
Cybersecurity Spotlight – Cyber Threat Actors

What it is:

A Cyber Threat Actor (CTA) is a participant (person or group) in an action or process that is characterized by malice or hostile action (intending harm) using computers, devices, systems, or networks. CTAs are classified into one of five groups based on their motivations and affiliations:

  • Cybercriminals are largely profit-driven and represent a long-term, global, and common threat. They target data to sell, hold for ransom, or otherwise exploit for monetary gain. Cybercriminals may work individually or in groups to achieve their purposes.
  • Insiders are current or former employees, contractors, or other partners who have access to an organization's networks, systems, or data. Malicious insiders intentionally exceed or misuse their access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information or information systems. This differs from unwitting insiders who unintentionally cause damage to their organization's information systems through their actions, such as clicking on malicious links in a phishing email.
    • Motivation: Financial gain or to seek revenge
    • Affiliation: Current or former employee, contractor, or other partner who has authorized access.
    • Common TTPs: data exfiltration or privilege misuse
  • Nation-State actors aggressively target and gain persistent access to public and private sector networks to compromise, steal, change, or destroy information. They may be part of a state apparatus or receive direction, funding, or technical assistance from a nation-state. Nation-state has been used interchangeably with Advanced Persistent Threat (APT); however, APT refers to a type of activity conducted by a range of actor types.
    • Motivation: Espionage, political, economic, or military
    • Affiliation: Nation-states or organizations with nation-state ties
    • Common TTPs: Spear-phishing password attacks, social engineering, direct compromise, data exfiltration, remote access trojans, and destructive malware.
  • Hacktivists (a.k.a. Ideologically-Motivated Criminal Hackers) are politically, socially, or ideologically motivated and target victims for publicity or to effect change, which can result in high profile operations.
  • Terrorist Organizations are designated by the U.S. Department of State. Their limited offensive cyber activity is typically disruptive or harassing in nature. Terrorist organizations primarily use the internet for communications and recruitment.
    • Motivation: Political or ideological; possibly for financial gain, espionage, or as propaganda
    • Affiliation: Individuals, organizations, or nation-states
    • Common TTPs: Defacements and claimed leaks

Why does it matter:

CTAs differ in terms of their knowledge, skills, abilities, motivations, and resources. These characteristics help to determine who CTAs will target, which data or assets are valuable to them, and how they will carry out their attacks. For instance, cybercriminals opportunistically target any entities that can generate monetary gain. Therefore, any organization with valuable or sensitive data could be a target. In a similar fashion, insiders are a threat to any organization since they already have some level of access to the information systems. Conversely, nation-state actors conduct more targeted operations against organizations they want to exploit for espionage purposes or to gain leverage over.

What you can do:

A CTA's motivation or intent should also be balanced against their capability to conduct malicious activity. While a cybercriminal might have the capability to target an election office’s website, they may lack the intent because they cannot monetize the impact. Meanwhile, a hacktivist may have the intent to target an election office over their choice of voting machine and subsequently deface the election office’s website to disrupt operations and cause reputational harm. Understanding each actor in this context will allow election offices to develop a more focused cybersecurity plan.

Addressing CTA threats is not hard, as many of the available best practice guides and frameworks, like the CIS Handbook for Election Infrastructure Security and CISA’s Best Practices for Securing Election Systems, are developed with CTA motivations and tactics in mind. Since most CTAs are opportunistic in nature and look for the easiest way into a network, a defense-in-depth strategy that relies on good cyber hygiene and best practices will allow election offices to address threats from a range of CTAs. A few good examples include:

  • Cybercriminals target data they can sell, so it is important to properly encrypt critical data, rendering it unusable to unauthorized users. Properly encrypted data will also help to defend against hacktivists targeting data for doxing purposes.
  • Cybercriminals use ransomware to generate revenue, so election offices should maintain regular, offline backups and have an incident response plan ready. Maintaining and testing offline backups can similarly mitigate the impact of a CTA using destructive malware on an entity’s data.
  • To combat insider threats, election offices can use the principle of least privilege to restrict access to data to only those employees with a defined business need. The principle of least privilege will also limit what access a cybercriminal or nation-state has if they compromise an employee’s user account.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact elections@cisecurity.org.