Understanding who's who in the cyber zoo...

Published: Tuesday, 09 November 2021 09:38

Cyber security risks keep changing and developing. Who do you really need to be concerned about? Pascal Geenens, director of threat intelligence at Radware, provides a helpful summary of who’s who in the cyber threat landscape.

As 2021 moves towards a close, malicious actors show no signs of abating when it comes to unleashing crippling cyber attacks. This underlines why company boards have a responsibility to stay abreast of the threats and understand the motivations, tactics, techniques, and procedures being used. In doing so they can formulate a focused strategy that takes into account their geography and sector so that the company’s most valuable assets are protected.

Threat actors, which can be a person, group, or organization with malicious intent, can be broadly classified into five groups: nation state or state sponsored, organized crime, hacktivists, hackers, and disgruntled insiders and customers. There can be some overlap between groups, either because of shared tactics or because one group will masquerade as another to cover its tracks; this is a common tactic among nation state groups.

Nation states

Nation state actors, which could have close links to military or state intelligence services, are some of the most notorious in terms of the vast scale of their operations and their ability to influence, disrupt, or politically or economically compromise another nation. Their primary aim is to run missions without being identified, and it can therefore be very hard to attribute attacks to any single nation state.

Nation states use technology as a lever of war, where cyber espionage is the high-tech version of a cold-war craft. It is used, for example, to infiltrate leading research facilities, with no concept of borders or regulation. The USA, UK, Russia, Iran, China, and North Korea are the leading nations in terms of capabilities, with Russia edging ahead on most nations’ risk charts because of its propensity to go after critical infrastructure and to use tactics that influence the behaviour of groups of people, such as voters.

This is in contrast to North Korea, whose Bureau 121 has operations very much geared to state-sponsored espionage and financially motivated attacks. Espionage is also high on the agenda in China, and in Iran, where practices are centered on targeting dissidents using contractors hired to work on behalf of the Islamic Republic of Iran’s Ministry of Intelligence and Security (MOIS) or the Islamic Revolutionary Guard Corps (IRGC).

The US, however, is home to the most advanced and sophisticated nation state actors in the world. Some groups are involved in gathering intel, whilst others were created for defensive purposes but are increasingly involved in the targeting of critical infrastructure and in political interference. The UK plays a similar role, harnessing diverse talent from around the world to conduct information warfare.

While it’s important to understand this global context, most companies will not encounter nation state attacks directly unless they are linked to government or financing. That said, they may feel the knock-on effects as the tactics used permeate into the consciousness of organized crime groups. As more people and devices become connected, it becomes easier for criminals to turn to digital methods and exploit the innovations in attack methods.

Organized crime

The cornerstone for many organized groups is ‘cybercrime-as-a-service’, in which criminals develop advanced tools and services that are sold or rented to other cybercriminals. There are four types of services: bulletproof hosting, crimeware-as-a-service, hacking-as-a-service, and DDoS-as-a-service.

Bulletproof hosting is a form of infrastructure as a service, which includes virtual private servers, domain hosting, and web hosting. Bulletproof hosts turn a blind eye to the activity their services are used for, of which illegal gambling, spamming, and pornography are typical examples. The platforms are often used to launch cyber attacks or to serve as command and control services for botnets.

Hacking-as-a-service effectively turns hacking skills into a commodity. Hackers for hire will offer to hack into just about anything, such as social media accounts, education systems to manipulate grades, or bank accounts to change balances. But they can do more serious harm with malware and distributed denial-of-service (DDoS) attacks.

That said, DDoS-as-a-service, also known as ‘booter’ or ‘stresser’ services, has its own industry. Operators of the service provide professionally designed portals that allow anyone to perform an attack with just a few clicks. Prices range from as little as $9.99 per month for an unlimited number of 5-minute attacks at low volume, through to thousands of dollars for unlimited attack time at high volume. In 2017, two young Israelis were caught having earned over $600,000 this way. Their service supported around 150,000 attacks in little more than two years.

Crimeware-as-a-service uses a similar business model, whereby people can rent or buy a ransomware package or a zero-day attack to cause havoc by gaining remote access, running reconnaissance, and stealing sensitive data. Trickbot and Emotet are two very well-known malware platforms offered to malware operators through a paid subscription.

Cybercrime doesn’t stop there. Many criminals run their own extortion operations using ransomware and ransom denial-of-service tactics. Ransomware-as-a-Service (RaaS) has evolved towards a ‘profit-sharing’ approach in which operators pay the affiliates a cut of 30 percent, 40 percent or even 80 percent, depending on the service and the ransom paid.

Other threat actors specialise in financial organized crime, using tactics to infiltrate organizations and scam them out of substantial sums of money through hard-to-detect stings. A Toyota subsidiary famously lost $37 million after employees were duped by criminals posing as a business partner of Toyota Boshoku.


Hackers

This term generally describes someone who is well versed in computer technology and electronics. The two types to be most aware of are black hat and grey hat hackers. But not all hackers are malicious: white hat hackers use hacking for ethical reasons and will publish findings on vulnerabilities so companies can address them.

Black hat hackers will use hacking for criminal activities and have no moral or ethical boundaries. They will access, modify, steal or destroy data and degrade services, and will happily use published findings from white hat hackers for their own gain.

Grey hat hackers operate slightly differently. They might violate the law but aren’t operating maliciously. They seek to identify exploits and vulnerabilities in network systems, with or without permission, and will try to get paid for pointing out and fixing the problem. Respectfully dealing with them is generally the best approach.


Hacktivists

Hacktivists are driven by ideology. While generally considered low-risk threats compared to the types described above, they have what is known as a ‘hive’ mindset: they can very quickly galvanise others to join a cause in reaction to an incident and amplify activity to overwhelm a target. With names like #OpOlympicHacking, #OpKillingBay, #OpISIS, and #OpParis, hacktivists draw attention and a following around the world for a wide variety of causes.

Disgruntled insiders

While hacktivists have a united cause, disgruntled insiders usually operate alone and act on emotion caused by something that has happened directly to them. With access already available to them, an employee who believes they are the victim of malpractice might intentionally sabotage operations, expose secrets, or attempt theft or fraud. It’s difficult to mitigate this threat, but it does need to be taken seriously and everyone needs to be able to spot the warning signs. It’s not unthinkable for one person to bring an entire company down, either operationally or reputationally.

Why does this matter?

Every company will have a different risk profile related to the sector it operates in, the size of the company, the geographic and sociological environment, the products offered, and the customers targeted. The threat can change quickly based on social and geopolitical tensions, so it’s important to keep on top of the latest developments and reappraise the level of exposure the company has. In doing so, it’s a little easier to determine the best strategy for detecting unusual behaviour and dealing with it, and for ensuring the right blend of cyber-skills and technology is in place.