What do you mean by “Threat Actor”?

7 January 2024 - Articles

Habitually in our articles we use the term “Threat Actors” where you might expect us to use a term like “attacker” or “cybercriminal”. So why do we do that? In short, we find that threat actor is a more accurate term where something like “cybercriminal” may, in some cases, be overly specific.

You see, there are a whole bunch of different individuals and groups out there which may cause damage to an organisation that the term “cybercriminal” might not cover. So, who might target your organisation?

On one extreme end of the spectrum we have nation-state attackers; however, this category can be further broken down, and in some cases the distinctions are important. For example, consider groups such as the Office of Tailored Access Operations (TAO), now known as Computer Network Operations. This group is part of the United States National Security Agency and performs actions such as cyber-espionage and intelligence-gathering. It’s reported that TAO gained access to the public mail server used by the former Mexican President Felipe Calderon as part of Operation Flatliquid.

Whilst the exploits of TAO are certainly interesting, it’s not accurate to refer to them as “cybercriminals”, and these are the actions of military and government personnel – so “Threat Actor” is a better term here. It encompasses the fact that organisations may wish to prevent their access, without the inaccuracy of the term “criminal” in this context.

There are also two more groups that fit within the “Nation-state” cluster, but in distinct ways – and sometimes such distinctions are important. These are not military or government employees but are supported in some way by the nation-state. For example, if the threat group receives funding from the nation-state, or something else of monetary value such as technical capability, we could use the term “state-sponsored” to distinguish these groups.

State-sponsored attackers may or may not be cybercriminals, or it might be that they are considered criminal in the jurisdiction that they are targeting, but not in the jurisdiction that they are attacking from – so the term cybercriminal might not be a good fit or might require additional context.

These are distinct, however, from groups who are not financially supported (or supported through other means such as capability) but are simply allowed to continue functioning without intervention from local law enforcement. For example, there could be an agreement that the threat group will be left alone as long as they only target foreign organisations or foreign nationals. We could distinguish these groups as “State-condoned”.

Additionally, we have threat actors such as “hacktivists” that use computer hacking capabilities for the purposes of activism, to drive political or social change. Now, whilst their activities may be against the letter of the law, some people are morally against criminalising activism, seeing their activities as closer to a form of protest than a criminal action and feeling that it is an important part of a healthy society. That’s a controversial stance, but to use the term “cybercriminal” here, or even “attacker”, may miss this important nuance or drive the discussion away from the political or social aspects of these activities. Again, many organisations would still like to prevent their access, and so the term Threat Actor still fits.

There are also unintentional insider threats to consider, and these can be broad. We might not like to attribute the term “cybercriminal” to an employee who makes a mistake and so causes damage or disruption to organisational systems – but they’re still a threat and we might still want to prevent ‘Tom’ in Operations from accidentally emailing confidential documents to the wrong person. Damnit Tom, you dumb threat actor!

Perhaps an employee does something to your systems that you dislike – they exceed their authority in some way, something that you want to stop them doing – but perhaps it doesn’t rise to anywhere near the level of criminality. For example, installing video games, or bypassing a corporate proxy to access social media.

Finally, we’ve got teenagers with too much time on their hands. They might not have the financial resources of a state-sponsored threat group – but time itself is a resource. Whilst some of these groups are very disruptive and definitely rise to the level of criminality, some of them might be more appropriately handled via the Police’s “Cyber Choices” programme. It is designed to help young people use their cyber skills in a legal way, and some of them might just need a kick in the right direction.

It is important to balance this with the need to be clearly understood though. For example, if using the pedantically correct term would reduce your audience’s ability to understand your message, or would take the focus away from what you are trying to convey – then it’s fine to use “cyberattacker” or even just “bad person from the internet” instead. If you’re trying to be technically accurate though, threat actor or threat group might be the best term to use.

Quite often, terms like “Cybercriminal” or even “cyberattacker” are either not appropriate, not accurate, or lack important nuance. But whether it’s state-sponsored, state-condoned, a member of organised crime, a politically motivated hacktivist, or just a bored nerd messing with things they shouldn’t – they’re all threat actors.
