Computer security is not only about vulnerabilities and exploits. Behind every attack is an adversary, a person, group, or state pursuing specific goals. Understanding adversaries helps us anticipate threats and prepare defenses. At the highest level, some adversaries use cyber operations as instruments of national power, which turns security into a matter of international conflict.
Characteristics of Adversaries
Adversaries differ in several ways:
- Goals: profit, political influence, espionage, sabotage, or notoriety.
- Risk tolerance: a criminal group seeks low risk and quick returns; a nation-state may accept long-term risk for strategic gains.
- Resources: lone hackers may have limited infrastructure; governments command research labs, intelligence agencies, and large budgets.
- Expertise: from unskilled “script kiddies” who use prebuilt kits to elite teams that develop zero-day exploits.
Types of Adversaries
- Hackers: individuals who probe systems for curiosity, profit, or defense.
  - White hats: security professionals or hobbyists who discover flaws and report them responsibly, often via bug bounties; they operate with authorization.
  - Black hats: malicious attackers who exploit vulnerabilities for financial gain or disruption; they may deploy ransomware, steal data, or sell exploits.
  - Gray hats: operate without clear authorization, sometimes demonstrating or disclosing flaws to pressure fixes or request payment; they blur legal and ethical lines.
- Criminal groups: organized gangs that run fraud, ransomware, and “as-a-service” offerings, including access brokers and botnet rentals.
- Malicious insiders: employees or contractors who abuse legitimate access. Because they already have privileges, their attacks are difficult to prevent and detect.
- Hacktivists: politically or socially motivated attackers who target organizations to make a point.
- Spies: industrial spies steal trade secrets; state-backed operators conduct political or military espionage.
- Press or politicians: reporters or campaign staff may be tempted to obtain opponents’ data to gain advantage; most are risk averse due to reputational and legal consequences.
- Police and law enforcement: act under legal authority through warrants, subpoenas, and seizures; history also shows instances of overreach, such as unauthorized surveillance or improper handling of evidence.
- Nation-states: governments maintain offensive cyber units within militaries or intelligence services; they have the persistence, skill, and funding to compromise hardened systems.
Economic Incentives
Underground markets sustain a robust economy. Botnets, stolen credentials, and exploit kits are commodities. Zero-day vulnerabilities can command high prices in brokered sales. By contrast, bug bounty programs reward defensive work through legal disclosure.
Skill Levels
Attackers differ in skill as well as motivation.
Script kiddies are low-skilled attackers who rely on tools and instructions made by others. Phishing kits, exploit packs, step-by-step videos, and AI tooling make it easy to launch attacks with little understanding of the techniques.
A recent example outside traditional IT is the Kia and Hyundai car theft wave in 2022–2023. Viral videos showed how certain models could be started by removing the steering column cover and attaching a USB cable to an exposed port. The knowledge spread quickly, enabling large-scale thefts by people with minimal mechanical or hacking expertise. Once tools and instructions are widely available, low-skilled attackers can cause significant damage.
Advanced Persistent Threats (APTs)
At the high end are Advanced Persistent Threats (APTs): skilled, well-funded, often state-backed.
- Advanced: they may use custom malware, zero-day exploits, and stealthy tradecraft.
- Persistent: they maintain access for months or years while avoiding detection.
- Threat: they can bypass defenses and achieve high-value objectives.
Examples often cited include Russia’s Fancy Bear, China’s APT41, North Korea’s Lazarus Group, and Iran’s Charming Kitten. Different vendors use different naming conventions for the same actors; we discuss naming later in this course.
Stolen Cyberweapons
Offensive tools developed by intelligence agencies have been stolen and leaked.
- CIA Vault 7 (2017): documents and tools exposed capabilities to compromise phones, smart TVs, and operating systems; attributed to a malicious insider.
- NSA Shadow Brokers (2016–2017): a group published NSA tools; EternalBlue was later used in the WannaCry and NotPetya outbreaks.
- NSA TAO tools theft: a former insider removed sensitive tools from the NSA’s Tailored Access Operations; insider risk can undermine even highly secured organizations.
Powerful tools do not remain confined to their original purpose once leaked; criminals and rival states repurpose them.
Cyber Warfare
Cyber operations are used as instruments of statecraft. Cyber warfare refers to state-sponsored operations that disrupt, damage, or disable critical infrastructure and military systems. Espionage seeks information; warfare seeks direct impact.
Stuxnet
Discovered in 2010, Stuxnet targeted Iran’s uranium enrichment program by infecting Windows systems and Siemens industrial controllers. The facilities relied on an air gap, physical isolation from the Internet. Stuxnet circumvented this by spreading through removable media, then reprogrammed centrifuges to destructive speeds while reporting normal values to operators. It was the first widely known malware to cause physical damage.
Russia and Ukraine
Russia has used cyber operations alongside military action.
- In 2015 and 2016, attackers disrupted Ukraine’s power grid, cutting electricity to hundreds of thousands.
- In 2017, NotPetya spread globally, causing large economic losses. Although it looked like ransomware, it functioned as a wiper.
- In early 2022, just before the invasion, destructive malware such as WhisperGate appeared, and satellite communications were disrupted in parts of Europe.
China
Chinese operators have focused on infiltration and pre-positioning.
- Volt Typhoon: public reporting in 2025 described long-term, stealthy access in U.S. critical infrastructure, including energy, ports, and pipelines; the intent appeared to be readiness for future disruption.
- Salt Typhoon: campaigns against telecom providers and data centers affected operators in the United States and abroad. Control over communications backbones provides visibility and leverage.
These operations go beyond espionage and signal preparation for potential sabotage during crises.
Other Examples
- Iran and Israel: Iranian groups have targeted hospitals and government entities; Israeli-linked operations have disrupted services in Iran.
- North Korea: the Lazarus Group has combined espionage with large financial thefts, including the Bangladesh Central Bank heist.
GPS Spoofing
Cyber and electronic operations intersect. GPS spoofing injects false navigation signals, disrupting aviation, shipping, and military activity. In recent conflicts, widespread spoofing has affected normal operations in impacted regions.
Countermeasures
Defenders do not only block and patch; they also take the fight to the attacker within legal boundaries.
- Court-authorized botnet operations: Law enforcement, sometimes with vendors and ISPs, has dismantled major botnets by sinkholing domains, seizing command servers, and pushing court-approved remediation. Examples include takedowns against Emotet, QakBot, and variants attributed to state-linked infrastructure.
- Preemptive infrastructure disruption: The U.S. Department of Justice and partners have seized or neutralized servers used to conceal intrusions into critical infrastructure, including large collections of compromised small-office routers.
- Provider-led takedowns: Companies have obtained injunctions to disrupt criminal infrastructure, for example sinkholing Necurs or taking down abusive domain families.
These actions are not the same as private “hack-backs.” In the United States, the Computer Fraud and Abuse Act (CFAA) generally prohibits individuals and companies from intruding into systems they do not own, even if those systems are controlled by an attacker. Active defense for the private sector typically means deception environments, beaconing documents, or rapid takedown requests, not hacking back.
Hack-Backs and Active Defense
Hack-back refers to offensive actions by victims against attackers, such as breaking into attacker infrastructure to delete stolen data or disable malware. This is usually illegal for private entities and risky in practice: attribution is uncertain, collateral damage is likely, and victims may destroy evidence needed for prosecution.
What is permitted
- Law enforcement can conduct offensive operations with court authorization.
- Victims can practice active defense that stays within the law: honeytokens and beacons to trace exfiltration, deception networks to study intruders, rapid domain takedown processes, and close coordination with ISPs and government partners.
Illustrative examples
- Emotet and QakBot disruptions: multinational operations seized control servers and, with warrants, pushed removal directives or uninstalled malware components on infected machines through lawful processes.
- State-linked botnet disruptions: operations have targeted botnets built from compromised edge devices, seizing command infrastructure and notifying owners through ISPs.
The lesson is simple: counter-offense is possible, but for the private sector it is coordinated and legal, not vigilante hacking.
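The honeytoken form of active defense mentioned above can be made concrete with a small detector. The following is an added example written for these notes, not code from the original page: it plants a registry of bait accounts (hypothetical names such as `svc-backup-ro`) that no employee ever uses, parses OpenSSH-style authentication lines (the timestamp/host prefix is a constructed syslog layout), and raises an alert on any attempt, successful or not, to authenticate as one of them. The log lines are constructed for the example. The output is evidence for a takedown request or law-enforcement referral, which is the lawful end of the process the section describes.

```python
import re
from dataclasses import dataclass

# Constructed honey accounts (hypothetical names). Each exists only as bait,
# is planted where an intruder would look, and is never used by staff, so
# any authentication attempt against it is a signal, not noise.
HONEYTOKENS = {
    "svc-backup-ro": "credential left in finance-share/README.txt",
    "aws-legacy-deploy": "entry in the archived deployment wiki page",
}

# Parses OpenSSH-style "Accepted/Failed password" lines. The leading
# timestamp and host fields follow a constructed syslog layout for this example.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    src: str
    severity: str     # "high": bait password accepted; "medium": attempt only
    planted_in: str   # which planted copy of the bait was found


def scan(lines, tokens=HONEYTOKENS):
    """Return one Alert per authentication attempt against a honey account.

    A successful login means the intruder holds the planted password and is
    now inside; a failed one still shows the bait material has been found and
    is being tried, which is why both are reported.
    """
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue                      # not an authentication result line
        planted_in = tokens.get(m["user"])
        if planted_in is None:
            continue                      # ordinary account, not bait
        severity = "high" if m["result"] == "Accepted" else "medium"
        alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"],
                            severity, planted_in))
    return alerts


def suspicious_sources(alerts):
    """Source addresses to hand to the ISP, domain-takedown or law-enforcement
    process. This is evidence collection; nothing here touches the source."""
    return {a.src for a in alerts}


# Constructed sample log: one normal login, one ordinary failed guess, then
# two events involving the bait accounts.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z bastion sshd[4012]: Accepted password for alice from 10.0.5.23 port 51422 ssh2
2024-03-04T09:13:44Z bastion sshd[4020]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
2024-03-04T09:15:09Z bastion sshd[4031]: Accepted password for svc-backup-ro from 203.0.113.7 port 40219 ssh2
2024-03-04T09:15:10Z bastion sshd[4031]: pam_unix(sshd:session): session opened for user svc-backup-ro
2024-03-04T09:20:55Z bastion sshd[4044]: Failed password for aws-legacy-deploy from 198.51.100.14 port 33020 ssh2
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.user} from {a.src} "
              f"(bait: {a.planted_in})")
    print("sources for referral:", sorted(suspicious_sources(found)))
```

Because the bait accounts have no legitimate users, the detector needs no baseline or threshold; the design choice that matters is keeping a separate planting location per token so a hit also tells you which document or share the intruder read.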
Implications
Cyber operations blur the line between peace and conflict. Malware can spread globally in seconds, attackers route through compromised machines, and attribution is difficult. States deny involvement, maintaining plausible deniability.
For defenders, critical infrastructure, enterprises, and individuals are all potential targets. Planning must consider opportunistic criminals and patient, well-funded adversaries preparing for conflict years in advance.