized tools like ransomware-as-a-service, whereas advanced persistent threats (APTs) deploy zero-day exploits and custom , reflecting resource disparities between individuals and organized groups. Distinctions from broader threat landscapes include attribution difficulties, as actors frequently use proxies, anonymization tools like VPNs or Tor, and false flags to mask origins, complicating forensic analysis compared to identifiable physical threats. Unlike passive vulnerabilities, threat actors actively probe and iterate, prioritizing high-value targets like over opportunistic scans. They are also differentiated by motivational opacity, where surface-level actions (e.g., ) may conceal deeper aims, such as state-sponsored intelligence gathering, requiring multi-source intelligence for accurate profiling.

Historical Evolution

Early Origins and Pre-Digital Threats

The concept of threat actors predates digital technologies, originating in ancient practices of and conducted by states, rivals, and individuals to gain strategic advantages. In ancient , Sun Tzu's , composed around the 5th century BCE, dedicated a chapter to the use of spies, classifying them into five types—local, inward, converted, doomed, and surviving—and emphasizing their role in foreknowledge and deception to forestall battles. Egyptian pharaohs employed spies circa 1000 BCE to gather intelligence on neighboring powers like and , utilizing methods such as codes and poisons to support conquests. In , the stratagem around 1200 BCE exemplified deceptive infiltration as a form of against fortified targets. Roman intelligence networks similarly warned of his assassination plot in 44 BCE through infiltration, though the intelligence was disregarded, highlighting early attribution challenges. During the and , threat actors evolved into organized networks blending with . The deployed spies and saboteurs during the starting in 1095 CE to undermine Muslim control in the , combining intelligence gathering with targeted disruptions. In Elizabethan by the late 1500s, the court's —comprising linguists and scholars—thwarted plots and contributed to the defeat of the in 1588 through counter-, demonstrating state-sponsored actors' focus on protecting sovereignty via . These pre-modern actors operated without technological aids, relying on personal infiltration, , and physical theft, which mirrored later digital tactics like unauthorized access and . In the industrial era, economic threat actors emerged through cross-border targeting proprietary technologies, acting as precursors to modern corporate and state-sponsored theft. , a British mechanic, memorized Richard Arkwright's designs and emigrated to the in 1789, establishing the first successful cotton-spinning mill in and accelerating American industrialization. 
Similarly, toured British factories around 1812, committing mechanisms to memory before partnering to build an integrated mill in , by 1814, which bypassed Britain's export restrictions on machinery. These individuals, often recruited by host nations like the U.S. to counter British dominance, exemplified non-state or quasi-state actors motivated by economic gain, using analog methods such as visual memorization and defection to transfer secrets, much as contemporary threat actors exploit insiders for competitive edges.

Rise of Networked and Organized Actors (1980s-2000s)

During the 1980s, the expansion of into the broader facilitated the first instances of networked propagation, transitioning threat from isolated experiments to entities leveraging connectivity for wider impact. The Brain virus, released in January 1986 by brothers Basit and Amjad Farooq Alvi in , marked the earliest known PC virus, infecting floppy disks to overwrite boot sectors and display a message promoting their ; it spread via shared media but demonstrated rudimentary networking potential through international dissemination. The , deployed on November 2, 1988, by , exploited Unix vulnerabilities to self-replicate across approximately 6,000 machines—roughly 10% of the at the time—causing widespread slowdowns and estimated damages of $10-100 million, underscoring how individual could harness networks for unintended scale without formal organization. These events, while primarily lone efforts, laid groundwork for collaboration via systems (BBS), where hackers shared code and techniques, fostering proto-networks. Into the 1990s, threat actors began forming loose affiliations through underground forums and early online communities, enabling coordinated distribution of viruses and trojans amid rising adoption. The AIDS Trojan, distributed in December 1990 via floppy disks mailed to WHO conference attendees, encrypted files and demanded $189 , representing an early pivot toward financial , though executed by a single Chilean programmer, Joseph Popp. By mid-decade, macro viruses like (1995) exploited , infecting millions of documents globally and highlighting script-based attacks' ease of networked spread. Organized elements emerged in incidents like (1998), where unidentified actors—later attributed to Russian intelligence—probed U.S. Department of Defense networks, stealing terabytes of data over months, signaling state-backed persistence beyond individual capabilities. 
High-profile breaches at entities like and further illustrated growing actor coordination, often via shared exploits traded in nascent precursors. The 2000s witnessed a marked shift to structured syndicates, driven by profit motives and the internet's commercialization, with Eastern European groups professionalizing operations through malware-as-a-service models and botnets. The worm, launched on May 4, 2000, by Filipino students Reonel Ramones and Onel de Guzman, propagated via email attachments to infect 50 million systems worldwide, causing $5.5-10 billion in damages by overwriting files and enabling password theft. This era saw the rise of financially oriented networks, such as those behind the Zeus trojan (first detected 2007), which facilitated credential harvesting from millions of users, enabling exceeding $100 million before its disruption in 2010 by U.S. authorities. Botnets like (2007) mobilized hundreds of thousands of compromised machines for spam and DDoS attacks, operated by transnational syndicates that commoditized hacking tools, marking a departure from hobbyist threats to industrialized ecosystems. These developments reflected causal incentives: low via shared infrastructure combined with high rewards from scalable attacks, propelling disorganized hackers toward syndicate-like structures resilient to individual arrests.

Modern Sophistication and State Dominance (2010s-2025)

During the , threat actors exhibited marked increases in technical sophistication, transitioning from opportunistic exploits to advanced persistent threats (APTs) that utilized custom zero-day vulnerabilities, modular frameworks, and living-off-the-land techniques to evade detection and achieve prolonged network dwell times averaging months to years. State-sponsored entities, benefiting from dedicated resources and national R&D investments, pioneered these methods, outpacing non-state actors in scale and persistence; for instance, APT groups linked to , , and executed operations involving compromises and lateral movement across global enterprises. This era saw APT campaigns evolve from to disruptive effects, as evidenced by in 2010, a worm deploying four zero-days to physically sabotage Iranian nuclear centrifuges, attributed to U.S. and Israeli based on and operational signatures. State dominance became pronounced, with nation-states conducting over 77% of tracked cyber operations since 2005, primarily espionage and sabotage against rivals' infrastructure and elections. Russian military intelligence (GRU's APT28, aka Fancy Bear) exemplified this through the 2016 Democratic National Committee breach, using spear-phishing and implant deployment to influence U.S. elections, followed by NotPetya in 2017—a wiper malware disguised as ransomware that caused $10 billion in global damages, targeting Ukrainian systems but propagating worldwide via Ukrainian accounting software. Chinese PLA-linked groups, such as APT41, blended espionage with financial crime, compromising U.S. Office of Personnel Management in 2015 to steal 21.5 million security clearance records, while North Korea's Lazarus Group orchestrated the 2014 Sony Pictures attack—leaking terabytes of data and deploying destructive wipers—and WannaCry in 2017, exploiting an NSA-leaked vulnerability to encrypt systems across 150 countries, affecting 200,000 victims. 
By the 2020s, state actors further refined tactics, incorporating cloud-native tools and AI-assisted reconnaissance, with supply chain attacks surging; Russia's SVR (APT29, ) compromised Orion software in 2020, enabling on nine U.S. federal agencies and 18,000 organizations via tampered updates. Chinese operations escalated, including the 2021 Exchange hacks exploiting zero-days for mass implantation and Salt Typhoon's 2024 breach of U.S. telecoms, extracting data from eight providers. North Korean actors persisted with crypto heists, stealing $1.5 billion in from ByBit in early 2025 via wallet exploits, while Russian groups like Sandworm intensified , launching 4,315 attacks on Ukrainian in January 2025 alone. These developments underscored states' resource advantages, enabling sustained campaigns amid rising non-state imitation, though attributions rely on indicators like tooling reuse and infrastructure overlaps, often contested by targets.

Classification by Motivation and Capability

Nation-State Sponsored Actors

Nation-state sponsored actors, often classified as advanced persistent threats (APTs), are cyber operations units funded and directed by governments to achieve geopolitical, military, or economic objectives, such as intelligence collection, of adversaries, or influence operations. Unlike financially motivated cybercriminals, who prioritize rapid monetary extraction through or data sales, these actors demonstrate high resource levels, custom development, exploitation of zero-day vulnerabilities, and sustained network dwelling times measured in months or years to maintain covert access. Their activities emphasize strategic patience and targeted selection of high-value victims, including defense contractors, diplomatic entities, and , over opportunistic hits. Primary motivations include to steal proprietary or policy insights, disruption of enemy capabilities during conflicts, and economic , as evidenced by campaigns prepositioning for wartime activation. Attributions to specific states rely on indicators like code similarities to prior operations, infrastructure overlaps, and intelligence correlations, though Western agencies such as those in the U.S. and allies predominate in public disclosures, potentially reflecting access asymmetries rather than exhaustive global coverage. Notable actors include Russia's APT28 (, linked to Unit 26165), which conducted spear-phishing and implants against U.S. political targets in 2016, compromising emails for election influence; and APT29 (, SVR-affiliated), responsible for the 2020 affecting 18,000 organizations via trojanized software updates for . China-associated groups like APT1 (Comment Crew, PLA Unit 61398) have exfiltrated intellectual property from aerospace and tech firms since at least 2006, targeting over 140 organizations globally. 
North Korea's Lazarus Group, tied to the Reconnaissance General Bureau, blends espionage with funding operations, as in the 2014 Sony Pictures destructive wiper attack retaliating against a film portrayal of Kim Jong-un, and the February 2025 theft of $1.5 billion in Ethereum from ByBit exchange via vulnerability exploitation. Iran's APT33 (Elfin), linked to the Ministry of Intelligence, focuses on aviation and energy sectors, deploying wiper malware against Saudi petrochemical plants in 2012 and espionage tools against U.S. allies. Recent escalations highlight hybrid tactics: In November 2024, China's Salt Typhoon infiltrated U.S. telecoms, stealing call records of political figures for ; Russia's Sandworm disrupted Ukrainian energy grids with 4,315 incidents in 2024 alone; and Iran's campaigns targeted Iraqi government systems in March 2025 using custom backdoors. These actors leverage state impunity for deniability, employing proxies or commercial tools to obscure origins, though overlaps with criminal enterprises—such as North Korea's cyber revenue generation funding weapons programs—blur lines without altering core state-directed intent. Capabilities often exceed private threats, incorporating satellite communications, AI-driven evasion, and integration with kinetic military actions, as in Russia's 2022 cyber prelude.

Financially Motivated Cybercriminals

Financially motivated cybercriminals constitute a class of threat actors whose primary objective is monetary profit, often operating through structured enterprises that resemble illicit businesses rather than ideological or geopolitical entities. These actors deploy , campaigns, and schemes to extract payments, typically in , from victims ranging from individuals to large corporations. Unlike nation-state actors focused on or disruption, their activities prioritize efficiency in monetization, with groups frequently employing Ransomware-as-a-Service (RaaS) models where developers lease tools to affiliates for a share of proceeds. Key tactics include initial access via stolen credentials, emails, and exploitation of unpatched vulnerabilities, followed by and for . In 2024, and spoofing emerged as the most reported cybercrimes by volume, according to FBI , enabling financially driven actors to deploy info-stealers and payloads. Groups like Cl0p and Akira have specialized in exploiting zero-day vulnerabilities in software such as and Citrix, demanding ransoms exceeding millions per incident. often extends beyond , involving threats to leak stolen on sites, amplifying pressure on victims to pay. Prominent ransomware operations in 2024-2025 include LockBit, which maintained dominance through rapid and RaaS evolution despite disruptions; RansomHub, which surged in activity targeting industrial sectors; and emerging groups like and Akira, responsible for high-profile breaches. These entities have demonstrated business-like resilience, with some reinvesting ransoms into tooling and affiliates, leading to a proliferation of subgroups—11 net new variants appeared in Q2 2025 alone. The economic toll underscores their impact: global damages reached projections of $10.5 trillion annually by 2025, with comprising a significant portion through payments and recovery costs. 
reported a 35.82% year-over-year decrease in payments in 2024 due to victim reluctance and actions, yet total illicit crypto activity tied to persisted at elevated levels, funding further operations. Financial institutions faced heightened targeting, with 65% of organizations reporting attempts in 2024, often via AI-obfuscated or . Attribution remains feasible through code signatures and tracing but is complicated by tool-sharing across groups and occasional false flags mimicking state actors.

Ideological Actors Including Hacktivists

Ideological threat actors are individuals or groups driven primarily by political, social, religious, or ethical convictions who conduct cyber operations to propagate their beliefs, protest perceived injustices, or coerce policy changes. Unlike financially motivated cybercriminals, these actors prioritize symbolic disruption over monetary gain, often publicizing their actions to amplify messaging and recruit sympathizers. Hacktivists, a prominent subset, merge hacking techniques with activism, targeting symbols of opposition such as websites, corporations, or media outlets. Their operations typically involve lower technical sophistication than those of nation-state actors, relying on readily available tools for distributed denial-of-service (DDoS) attacks, website defacements, and data leaks, though their capabilities have evolved with access to commoditized tooling.

The Anonymous collective exemplifies early hacktivist activity. It originated on online forums around 2006 and gained prominence through Operation Chanology in January 2008, which launched DDoS attacks and defacements against sites to protest censorship and expose internal documents. In December 2010, Anonymous executed Operation Payback, disrupting payment processors such as Visa via DDoS for blockading donations, demonstrating coordination across loosely affiliated participants to challenge corporate and governmental power structures. These actions, while disruptive, often caused limited long-term damage but achieved widespread media attention, underscoring hacktivists' focus on visibility over destruction. Attribution relied on public manifestos and leaked chat logs, though the collective's decentralized nature complicated precise identification.

Contemporary ideological actors frequently align with geopolitical conflicts. One pro-Russian group formed in January 2022 amid the Russia-Ukraine war conducted DDoS campaigns against NATO-supporting entities, including U.S. airports and government sites in October 2022 and healthcare infrastructure thereafter. Similarly, a pro-Palestinian group active since at least 2023 and linked to Iranian interests has targeted Israeli organizations, leaking data on thousands of soldiers in July 2025 and claiming breaches of a satellite operator in September 2025. These operations exploit ideological sympathies for recruitment, often via Telegram channels, and extend to industrial control systems in critical sectors. Tactics among ideological actors have shifted toward ransomware deployment for amplified impact, with at least eight groups adopting it in early 2025 not solely for profit but to enforce ideological demands through prolonged outages and data exposure. This convergence blurs the line with cybercriminals, as actors in pro-Russian or pro-Iranian campaigns leverage ransomware-as-a-service models to apply economic pressure aligned with political goals. This evolution heightens risks to critical sectors, prompting defenses focused on rapid incident response and ideological threat intelligence rather than traditional attribution alone.

Insider Threats and Corporate Competitors

Insider threats encompass individuals with authorized access, such as employees, contractors, or partners, who intentionally or negligently misuse their privileges to exfiltrate data, compromise systems, or enable external attacks, often motivated by financial incentives, grievances, or ideological alignment. These actors exploit the inherent trust within organizations and bypass the perimeter defenses that external threats must overcome, which results in longer dwell times and higher impact per incident. The Ponemon Institute's 2025 Cost of Insider Risks Global Report puts the average annual organizational cost at $15.4 million, covering detection, response, legal fees, and productivity losses, with North American firms facing elevated expenses due to regulatory scrutiny. Between 2018 and 2024, the cost of such incidents rose by over 109%, driven by growing data volumes and hybrid work environments that facilitate remote misuse. Empirical data underscores their prevalence: insider-driven data exposure, loss, or theft events surged 28% from 2023 to 2024, according to aggregated cybersecurity analyses. The Verizon 2025 Data Breach Investigations Report attributes 22% of breaches to stolen credentials, frequently originating from insider compromise or negligence, with human factors implicated in 68% of overall incidents across more than 30,000 analyzed events. Recent cases illustrate the tactics involved: in May 2025, one firm suffered a breach in which overseas support contractors accessed 70,000 user records, including names and transaction histories, before the firm was alerted, prompting a federal investigation into intentional insider abuse. Similarly, a 2023 Tesla incident involved a former employee leaking the personally identifiable information of 75,000 personnel to media outlets, motivated by internal disputes, highlighting grievance as a common vector.

Detection remains difficult because insider activity mimics routine access; effective mitigation demands behavioral monitoring and zero-trust architectures, though adoption lags, with times to resolve incidents declining in 2025 for the first time.

Corporate competitors function as threat actors through economic espionage, deploying insiders or custom intrusions to pilfer trade secrets, R&D data, or market strategies for direct commercial gain, without state-directed imperatives. These operations prioritize stealth to avoid antitrust repercussions, often routing through third-party hires or shell entities to obscure their origins. In high-stakes sectors, rivals target proprietary designs to accelerate product cycles; for instance, in 2023 an Nvidia engineer transmitted proprietary GPU architectural details to competitors, resulting in legal action against the individual, including civil suits under trade secret laws, as the firm alleged intent to undermine its market lead in AI hardware. Such cases echo patterns in semiconductors, where poached executives carry embedded knowledge, though verifiable prosecutions remain rare due to evidentiary hurdles. Attributing actions to specific rivals is arduous, as perpetrators emulate legitimate activity or use deniable proxies, complicating forensic linkage across global supply chains. Unlike ideologically driven activity, corporate espionage yields measurable returns, since stolen designs can shave years off development costs, but underreporting prevails, with firms preferring nondisclosure to public disclosure in order to preserve investor confidence. U.S. Department of Justice data on economic espionage convictions, while dominated by foreign state ties, includes domestic rival disputes, emphasizing the need for controls like access logging and employee vetting to deter the exploitation of disaffected insiders.

Low-Sophistication Actors Such as Thrill-Seekers

Low-sophistication threat actors are individuals with minimal technical proficiency who use pre-existing tools, scripts, and exploit kits to carry out cyberattacks, often without deep understanding of the underlying mechanisms. These actors, frequently labeled script kiddies, are motivated by personal thrill, curiosity, or notoriety rather than strategic objectives such as financial profit or geopolitical influence. Their activities typically involve opportunistic targeting of vulnerable systems and exploitation of publicly known weaknesses rather than discovery of novel vulnerabilities, which distinguishes them from advanced persistent threats. Thrill-seekers within this category derive satisfaction from the challenge and excitement of unauthorized access, treating it as a game or test of prowess, and frequently publicize their exploits on forums or social media to garner peer admiration. Common tactics include deploying denial-of-service tools like the Low Orbit Ion Cannon (LOIC) for DDoS disruptions, automated scanners for data extraction, and website defacement scripts that alter online content for visibility. Such methods rely on downloadable kits or boilerplate code from hacker communities, enabling rapid execution without custom development.

Notable incidents illustrate their potential impact despite rudimentary skills. In the 2015 TalkTalk breach, a 17-year-old in the UK used a publicly available tool to access customer databases, exposing the personal data of approximately 157,000 individuals and resulting in regulatory fines and remediation costs surpassing £42 million for the telecommunications firm. Similarly, the 2016 Mirai botnet, assembled by youthful perpetrators scanning for insecure IoT devices with default credentials, orchestrated DDoS attacks peaking at 1.2 terabits per second, crippling DNS services and intermittently cutting off access to major websites. These cases demonstrate how low-sophistication efforts, amplified by scalable tools, can yield widespread disruption, with attackers often motivated by competitive gaming rivalries or simple vandalism rather than coordinated malice. The proliferation of user-friendly attack frameworks has lowered entry barriers and contributed to a rise in amateur-led incidents; for example, compromises using basic tactics such as exploitation of unpatched industrial systems have increased, requiring no advanced capabilities. While individually less destructive than state-sponsored operations, these actors collectively strain defensive resources, with cybersecurity reports indicating that opportunistic exploits account for a notable fraction of the reported vulnerabilities leading to breaches. Mitigation emphasizes foundational defenses such as patch management and credential hygiene, since thrill-seekers' reliance on known vectors makes them susceptible to proactive security measures.

Attribution Processes and Challenges

Methods of Identifying Threat Actors

Technical indicators of compromise (IOCs), such as IP addresses, domain names, file hashes, and malware signatures, form the foundational evidence for linking cyber intrusions to specific threat actors by clustering related artifacts across incidents. Analysts reverse-engineer malware samples to identify unique code strings, compilation artifacts, or reused modules that match known actor toolsets, enabling probabilistic matches through similarity scoring. Infrastructure analysis examines command-and-control (C2) servers, including registration data, SSL certificates, and hosting patterns, to trace operational overlaps, though proxies and virtual private networks often necessitate cross-referencing with passive DNS records. Behavioral profiling relies on tactics, techniques, and procedures (TTPs) mapped against frameworks like ATT&CK, where actors are distinguished by consistent operational patterns, such as preferred initial access vectors (e.g., spear-phishing with specific lures) or persistence mechanisms (e.g., custom backdoors). Temporary threat-group designations are assigned when clusters of TTPs evolve over at least six months, showing adaptation in tooling while maintaining core behaviors; they progress to named attributions only with high-confidence linkages supported by multiple corroborating indicators. Code-level forensics, including linguistic artifacts such as non-English comments or error messages, further refines attribution by revealing cultural or regional origins, as seen in state-sponsored actors' use of specific programming idioms. Contextual factors provide supplementary evidence; for instance, targeting patterns aligned with geopolitical interests, such as attacks on defense contractors by actors linked to adversarial nations, support strategic attribution when combined with technical data. Temporal analysis of attack timings, which often correlate with actor time zones or national holidays, helps narrow candidates, while shared operational profiles across victims enable activity clustering under designations such as uncategorized clusters (UNCs). Attribution frameworks employ structured scoring of source reliability and information credibility to weigh evidence and assign confidence levels, escalating from tactical (indicator-based) to strategic (identity-linked) claims only with convergent validation.

Limitations Including False Flags and Misattribution Risks

Attributing cyberattacks to specific threat actors faces inherent limitations because the internet's anonymity enables perpetrators to employ proxies, VPNs, and compromised infrastructure to obscure their origins. Technical indicators such as IP addresses and malware signatures are frequently spoofed or rented from third parties, complicating forensic analysis. Tactics, techniques, and procedures (TTPs) overlap significantly across actors, with average similarity scores of 0.21 to 0.37 between distinct groups, rendering high-level indicators insufficient for precise identification. False flags exacerbate these challenges: attackers deliberately plant deceptive artifacts to implicate unrelated entities, aiming to deflect blame or provoke misguided responses. They may embed misleading code strings, use malware variants mimicking known groups, or claim responsibility under false personas, as seen in the 2015 intrusion into a television network, initially portrayed as ISIS-affiliated but later linked to Russian APT28 through analysis of inconsistent claims and reused tools. While low-level artifacts like IPs are easily fabricated (trustworthiness score of roughly 2 out of 5), sustaining false TTPs demands an operational consistency that most attackers fail to maintain, yet even partial deception sows doubt. Misattribution amplifies potential harms, including erroneous retaliation against innocent parties, diplomatic fallout, or escalation to kinetic conflict, as public disclosures often precede full verification. Jurisdictional barriers and fragmented intelligence sharing further hinder accuracy, with rebranded affiliates in ransomware-as-a-service models and state-sponsored proxies blurring the lines between actors. Consequently, many attributions remain probabilistic, resting on contextual correlations rather than irrefutable proof, which underscores the need for multi-source validation to mitigate errors.
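The clustering, similarity scoring, and reliability weighting described in the two sections above, as an added example rather than the article's own method: evidence categories are weighted so that rented or planted infrastructure cannot outweigh consistent TTPs and code artifacts, and a confidence level is assigned only when evidence from several categories converges. The cluster names, artifact values, and weights are constructed; the ATT&CK technique IDs are real identifiers used only as labels.

```python
"""Weighted, multi-category attribution scoring (added example, not from the
article). An incident and each actor profile map an evidence category to the
set of artifacts observed; categories are weighted by how hard they are to
fake, so one shared IP cannot outweigh consistent TTPs and code artifacts.
Every cluster name, artifact value and weight below is constructed."""
# Constructed reliability weights (sum to 1.0): infrastructure is cheap to
# rent or spoof; code artifacts and TTPs require operational consistency.
WEIGHTS = {"ip": 0.10, "domain": 0.10, "hash": 0.20, "code": 0.25, "ttp": 0.35}
LOW_RELIABILITY = {"ip", "domain"}


def jaccard(a, b):
    """Set overlap in [0, 1]; an empty side means no evidence, not a match."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def score_actor(incident, profile):
    """Return (weighted similarity, categories showing any overlap)."""
    total, corroborating = 0.0, set()
    for cat, weight in WEIGHTS.items():
        sim = jaccard(incident.get(cat, set()), profile.get(cat, set()))
        if sim > 0:
            corroborating.add(cat)
        total += weight * sim
    return round(total, 4), corroborating


def attribute(incident, profiles):
    """Rank candidates and assign a confidence level: 'high' needs convergent
    evidence from at least two hard-to-fake categories plus a clear margin
    over the runner-up; candidates whose only overlap is infrastructure are
    listed as possible false flags rather than counted as matches."""
    ranked = sorted(((score_actor(incident, p), name)
                     for name, p in profiles.items()),
                    key=lambda r: r[0][0], reverse=True)
    (best_score, cats), best = ranked[0]
    runner_up = ranked[1][0][0] if len(ranked) > 1 else 0.0
    robust = cats - LOW_RELIABILITY
    if best_score >= 0.5 and len(robust) >= 2 and runner_up < best_score / 2:
        confidence = "high"
    elif best_score >= 0.25 and robust:
        confidence = "medium"
    else:
        confidence = "low"
    infra_only = [n for (_, c), n in ranked if c and c <= LOW_RELIABILITY]
    return {"actor": best, "confidence": confidence, "score": best_score,
            "categories": sorted(cats), "infrastructure_only": infra_only}


# Constructed profiles for two fictional activity clusters.
PROFILES = {
    "CLUSTER-A": {"ip": {"203.0.113.10"},
                  "domain": {"cdn-sync.example", "update-check.example"},
                  "hash": {"hash-a1", "hash-a2"}, "code": {"mutex:Global\\aq1", "pdb:agent"},
                  "ttp": {"T1566.001", "T1053.005", "T1003.001", "T1021.001", "T1071.004"}},
    "CLUSTER-B": {"ip": {"198.51.100.7"}, "domain": {"mail-relay.example"},
                  "hash": {"hash-b1"}, "code": {"str:planted"},
                  "ttp": {"T1190", "T1505.003", "T1048.003"}},
}
# Constructed incident: TTPs, a code artifact and a hash match CLUSTER-A, but
# the C2 address is one previously tied to CLUSTER-B (rented or planted).
INCIDENT = {"ip": {"198.51.100.7"}, "domain": {"cdn-sync.example"},
            "hash": {"hash-a2", "hash-x9"}, "code": {"mutex:Global\\aq1"},
            "ttp": {"T1566.001", "T1053.005", "T1003.001", "T1021.001"}}

if __name__ == "__main__":
    print(attribute(INCIDENT, PROFILES))
```

Run as-is, the incident is attributed to CLUSTER-A with high confidence while CLUSTER-B is reported only as an infrastructure-only overlap, which is the false-flag signal an analyst would want surfaced rather than hidden in an aggregate score.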

Organizations Tracking Threat Actors

Government and Intelligence Agencies

The United States Intelligence Community, coordinated by the Office of the Director of National Intelligence (DNI), annually assesses cyber threats from state and non-state actors, detailing their capabilities, intentions, and activities in reports such as the 2025 Annual Threat Assessment. The National Security Agency (NSA) plays a central role in tracking advanced persistent threats (APTs), particularly nation-state actors, by analyzing signals intelligence and collaborating on attributions; for instance, in August 2025 the NSA issued joint guidance with allies on countering China-sponsored actors targeting critical infrastructure sectors such as communications and energy. The Federal Bureau of Investigation (FBI) leads domestic cyber investigations, sharing threat intelligence with partners like the NSA to disrupt actor operations, including ransomware groups and foreign intelligence services. The Cybersecurity and Infrastructure Security Agency (CISA) focuses on nation-state cyber actors, issuing advisories on their tactics and partnering with infrastructure owners to mitigate risks from groups such as those linked to Russia and Iran. In the United Kingdom, the National Cyber Security Centre (NCSC), operating under the Government Communications Headquarters (GCHQ), monitors and reports on evolving cyber threats, including surges in incident volume and state-sponsored intrusions, as detailed in its 2025 Annual Review, which highlighted a growing disparity between threat sophistication and national defenses. The NCSC conducts proactive threat hunting and issues sector-specific guidance to attribute and counter actors exploiting vulnerabilities in supply chains and critical systems. International cooperation amplifies tracking efforts through alliances such as the Five Eyes (comprising the United States, the United Kingdom, Canada, Australia, and New Zealand), which share intelligence on nation-state threats to enable joint attributions and defenses; in October 2024 the alliance launched a campaign advising tech startups on mitigating risks from such actors. These agencies often collaborate via joint advisories, such as the June 2025 statement by CISA, the FBI, the NSA, and international partners on potential targeted cyber activity.

Private Sector Firms and Non-Governmental Entities

Private sector cybersecurity firms play a significant role in tracking and attributing threat actors by leveraging proprietary data from incident response, endpoint detection, and global sensor networks. These companies conduct forensic investigations, reverse-engineer malware, and analyze command-and-control infrastructure to link attacks to specific groups, often publishing detailed reports that inform both commercial clients and broader industry defenses. For instance, one intelligence firm acquired by Google Cloud maintains intelligence on over 390 active threat actors and provides tools for organizations to assess targeting by region and industry based on observed tactics. Similarly, CrowdStrike's threat intelligence offers adversary profiles detailing active threat actors, their tools, and the vulnerabilities they exploit, enabling proactive hunting and response. Recorded Future delivers real-time threat intelligence through its platform, including actor-specific profiles and taxonomies for advanced persistent threats, cybercriminals, and hacktivists, derived from online monitoring, code analysis, and geopolitical signals. Other vendors track dozens of threat groups, assigning unique designators and documenting their evolution, such as shifts in Iranian-linked operations. These firms often collaborate to standardize attribution; in June 2025, two major vendors initiated a joint effort to map aliases for over 80 threat actors across vendors, reducing confusion in naming conventions and accelerating incident response.

Non-governmental entities, primarily non-profits, complement private efforts by fostering threat intelligence sharing and community-driven analysis without direct commercial incentives. The Cyber Threat Alliance (CTA), a 501(c)(6) organization founded in 2014, coordinates automated data exchange among member firms to disrupt threat actors through collective indicators of compromise and campaign insights, enhancing the security of the global ecosystem. The Center for Internet Security (CIS), a nonprofit established in 2000, aggregates threat data from a global IT community to produce actionable intelligence, benchmarks, and controls that help organizations identify and mitigate actor-driven risks across sectors. Such entities prioritize transparency and collaboration, often feeding into public-private partnerships while avoiding state affiliations that could compromise neutrality in attribution.

Techniques and Tactical Evolution

Core Tactics, Techniques, and Procedures

Threat actors systematically apply tactics, techniques, and procedures (TTPs) to infiltrate, persist within, and extract value from target networks, with the ATT&CK framework providing a comprehensive model based on observed adversary behaviors across thousands of incidents. The framework organizes TTPs into 14 enterprise tactics representing stages of the attack lifecycle, from pre-compromise planning to post-exploitation impact, enabling defenders to map and mitigate common patterns regardless of an actor's sophistication or motivation. While specific techniques vary, such as spear-phishing for initial access or living-off-the-land binaries for execution, the core tactics remain consistent, emphasizing stealth, adaptability, and resource efficiency to evade detection.

Reconnaissance involves active and passive information gathering to identify vulnerabilities, network perimeters, and potential entry points, often using search engines for internet-exposed assets or social engineering to profile personnel; this phase minimizes risk by avoiding direct interaction until exploitable weaknesses are confirmed. Initial access typically exploits human or technical flaws, with phishing emails delivering malicious attachments or links accounting for over 80% of breaches in analyzed datasets, alongside unpatched software vulnerabilities such as those in public-facing applications. Execution follows, where actors run code on victim systems via command-line interfaces, scripts, or loaders, preferring native OS tools to blend in with legitimate activity and reduce their forensic footprint. Subsequent tactics focus on entrenchment and expansion: persistence establishes backdoors through scheduled tasks, registry modifications, or compromised accounts to survive reboots and patches, and privilege escalation leverages kernel exploits or misconfigurations to gain administrative rights, as seen in 2023 incidents exploiting CVE-2023-23397 for elevation via Outlook. Defense evasion employs techniques such as process hollowing or disabling security software to mask operations, while credential access harvests password hashes and authentication tickets or deploys keyloggers to impersonate users. Discovery, lateral movement, and collection enable mapping and traversal: actors enumerate domains, shares, and endpoints using tools like BloodHound, then pivot via RDP, SMB, or Pass-the-Hash techniques, aggregating data in staging areas for later exfiltration. Command and control maintains communication through DNS tunneling, HTTPS beacons, or covert channels to receive directives, with exfiltration compressing and encrypting data over protocols such as DNS or cloud storage services to avoid volume-based detection. Finally, impact delivers the objective via ransomware encryption, data destruction, or resource hijacking, as in wiper malware campaigns that have rendered systems inoperable in under 24 hours. These TTPs are not actor-specific but form a modular playbook adaptable to context, with empirical data from incident reports showing recurring precursors in 90% of operations tracked since 2015.
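The tactic stages above, turned into detection logic as an added example that is not from the article or from the ATT&CK project: constructed host telemetry lines are mapped to enterprise tactics, and an alert fires only when a single host shows progression across several stages, since one scheduled task or one remote logon is routine but the sequence is not. Rule patterns, hostnames, and log lines are all constructed and deliberately simplified.

```python
"""Kill-chain progression detector (added example, not from the article).
Maps constructed host telemetry lines onto ATT&CK enterprise tactics and
alerts only when one host shows several distinct lifecycle stages, since a
single scheduled task or RDP logon is routine but the sequence is not.
Log lines and rule patterns are constructed and deliberately simplified."""
import re
from collections import defaultdict

# Subset of the 14 enterprise tactics, in lifecycle order.
TACTIC_ORDER = ["initial-access", "execution", "persistence",
                "privilege-escalation", "defense-evasion", "credential-access",
                "discovery", "lateral-movement", "command-and-control",
                "exfiltration", "impact"]

# Constructed rules: (tactic, pattern over the event text). First match wins.
RULES = [
    ("execution", re.compile(r"powershell\.exe .*-enc ", re.I)),
    ("persistence", re.compile(r"schtasks\.exe /create", re.I)),
    ("defense-evasion", re.compile(r"DisableRealtimeMonitoring", re.I)),
    ("credential-access", re.compile(r"handle to lsass\.exe", re.I)),
    ("discovery", re.compile(r"SharpHound|net\.exe group /domain", re.I)),
    ("lateral-movement", re.compile(r"logon type 10 from", re.I)),
    ("command-and-control", re.compile(r"DNS TXT query .* len=\d{3,}", re.I)),
]
# Constructed line format: "<ISO timestamp> <host> <event text>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.+)$")


def classify(line):
    """Return (host, tactic) for a line matching a rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for tactic, pattern in RULES:
        if pattern.search(m["msg"]):
            return m["host"], tactic
    return None


def detect_chains(lines, min_stages=3):
    """Map {host: tactics in lifecycle order} for hosts whose events span
    at least min_stages distinct tactics; quieter hosts are omitted."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            host, tactic = hit
            seen[host].add(tactic)
    return {host: sorted(tactics, key=TACTIC_ORDER.index)
            for host, tactics in seen.items() if len(tactics) >= min_stages}


# Constructed telemetry: WS-17 shows a progression, WS-03 only routine admin.
SAMPLE_LOGS = [
    "2025-03-02T09:14:05Z WS-17 Process created: powershell.exe -nop -w hidden -enc <omitted>",
    "2025-03-02T09:14:09Z WS-17 Process created: schtasks.exe /create /tn Updater /sc minute",
    "2025-03-02T09:20:41Z WS-17 Sysmon: rundll32.exe opened handle to lsass.exe (0x1010)",
    "2025-03-02T09:22:13Z WS-03 Process created: schtasks.exe /create /tn Backup /sc daily",
    "2025-03-02T09:31:58Z FS-01 Security 4624: logon type 10 from 10.0.0.17 user svc-backup",
    "2025-03-02T09:33:02Z WS-17 Security 4624: logon type 10 from 10.0.0.40 user jdoe",
    "2025-03-02T09:35:10Z WS-17 DNS TXT query for x1.tunnel.example len=412",
    "2025-03-02T09:36:00Z WS-03 Process created: chrome.exe --profile-directory=Default",
]

if __name__ == "__main__":
    for host, chain in detect_chains(SAMPLE_LOGS).items():
        print(host, " -> ".join(chain))
```

With the sample telemetry only WS-17 is reported, spanning execution through command and control, while the lone scheduled task on WS-03 and the single remote logon on FS-01 stay below the threshold.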

Recent Adaptations and Emerging Methods

Threat actors have increasingly adopted malware-free techniques, leveraging legitimate tools and living-off-the-land methods to evade detection, as reflected in a 75% rise in cloud intrusions reported for 2023 and continuing into subsequent years. This shift emphasizes stealth over traditional malware deployment, with adversaries prioritizing persistence in cloud environments through misconfigurations and credential abuse. Integration of artificial intelligence has emerged as a key adaptation, enabling automated code generation for malware and enhanced phishing campaigns. For instance, the FunkSec group used generative AI for malware development, contributing to a 60% surge in attacks in the first half of 2025, while APT35 employed AI-driven spear-phishing with 2FA bypass mechanisms targeting specific sectors. Similarly, threat actors have used large language models to craft high-volume, convincing phishing emails, with over 12.6 million malicious instances detected from January to May 2025, 32% of them featuring elevated text complexity indicative of AI assistance. Ransomware-as-a-service operators have refined their tactics for speed and scalability, achieving record eCrime breakout times of 2 minutes and 7 seconds in analyzed incidents. Groups such as RansomHub and Akira have adopted cartel-like models and targeted SaaS accounts, with Akira executing 72 attacks in January 2025 alone, often combining encrypted payloads with social engineering. Social engineering variants, such as ClickFix tactics that use fake CAPTCHAs to deliver malware, resurged in March and April 2025 across the government and healthcare sectors. Exploitation of vulnerabilities has intensified, with software defects serving as the initial access vector in one-third of attacks investigated in 2024. Three of the four most exploited flaws that year were zero-day vulnerabilities in security devices, underscoring attackers' focus on compromising defensive tools themselves. Nation-state actors, including Chinese groups like Salt Typhoon, have adapted by prioritizing infrastructure compromises, as seen in U.S. telecom breaches in 2025. Financially motivated actors now make up 55% of tracked groups, reflecting a broader pivot toward extortion-driven operations.
