What is a Threat Actor in Cyber Security?

In cyber security, a threat actor refers to an individual, group, or entity that has the capability and the intent to carry out malicious activities against digital assets, information systems, or networks.

Threat actors vary widely in their motivations, resources, and techniques. They include individual hackers, cyber-criminal organisations, nation-states and state-sponsored entities, hacktivists, insiders such as disgruntled employees, and even competing organisations. They launch a variety of cyber-attacks, using different Tactics, Techniques, and Procedures (TTPs), to gain unauthorised access to your digital assets and infrastructure. Which TTPs they use depends on their primary motivation: to monetise the attack through ransomware or other extortion, to disrupt operations or services, to steal or exfiltrate sensitive data, or a combination of these.

Why are TTPs important?

TTPs, or Tactics, Techniques, and Procedures, are the key elements used to describe the behaviour and methods of threat actors during the various stages of a cyber-attack.

1. Tactics

The high-level goals or objectives that threat actors aim to achieve at each stage of an attack, such as gaining initial access, escalating privileges, evading detection, or exfiltrating data. Tactics describe the broader purpose behind the actions observed.

2. Techniques

The specific methods or approaches used by threat actors to accomplish a tactical objective, for example phishing to gain initial access, or abusing built-in system tools to evade detection. Techniques provide more detailed insight into the tools and exploits employed during an attack.

3. Procedures

The step-by-step processes or sequences of actions that threat actors follow to implement their techniques and achieve their tactical goals. Procedures offer a more granular view of the actual execution of an attack, including specific commands, tools, and behaviours.

When faced with a cyber-attack, it is very important to analyse the TTPs used, as this provides insight into the likely identity and motive of the threat actor, which in turn shapes your organisation's response to the specific incident. Bear in mind that TTPs overlap between groups and that tooling is widely shared, so TTP analysis points to likely candidates rather than proving attribution. Knowledge of TTPs also helps with cyber preparedness: it lets your organisation develop and adapt its cyber-defence strategies and improve its overall cybersecurity posture.

What are common cyber security threat actors in Australia?

Although the threat landscape is dynamic, and new threat actors and TTPs continually emerge, we have observed some very specific trends in the threat actors targeting Australia over the past few years.

1. Cybercriminal Organisations

Cybercriminal organisations are criminal groups that seek financial gain through activities such as ransomware attacks, credit card fraud, or identity theft. Several of Australia's high-profile data breaches over the last 18 months have had ransomware or extortion elements and are thought to have been carried out by cyber-criminal organisations based in Russia. With the development of the Ransomware-as-a-Service (RaaS) model, cyber-criminal organisations provide the infrastructure and malware, and affiliates purchase or rent access to it, carry out the intrusions, and share the ransom proceeds with the operators.

This means that threat actors no longer need strong technical skills themselves and can rely on the skills of others. There are also documented examples of Australian crime gangs moving from traditional criminal activities into cybercrime, which has enabled them not only to target Australian organisations and individuals but also to expand offshore.

2. Nation-State Actors

Nation-state actors are governments or government-sponsored entities that engage in cyber espionage, intelligence gathering, or attacks for political or strategic reasons. Australia is thought to face cyber-attacks from Russia, China, North Korea and Iran, and the motivations of each vary:

Russia – following the shooting down of MH17 by Russian-controlled forces, which had 38 Australian citizens and residents on board, and then the outbreak of the war in Ukraine, it is suspected that the Russian government has given Russian-based cyber-criminal organisations a green light to target Australia and cause disruption.
China – has long been accused of intellectual property theft and of using artificial intelligence for hacking and spying against Australia and other Western nations. In May 2023 the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), together with its Five Eyes partners, issued an advisory saying that Volt Typhoon, a state-sponsored actor based in China, was using living-off-the-land techniques: abusing built-in Windows tools to steal information and evade detection by blending in with normal Windows system and network activity. NS Bravo, a suspected Chinese cyber intelligence unit, has allegedly been tasked with using malware to steal strategic data from Australia and other nations.
North Korea – state-sponsored hackers are engaged in both ransomware and data theft. The Lazarus Group, which is thought to be run by the government of North Korea, was behind some of the most infamous global cyber incidents, including the development and spread of the WannaCry ransomware and a cyber heist against a central bank via the SWIFT banking system, amongst many others. The North Korean government is believed to use cyber-crime as one of the ways it boosts its economy.
Iran – threat actors affiliated with the Iranian Revolutionary Guard are reported to have launched targeted cyber-attacks on Australian organisations to gather data for extortion, as well as conducting surveillance on Iranian-Australians who oppose the Iranian regime and have led demonstrations against Iran in Australia.
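Taking the TTP breakdown from the earlier section together with the living-off-the-land pattern described for Volt Typhoon above, the following added example (not from the original article, and not taken from the ACSC advisory) shows how tactic, technique and procedure map onto detection logic that a blue team can run over process-creation telemetry. The procedure signatures, host names, users and events are constructed for illustration: the command-line patterns are generic examples of built-in Windows tools being abused, not the specific commands of any named actor.

```python
"""Map TTPs to detection logic and run it over constructed process-creation events.

Tactic -> technique -> procedure, as the article defines them, with each
procedure expressed as a matchable pattern on a command line. All events
and signatures below are constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Procedure:
    """One observable procedure: a built-in binary plus a command-line pattern."""
    tactic: str          # high-level objective, e.g. "Credential Access"
    technique: str       # method used, e.g. "Living off the land"
    image: str           # executable name (lower-case, no path)
    pattern: re.Pattern  # regex over the full command line
    name: str            # short label for the alert


def p(tactic, technique, image, regex, name):
    return Procedure(tactic, technique, image, re.compile(regex, re.IGNORECASE), name)


# Illustrative procedure signatures (assumed, not taken from any advisory).
PROCEDURES = [
    p("Credential Access", "Living off the land", "ntdsutil.exe",
      r"ac\s+i\s+ntds.*ifm", "NTDS.dit export via ntdsutil"),
    p("Credential Access", "Living off the land", "wmic.exe",
      r"shadowcopy\s+call\s+create", "Volume shadow copy via wmic"),
    p("Command and Control", "Living off the land", "netsh.exe",
      r"interface\s+portproxy\s+add", "Port-forwarding rule via netsh"),
    p("Discovery", "Living off the land", "cmd.exe",
      r"\bnltest\b.*/domain_trusts", "Domain trust enumeration via nltest"),
]


def match_event(event):
    """Return the matching Procedure for one process-creation event, or None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    for proc in PROCEDURES:
        if proc.image == image and proc.pattern.search(event["command_line"]):
            return proc
    return None


def hunt(events):
    """Run every event through the procedure signatures; return a list of alerts."""
    alerts = []
    for ev in events:
        proc = match_event(ev)
        if proc:
            alerts.append({
                "host": ev["host"], "user": ev["user"],
                "tactic": proc.tactic, "technique": proc.technique,
                "procedure": proc.name, "command_line": ev["command_line"],
            })
    return alerts


# Constructed sample events in a Sysmon-like shape (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "command_line": 'ntdsutil "ac i ntds" ifm "create full C:\\temp\\dump" q q'},
    {"host": "ws17", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\netsh.exe",
     "command_line": "netsh interface portproxy add v4tov4 listenport=9999 "
                     "connectaddress=10.0.0.5 connectport=443"},
    {"host": "ws17", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\netsh.exe",
     "command_line": "netsh interface show interface"},   # benign use of the same tool
    {"host": "fs02", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c nltest /domain_trusts /all_trusts"},
    {"host": "ws03", "user": "CORP\\alee",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe C:\\Users\\alee\\notes.txt"},
]


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a['tactic']}] {a['procedure']} on {a['host']} "
              f"by {a['user']}: {a['command_line']}")
```

The point of the structure is that the binary alone is not the signal: the third event uses netsh legitimately and produces no alert, while the second abuses the same tool to set up a port-forwarding rule. In production these signatures need baselining against what administrators genuinely run in your environment, since living-off-the-land activity is designed to look like theirs.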

3. Hacktivists

Hacktivists are individuals or groups with ideological or political motivations who use hacking to express their views or to protest. In March 2023 the Australian fashion industry was targeted after an Australian designer created a dress featuring a phrase in Arabic lettering that was perceived as offensive to Muslims. Pakistani hacktivists, motivated to target countries they believe have offended Islam, launched #OpAustralia, which led to over 200 successful DDoS attacks against Australian websites, including critical infrastructure (hospitals and a port). In another example, a DDoS attack against a number of Australian government agency websites was reported to be retaliation for the Australian government's support for Ukraine's defence against Russia.

4. Insiders

Insiders are employees or other individuals within an organisation who have the access and/or inside knowledge to exploit weaknesses in the organisation's security, systems, services, products, or facilities, and who misuse that access for malicious purposes. Motivations have included revenge by disgruntled employees seeking to cause disruption, theft of IP or commercially sensitive information, and in rare cases extortion or ransomware. Some insiders are also motivated by ideology and act as hacktivists.

5. Advanced Persistent Threats (APT)

Advanced Persistent Threat (APT) actors are sophisticated, well-funded and often state-sponsored attackers who conduct long-term, targeted cyber espionage or data theft campaigns. APTs seek to compromise networks and then move laterally to obtain economic, policy, legal, or defence and security information for strategic advantage. They may also seek to cause disruption or to deliberately destroy data. Whereas cyber-criminals are often opportunistic and move quickly, APT actors are highly targeted and patient; there are documented cases of APT actors conducting detailed reconnaissance of a network over several years. The line between the two categories is blurring: some APT groups have adopted ransomware, while the Optus and Medibank incidents, which involved large-scale data theft and extortion demands, were not attributed to state-sponsored APTs (Medibank was attributed by Australian authorities to a Russia-based criminal group). Threat-hunting capabilities and extended detection and response (XDR) platforms are important tools for preventing, detecting, and responding to APT activity.

Understanding the motivations and TTPs of different threat actors is crucial for developing effective cybersecurity strategies and defences, and for responding efficiently to a significant cyber incident. As TTPs are constantly evolving, this assessment should be repeated periodically.

Contact CyBiz to ensure your organisation is able to prevent, detect and respond to cyber-attacks from different threat actors.