1 Introduction
In the physical world, there are different types of criminals: the pickpocket, the organized burglar, the industrial spy, the activist who spray-paints walls. Each has their own motivations, methods, and targets. The cybersecurity world works exactly the same way: attackers are grouped into major threat families, each with a distinct profile.
Understanding these families allows you to better anticipate attacks. A hospital does not face the same threats as a defense ministry or an online retailer. By identifying the actors that target you, you can adapt your defenses effectively.
The five major families
Nation-states
Cybercriminals
Hacktivists
Insiders
Script kiddies
2 How It Works
Each threat family is distinguished by its motivation, resources, and methods. Here is a detailed overview:
APT Groups (Advanced Persistent Threat) / Nation-states
These are the "intelligence agencies" of cyberspace. Funded by governments, these groups have considerable resources, patience, and top-tier technical skills. Their primary objective is political, military, or industrial espionage. Some also engage in infrastructure sabotage.
| Group | Attribution | Primary targets |
|---|---|---|
| APT28 (Fancy Bear) | Russia (GRU) | Governments, elections, NATO, media |
| APT29 (Cozy Bear) | Russia (SVR) | Diplomacy, COVID research, supply chain |
| Lazarus Group | North Korea | Banks, cryptocurrency, defense sector |
| APT41 (Winnti) | China | Technology, gaming, telecoms, healthcare |
Cybercriminals (eCrime)
Their motivation is simple: money. These groups operate like real criminal enterprises, with a hierarchy, "employees," customer support (for ransomware victims who need to pay), and even affiliate programs. Ransomware has become their weapon of choice.
LockBit
The most active ransomware gang in recent years. Affiliate model: they provide the malware, affiliates conduct the attacks, and profits are shared.
ALPHV/BlackCat
Sophisticated ransomware written in Rust. Known for triple extortion: data encryption, data theft with threat to publish, and DDoS attack if the victim refuses to pay.
Hacktivists
Hacktivists use hacking to deliver a political or social message. Like digital protesters, they target organizations they consider contrary to their values. Their most common actions are DDoS attacks (overwhelming a site to make it inaccessible), defacement (modifying a website's homepage), and data leaks. Groups like Anonymous or, more recently, pro-Russian collectives like KillNet illustrate this category.
Insider Threats
The most insidious threat sometimes comes from within. A disgruntled employee, a careless contractor, or a corrupt administrator already has access to the system. No need to force the door when you have the key. Insider threats fall into two categories: malicious (intentional data theft, sabotage out of revenge) and accidental (clicking a phishing link, unintentionally sharing sensitive files, misconfiguration).
Script Kiddies
Script kiddies are unskilled attackers who rely on tools, scripts, and exploits written by others. They typically lack the ability to create their own attacks but can still cause damage by running automated scanners, using leaked exploit kits, or launching DDoS attacks with rented botnets. Their motivation is usually bragging rights, curiosity, or minor vandalism.
3 Detailed Analysis
Threat family comparison
| Family | Motivation | Resources | Persistence | Sophistication |
|---|---|---|---|---|
| Nation-states | Espionage, sabotage | Very high | Months/Years | Very high |
| Cybercriminals | Financial gain | High | Weeks | High |
| Hacktivists | Ideology | Variable | Days | Medium |
| Insiders | Revenge, money | Internal access | Variable | Variable |
| Script kiddies | Notoriety, fun | Low | Hours | Low |
The modern cybercrime ecosystem
Cybercrime has become industrialized. Today it operates as a marketplace with specialized services. This is known as Crime-as-a-Service (CaaS):
Initial Access Brokers (IAB)
They sell already-compromised access to companies. An IAB breaches an organization and sells the access to the highest bidder on the dark web.
Ransomware-as-a-Service (RaaS)
Developers create the ransomware, affiliates deploy it. Profits are shared, like a criminal franchise operation.
Bulletproof Hosting
Hosting providers that deliberately ignore abuse complaints and protect attack infrastructure from takedowns.
Money Mules
Intermediaries (often recruited unknowingly) who launder ransoms by transferring funds between bank accounts and cryptocurrency wallets.
Landmark case studies
SolarWinds (2020) -- APT29 / Russia
A supply chain attack: attackers compromised an update of the SolarWinds Orion software, used by thousands of companies and government agencies. The trojanized update was installed by the victims themselves, granting silent access for months. Over 18,000 organizations downloaded the compromised update, including multiple U.S. federal agencies.
WannaCry (2017) -- Lazarus / North Korea
A ransomware worm that paralyzed hospitals, factories, and businesses across 150 countries in a single weekend. It exploited a Windows vulnerability (EternalBlue) leaked by a hacking group. The UK's National Health Service was particularly hard hit, forcing the cancellation of thousands of surgeries and appointments.
Colonial Pipeline (2021) -- DarkSide / Cybercriminal
The largest fuel pipeline in the United States was shut down for 6 days by a ransomware attack. Fuel shortages spread across the entire southeastern U.S. The company paid $4.4 million in ransom. The attack originated from a single compromised password on a VPN account that lacked multi-factor authentication.
Try it on mlab.sh
Explore the MITRE ATT&CK matrix interactively to see the tactics and techniques used by different threat families. Map attacker behaviors to defensive strategies.
4 Red Flags
Here are the warning signs that you may be targeted by one of these threat families:
Connections from unusual countries
VPN connections or authentication attempts from countries with which you have no business relationship may indicate an APT group or cybercriminals.
Targeted spear-phishing emails
Highly personalized emails mentioning internal projects, colleague names, or non-public details are typical of APT groups that conduct reconnaissance before attacking.
Sudden file encryption
Files becoming unreadable with strange extensions (.locked, .encrypted, .crypt) signal an active ransomware attack. Act immediately by isolating the affected machine.
Access outside business hours
Administrative connections at 3 AM or on weekends, especially to critical systems, may reveal a malicious insider or an attacker exploiting stolen credentials.
Your website has been modified
A defacement (modification of your homepage with a political message) is typical of hacktivists. Often linked to a geopolitical or social context.
Large-scale data exfiltration
Abnormally large data transfers to unknown destinations, especially at night, may indicate data theft by an APT or a departing insider.
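As an added example (not part of the original module), the warning signs above can be turned into simple triage rules run over a handful of constructed log events. The event format, the home-country list, the business-hours window and the exfiltration threshold are assumptions made for this example, not values from the page.

```python
"""Toy red-flag triage over constructed log events (example code, not mlab's)."""
from datetime import datetime

# Assumptions for this example: where the organisation operates, when admins
# normally work, which extensions count as ransomware markers, and how much
# outbound data in one transfer is "abnormally large".
HOME_COUNTRIES = {"FR", "DE"}
BUSINESS_HOURS = range(8, 20)           # 08:00-19:59 local time
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")
EXFIL_THRESHOLD_MB = 500

# Constructed sample events; none of this is real telemetry.
EVENTS = [
    {"ts": "2024-03-04T03:12:00", "type": "auth", "user": "admin.it", "admin": True, "country": "FR", "host": "dc01"},
    {"ts": "2024-03-04T10:05:00", "type": "auth", "user": "j.doe", "admin": False, "country": "KP", "host": "vpn01"},
    {"ts": "2024-03-04T10:06:00", "type": "file", "user": "j.doe", "path": "Q3-report.xlsx.locked", "host": "ws17"},
    {"ts": "2024-03-04T23:40:00", "type": "net", "user": "m.leaving", "dst": "203.0.113.9", "mb": 2400, "host": "ws22"},
    {"ts": "2024-03-04T12:30:00", "type": "web", "path": "/index.html", "hash_changed": True, "host": "web01"},
    {"ts": "2024-03-04T14:00:00", "type": "auth", "user": "j.doe", "admin": False, "country": "FR", "host": "vpn01"},
]


def triage(events):
    """Return (red_flag, likely_family, action, subject) tuples for matching events.

    Each rule mirrors one warning sign from the module; the family column is a
    hint for the analyst, not an attribution.
    """
    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        at_night = hour not in BUSINESS_HOURS
        if e["type"] == "auth" and e["country"] not in HOME_COUNTRIES:
            alerts.append(("unusual_country", "APT or cybercriminal", "verify with user, review session", e["user"]))
        if e["type"] == "auth" and e["admin"] and at_night:
            alerts.append(("off_hours_admin", "insider or stolen credentials", "confirm change ticket", e["user"]))
        if e["type"] == "file" and e["path"].endswith(RANSOM_EXTENSIONS):
            alerts.append(("ransomware_extension", "cybercriminal (ransomware)", "isolate host now", e["host"]))
        if e["type"] == "net" and e["mb"] >= EXFIL_THRESHOLD_MB:
            family = "APT or departing insider" + (" (night transfer)" if at_night else "")
            alerts.append(("large_exfil", family, "block destination, preserve logs", e["user"]))
        if e["type"] == "web" and e.get("hash_changed"):
            alerts.append(("defacement", "hacktivist", "restore from known-good copy", e["host"]))
    return alerts


if __name__ == "__main__":
    for flag, family, action, subject in triage(EVENTS):
        print(f"{flag:22} {subject:12} -> {family}; {action}")
```

Rules like these are a starting point for detection content; in practice the thresholds and the country list come from your own baseline, not from constants.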
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/threat-families
Module: Major threat families — Threat Intelligence
Disclaimer: This content is for awareness purposes only.