█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Threat Intelligence/Threat Actors and Motivations
35 minBeginner

Threat Actors and Motivations

After this lesson, you will be able to: Categorize threat actors and understand attribution.

Knowing your adversary changes your defenses. A teenager with Metasploit is different from a nation-state APT. This lesson maps the actor categories, motivations, and the always-tricky business of attribution.

Prerequisites:What is Threat Intelligence?

Actor categories

Cybercriminals, financial. Ransomware, fraud, theft. Most prolific by volume. Nation-state (APT), espionage, disruption. Patient, well-funded. Hacktivists, political. Defacement, leaks. Insiders, covered in DLP track. Script kiddies, using others' tools, often opportunistic.

💡 Famous APTs

APT28 / Fancy Bear (Russia/GRU). APT29 / Cozy Bear (Russia/SVR). Lazarus (North Korea). APT41 (China, dual-use crime + espionage). Each has distinct TTPs documented in MITRE.

Attribution sources

  1. 1

    1. TTPs, toolset, tradecraft fingerprints.

  2. 2

    2. Infrastructure overlap, same C2 servers, certificates.

  3. 3

    3. Code reuse, same malware families, mistakes.

  4. 4

    4. Targets, geographic, industrial.

  5. 5

    5. Operational windows, working hours.

  6. 6

    Attribution is rarely certain. Confidence levels (low/medium/high) matter.

Why attribution matters

Different actors = different defenses. Ransomware crew = backup hygiene. APT espionage = detection of low-and-slow. Hacktivists = OPSEC of public-facing staff.

Quick Check

Most common attacker?

Pick.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←What is Threat Intelligence?
Back to Threat Intelligence
Indicators of Compromise→