This is a reference list of typical threat actors you may want to consider while threat modeling. Links are included to well-known cases involving similar threat actors.
An attacker with physical access to the system in question; this is the "evil maid" of Joanna Rutkowska's blog post of that name. Usually describes scenarios where the threat actor targets a device they do not own, but the same techniques are sometimes applied to your own devices (e.g., circumventing DRM or vendor lock-down on hardware you own, the kind of circumvention the DMCA prohibits). The defining property is unattended physical access, so full-disk encryption on its own is not a complete answer: the boot path and firmware can be tampered with while the device is unattended, which is why measured or verified boot and tamper evidence belong in the model.
An attacker using physical intimidation or violence to force a target into granting access to a system or divulging a secret (commonly called rubber-hose cryptanalysis). Can also describe scenarios where national law permits the authorities to compel access or disclosure, for example key-disclosure laws or device searches at a border. Cryptography does not help here; what helps is limiting which secrets a person is able to reveal, for instance by not carrying sensitive data across a border in the first place.
Advanced Persistent Threat (APT) groups operate consistently over long periods of time. APT groups are often described as sophisticated; sophistication here refers to the advantages available to the group that differentiate it from others.
These advantages may include long-developed intelligence on their victims, development of their own attack tooling, or infrastructure that lets them quickly ramp up and focus on new targets.
APT groups may operate without fear of prosecution, may receive state intelligence on their targets, and need not be motivated by money at all (espionage, sabotage, or quietly positioning for future access are all common goals), so a model that assumes the attacker gives up when an intrusion stops being profitable does not apply to them.
Persistent adversaries who are willing to go to great lengths to obtain vanity usernames or accounts (short, memorable, or otherwise desirable handles).
An adversary interested in compute, hoping to run cryptocurrency mining software at your expense. They care little about your data, which means any system with spare CPU or GPU cycles and a reachable weakness is a target, including build and CI runners and cloud accounts whose credentials have leaked.
Adversaries who have found a way to drive your users' attention towards a monetization scheme of their own, such as injected advertising or redirects.
Adversaries with significant access to stolen PII and payment instruments.
An adversary looking to move illicit funds through accounts and services until the money can eventually be withdrawn as clean, liquid funds. Any product that accepts, holds, or refunds payments can become a step in that chain.
Adversaries who use intricate social engineering ploys in the hope of extracting funds from a target.
Nearly identical to confidence fraud, with the sad and notable exception that the person carrying out the scam may themselves be an unwilling participant, coerced into targeting victims.
An adversary who targets an organization or cause they disagree with, typically for ideological rather than financial motives.
Someone who wants your user database in order to trade it in database-trading communities. Once traded, the data feeds credential stuffing against other services, so the strength of your password hashing and the amount of PII you retain directly affect how much damage a breach does downstream.
An adversary who uses one of many methods (social engineering of carrier staff, bribing an insider, or port-out fraud, for example) to take over a target's phone number and intercept their SMS messages and phone calls. This defeats SMS-based two-factor authentication and any account recovery flow that trusts the phone number.
A state-sanctioned attacker against backend internet infrastructure, such as routing or DNS, rather than against any one end system.
An adversary who works primarily through help desk or support channels, persuading staff to reset credentials, change account contact details, or disclose account information on their behalf. Support workflows are part of the attack surface and deserve the same scrutiny as the login page.