The Who of Hackers

The Who of Hackers 1640 924 ELVT Consulting

These days, the ‘who’ aspect of malware threats often gets downplayed in the fight to protect data and recover from disasters. There is a common misconception that protecting the systems against theoretically universal and known generic vectors will deter all types of bad actors. However, we forget that the context and thought processes behind the attacks really matter here, as they give insights into the motivations, possessed skill levels, capabilities, and funding behind the threats, as well as the comparative dangers posed by the attacker’s specific goals. 

Hacker Profiles

Many malware and hack originators can be profiled as falling into one or more of the following classes, listed generally in the order of threat magnitude, descending. When considering each, note some of the key metrics that help better define them: 

  • Infiltration Complexity: Describes how technically advanced and well orchestrated their attacks may be.
  • Potential Damage and Disruption: Estimates what consequences a successful attack can cause, both in terms of financial, operational and personal collateral. 
  • Detection Difficulty and Persistence: Rates the time, skills and effort needed to detect, contain and permanently remove a threat in the longer term.
  • Resources: The measure of money, motivation, scale and breadth lurking behind the threat actors.

Keep in mind that not all threat actors neatly fall into some of these categories, but generally understanding who and what they are capable of can provide better guidance on how to protect against them, better tailor defenses, and invest in the right countermeasures. The industry is realizing that it’s not just about throwing up firewalls and hoping for the best; it’s about playing 4D chess in an arena where the players are unpredictable, varied, and constantly changing.

Nation-State Actors

Government-Backed Cyberwarfare and Cyberterrorism – “The Big Guns”: Extremely dangerous and well funded. They’re unmatched in scope, resources, and severity of planned attacks, which are often unfortunately motivated by geopolitical, ethnic, religious, or other large scale economic goals. If these groups have targeted you and you’re not already sufficiently fortified against them, it’s probably already too late. Moreover, the defenses against these groups can sadly require other governments to be involved.

Infiltration Complexity: Extreme. Built for the long game.
Potential Damage and Disruption: Extreme and systematic. And often with pinned targets
Detection Difficulty and Persistence: High
Resources: Practically limitless and fueled by ideology
Specific Protection Measures:

  • Collaborate with national cybersecurity agencies
  • Invest in shared threat intelligence to identify new attack vectors
  • Study The threat and pray to not be targeted

Funded Technology Mercenaries Building APTs (Advanced Persistent Threats)

Next to the mega nation-state groups, these are the ones conducting targeted electronic espionage – hacking carried out by private Intelligence firms and corporate mercenary hackers-for-hire. They can still also be funded by nation states, but their goals are ambiguous and ethics are often subjective and fluid going to the highest bidder. 

They are persistent, have large internal research labs who develop powerful proprietary tools necessary to find and exploit 0-day vulnerabilities with advanced techniques. Their motives are however mostly financial, which means their services are often prohibitively expensive, fortunately reducing the victim pool they would be interested in going after. “You get what you pay for.” (Palantir)Example: DarkMatter – A UAE-based cybersecurity company suspected of providing cyber-espionage services and custom widespread spyware.
Infiltration Complexity:
Extreme, the masterclass who show how it’s done
Potential damage and disruption: Very High depending on what they were contracted to do
Detection Difficulty and Persistence: Very High
Resources: Fully scalable based on funding
Specific Protection Measures:

  • Invest in strong enterprise-grade security infrastructure with multiple layers of defense
  • Perform regular security audits and penetration testing
  • Have a comprehensive incident response plan and long term strategies

Insider Threat Actors

These are one of the biggest wildcards, being highly unpredictable and difficult to prepare against. When seeing a low barrier of entry for penetration, those possessing privileged, inside access to proprietary knowledge,  can cause significant damage in ways other actors couldn’t even imagine. 

They might strike due to grievances, both ideological and personal, or simply be playing the long game once they find a loophole. They are also notoriously hard to detect because of how close they can get to critical systems and are sometimes even people embedded into internal security teams. They generate a substantial portion of leaks and PII breaches.

Example: Edward Snowden – Leaked highly classified information from the National Security Agency (NSA).
Infiltration Complexity: So dangerously Low that nearly anyone could do it
Potential Damage and Disruption: High – privileged access is no joke
Detection Difficulty and Persistence: High and long lasting, often impossible to detect
Resources: Not needed – typically just the motivation, as there are no hackers to hire or software to get first
Specific Protection Measures:

  • Implement strict least-privilege access controls
  • Conduct regular audits of employee activities
  • Use background checks and behavioral analytics to detect anomalies

Cyber Scams and Organized Crime

Career criminals who seek financial gain via fraud, ransom, blackmail, identity theft, etc. They’re specifically dangerous because of the nature of direct financial loss caused by breaches. They may be far less funded than large mercenary organizations, but that also makes them desperate and numerous. They often operate from developing nations with few enforced laws, and are willing to target as many victims as possible in a broad net to increase breach probability. 

Their footprint may range from a few people in a shack writing scam emails to an organized corporate call center using social engineering to gain remote system access and steal identities. This is where a lot of ransomware and phishing originates from.

Example: REvil – A criminal gang responsible for high-profile ransomware attacks.
Infiltration Complexity: Moderate, often targeting low hanging fruit via social engineering
Potential Damage and Disruption: High. Usually monetary
Detection Difficulty and Persistence: Moderate. They’re in it for the quick pay-out and not the long game
Resources: Low to moderate efforts, potentially high volume
Specific Protection Measures:

  • Educate employees on phishing and social engineering
  • Use multi-factor authentication (MFA)


They usually claim to promote Ideological causes. Moderately dangerous, often only seeking to disrupt operations or leak data. Fortunately, their plans usually involve taking responsibility and being as flashy as possible in their efforts as the message is part of the end goal. They might not steal your data, but they could ‘dox’ or leak your internal emails, humiliate staff, and share your intellectual secrets publicly.

Example: Anonymous – Involved in high-profile attacks for political and social causes
Infiltration complexity: Low to Moderate
Potential Damage and Disruption: Moderate, mainly due to PII and IP leaks
Detection Difficulty and Persistence: Low
Resources: Moderate. Based on strength of support, but “Where there is a will, there is a way”
Specific Protection Measures:

  • Monitor web applications for vulnerabilities
  • Keep watch for potential social or political triggers for hacktivism

Black Hat Hackers

These are the hackers you often see portrayed in movies. Some of these might be hacktivists, but their ideas are often less altruistic. They usually have selfish goals like fame, notoriety, the thrills of the hack, or purely ‘lols’. The threat they pose varies in danger and is wildly skill-dependent. 

Example: Lizard Squad – Known for DDoS attacks and other forms of cyber-vandalism
Infiltration Complexity: High, favoring the most complicated attacks
Potential Damage and Disruption: Varies. Sometimes just for sport
Detection Difficulty and Persistence: Varies based on motivations
Resources: Low
Specific Protection Measures:

  • Utilize heuristic intrusion detection systems
  • Perform regular penetration testing
  • Have a robust incident response plan

Script Kiddies and Green Hat Hackers

These are often the less technically sophisticated or marginally motivated hackers. They might have limited skills and be just attention-seeking, but also can cause chaos with tools they do not understand. They often cause only minor mischief and look for easy targets. 

Typically they simply use existing known turn-key hacking tools to deploy their attacks which makes them easy to detect. Think stealing wi-fi passwords, defacing WordPress pages, stealing social media accounts and private pictures.

Note that a subset are also known as Green Hats, as they are those who are still learning to be professionals, and just testing the waters.

Infiltration Complexity: Minimal
Potential Damage and Disruption: Low
Detection Difficulty and Persistence: Very Low
Resources: Minimal
Specific Protection Measures:

  • Keep software up to date to reduce the risk that known, patched vulnerabilities are exploited
  • Use basic firewalls and updated antivirus software to thwart known malware
  • Maintain basic security hygiene that takes into account low skilled attacks

White and Blue Hat Hackers

Finally, those sometimes called the “nice hackers”, are usually hired security professionals, who help companies find security vulnerabilities and test existing systems via penetration testing and other evaluation tools. They are willingly hired to discover and exploit security vulnerabilities. They test-run hacking attempts and share the methods and extract artifacts with the clients so the defenses can be improved.

You protect yourself against them to practice and learn how to harden systems against real threats. They should be treated as real risks, as it is the closest thing to a fire drill for preparing for when things really go wrong. Their capabilities and the simulated risks posed scale with your budget.


The landscape of cybersecurity threats is always evolving, so understanding the ‘who’ behind the attack is not just a matter of curiosity but an integral part of effective cybersecurity strategy. From nation-state actors armed with almost limitless resources to the script kiddies with a rudimentary understanding of hacking tools, the motivations, infiltration capabilities, and dangers vary widely. 

Failing to recognize this diversity amongst threat actors can lead to poorly designed and inefficient security measures. Context matters, and knowing your potential adversary allows for a more targeted, contextual, and effective defense.