Threat actors are not a single, uniform group. They range from financially motivated gangs to state-linked operators and loosely structured criminal ecosystems, each with different objectives and levels of sophistication. Understanding a few prominent examples helps teams think more clearly about how attackers operate, where defences are likely to be tested and which controls deserve sustained investment.
This overview focuses on three well-known threat actor categories that illustrate how identity, access and core business systems have become central targets in modern attacks. The details will evolve over time, but the patterns they represent remain highly relevant for most organisations.
Scattered Spider: Financially Motivated Social Engineers
Scattered Spider is a financially motivated group known for targeting large enterprises, telecoms and technology-heavy organisations using social engineering and identity-focused attacks. Operations often begin with convincing impersonation: operators contact employees while posing as internal IT or support staff in order to obtain credentials or initiate remote access sessions.
Common techniques associated with this style of activity include:
- Multi-factor authentication (MFA) fatigue attacks, where users are bombarded with prompts in the hope they eventually approve one.
- SIM swapping or related methods to intercept authentication codes sent via SMS or voice.
- Abuse of legitimate remote access tools and management platforms already present in the environment, reducing the need for bespoke malware.
The significance for defenders is clear: strong technical controls are necessary but not sufficient when attackers primarily exploit human trust and weak identity practices. Security programmes that focus only on perimeter defences or endpoint tooling may miss how easily social techniques bypass those layers, especially when processes for verifying IT requests or access changes are weak.
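As an added illustration of how the MFA fatigue pattern described above can be surfaced from identity-provider telemetry (example code written for this page, not tooling from the page or from any vendor): push-prompt results are grouped per user, the densest burst within a sliding window is located, and a burst that ends in an approval is escalated. The event layout, field names and every sample event are constructed assumptions, not real logs.

```python
"""Detect MFA push-fatigue bursts in identity-provider logs.

Added example for this page; the event format below is an assumption
modelled on a generic MFA push log, and every event is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (UTC timestamp, user, push-prompt result).
SAMPLE_EVENTS = [
    ("2024-01-10T08:01:05Z", "alice", "approved"),   # single normal login
    ("2024-01-10T08:15:00Z", "bob", "denied"),       # start of a prompt storm
    ("2024-01-10T08:15:20Z", "bob", "timeout"),
    ("2024-01-10T08:15:41Z", "bob", "denied"),
    ("2024-01-10T08:16:02Z", "bob", "timeout"),
    ("2024-01-10T08:16:25Z", "bob", "denied"),
    ("2024-01-10T08:16:50Z", "bob", "approved"),     # user finally gives in
    ("2024-01-10T09:00:00Z", "carol", "denied"),     # isolated mis-tap
    ("2024-01-10T09:30:00Z", "carol", "approved"),
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Return one finding per user whose densest prompt burst within
    `window` contains at least `min_prompts` prompts.

    A burst that ends in an approval is the fatigue success case the
    page describes, so it is rated 'critical'. A burst without an
    approval is still a 'warning': the user held out, but whoever is
    triggering the prompts already holds the first factor.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((parse_ts(ts), result))

    findings = []
    for user, evs in by_user.items():
        evs.sort()
        best = []
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) < min_prompts:
            continue
        approved = any(result == "approved" for _, result in best)
        findings.append({
            "user": user,
            "first_prompt": best[0][0].isoformat(),
            "last_prompt": best[-1][0].isoformat(),
            "prompts": len(best),
            "approved": approved,
            "severity": "critical" if approved else "warning",
        })
    return findings


if __name__ == "__main__":
    for finding in find_mfa_fatigue(SAMPLE_EVENTS):
        print(finding)
```

The window and prompt threshold are starting points, not universal values; tune them against the provider's normal retry behaviour so that a user who mis-taps twice is not paged, while a sustained storm against one account is.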
APT29 / “Cozy Bear”: State-Linked Strategic Access
APT29, often referred to as “Cozy Bear”, is widely associated in open-source reporting with Russian state-linked intelligence interests. Unlike many financially driven groups, it usually focuses on long-term, covert access for intelligence gathering. Immediate disruption or ransom is not their main objective. Historical reporting has linked this actor to intrusions against government agencies, political organisations, think tanks and technology or cloud service providers.
Typical behaviours attributed to this type of actor include:
- Targeting identity providers and authentication systems to gain broad access to user accounts.
- Focusing on cloud services, email and collaboration platforms used widely across organisations.
- Maintaining presence over extended periods using stealthy tooling, careful operational security and techniques designed to blend into normal administrative activity.
For organisations, the lesson is that identity, federation services, and cloud administration layers are now high-value targets. These are important in their own right, not just as supporting infrastructure. Even smaller entities can be exposed if they are part of a supply chain, provide specialist services, or hold access to larger partners. Monitoring for unusual authentication patterns, protecting administrative accounts, and treating cloud identity as critical infrastructure become essential parts of defence.
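The monitoring the paragraph above calls for is behavioural rather than signature-based: learn what normal looks like for each administrative account, then flag departures from it. The following is an added example written for this page (not code from the page or from any identity provider) that learns a per-account baseline of source country and client type from constructed history and reviews new sign-ins against it. The SignIn fields, the privileged-account list and all events are constructed assumptions; real sign-in logs carry more fields, but the approach is the same.

```python
"""Baseline-driven review of privileged sign-ins.

Added example for this page. The sign-in fields, the privileged-account
list and all events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str   # geo-location of the source address
    client: str    # client type, e.g. "browser" or "powershell"
    app: str       # application or portal signed in to


# Constructed: accounts holding cloud or federation admin roles.
PRIVILEGED = {"admin-alice", "admin-dave"}

# Constructed history used to learn the per-account baseline.
HISTORY = [
    SignIn("admin-alice", "GB", "browser", "Azure Portal"),
    SignIn("admin-alice", "GB", "powershell", "Exchange Online"),
    SignIn("admin-dave", "GB", "browser", "Admin Center"),
    SignIn("bob", "US", "browser", "Outlook"),   # not privileged, not baselined
]

# Constructed new events to review against that baseline.
SAMPLE_SIGNINS = [
    SignIn("admin-alice", "GB", "browser", "Azure Portal"),       # routine
    SignIn("admin-alice", "NL", "browser", "Azure Portal"),       # new country
    SignIn("admin-dave", "GB", "powershell", "Exchange Online"),  # new client type
    SignIn("bob", "US", "browser", "Outlook"),                    # out of scope
    SignIn("admin-dave", "GB", "browser", "Admin Center"),        # routine
]


def build_baseline(history, privileged):
    """Map each privileged user to the set of (country, client) pairs seen."""
    baseline = defaultdict(set)
    for event in history:
        if event.user in privileged:
            baseline[event.user].add((event.country, event.client))
    return dict(baseline)


def score_signin(event, baseline, privileged):
    """Return the reasons an event departs from the account's baseline.

    An empty list means either the account is not privileged (left to
    other detections) or the sign-in matches established behaviour. A
    privileged account with no history at all gets both reasons, which
    is the right outcome for a newly created admin.
    """
    if event.user not in privileged:
        return []
    seen = baseline.get(event.user, set())
    reasons = []
    if event.country not in {country for country, _ in seen}:
        reasons.append(f"new country {event.country}")
    if event.client not in {client for _, client in seen}:
        reasons.append(f"new client type {event.client}")
    if not reasons and (event.country, event.client) not in seen:
        # Both seen before, but never together (e.g. scripting from a new office).
        reasons.append("new country/client combination")
    return reasons


def review_signins(events, baseline, privileged=PRIVILEGED):
    """Return (user, app, reasons) for each privileged sign-in off baseline."""
    alerts = []
    for event in events:
        reasons = score_signin(event, baseline, privileged)
        if reasons:
            alerts.append((event.user, event.app, reasons))
    return alerts


if __name__ == "__main__":
    learned = build_baseline(HISTORY, PRIVILEGED)
    for alert in review_signins(SAMPLE_SIGNINS, learned):
        print(alert)
```

Two design points matter more than the specific attributes chosen: the baseline is scoped to the accounts that actually hold administrative or federation roles, so the alert volume stays small enough to be reviewed, and the comparison is against the account's own history, so a legitimate tool or portal used from an unexpected place still stands out even though nothing about it is malicious in isolation.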
LockBit: Ransomware-as-a-Service Ecosystem
LockBit is often described as a “group”, but it is better understood as a ransomware-as-a-service (RaaS) ecosystem. Instead of carrying out all attacks themselves, core operators develop ransomware tools, infrastructure and payment mechanisms and provide them to affiliates, who conduct the intrusions in exchange for a share of the proceeds. This model has enabled widespread targeting across public and private sectors, including healthcare, education, manufacturing and local government.
Key characteristics of this kind of operation include:
- Regular updates to ransomware variants and tooling to evade detection and maintain effectiveness.
- A structured affiliate programme, lowering the barrier to entry for less technically capable criminals.
- Data theft, extortion and “double extortion” tactics, where attackers both encrypt data and threaten to leak it publicly.
LockBit shows how ransomware has evolved into a distributed business model rather than a single, tightly controlled group. This widens the potential pool of attackers and means that victims can range from small organisations to large enterprises. For defenders, it reinforces the need for robust backup and recovery, strong access controls, segmentation and well-practised incident response, alongside efforts to reduce initial access opportunities through patching and secure remote access.
What These Groups Have in Common
Despite differences in motivation and structure, these actors share several themes that are highly relevant to most organisations:
- Identities and access pathways are prime targets, whether for long-term espionage, rapid monetisation or broad ransomware campaigns.
- Legitimate tools and services (remote access platforms, cloud collaboration platforms, administrative utilities) are frequently used as part of attacks, so detection has to rely more on behaviour than on simple signatures.
- Supply chains, service providers and shared platforms create additional routes into environments beyond the traditional network perimeter.
A practical takeaway is that strong identity protection, effective monitoring and proportionate, well-understood controls are central to defending against a broad spectrum of threats. Technical measures should be complemented by robust processes around user verification, access changes, third-party connections and incident response. The threat landscape will continue to change, but organisations that treat identity and core business platforms as critical assets, and that invest in resilience and visibility, will be better positioned to adapt.