Threat Actor Case Studies
What we’ll be learning
In this article, we’ll be looking at three real-world threat actors, and discussing their attributes and classification, along with any notable techniques and tactics they use. You’ll also get a chance to apply your knowledge to analyze the attributes of fictional threat actors based on limited information.
Case studies
Case 1: Gary McKinnon
- Classification: Solo hacker
- Targets: U.S. military and government institutions, including NASA and the Department of Defense.
- Sophistication: Low to Medium
- Support: None
- Resources: Low
- Objectives: Obtain hidden information on UFOs and alien technology.
- Motivation: Personal interest; has since sworn off hacking.
- Notable Tactics and Techniques: Used commercially available software to compromise poorly secured Windows machines.
Active in 2001 and 2002, Gary McKinnon, also known as Solo, was a hacker who targeted U.S. government computer systems looking for evidence of UFOs and alien technology. He was accused of sabotaging military computers and the munitions supply to the U.S. Navy after 9/11, but supporters point out that these charges have never been tested in court, and McKinnon himself denies ever acting with malicious intent. McKinnon located machines with inadequate security configurations that were easy to break into, and did so without fully covering his tracks.
Case 2: Anonymous
- Classification: Decentralized hacker/hacktivist group
- Targets: Varies, has included U.S. government and ISIS.
- Sophistication: Varies from member to member
- Support: Large number of members, but there is no large-scale coordination or organization.
- Resources: Varies
- Objectives: Generally opposes censorship, but different members may have different goals.
- Motivation: Varies
- Notable Tactics and Techniques: DDoS attacks, Doxxing, Threats
Anonymous is a decentralized and disorganized hacking collective that anyone can join. This means that it is very difficult to talk about Anonymous as a whole, since the objectives, motivations, targets, and abilities can vary widely from member to member, or subgroup to subgroup.
Anonymous started on the 4chan message boards in 2003, but only became associated with hacktivism in 2008 when members launched Project Chanology: A series of semi-coordinated actions against the Church of Scientology. Since then, members have engaged in many hacktivist causes under the banner of Anonymous.
Case 3: Double Dragon
- Classification: State Actor, APT
- Targets: Healthcare, telecommunications, technology, and video game industries.
- Sophistication: Very high
- Support: Strongly believed to be associated with the Chinese government.
- Resources: Very high; Access to government-developed malware and cyber-espionage tools.
- Objectives: Objectives assigned by their sponsors, plus personal financial gain.
- Motivation: Very High
- Notable Tactics and Techniques: Use of passive backdoors, supply-chain attacks, sophisticated malware and rootkits, and spear-phishing.
Double Dragon (also known as APT41) is a state-sponsored APT group that is strongly believed to be associated with the Chinese government. According to FireEye, “…APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.”
This duality of state-sponsored activity and acting for personal financial gain is considered unusual, and this can make it difficult to determine which operations are conducted on behalf of their sponsors, and which are conducted for their own gain. What is known is that many of their operations for personal financial gain involve the video game industry.
Double Dragon’s use of passive backdoors distinguishes them from other APT groups, and this type of backdoor is more difficult to detect than a traditional “active” type. Other techniques they are known for are spear-phishing emails and sophisticated malware with stealth capabilities.
Hypothetical threat actors
Now that you’ve seen some examples of real-life threat actors, it’s time to try your hand at analyzing some hypothetical threat actors on your own. Below are three profiles of fictional threat actors. Use your judgment to make guesses at the following information:
- Classification: What type of threat actor do they appear to be? A script kiddie? Independent hacker? Hacktivist group? APT?
- Targets: What sort of targets does the threat actor seem to focus on?
- Sophistication: What level of sophistication do their actions suggest?
- Support: Does the threat actor appear to have support, or are they working independently?
- Resources: What level of resources does the threat actor appear to have?
- Objectives: What are the threat actor’s apparent objectives?
- Motivation: How motivated does the threat actor appear to be? Are they persistent, or easily dissuaded?
- Notable Tactics and Techniques: What tactics or techniques stand out to you in the threat actor’s profile if any?
Profile 1
An unknown threat actor that has targeted multiple companies in the movie industry, stealing and releasing unfinished movies in production. There was no request for ransom, and the attacks that succeeded were against targets with poor cybersecurity.
Profile 2
An unknown threat actor targets a retailer known for its poor treatment of workers and illegal union-busting activities. The threat actor has attacked multiple times, each time attempting to disrupt operations. Some sensitive data, including incriminating internal communications, were stolen and released to the general public without ransom.
Profile 3
An unknown threat actor that distributes malware. Representatives of the threat actor have been encountered on various darknet hacking forums, offering custom malware development services, or pre-made packages of malware. The threat actor has also run malware campaigns of their own, using newly-developed malware. Most of the malware campaigns they have run themselves are ransomware.
Conclusion
No two threat actors are exactly the same, which is part of why determining their attributes is so important. By understanding what a threat actor wants, and how they operate, you can better defend yourself against that threat actor, and others like them.
Author
The Codecademy Team, composed of experienced educators and tech experts, is dedicated to making tech skills accessible to all. We empower learners worldwide with expert-reviewed content that develops and enhances the technical skills needed to advance and succeed in their careers.