Threat Actors and Motivations
Compare and contrast common threat actors and motivations — who attacks, why, and how capability and resources shape the risk.
Every Domain 2 question starts from the same question: who is attacking you, and why? Security+ classifies threat actors along three dimensions — internal vs. external, resources/funding, and level of sophistication. The goal is to match who plus what resources to a likely motivation: financial gain, espionage, disruption, hacktivism, revenge, or war.
The six actor archetypes are nation-state (highest resources, espionage and disruption), organized crime (high resources, financial gain), hacktivist (moderate resources, ideological), insider threat (legitimate access, mixed motives), unskilled attacker / script kiddie (low resources, thrill), and shadow IT (unsanctioned internal tools that create attack surface). On the exam, expect a scenario description followed by answer choices that ask you to name the actor. The tell is usually the combination of sophistication plus motivation plus target industry.
Nation-state actors. Government-sponsored teams with the largest budgets, the longest timelines, and access to zero-days. They run Advanced Persistent Threats (APTs) with dwell times measured in months or years. Motivations: espionage, intellectual-property theft, geopolitical disruption, and wartime cyber operations. Targets cluster around defense, aerospace, critical infrastructure, government, and strategic tech firms.
Organized crime. Professional criminal operations structured like businesses — with affiliates, support desks, and profit-sharing. Motivation is overwhelmingly financial gain: ransomware, banking trojans, card fraud, and Business Email Compromise (BEC). Tooling now rivals nation-state quality, so “sophisticated attack” is not a unique fingerprint of government actors.
Hacktivists. Ideologically motivated actors whose goals are philosophical or political: defacements, doxxing, leaks, and DDoS campaigns to embarrass or expose targets. Capability ranges from moderate to high. Do not confuse hacktivist with script kiddie — hacktivists can be very capable.
Insider threats. Current or former employees, contractors, or partners with legitimate access. Split into malicious (revenge, financial gain, ideology) and negligent (mistakes, phishing clicks, policy bypass). The negligent insider causes more incidents by volume; the malicious insider causes more damage per incident. Both use legitimate credentials, which is why they are the hardest to detect.
Unskilled attackers (script kiddies). Low capability, motivated by thrill, reputation, or curiosity. They use pre-built tools and public exploits. Targets are opportunistic — whatever is weakly defended and easy to find.
Shadow IT. Not a threat actor in the strict sense, but an attack-surface problem: unsanctioned SaaS apps, personal cloud storage, and rogue services employees deploy to get their work done. The threat is the uncontrolled surface, which malicious actors then exploit.
The motivation ladder. CompTIA lists at least ten: data exfiltration, espionage, service disruption, blackmail, financial gain, political/philosophical beliefs, ethical (authorized pen testers, red teams), revenge, disruption/chaos, and war. Memorize the top five — financial, espionage, disruption, ideology, revenge — and you will cover most questions.
| Actor | Resources | Sophistication | Primary Motivation |
|---|---|---|---|
| Nation-state | Highest | Highest (zero-days, APTs) | Espionage, disruption, war |
| Organized crime | High | High | Financial gain |
| Hacktivist | Moderate | Moderate to high | Ideological / political |
| Insider (malicious) | Access > tools | Varies, access matters more | Revenge, financial, ideology |
| Insider (negligent) | N/A | N/A | Mistake, convenience |
| Unskilled (script kiddie) | Low | Low | Thrill, reputation |
| Shadow IT | N/A (attack surface) | N/A | Convenience (unintended) |

| Attribute | What it means | Exam cue |
|---|---|---|
| Internal | Originates inside the org boundary | Insider, shadow IT |
| External | Originates outside the org boundary | All other actors |
| Resources / funding | Money, people, infrastructure | Nation-state > OC > hacktivist > script kiddie |
| Sophistication | Technical depth, custom tooling, zero-days | “Custom malware” → nation-state or top-tier OC |
Two signals solve most actor questions: (1) target industry and (2) motivation. Aerospace plus espionage equals nation-state. Hospital plus ransom equals organized crime. Political site plus defacement equals hacktivist. Legitimate credentials plus odd-hours data pulls equals insider.
A mid-size aerospace component manufacturer finds anomalous traffic after a threat-hunting exercise. The tooling shows a quiet implant that has been on the network for roughly fourteen months, beaconing to an external host every six hours over HTTPS. No ransom note. No data deletion. The SOC Analyst and the CISO are reading the same evidence and coming to different conclusions.
Quiet Implant, Aerospace Target
Mid-size aerospace firm · 14-month dwell · exfil only, no ransom

Assume containment, not cleanup. If the actor is a nation-state APT, you will not fully evict them on the first sweep. Segment the crown jewels, rotate credentials, and treat the network as compromised until proven otherwise. Bring in outside IR expertise — this is not a solo job.
Attribution is hard and expensive. SOC analysts rarely get to “confirm” nation-state; that is a government-agency call. What you can do is recognize the pattern and escalate appropriately. The exam tests whether you can read the fingerprints, not whether you can publish an attribution report.
On the exam: match the scenario’s dwell time, target, and monetization behavior to the actor. Silent + long + strategic = nation-state. Loud + fast + financial = organized crime. Loud + political = hacktivist.
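The "quiet implant beaconing every six hours" pattern in the scenario above is something a SOC can hunt for directly. The following is an added example, not code from the page or from CompTIA: it parses a constructed proxy-log excerpt (the IPs, timestamps and byte counts are made up for illustration) and flags source/destination pairs whose contact intervals are suspiciously regular, reporting the interval, how long the pair has been active, and how little data moves per contact.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (not from the page): 10.1.4.22 contacts
# 203.0.113.45 about every six hours with tiny payloads, and also browses
# 198.51.100.7 at irregular intervals. Timestamps are UTC.
SAMPLE_LOG = """\
2024-03-01T00:05:12Z src=10.1.4.22 dst=203.0.113.45 proto=https bytes_out=1480
2024-03-01T06:05:40Z src=10.1.4.22 dst=203.0.113.45 proto=https bytes_out=1512
2024-03-01T09:12:03Z src=10.1.4.22 dst=198.51.100.7 proto=https bytes_out=8210
2024-03-01T09:13:30Z src=10.1.4.22 dst=198.51.100.7 proto=https bytes_out=64400
2024-03-01T11:40:00Z src=10.1.4.22 dst=198.51.100.7 proto=https bytes_out=2300
2024-03-01T12:04:55Z src=10.1.4.22 dst=203.0.113.45 proto=https bytes_out=1496
2024-03-01T14:02:11Z src=10.1.4.22 dst=198.51.100.7 proto=https bytes_out=910
2024-03-01T18:06:01Z src=10.1.4.22 dst=203.0.113.45 proto=https bytes_out=1503
2024-03-02T00:05:30Z src=10.1.4.22 dst=203.0.113.45 proto=https bytes_out=1488
2024-03-02T06:05:10Z src=10.1.4.22 dst=203.0.113.45 proto=https bytes_out=1520
2024-03-02T09:55:00Z src=10.1.4.22 dst=198.51.100.7 proto=https bytes_out=12000
2024-03-02T10:01:00Z src=10.1.4.22 dst=198.51.100.7 proto=https bytes_out=3400
2024-03-02T12:05:48Z src=10.1.4.22 dst=203.0.113.45 proto=https bytes_out=1492
2024-03-02T18:05:22Z src=10.1.4.22 dst=203.0.113.45 proto=https bytes_out=1507
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def find_beacons(log_text, min_hits=6, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-contact gaps are nearly constant.

    A low coefficient of variation (stdev / mean) of the gaps is the
    "regular heartbeat" shape of an implant's check-in; min_hits keeps
    one-off coincidences from being reported.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            by_pair[(r["src"], r["dst"])].append(r)

    findings = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(recs),
                "interval_s": round(avg),
                "cv": round(cv, 4),
                # how long this pair has been talking: the "dwell" clue
                "span_h": round((recs[-1]["ts"] - recs[0]["ts"]).total_seconds() / 3600, 1),
                # tiny, steady volume is the "exfil only, no noise" clue
                "bytes_out_total": sum(r["bytes_out"] for r in recs),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, every ~{f['interval_s']}s, "
              f"active {f['span_h']}h, {f['bytes_out_total']} bytes out")
```

Regular intervals alone are a triage signal, not proof: software updaters and telemetry agents also check in on a schedule, so in practice the flagged destination is joined with reputation data, the first-seen date (the scenario's fourteen months) and the target's industry before anyone says "APT".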
A CFO’s account is used to approve several wire transfers totaling $2.1M to a previously unused vendor. Logs show the logins came from the CFO’s usual city during normal business hours. The CFO denies approving the transfers. There is no evidence of phishing email. Which actor profile best fits?
External organized crime (BEC)
Professional criminal ring spoofed the CFO’s identity, bypassed email, and initiated wire fraud. Financial gain, high sophistication.
Malicious insider with legitimate access
Someone with the CFO’s credentials or delegated approval rights initiated the wires from inside — normal location, normal hours, no phishing evidence.
Option B is the stronger fit — insider threat
Option B: The fingerprints point inside. Logins from the usual city, during normal hours, with no phishing lure and no evidence of external credential theft look far more like a malicious insider who already has credentials or delegated authority. Insiders bypass most perimeter controls precisely because their activity looks normal.
Option A’s kernel of truth: BEC is a common wire-fraud mechanism for organized crime and should be ruled out rigorously (check email gateways, OAuth grants, forwarding rules). But BEC usually leaves a phishing or impersonation trail, and attackers often log in from unfamiliar geos or impossible-travel patterns. Here the pattern is too normal — which is the insider’s signature.
On the exam: watch for the phrase “no evidence of phishing” or “login from usual location.” Those are cues the examiner wants you to pick insider. If the scenario includes impossible travel or foreign IPs, flip toward OC/BEC.
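The cues the walkthrough lists (usual city, business hours, impossible travel, foreign logins, forwarding rules, OAuth grants) can be encoded as a small checklist over an account's activity log. The code below is an added example written for this page, not the page's or CompTIA's own material; the city coordinates are approximations and the two event streams are constructed to mirror the decision question: one matches the scenario as written, the other adds the external-compromise indicators the walkthrough says would flip the answer toward BEC.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Approximate (lat, lon) for the constructed sample only.
CITY_COORDS = {
    "Chicago": (41.88, -87.63),
    "Lagos": (6.52, 3.38),
}

# Constructed event streams (not from the page). Timestamps are assumed to be
# in the user's local time so the business-hours check is meaningful.
SCENARIO_PAGE = [  # matches the decision question: usual city, normal hours
    {"ts": "2024-05-06T09:14:00", "kind": "login", "city": "Chicago"},
    {"ts": "2024-05-06T09:40:00", "kind": "wire_approval", "city": "Chicago"},
    {"ts": "2024-05-06T10:02:00", "kind": "login", "city": "Chicago"},
    {"ts": "2024-05-06T14:37:00", "kind": "login", "city": "Chicago"},
    {"ts": "2024-05-06T15:05:00", "kind": "wire_approval", "city": "Chicago"},
]
SCENARIO_EXTERNAL = [  # the "flip toward OC/BEC" variant
    {"ts": "2024-05-06T09:14:00", "kind": "login", "city": "Chicago"},
    {"ts": "2024-05-06T11:20:00", "kind": "login", "city": "Lagos"},
    {"ts": "2024-05-06T11:25:00", "kind": "forwarding_rule_created", "city": "Lagos"},
    {"ts": "2024-05-06T11:40:00", "kind": "wire_approval", "city": "Lagos"},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def assess_account_activity(events, baseline_cities, business_hours=(8, 18), max_kmh=900.0):
    """Return the set of external-compromise signals present in an account's events.

    Signals: unusual_location, off_hours, impossible_travel (consecutive logins
    that would require faster than max_kmh travel), mailbox_forwarding_rule and
    new_oauth_grant (the checks the walkthrough says to run to rule BEC out).
    """
    signals = set()
    logins = sorted((e for e in events if e["kind"] == "login"), key=lambda e: parse_ts(e["ts"]))
    prev = None
    for e in logins:
        t = parse_ts(e["ts"])
        if e["city"] not in baseline_cities:
            signals.add("unusual_location")
        if not (business_hours[0] <= t.hour < business_hours[1]):
            signals.add("off_hours")
        if prev is not None:
            here, there = CITY_COORDS.get(e["city"]), CITY_COORDS.get(prev["city"])
            hours = (t - parse_ts(prev["ts"])).total_seconds() / 3600
            if here and there and hours > 0 and haversine_km(there, here) / hours > max_kmh:
                signals.add("impossible_travel")
        prev = e
    kinds = {e["kind"] for e in events}
    if "forwarding_rule_created" in kinds:
        signals.add("mailbox_forwarding_rule")
    if "oauth_consent_granted" in kinds:
        signals.add("new_oauth_grant")
    return signals


def actor_lean(signals):
    """Apply the walkthrough's rule of thumb to the signal set."""
    if signals:
        return "external indicators present: lean organized crime / BEC"
    return "no external indicators: activity looks normal, evaluate insider or delegated approval"


if __name__ == "__main__":
    for name, events in (("page scenario", SCENARIO_PAGE), ("external variant", SCENARIO_EXTERNAL)):
        sig = assess_account_activity(events, {"Chicago"})
        print(f"{name}: {sorted(sig) or 'none'} -> {actor_lean(sig)}")
```

An empty signal set is not proof of an insider either; it only says the perimeter-facing evidence is absent, which is exactly why the next step in the walkthrough is to look at who held the CFO's credentials or delegated approval rights.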
Actor questions always include two or three identifying cues. Read for: (1) industry or target, (2) motivation (money, information, ideology, revenge), and (3) tradecraft (custom malware, long dwell, noisy defacement, phishing campaign). When two answers seem plausible, let motivation break the tie.
- A Organized crime ransomware affiliate
- B Nation-state APT conducting espionage
- C Hacktivist collective
- D Unskilled attacker (script kiddie)
Correct: B. Long dwell time, defense industry target, quiet exfiltration of engineering data, and no financial monetization are classic nation-state espionage indicators.
A wrong: Organized crime monetizes quickly — ransomware, BEC, or card data. Silent 18-month dwell with no ransom attempt is the wrong shape.
C wrong: Hacktivists publicize their work to embarrass or pressure targets. Silence is the opposite of the hacktivist goal.
D wrong: Script kiddies use pre-built tools and target opportunistically. Custom malware plus 18-month operational discipline is well beyond their capability.
Source: CompTIA SY0-701 Objectives v5.0 — 2.1 Threat Actors and Motivations
- A Hacktivist
- B Nation-state APT
- C Shadow IT
- D Malicious insider
Correct: C. Unsanctioned SaaS for work purposes is the textbook shadow-IT pattern. It expands the attack surface and bypasses controls without any malicious intent.
A wrong: Hacktivism requires ideological motivation and typically external origin.
B wrong: Nation-state APTs do not manifest as employee convenience tooling.
D wrong: Malicious insider requires intent to harm. This employee is taking a shortcut, not attacking the org.
Source: CompTIA SY0-701 Objectives v5.0 — 2.1 Threat Actors and Motivations
- A Espionage — nation-state
- B Financial gain — organized crime
- C Political beliefs — hacktivist
- D Revenge — insider
Correct: B. Ransom demand = financial motivation. Professional, multi-target ransomware operations are the signature of modern organized crime.
A wrong: Espionage does not monetize via ransom. It seeks intelligence, not cash.
C wrong: Hacktivists rarely ransom; they publicize for ideological effect.
D wrong: An insider-revenge scenario would include prior-employment context and usually limited blast radius.
Source: CompTIA SY0-701 Objectives v5.0 — 2.1 Threat Actors and Motivations