1.5 Threat actors & motivations
📘CompTIA Security+ SY0-701
1️⃣ Nation-State Actors (State-Sponsored Attackers)
Definition:
These are hackers or groups supported, funded, or directed by a government. Their goal is usually to gain intelligence, disrupt critical systems, or achieve political, military, or economic advantage.
Characteristics:
- Highly skilled and well-trained.
- Have access to advanced tools, custom-built malware, and zero-day exploits.
- Often target government networks, defense contractors, telecommunication systems, and critical infrastructure (like energy or water systems).
- They conduct long-term, stealthy attacks (Advanced Persistent Threats – APTs).
Motivation:
- Political or strategic advantage, cyber-espionage, or sabotage.
- May steal classified data, industrial secrets, or disrupt another country’s systems.
Example in IT context:
- A government-backed team launching a cyberattack to steal confidential research data from a defense company’s secure servers.
2️⃣ Unskilled Threat Actors (Script Kiddies)
Definition:
Individuals with little to no technical knowledge who use pre-made tools, scripts, or software created by others to attack systems.
Characteristics:
- Low skill level — they do not create new tools; they just run existing ones.
- Use downloaded malware kits, attack scripts, or scanning tools found online.
- Often experiment or attack for fun or curiosity, not for money or politics.
- Can still cause serious damage if they hit critical systems by accident.
Motivation:
- Fun, curiosity, reputation among peers, or boredom.
Example in IT context:
- Someone downloading a “DDoS attack tool” and using it to flood a company’s website without understanding the real consequences.
3️⃣ Hacktivists
Definition:
Hackers who use cyberattacks to promote a political, social, or ideological cause. The word combines hacker + activist.
Characteristics:
- Typically organized groups or individuals.
- Skill level can vary — some are skilled, others are not.
- Use methods like website defacement, data leaks, or DDoS attacks.
- Goal is to raise awareness, embarrass organizations, or spread their message publicly.
Motivation:
- Political or social causes.
- Protesting against governments, corporations, or certain policies.
Example in IT context:
- A hacktivist group compromises a company’s website and replaces the homepage with messages about social injustice.
4️⃣ Insider Threats
Definition:
Someone inside the organization (like an employee, contractor, or vendor) who intentionally or unintentionally causes harm to the company’s systems, data, or reputation.
Types of insiders:
- Malicious insiders: Intentionally harm the organization (e.g., stealing data, sabotaging systems).
- Negligent insiders: Accidentally cause damage (e.g., falling for phishing, misconfiguring systems).
- Compromised insiders: Have their accounts hacked and used by an external attacker.
Characteristics:
- Already have legitimate access to internal systems.
- Difficult to detect since their actions may appear normal.
- Can exfiltrate sensitive data, install malware, or leak credentials.
Motivation:
- Revenge, greed, ideology, coercion, or simple carelessness.
Example in IT context:
- An employee copying confidential project files to a personal USB drive before leaving the company.
5️⃣ Organized Crime
Definition:
These are professional, well-funded criminal groups that use cyberattacks to make money.
Characteristics:
- Highly structured with defined roles (developers, hackers, money launderers).
- Use ransomware, phishing, credit card fraud, data theft, and extortion.
- Operate globally and sometimes offer cybercrime-as-a-service (e.g., selling malware, access, or botnets).
Motivation:
- Financial gain.
Targets:
- Businesses, financial institutions, and individuals with valuable data or money.
Example in IT context:
- A criminal group encrypting company servers and demanding payment in cryptocurrency to restore access.
6️⃣ Shadow IT
Definition:
Shadow IT refers to unauthorized hardware, software, or cloud services used by employees without the approval of the IT or security department.
Characteristics:
- Common in organizations where employees use personal tools to “get work done faster.”
- Can introduce vulnerabilities since these systems are not monitored or patched by IT.
- Creates data loss, compliance, and security risks.
Motivation:
- Usually not malicious — employees just want convenience or productivity.
- But it can accidentally expose sensitive data or open security holes.
Example in IT context:
- An employee uploads company documents to a personal Google Drive or uses an unauthorized chat app to share client data.
💡 Summary Table
| Threat Actor | Skill Level | Resources | Motivation | Common Targets |
|---|---|---|---|---|
| Nation-State | Very high | Government-level funding | Political, espionage | Government, defense, infrastructure |
| Unskilled (Script Kiddies) | Low | Free/public tools | Fun, curiosity | Random or easy targets |
| Hacktivists | Varies | Moderate | Social/political message | Governments, large corporations |
| Insider | Varies | Internal access | Revenge, mistake, money | Internal systems, data |
| Organized Crime | High | Large financial backing | Profit | Businesses, banks, individuals |
| Shadow IT | Low | Employee-driven | Convenience | Organization data/systems |
✅ Exam Tips:
- Remember nation-state = APT (Advanced Persistent Threat).
- Script kiddie = low skill, using others’ tools.
- Hacktivist = political/social cause.
- Insider = already has access (can be malicious or accidental).
- Organized crime = financially motivated, very structured.
- Shadow IT = not an intentional attack, but a security risk created by unauthorized IT use.
