What is a threat actor?
A threat actor is any person or group that intentionally targets digital environments, networks, or infrastructure through malicious activities to achieve specific objectives. They deliberately attack your systems, and rarely just to cause random harm: most pursue specific objectives such as stealing data, disrupting operations, gaining financial benefits, conducting espionage, or accomplishing other strategic goals.
Unlike accidental security incidents or system failures, threat actors operate with clear intent and specific objectives. They use various tactics, techniques, and procedures to break through your security defenses and maintain access to compromised systems.
The term covers a wide range of adversaries. You might face individual hackers, organized crime groups, or sophisticated state-sponsored teams. What connects them all is their purposeful engagement in unauthorized activities that threaten your data's confidentiality, integrity, or availability.
In cloud environments, threat actors find both new opportunities and challenges. Your cloud infrastructure changes constantly as resources spin up and down automatically, creating a shifting attack surface. Complex identity and access management configurations across multiple cloud providers give these actors additional ways to exploit your systems.
Types of threat actors
Different threat actors work with varying levels of skill, resources, and goals. Understanding these differences helps you anticipate attack patterns and build appropriate defenses.
Nation-state actors
Nation-state actors are government-sponsored groups that conduct cyber operations to advance their country's interests. These highly skilled adversaries have substantial resources, advanced tools, and often operate with legal protection from their sponsoring governments.
These actors typically focus on long-term intelligence gathering rather than quick financial gains. They might maintain access to your systems for months or years without being detected. They often blend custom-built malware and zero-day exploits with widely available tools like Cobalt Strike, Sliver, or Mimikatz, making them versatile and difficult to defend against.
Key characteristics:
Extended presence: They stay hidden in your systems for months or years to gather intelligence
Custom tools: They often use bespoke malware and may leverage zero-day exploits, but also blend living-off-the-land techniques and commodity tools when it serves their goals.
Strategic targets: They focus on critical infrastructure, government agencies, and organizations with valuable secrets
Nation-state actors engage in espionage, sabotage, or influence operations. They use stealthy methods to establish multiple backdoors and employ sophisticated techniques to avoid detection.
Cybercriminals
Cybercriminals are financially motivated threat actors who range from individual operators to large crime organizations. Their primary goal is making money from their attacks through various schemes.
The rise of ransomware-as-a-service has made it easier for less technical criminals to launch sophisticated attacks. They can now rent tools and infrastructure from other criminals, lowering the barrier to entry.
Common money-making tactics:
Ransomware attacks: Encrypting your data and demanding payment for decryption keys, often combined with double extortion (threatening to leak stolen data) or triple extortion (targeting customers, partners, or other stakeholders)
Data theft: Stealing sensitive information to sell on underground markets
Cryptojacking: Using your computing resources to mine cryptocurrency without permission
Business email compromise: Tricking employees into making unauthorized financial transfers
Hacktivists
Hacktivists use cyber attacks to promote political or social causes. They want to raise awareness, embarrass targets, or disrupt operations of organizations they oppose.
Unlike financially motivated actors, hacktivists care more about spreading their message than making money. Their attacks often happen during political events, social movements, or public controversies. DDoS attacks—their go-to disruption tactic—make up 28% of threats tracked across the EU according to ENISA's Threat Landscape Report.
Typical activities:
Website defacement: Replacing legitimate website content with political messages
Data leaks: Exposing sensitive information to damage a target's reputation
DDoS attacks: Overwhelming servers with traffic to disrupt services
Insider threats
Insider threats come from people with legitimate access to your systems who misuse their privileges. These threats are especially hard to detect because they operate within normal access patterns and bypass traditional security defenses.
Categories of insider threats:
Malicious insiders: Current or former employees who intentionally steal data or sabotage systems
Negligent insiders: Employees who accidentally create security risks through careless actions
Compromised insiders: Legitimate accounts taken over by external threat actors
Threat actor motivations and targets
Understanding what drives threat actors and who they target helps you assess risks and build better defenses. Their motivations directly shape how they attack, how persistent they are, and what resources they'll invest.
Financial gain
Most cybercrime is motivated by money. The FBI tracked $16.6 billion in losses from cybercrime complaints in 2024 alone—a 33% jump from the previous year. This drives a wide variety of schemes, from direct extortion to selling stolen data on underground markets.
Espionage and intelligence gathering
State-sponsored actors and corporate competitors steal sensitive information for strategic advantage. These attacks are usually targeted and well-funded.
They commonly target trade secrets, government classified information, personal data of important individuals, and strategic business plans. These actors often maintain long-term access, stealing data slowly to avoid detection.
Disruption and destruction
Some threat actors aim to cause operational damage rather than steal data. These attacks are often politically motivated and can have serious real-world consequences.
Their goals include disrupting critical infrastructure, destroying data with wiper malware, damaging reputations through public breaches, and taking essential services offline.
Common threat actor tactics and techniques
Threat actors use diverse and evolving methods to achieve their goals. Understanding these common tactics, as mapped in the MITRE ATT&CK framework, helps you implement appropriate defenses at each stage of an attack.
Initial access techniques
Before causing damage, actors must first get into your environment. This is often the most critical phase of an attack.
Phishing and social engineering involves tricking users into revealing credentials through fake login pages, delivering malware via email attachments, or impersonating executives to authorize fraudulent transactions.
Vulnerability exploitation means scanning for and exploiting unpatched software vulnerabilities in your public-facing systems, web applications, and APIs.
Supply chain attacks target third-party vendors, open-source components, or development pipelines to reach ultimate victims. Threat actors compromise trusted software updates, inject malicious code into popular libraries, or infiltrate managed service providers to access multiple downstream targets simultaneously.
Stolen credentials come from previous data breaches, password reuse attacks, or purchasing access from criminals who specialize in initial network access.
Persistence and lateral movement
Once inside your network, threat actors work to maintain access and expand their reach to find valuable assets. This phase focuses on stealth and using legitimate system tools to blend in.
They establish persistence by creating backdoor accounts, installing web shells on servers, modifying startup processes, or exploiting legitimate remote access tools. This ensures they can regain access if discovered.
For lateral movement in cloud environments, threat actors may steal tokens and hijack sessions, assume cloud roles (for example with AWS AssumeRole), exploit overly permissive cross-account trusts, run OAuth consent phishing, use Pass-the-Hash in Windows domains, abuse other trust relationships, and rely on built-in tools like PowerShell to avoid detection. Mapping relationships between roles, services, and data stores helps reveal chained permissions and cross-account paths that enable stealthy lateral movement.
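The role-relationship mapping described above, as an added example that is not part of the original article: a breadth-first search over constructed AssumeRole trust relationships (hypothetical account IDs and role names) that finds the shortest cross-account chain from a principal to a sensitive role and the full set of roles it can eventually reach. An account-wide trust entry is modelled as "ACCOUNT:*".

```python
from collections import deque

# Constructed trust map (hypothetical account IDs, not from the page): for each
# IAM role, the principals its trust policy allows to call sts:AssumeRole.
# "ACCOUNT:*" models an account-wide trust, the overly permissive case the
# text describes.
TRUST = {
    "111111111111:role/DevRole": {"111111111111:user/alice"},
    "111111111111:role/CiRole": {"111111111111:role/DevRole"},
    "222222222222:role/PartnerAccess": {"111111111111:*"},
    "222222222222:role/ProdDataAdmin": {"222222222222:role/PartnerAccess"},
}


def trusted(principal, entry):
    """True if a trust-policy entry covers the principal (exact or account-wide)."""
    if entry == principal:
        return True
    if entry.endswith(":*"):
        return principal.split(":", 1)[0] == entry[:-2]
    return False


def assume_path(start, target, trust=TRUST):
    """Shortest chain of AssumeRole hops from start to target, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for role, allowed in trust.items():
            if role not in seen and any(trusted(path[-1], e) for e in allowed):
                seen.add(role)
                queue.append(path + [role])
    return None


def reachable_roles(start, trust=TRUST):
    """Every role the principal can eventually assume: its assumption blast radius."""
    roles = set()
    frontier = [start]
    while frontier:
        current = frontier.pop()
        for role, allowed in trust.items():
            if role not in roles and any(trusted(current, e) for e in allowed):
                roles.add(role)
                frontier.append(role)
    return roles
```

In this data the shortest path from alice to ProdDataAdmin skips DevRole entirely because the account-wide trust on PartnerAccess admits any principal in the first account, which is exactly the kind of chained permission a graph view surfaces and a per-role review misses.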
Data exfiltration and impact
The final stage involves achieving the actor's ultimate objectives, whether stealing data, deploying ransomware, or disrupting operations. When threat actors succeed, the damage hits hard—breaches now cost organizations an average of $4.44 million, and it takes about 241 days to find and stop them.
They transfer stolen data slowly to avoid triggering alerts, use legitimate cloud storage services to hide their activity, and employ covert channels like DNS tunneling to exfiltrate data undetected.
Threat actors in cloud environments
Cloud environments create a unique battleground for cybersecurity. The shared responsibility model, dynamic infrastructure, and API-driven architecture pose different threats from those of traditional data centers.
Cloud-specific attack vectors
Threat actors have developed specific tactics to exploit cloud platform characteristics.
Threat actors constantly scan for common cloud misconfigurations like publicly exposed storage buckets, overly permissive IAM policies, unprotected APIs, and exposed or hardcoded credentials in code, images, or user data. Once they compromise an account, threat actors often abuse the cloud's elastic nature for their own gain: running cryptomining on stolen compute, launching mass spam or phishing campaigns, or using the compromised account to pivot into partner and customer environments.
They may also create persistent backdoors through techniques like adding SSH keys to cloud instances, modifying serverless functions, or establishing malicious automation scripts that recreate access even after initial compromise is detected.
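Two of the misconfigurations named above, a publicly readable bucket and an overly permissive IAM policy, can be caught before a threat actor's scanner finds them. The checker below is an added example, not code from the article or from Wiz; it operates on constructed sample policies in AWS policy-document shape and flags a public principal with no narrowing Condition, a full admin wildcard, and a service-wide wildcard.

```python
import json

# Constructed sample policies in AWS IAM/bucket-policy JSON shape (not from the
# page): a bucket policy that grants the world read access and an identity
# policy that grants full administrative rights.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """Principal '*' or {'AWS': '*'} means anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_issues(policy):
    """Return misconfiguration labels found in the policy's Allow statements."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    issues = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Public principal with no Condition to narrow who may call.
        if _is_public(stmt.get("Principal")) and "Condition" not in stmt:
            issues.append("public-principal")
        # Action "*" on Resource "*" is full admin; "svc:*" on "*" is service-wide.
        if "*" in actions and "*" in resources:
            issues.append("admin-wildcard")
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            issues.append("service-wildcard")
    return issues
```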
Unique cloud challenges
For threat actors, ephemeral resources may disappear before exploitation completes. For defenders, native logging is available in most cloud platforms but requires deliberate configuration and coverage to be effective.
Visibility is strong at the control plane and workload layers you own, but you don't get hypervisor or infrastructure-level telemetry, so designing controls and monitoring for your shared-responsibility layer is essential. The rapid pace of change makes maintaining accurate asset inventories difficult. In fact, 56% of organizations say they lack cloud security expertise, while 51% struggle with multi-cloud complexity. Permission models that differ across clouds can also create unintended access paths.
Detecting and responding to threat actors
Effective detection requires understanding both technical indicators and behavioral patterns that reveal a threat actor's presence. You need multiple detection methods to identify sophisticated adversaries who are skilled at avoiding traditional security tools.
Detection strategies
Behavioral analytics baselines normal user and system behavior to detect unusual access patterns, impossible travel scenarios, or suspicious privilege escalation attempts. Blending cloud audit signals with runtime telemetry and identity context reduces false positives and surfaces high-fidelity detections.
Threat intelligence integration consumes feeds of known threat actor infrastructure, tracks their tactics and techniques, and monitors for specific toolsets to correlate your internal data with external intelligence.
Cloud-native detection monitors cloud-specific signals like API activity logs, resource creation events, IAM changes, and—when deployed—workload or runtime telemetry for suspicious activity.
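An added example (not the article's or Wiz's code) showing two of the detections above over constructed CloudTrail-style events: impossible travel between two console logins from a behavioral baseline, and a sensitive IAM change from cloud-native API activity. The event shape, the (lat, lon) a geo-IP lookup would supply, and the 900 km/h threshold are assumptions chosen for the example.

```python
import math
from datetime import datetime

# Constructed CloudTrail-style events (not real logs). "loc" is the (lat, lon)
# a geo-IP lookup would return for the source IP; here it is hard-coded.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice", "event": "ConsoleLogin",
     "ip": "203.0.113.10", "loc": (51.51, -0.13)},      # London
    {"time": "2024-05-01T09:40:00", "user": "alice", "event": "ConsoleLogin",
     "ip": "198.51.100.7", "loc": (37.77, -122.42)},    # San Francisco
    {"time": "2024-05-01T09:45:00", "user": "alice", "event": "CreateAccessKey",
     "ip": "198.51.100.7", "loc": (37.77, -122.42)},
    {"time": "2024-05-01T10:00:00", "user": "bob", "event": "DescribeInstances",
     "ip": "192.0.2.5", "loc": (48.86, 2.35)},          # Paris
]

# IAM calls that commonly establish persistence or escalate privilege.
SENSITIVE_IAM_EVENTS = {
    "CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
    "AttachRolePolicy", "UpdateAssumeRolePolicy", "CreateLoginProfile",
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect(events, max_kmh=900.0):
    """Flag impossible travel between logins and sensitive IAM changes."""
    findings = []
    last_login = {}  # user -> (time, loc) of the previous ConsoleLogin
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["event"] == "ConsoleLogin":
            prev = last_login.get(e["user"])
            if prev is not None:
                hours = (t - prev[0]).total_seconds() / 3600
                km = haversine_km(prev[1], e["loc"])
                # Faster than a commercial flight: two sessions, not one traveller.
                if hours > 0 and km / hours > max_kmh:
                    findings.append(("impossible_travel", e["user"], round(km)))
            last_login[e["user"]] = (t, e["loc"])
        if e["event"] in SENSITIVE_IAM_EVENTS:
            findings.append(("sensitive_iam_change", e["user"], e["event"]))
    return findings
```

Correlating the two findings on the same user and source IP, as the text suggests when blending audit signals with identity context, is what turns two medium-severity alerts into one high-fidelity detection.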
Response and containment
When you detect a threat actor, rapid and coordinated response is critical to minimize breach impact. Automated investigation that stitches together events, entities, and blast radius accelerates scoping and guides precise containment.
Initiate your incident response plan. First, snapshot affected resources and preserve logs, then contain by isolating impacted assets, revoking or rotating compromised credentials, and blocking command-and-control. Avoid actions that could tip off adversaries before you have scoped the incident.
During investigation and remediation, determine the full scope of compromise, identify how they got in initially, remove all persistence mechanisms, and patch exploited vulnerabilities.
How Wiz counters threat actor tactics across the cloud lifecycle
Wiz provides comprehensive visibility and protection against threat actors by combining agentless code-to-cloud scanning, contextual risk assessment on the Security Graph, and continuous monitoring across cloud and runtime. The platform identifies toxic combinations of risks that threat actors exploit, helping you prioritize remediation based on actual attack paths.
Wiz's Security Graph maps relationships between cloud resources, identities, network exposures, and vulnerabilities, revealing hidden attack paths that threat actors use for lateral movement and privilege escalation. This graph-based approach provides insights that traditional scanning tools miss, showing how minor issues can combine to create critical, exploitable risks.
Key benefits:
Attack path visibility: See your environment through a threat actor's eyes to identify and eliminate attack paths before exploitation
Contextual prioritization: Focus on risks that actually matter by understanding how vulnerabilities, misconfigurations, and permissions combine
Comprehensive coverage: Protect the entire lifecycle – from code and pipelines to cloud and runtime – with unified visibility and consistent policy.
Wiz enables you to proactively defend against threat actors by understanding and eliminating the attack paths they use to compromise cloud environments. The platform complements your existing security tools by providing essential cloud context needed to prioritize risks effectively.
Ready to detect and respond to threat actors in your cloud environment? Wiz Defend provides continuous monitoring, real-time threat detection, and guided response capabilities to identify and neutralize threats before they impact your business. Get started with Wiz Defend