Chapter 09 · Part B

Threat Actors & Motivations Core

Who's actually attacking, why, and what that tells you about how to defend. "Hackers" isn't one group: it's six or seven very different kinds of people.
A threat actor is anyone who might attack a system. They differ in motive, skill, and target. Know the main categories: script kiddies (low skill, opportunistic), hacktivists (ideology), cybercriminals (money), insiders (access + grievance), nation-state actors (intelligence, sabotage), and terrorists (disruption, fear). Different actors = different attacks = different defences. A bank worries about cybercriminals; a defence contractor worries about nation-states; every organisation worries about insiders.

9.1 Why "Hacker" Isn't a Useful Word

In the news, "hacker" covers everyone from a bored teenager who found a password list online to a highly-trained intelligence officer operating from a state agency. These are wildly different threats. Lumping them together hides the fact that you defend against different threat actors in very different ways.

Security professionals talk about threat actors, categorised by motive and capability, and then build defences matched to the actors most likely to target them. This is called threat modelling: knowing who would plausibly attack you, what they'd want, and what they'd do.

THE FRAMEWORK: For any organisation, the threat actor question asks: who is likely to target us, and what are they likely to do? A small accounting firm isn't on China's target list. A defence contractor is. A hospital is a target for ransomware crews; so is almost every business. Matching defences to realistic threats is the core of cost-effective security.

9.2 The Main Categories

[Figure: Threat actors plotted by skill and motivation. Horizontal axis: more capable / well-resourced (→); vertical axis: more motivated / persistent (↑). Plotted: script kiddies; hacktivists (ideology); cybercriminals; insiders (access); nation-state APT groups; terrorists (disruption).]
The position of each actor is approximate. Note how "script kiddies" are many but low-impact; "nation-state" are few but extremely capable.

Script kiddies

Who: Usually individuals, often young, with limited technical skill. They use tools, scripts, and exploits written by others without fully understanding them.

Motivation: Curiosity, bragging rights, attention, low-level mischief. Sometimes they're just bored.

Capabilities: Limited to running pre-made tools. They won't find new vulnerabilities but they'll happily exploit known ones.

What they target: Opportunistic - anything exposed, vulnerable, and easy. They'll scan the whole internet for outdated servers and attack whatever responds.

Defence against them: Patch management. Most of their attacks rely on vulnerabilities that have been publicly fixed for months or years. Keep software up to date and most script-kiddie attacks bounce off.

DON'T UNDERESTIMATE THEM: Script kiddies are unsophisticated individually, but there are thousands of them running constant automated scans. Every public-facing server gets probed within minutes of coming online. This is why "I'm too small to be a target" is wrong: you're not targeted personally, but you'll be hit by undirected scans that happen to find you.

Hacktivists

Who: Individuals or loosely-organised groups motivated by political, social, or ideological beliefs.

Motivation: Making a statement. Exposing what they consider injustice. Embarrassing organisations they disagree with. Getting the media to cover their cause.

Capabilities: Varies widely, from defacing websites to sophisticated breaches. Anonymous and LulzSec are the famous examples.

What they target: Organisations whose actions conflict with the hacktivist's ideology: corporations, governments, politicians, religious institutions, specific industries.

Typical attacks: Website defacement, DDoS, leaking internal documents, doxxing executives.

Australian example: In 2023, an activist group claimed responsibility for DDoSing several Australian government websites during a protest over refugee policy. The sites were down for a few hours: no data stolen, no permanent damage, but the disruption was the point. Hacktivist attacks are usually more about visibility than damage. The 2022 Medibank data dumps following the ransom non-payment also had a political edge, partly criminal, partly performative.

Cybercriminals

Who: Organised criminal groups, often operating internationally from jurisdictions where prosecution is unlikely. Some operate like businesses, with divisions, contractors, and support functions.

Motivation: Money. Every decision is driven by return on investment.

Capabilities: Medium to high. The successful groups have developers, operators, negotiators, and money-laundering specialists. They buy and sell tools and access on criminal marketplaces.

What they target: Anyone with money to pay โ€” businesses with weak security, individuals with reusable credentials, banks, healthcare (where downtime is urgent), anywhere with payment data.

Typical attacks: Ransomware, banking trojans, business email compromise (BEC), credential theft, scams, stealing and reselling data.

Ransomware as a service (RaaS) changed the landscape. Core developers build the ransomware; "affiliates" rent it and share profits. A relatively unskilled affiliate can deploy sophisticated ransomware because they're paying specialists for the hard parts. This is why ransomware went from rare to ubiquitous in 5 years: the barrier to entry dropped dramatically.

Medibank (2022): likely the Russian-speaking group BlogXX / REvil affiliates. Once payment was refused, patient records, including sensitive mental-health and termination data, were published to pressure Medibank. Confidentiality was the pillar exploited; the pressure was psychological and reputational rather than technical.

Defence against them: Strong authentication (MFA), good patch management, backups that can't be encrypted by ransomware, endpoint detection, user awareness training. Cybercriminals typically take the path of least resistance: make your organisation harder than the next one and they'll often move on.

Insiders

Who: Current or former employees, contractors, or partners who have legitimate access to the organisation's systems.

Motivation: Varies wildly:

Capabilities: Varies by role, but they already have the access. That's what makes them dangerous: many defences assume the attacker is external.

What they target: Whatever they have access to. A developer with admin rights can do tremendous damage; a receptionist with customer-database access might leak data but can't modify backups.

TRAP: "Insider threats are rare" is wrong. Insider-caused incidents are among the most common sources of breaches, especially when you include negligent insiders. Most breaches don't start with hackers penetrating firewalls; they start with a user clicking something, losing a laptop, or misconfiguring a share. In exam terms: human vulnerability is a consistent attack vector, not a rare edge case.

DEFENCE AGAINST INSIDERS: This is where least privilege (Chapter 8) and monitoring/accounting (Chapter 8, Chapter 15) really earn their keep. If every user has only the access they need, a rogue insider can only damage a limited zone. If accounting logs are reviewed and alerted on, suspicious activity (bulk downloads, after-hours access, unusual file access patterns) gets caught. Separation of duties, requiring two different people to authorise sensitive actions, also helps.
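As an added example (not part of the chapter), here is the kind of accounting-log review described above, run over a handful of constructed access-log lines: it flags after-hours access and per-user bulk downloads. The log format, the business-hours window and the thresholds are assumptions, not values from the chapter.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample accounting-log lines (not real data):
# "timestamp user action object bytes"
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice read /hr/payroll.xlsx 20480
2024-03-04T09:40:00 bob read /sales/q1.pdf 102400
2024-03-04T23:05:00 bob read /hr/payroll.xlsx 20480
2024-03-04T23:06:00 bob read /hr/contracts.zip 524288000
2024-03-04T23:07:00 bob read /hr/salaries.csv 8192
2024-03-05T10:00:00 carol read /sales/q1.pdf 102400
"""

# Assumed policy values: adjust to the organisation's own baseline.
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59 counts as in-hours
BULK_BYTES = 100 * 1024 * 1024    # 100 MiB read by one user in one day
BULK_OBJECTS = 3                  # distinct objects read by one user in one day

def parse_log(text):
    """Parse log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, obj, size = parts
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "obj": obj, "bytes": int(size)})
    return records

def find_alerts(records):
    """Return (indicator, user, detail) tuples for after-hours and bulk access."""
    alerts = []
    per_user_day = defaultdict(lambda: {"bytes": 0, "objs": set()})
    for r in records:
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours", r["user"], f"{r['ts']} {r['obj']}"))
        agg = per_user_day[(r["user"], r["ts"].date())]
        agg["bytes"] += r["bytes"]
        agg["objs"].add(r["obj"])
    for (user, day), agg in per_user_day.items():
        if agg["bytes"] >= BULK_BYTES or len(agg["objs"]) >= BULK_OBJECTS:
            detail = f"{day}: {agg['bytes']} bytes across {len(agg['objs'])} objects"
            alerts.append(("bulk_download", user, detail))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only bob trips the rules: three after-hours reads and one bulk-download alert for 4 March; alice and carol stay quiet, which is the point of matching alerts to a baseline rather than to every access.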

Nation-state actors (APTs)

Who: Intelligence agencies and military-aligned groups, often operating under the protection of their government. Called "Advanced Persistent Threats" (APTs) because they are advanced (sophisticated tooling), persistent (will keep trying for months or years), and threats (well-resourced).

Motivation: Strategic โ€” intelligence gathering, industrial espionage, military advantage, economic disruption of rivals, pre-positioning for possible future conflicts.

Capabilities: The highest in the field. Can discover and exploit zero-days (vulnerabilities nobody else knows about), maintain multi-year operations, tailor attacks to specific targets, operate under strict counter-intelligence discipline.

What they target: Government agencies, defence contractors, critical infrastructure (power, water, telecoms, finance), research institutions, journalists and dissidents, technology companies with valuable IP.

Known Australian context: ASIO, ASD, and the ACSC regularly warn that Australia is persistently targeted by nation-state actors, most frequently attributed to China (industrial and government espionage), Russia (particularly after 2022), and North Korea (financial theft to fund weapons programs). The 2019 Australian Parliament House breach and attacks on universities in 2020 were attributed to state-level actors. Schools and small businesses are not typical APT targets, but organisations holding research, government contracts, or critical infrastructure access are.

Defence against them: For a regular business, you're not going to "beat" a nation-state with your budget. The goal is to raise the cost enough that they go elsewhere, and to have excellent detection and response so if they do target you, you find them quickly. For critical infrastructure, defence is a full-time national-security problem involving the ACSC, partnered security firms, and threat-intelligence sharing.

Terrorists and violent extremists

Who: Individuals or groups seeking to cause fear, disruption, or physical harm through cyber means.

Motivation: Political, religious, or ideological: to coerce governments, punish societies, inspire followers, or cause physical damage.

Capabilities: Generally lower than nation-states but rising. More dangerous when combining cyber with physical attacks.

What they target: Critical infrastructure (especially where cyber-attack could cause physical harm), symbolic targets (government sites), financial systems.

This is a much smaller category in terms of actual incidents than the others, but the potential impact if they succeeded against critical infrastructure is catastrophic, so national-security agencies take it seriously.

9.3 White Hat, Grey Hat, Black Hat

A different way to classify people who attack systems: by whether their activity is authorised and legal.

White hat
Authorised? Yes, with explicit permission.
What they do: Penetration testers, security researchers, "bug bounty" hunters. They find vulnerabilities and report them through proper channels. Career path for many security pros.

Black hat
Authorised? No, acting illegally.
What they do: The cybercriminals, nation-state operators, hacktivists. What most of this chapter covers.

Grey hat
Authorised? Ambiguous: unauthorised, but intended helpfully.
What they do: Someone who finds a vulnerability in a system they don't have permission to test and reports it. Technically illegal in Australia under the Cybercrime Act 2001, even if the intent is good. Professionally controversial.

TRAP: "Hacking a company to tell them about the vulnerability" is still illegal in Australia regardless of intent. Grey-hat researchers have been prosecuted. If you want to find bugs legally, use official bug bounty programs or Coordinated Vulnerability Disclosure (CVD) programs; many organisations publish these so you can test with permission. Chapter 17 covers the legal framework in detail.

9.4 Threat Intelligence: Knowing Who's Targeting You

Modern security teams use threat intelligence (feeds of information about active attacker groups, their tools, and their current targets) to prioritise defences. Sources include:

FOR THE EXAM: You won't be asked to name specific APT groups, but knowing that threat intelligence exists, and that organisations choose defences partly based on "who's targeting us", is an example of risk-based security. This maps directly onto Chapter 16's "Requirements → Threats → Architecture → Controls" framework.

9.5 Mapping Threat Actors to the CIA Triad

Different actors tend to attack different pillars. Knowing their typical target helps you predict what they'll do:

Script kiddies
Most common CIA target: Any, opportunistic.
Why: Whatever the exploit they're running happens to do.

Hacktivists
Most common CIA target: Availability (DDoS) + Confidentiality (leaks).
Why: Visibility; they want attention and to embarrass the target.

Cybercriminals
Most common CIA target: Availability (ransomware) + Confidentiality (data theft for resale).
Why: Monetisation; both encrypt-to-ransom and steal-to-sell are profitable.

Insiders
Most common CIA target: Confidentiality most commonly (data theft), sometimes Integrity.
Why: Whatever they have access to read or modify.

Nation-states
Most common CIA target: Confidentiality (espionage); sometimes Integrity and Availability (sabotage).
Why: Intelligence value; long-term strategic advantage.

Terrorists
Most common CIA target: Availability (disruption).
Why: Fear and disruption require visible impact.

9.6 Why This Matters for Design

When you design a security architecture (Chapter 16), you should explicitly identify which threat actors are realistic for the scenario. A dental clinic faces cybercriminals and insiders; a defence research lab faces nation-states and insiders; a celebrity's personal accounts face hacktivists, stalkers, and cybercriminals.

The defences you pick should match:

EXAM PATTERN: In any scenario design question, include a short section: "The primary threat actors for this organisation are [X] and [Y], motivated by [reason]. Defences are prioritised accordingly: [specific controls that address these actors]." That sentence alone buys you marks by showing you're reasoning about realistic threats instead of listing every possible control.

9.7 Quiz Time

A local coffee shop's point-of-sale system is breached. The attacker installed card-skimming malware that sends customer credit card numbers to a server overseas. Which threat actor category and which CIA pillar?

Threat actor: Cybercriminals. The attack is financially motivated (credit cards to resell or use), sophisticated enough to involve custom malware and infrastructure, and targeted at a type of business rather than the specific coffee shop. CIA pillar: Confidentiality; customer card data was stolen. There's no evidence (in this scenario) of integrity change or availability loss.

Why does "I'm too small to be a target" fail as a security argument?

Because much of cybercrime is opportunistic: script kiddies and cybercriminals run automated scans against huge ranges of internet addresses, attacking whatever answers with a known vulnerability. You're not targeted as "you," you're targeted as "any responding server on this port." Small businesses also tend to have weaker security, so criminals deliberately chase them as easier payouts. In exam terms: much of the threat is non-targeted and automated, so size doesn't protect you.

An administrator with legitimate access takes a USB drive home that contains customer data and accidentally loses it on the train. Is this an insider threat? What defences could have helped?

Yes, this is a negligent insider incident. Intent isn't malicious but the outcome is a confidentiality breach. This is reportable under the Notifiable Data Breaches (NDB) scheme if personal information is involved and could cause serious harm to the affected individuals.

Defences that would have helped:
- Full-disk encryption on the USB drive (data unreadable even if lost)
- Policy restricting data off-premises
- Data Loss Prevention (DLP) software blocking large transfers to removable media
- Alternatives like secure cloud access instead of physical media
- User training: people handle sensitive data every day and often don't see the risk

A company notices their web servers receiving millions of requests per minute from IP addresses across many countries. Their site becomes unavailable. Which threat actors typically do this and why?

This is a DDoS attack. Common perpetrators:
- Hacktivists: disrupting a company they ideologically oppose
- Cybercriminals: as an extortion tactic ("pay us or we keep it up") or as a smokescreen for another attack happening simultaneously
- Nation-states: in geopolitical conflicts (rare against private businesses but happens)
- Business competitors: occasionally, though this is usually cybercriminals hired by someone

The CIA pillar attacked is Availability. Defences: DDoS mitigation services (Cloudflare, Akamai), scalable infrastructure, traffic analysis to distinguish bots from real users.
โ† Previous
08. CIA Triad + AAA