Cyber Threat Actor Types & Motives
I’m often asked who is behind cyberattacks, and why they attack. It’s not a simple answer, because there’s a wide variety of threat actor types and motives. Organizations differ in how they categorize them, but here are the most common.
Threat Actor Types & Their Motives
Cybercriminals, Organized Crime
Criminals are the most common type of threat actor. They’re generally financially-motivated. They may work alone or in groups. Their cybercrime may be connected to non-digital, “real world” crime.
Hacktivists
Hacktivists (a portmanteau of hack and activists) are ideologically-driven, motivated by political, social, and/or religious causes. Their attacks are to hurt those they oppose, or to spread their beliefs. They often act in groups.
Insiders
Insiders are individuals with access inside organizations. They may be employees or third parties. They may not be malicious, but unintentionally damage their organizations through their errors. Others are malicious, seeking to damage their organizations due to a grudge or for financial gain. They may act alone, or collaborate with others outside the organization.
State-Sponsored, APTs
State-sponsored actors are backed by a government to conduct espionage, sabotage, and other offensive activity. They can be government employees or third-party contractors. They’re politically motivated, working to advance the causes of their state. They’re usually highly-skilled, with ample resources.
Those that are highly skilled and use powerful tools to infiltrate and retain access to networks are known as advanced persistent threats (APTs).
Cyberterrorists
Terrorists operating online are more extreme than hacktivists; they’re willing to do more damage to people and property than hacktivists are. They’re ideologically-driven, motivated by political, social, and/or religious causes. They may also be financially-motivated, to fund their operations. Their attacks are to hurt those they oppose, or to spread their beliefs.
Script Kiddies, Thrill-Seekers
Script kiddies (skiddies) are less skilled and experienced than other threat actors. They often use tools created by others, with limited understanding of how they work, but the saying “knows enough to be dangerous” applies to them. They’re generally seeking thrill or notoriety. They may work alone or in groups.
Threat Actor Types & Motives, Ranked
According to the Verizon 2023 Data Breach Investigations Report (DBIR), these are the threat actor types (Verizon calls them “varieties”) behind 2,489 analyzed breaches.
- Organized crime: ~72%
- Other: ~16%
- End-user: ~10%
- Nation-state or State-affiliated: ~6%
According to the DBIR, these are the motives behind 2,328 analyzed breaches. The DBIR gives a further breakdown of motives by industry.
- Financial: 94.6% of breaches
- Espionage: ~5%
- Ideology: <1%
- Grudge: <1%
- Other: <1%
