Who are attackers in cyber security?

Cyber security threats can come from a wide range of sources known as “attackers”. Understanding who these attackers are and what motivates them is crucial for organizations looking to defend their systems and data.

Types of Cyber Attackers

There are many different categories of cyber attackers, but most can be grouped into the following:

  • Nation-state actors – Sophisticated attackers affiliated with or directed by foreign governments looking to spy on or disrupt their adversaries. Examples include groups linked to China, Russia, North Korea, and Iran.
  • Cyber criminals – Individuals or groups motivated by financial gain. This includes hackers stealing data to sell on the dark web, extortionists using ransomware, and thieves looking to steal money or identities.
  • Hacktivists – “Hackers with a cause”, aim to publicize a political or social message, such as the Anonymous collective.
  • Insiders – Trusted employees, contractors or business partners who abuse access to an organization’s network to steal data, sabotage systems or otherwise damage the organization.
  • Script kiddies – Unskilled individuals who use simple off-the-shelf hacking tools without fully understanding how they work. Often they hack for fun or to show off.
  • Competitors – Companies looking to unlawfully access trade secrets, intellectual property or insider information from business rivals.

Motivations of Cyber Attackers

The incentives driving these malicious actors can include:

  • Espionage – Stealing sensitive data for strategic advantage such as trade secrets, intellectual property, security information, military intelligence or insider personal information.
  • Financial gain – Profiting financially by selling stolen data on the dark web, ransoming seized systems and data via ransomware, or directly stealing money from compromised bank accounts.
  • Hacktivism – Using unauthorized access to computer systems to promote an activist agenda or political message.
  • Cyber warfare – Nation-states developing capabilities to disable critical infrastructure, disseminate propaganda, and otherwise disrupt their adversaries during times of peace or conflict.
  • Revenge – Disgruntled insiders or others with personal grudges intentionally sabotaging or destroying data and systems.
  • Ego and notoriety – Bragging rights that come with breaking into high-profile networks, defacing websites, or pilfering data from major corporations.

Common Attack Vectors

Cyber criminals have many potential routes or “vectors” to gain access to their target’s environments. Common vectors include:

  • Phishing – Sending fraudulent emails designed to trick users into revealing passwords or other sensitive information, or clicking on a malicious link or file.
  • Social engineering – Manipulating people into providing information or performing actions through deception. For example, posing as an IT helpdesk to gain password access.
  • Application and OS vulnerabilities – Exploiting unpatched flaws in software code, operating systems, browsers and web applications.
  • Third party access – Leveraging supplier, partner or maintenance connections to compromise networks.
  • USB devices – Inserting malware-laden flash drives and other removable media into target computers.
  • Insider access – Drawing on authorized credentials, knowledge and access rights to exfiltrate data or sabotage systems as a rogue employee.

Types of Cyber Attacks

Common cyber attack types include:

  • Malware – Malicious software designed to infect systems and perform unwanted actions. Variants include computer viruses, ransomware, spyware, Trojan horses, worms, and botnets.
  • Phishing – Deceiving users via electronic communications to disclose credentials, transfer money, or click on malicious links. Often uses fake websites mimicking legitimate organizations.
  • Denial of Service (DoS) – Flooding systems with traffic to overwhelm servers and networks, causing them to shut down and denying service to legitimate users.
  • Man in the Middle (MITM) – Intercepting and altering communications between two parties who believe they are communicating directly. Allows attackers to eavesdrop or modify traffic.
  • DNS poisoning – Providing false DNS information to redirect traffic to malicious sites instead of the legitimate requested site.
  • SQL injection – Injecting malicious SQL code into application inputs to access, destroy or exfiltrate data from databases behind applications.
  • Zero-day exploit – Attacks using undisclosed vulnerabilities where the vendor has not yet released a patch.
  • Birthday attack – Targeting mathematical vulnerabilities in cryptographic hash functions to obtain password hashes.
  • Password attack – Cracking password hashes through brute force guessing, dictionary attacks, rainbow tables or other means.
  • Insider attack – Stealing data or sabotaging systems using authorized access to enterprise resources as a rogue employee, contractor, or partner.

Most Common Cyber Threat Actors

Some of the most prolific and dangerous cyber attackers include:

APT Groups

Advanced persistent threat (APT) groups are typically affiliated with nation-states and engage in cyber espionage over long periods against high value targets like governments, corporations, and political dissidents. Well-known groups include:

  • APT1 – Believed to be linked to the Chinese People’s Liberation Army (PLA).
  • APT3 – Also known as Gothic Panda, linked to Chinese Ministry of State Security.
  • APT28 – Russian threat actor targeting governments, militaries, and security organizations.
  • APT29 – Russian cyber espionage group, also known as Cozy Bear.
  • Lazarus Group – North Korean APT responsible for Sony Pictures Hack, WannaCry ransomware and Bangladesh Bank heist.
  • Turla – Sophisticated Russian-based group active since at least 2007.

Notable Criminal Groups

Prominent cyber crime groups motivated by financial gain include:

  • FIN7 – Highly effective organized cybercrime ring focused on stealing payment card data from retailers.
  • Cobalt Group – Financially-driven threat actor targeting banks in Europe and South America.
  • Carbanak Group – Prolific crime gang behind series of attacks on financial institutions.
  • Maze Ransomware – Notorious for targeting large enterprises and public agencies with ransomware and data theft.
  • REvil – Russia-linked ransomware group which extracted $11 million from JBS Meats.
  • Wizard Spider – Sophisticated eCrime group operating the Ryuk and Conti ransomwares.

Notable Individual Threat Actors

A few cyber criminals have earned such prominent reputations that their handles are widely recognized:

  • Guccifer 2.0 – Hacker persona that leaked embarrassing emails stolen from the Democratic National Committee in 2016.
  • Albert Gonzalez – Mastermind behind hacks of TJX, Heartland Payment Systems, and other big box retailers.
  • Kevin Mitnick – Early hacker who cracked systems at Nokia, Motorola, Pacific Bell, and others. Now a security consultant.
  • Marcus Hutchins – Researcher who stopped the WannaCry ransomware outbreak only to later be indicted for separate malware authoring charges.

Defending Against Cyber Threat Actors

Organizations can take the following steps to defend themselves against attackers:

  • Implement security awareness training to human employees to avoid falling victim to social engineering and phishing.
  • Keep all software up-to-date with the latest patches.
  • Utilize anti-virus, anti-malware, and intrusion detection solutions.
  • Use strong encryption protocols for sensitive data.
  • Enforce the principle of least privilege access for users.
  • Employ rigorous access controls like multi-factor authentication.
  • Monitor networks to detect anomalies and suspicious behavior.
  • Test defenses through controlled red team exercises mimicking threats.
  • Develop incident response plans to contain, eradicate and recover from compromises.

Proper cyber security requires understanding likely attackers, their motivations, and their common tactics. Organizations should utilize this knowledge to implement layered defenses thwarting an adversary’s ability to gain a foothold, move laterally, or complete their objectives. With proper precautions, the vast majority of cyber attacks can be detected and defeated before causing major damage.


Attackers in cybersecurity can take many forms, ranging from individual rogue hackers to sophisticated nation-state adversaries. While their motivations vary, most can be grouped into categories like cyber criminals, hacktivists, insiders, and nation-state groups. These attackers attempt to compromise systems through phishing, malware, exploiting vulnerabilities, and abusing trusted access. By understanding the most common cyber threat actors, organizations can implement appropriate defenses to detect and thwart their tactics, techniques and procedures. Ongoing security awareness, system monitoring, access controls, and incident planning are key to protecting sensitive data and infrastructure from those wishing to do harm through cyberspace.