Threat Actor Case Studies

Codecademy Team
In this article, you’ll look at examples of real-world threat actors, then apply your knowledge in a threat actor analysis exercise!

What we’ll be learning

In this article, we’ll be looking at three real-world threat actors, and discussing their attributes and classification, along with any notable techniques and tactics they use. You’ll also get a chance to apply your knowledge to analyze the attributes of fictional threat actors based on limited information.

Case studies

Case 1: Gary McKinnon

  • Classification: Solo hacker
  • Targets: U.S. military and government institutions, including NASA and the Department of Defense.
  • Sophistication: Low to Medium
  • Support: None
  • Resources: Low
  • Objectives: Obtain hidden information on UFOs and alien technology.
  • Motivation: Personal Interest, has sworn off hacking.
  • Notable Tactics and Techniques: Used commercially available software to compromise poorly secured Windows machines.

Active in 2001 and 2002, Gary McKinnon, also known as Solo, was a hacker who targeted U.S. government computer systems looking for evidence of UFOs and alien technology. He was accused of sabotaging military computers and the munitions supply to the U.S. Navy after 9/11, but supporters claim that these charges have never been brought before a court, and McKinnon himself denies ever acting with malicious intent. McKinnon was able to locate machines with inadequate security configurations that were easy to hack into, and he did so without fully covering his tracks.

Case 2: Anonymous

  • Classification: Decentralized hacker/hacktivist group
  • Targets: Varies, has included U.S. government and ISIS.
  • Sophistication: Varies from member to member
  • Support: Large number of members, but there is no large-scale coordination or organization.
  • Resources: Varies
  • Objectives: Generally opposes censorship, but different members may have different goals.
  • Motivation: Varies
  • Notable Tactics and Techniques: DDoS attacks, Doxxing, Threats

Anonymous is a decentralized and disorganized hacking collective that anyone can join. This means that it is very difficult to talk about Anonymous as a whole, since the objectives, motivations, targets, and abilities can vary widely from member to member, or subgroup to subgroup.

Anonymous started on the 4chan message boards in 2003, but only became associated with hacktivism in 2008, when members launched Project Chanology, a series of semi-coordinated actions against the Church of Scientology. Since then, members have engaged in many hacktivist causes under the banner of Anonymous.

Case 3: Double Dragon

  • Classification: State Actor, APT
  • Targets: Healthcare, telecommunications, technology, and video game industries.
  • Sophistication: Very high
  • Support: Strongly believed to be associated with the Chinese government.
  • Resources: Very high; Access to government-developed malware and cyber-espionage tools.
  • Objectives: Set by their sponsors; also personal financial gain.
  • Motivation: Very High
  • Notable Tactics and Techniques: Use of passive backdoors, supply-chain attacks, sophisticated malware and rootkits, and spear-phishing.

Double Dragon (also known as APT41) is a state-sponsored APT group that is strongly believed to be associated with the Chinese government. According to FireEye, “…APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.”

This combination of state-sponsored activity and activity for personal financial gain is considered unusual, and it can make it difficult to determine which operations are conducted on behalf of their sponsors and which are conducted for their own gain. What is known is that many of their operations for personal financial gain involve the video game industry.

Double Dragon’s use of passive backdoors distinguishes them from other APT groups, and this type of backdoor is more difficult to detect than a traditional “active” type. Other techniques they are known for are spear-phishing emails and sophisticated malware with stealth capabilities.

Hypothetical threat actors

Now that you’ve seen some examples of real-life threat actors, it’s time to try your hand at analyzing some hypothetical threat actors on your own. Below are three profiles of fictional threat actors. Use your judgment to make guesses at the following information:

  • Classification: What type of threat actor do they appear to be? A script kiddie? Independent hacker? Hacktivist group? APT?
  • Targets: What sort of targets does the threat actor seem to focus on?
  • Sophistication: What level of sophistication do their actions suggest?
  • Support: Does the threat actor appear to have support, or are they working independently?
  • Resources: What level of resources does the threat actor appear to have?
  • Objectives: What are the threat actor’s apparent objectives?
  • Motivation: How motivated does the threat actor appear to be? Are they persistent, or easily dissuaded?
  • Notable Tactics and Techniques: What tactics or techniques stand out to you in the threat actor’s profile if any?

Profile 1

An unknown threat actor has targeted multiple companies in the movie industry, stealing and releasing unfinished movies in production. There was no request for ransom, and the attacks that succeeded were against targets with poor cybersecurity.

Profile 2

An unknown threat actor targets a retailer known for its poor treatment of workers and illegal union-busting activities. The threat actor has attacked multiple times, each time attempting to disrupt operations. Some sensitive data, including incriminating internal communications, were stolen and released to the general public without ransom.

Profile 3

An unknown threat actor distributes malware. Representatives of the threat actor have been encountered on various darknet hacking forums, offering custom malware development services or pre-made packages of malware. The threat actor has also run malware campaigns of their own, using newly developed malware. Most of the malware campaigns they have run themselves are ransomware.


No two threat actors are exactly the same, which is part of why determining their attributes is so important. By understanding what a threat actor wants, and how they operate, you can better defend yourself against that threat actor, and others like them.