Who are the actors behind cyber incidents? While there is no universally accepted list, and while a perpetrator can be part of multiple groups (however those groups are defined), experience indicates that there is a broad taxonomy we can use to bring some ordered thinking to the question of who is carrying out attacks and why they select their particular targets.

Nation-State Actors

Nation states have recognized that cyber is a domain of warfare that is inherently asymmetric; that is, a small number of talented people can have a huge effect. In the Ukraine, for example, Russian hacking was believed to be responsible for substantial power outages. A nation state can act directly or indirectly.

Direct Actions of Nation States

This is the case when a government is directing the actions of people carrying out an attack. Examples of agencies believed to have offensive cyber capabilities include the US National Security Agency, the Russian Main Intelligence Directorate (GRU), the People’s Liberation Army of China, and governments as diverse as North Korea (Democratic People’s Republic of Korea) and Israel. They have employed cyber operators who act for the nation state under the direction of their superiors.

Outsourced Actions of Nation States

A nation state may lack capacity in terms of qualified hackers but still want to carry out offensive cyber operations. In these cases they may decide to outsource the work and can consider a range of possible actors. They may contract with civilian criminal hacking groups with the requisite capabilities or work through an allied country that has the capabilities. They may also act through a non-government group. For example, it has been reported that during the 2016 US presidential campaign, Russian organizations hacked the Democratic National Committee, but used the Wikileaks organization to release and distribute the stolen material.

Non-State or Quasi-State Actors

There is also a range of non-government organizations (NGOs) that may be behind offensive cyber activities.

Terrorist Activities

Terrorist groups have become sophisticated users of cyber capabilities. They may use the internet for recruiting, financing, information theft or distribution. They may carry out operations to confuse their enemy, appearing to have greater or fewer numbers of personnel than they really do. Cyberterrorism has become a field of study in itself.

Information Anarchists

We have seen the growth of organizations (some loosely organized) that believe no information should be secret, or at the very least, those they target should have no secrets. They may steal emails or other information and post it publicly. They may strike out in various ways, including distributed denial of services (DDoS) attacks designed to take a target website out of operation.

NGOs Who Share a Common Cause With State Actors

Do not think that every attack can be attributed to one of the aforementioned types of operators. Just as threats can involve multiple risks, multiple actors can operate in concert (either formally or informally). They may share a target (but operate independently) or may coordinate their efforts; for example, a nation-state actor steals the data, but an NGO distributes it.

Organized Cybercriminal Organizations

Organized cybercriminal organizations can, aside from their own for-profit operations (e.g., stealing sensitive personal information, credit card data, health insurance data and the like), be the source of malware or they may provide malware as a service offering. They may also engage in other forms of attack (e.g., DDoS). They will provide their services to anyone who pays them. We are seeing an increase in the use of ‘professional’ malware in attacks. This makes it hard to determine attribution because, while the attack may have been seen before, it does not tell you who the attacker is. It also puts sophisticated attacks in the hands of, or at the direction of, less sophisticated attackers; what looks like organized crime may still actually be attributable to a disgruntled employee or a nation state. There have also been reports of groups such as street gangs or criminal motorcycle gangs turning to cybercrime as a source of funds.

Individual Cybercriminals

Individual criminal actors can carry out attacks that may be indistinguishable from those of organized criminal gangs. They may also offer their services to others (malware as a service, DDoS as a service, etc.) in return for a fee. The availability of pre-packaged attack software (i.e., ransomware toolsets) makes today’s cybercriminal far more dangerous than those of former years.

Investigative Journalists

In the past, journalists used hacking techniques to pursue stories, but the spread of cybersecurity and anti-hacking laws has made this practice dangerous. Particularly in the United Kingdom, the phone intrusion trials that resulted in journalists and editors being convicted and sentenced to prison have curtailed these practices.

An extract from the first edition of The Guide to Cyber Investigations. The whole publication is available at Global Investigations Review.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.


Proactively monitor, detect and respond to threats virtually anywhere – on endpoints and throughout the surface, deep and dark web.

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.