# Threat actors and motivations
Who attacks systems, what they want, and why attribution and capability matter for defence.
## Why classify attackers at all
Defences cost money. Knowing who is likely to attack you, and how skilled and funded they are, tells you where to spend. A village bakery does not need defences against state intelligence services; a defence contractor absolutely does. This is the starting point of threat modelling.
Actors are usually compared along four axes: capability (skill and tooling), resources (money, people, time), intent (what they want) and access (outsider, or already inside?).
## The main categories
Cybercriminals are financially motivated, ranging from lone operators to organised groups run like businesses, complete with HR departments and customer support for their ransomware victims. They are responsible for most of the attacks most organisations will ever see: ransomware, business email compromise, card fraud, credential theft. The rise of ransomware-as-a-service (RaaS) means low-skill affiliates can rent capable tooling and split the profits with its developers.
Nation-state actors / APTs are funded by governments, pursuing espionage, sabotage, or strategic advantage. The term APT (advanced persistent threat) captures their style: not necessarily flashy, but patient, with months or years of quiet access. Well-known examples: Stuxnet (sabotage of Iranian centrifuges), the SolarWinds supply chain compromise (espionage). High capability, high resources, very specific targeting.
Hacktivists are ideologically motivated: website defacement, DDoS, leaking documents to embarrass a target. Capability varies wildly; the intent is publicity and disruption rather than profit.
Insider threats are people who already have legitimate access: employees, contractors, ex-staff whose accounts were never disabled. Split them into malicious insiders (disgruntled, bribed, or planted) and unintentional insiders (the far more common case: someone who clicks a phishing link or emails a spreadsheet to the wrong address). Insiders bypass perimeter defences entirely, which is why least privilege and offboarding processes matter so much.
Script kiddies are low-skill attackers running tools they didn't write and often don't understand. Individually weak, but numerous. Automated scanning means every internet-facing system gets probed by them constantly, and an unpatched, internet-facing service will be found within hours, not months.
Competitors / corporate espionage: rarer, but real in industries where designs and bids are valuable.
## Hat colours
Old terminology, still everywhere:
- White hat: authorised testing, with permission and scope agreed in writing (penetration testers, bug bounty hunters acting within a programme).
- Black hat: unauthorised, malicious.
- Grey hat: unauthorised but claiming good intent, e.g. scanning systems uninvited and then reporting the holes. Still illegal in most jurisdictions, including under the UK Computer Misuse Act: lack of malice is not a defence to unauthorised access.
Remember: authorisation is what separates a penetration test from a crime. The paperwork (a signed scope and rules of engagement) is the white hat's most important tool.
## Motivation drives behaviour
You can often work backwards from what an attacker does to what they want:
| Motivation | Typical behaviour | Typical actor |
|---|---|---|
| Money | Ransomware, BEC fraud, selling data or access | Cybercriminals |
| Espionage | Long-term quiet access, exfiltration | Nation states |
| Ideology | Defacement, leaks, DDoS | Hacktivists |
| Revenge | Data destruction, sabotage from inside | Malicious insiders |
| Curiosity / status | Opportunistic compromise, bragging | Script kiddies |
This matters defensively. A money-motivated actor leaves when you stop being cheap to attack, so raising attacker cost works. An espionage actor targeting you specifically will keep trying, so detection and response matter as much as prevention.
## Initial access brokers and the criminal economy
Modern cybercrime is specialised. One group phishes credentials and sells them; an initial access broker sells footholds into corporate networks; a ransomware crew buys access and monetises it; money mules launder the proceeds. Understanding this supply chain explains otherwise odd behaviour, like why a compromise might sit dormant for weeks before ransomware suddenly detonates: the access changed hands.
## Quick recall
- Compare actors by capability, resources, intent and access.
- Cybercriminals (money) cause most incidents; APTs (states, espionage) are the most capable; insiders bypass the perimeter; script kiddies supply constant background noise.
- Unintentional insiders outnumber malicious ones.
- White/grey/black hat = authorised / unauthorised-but-"well-meaning" / malicious. Authorisation in writing is the dividing line.
- Cybercrime is an economy with specialised roles; access is bought and sold.