Know Your Enemy: A Field Guide to Cyber Threats
Cyber adversaries range from opportunistic "script kiddies" to sophisticated, state-sponsored espionage groups. To build effective defenses, organizations must understand the specific threats they face using structured frameworks like Canada's ITSG-33.
The Critical Need for Threat Intelligence
The Problem
A one-size-fits-all defense is a recipe for failure. Organizations often overspend on defenses for improbable scenarios while leaving critical vulnerabilities exposed.
The Solution
ITSG-33 provides a systematic framework for categorizing deliberate threats, helping organizations assess risk and build proportional defenses based on real adversary capabilities.
This analysis uses real-world examples—from Colonial Pipeline ransomware to Nortel's decade-long espionage—to illustrate threat categories in action, giving organizations a clearer picture of their risk landscape.
The Spectrum of Cyber Threats: A Comprehensive Overview
Understanding the full range of cyber adversaries is crucial for building robust defenses. The overview below lists the threat categories from the simplest, non-malicious actors to the most sophisticated, state-sponsored entities, outlining their capabilities and risk appetite.
TD7: Extremely Sophisticated Adversary (Extreme Risk)
Abundant resources, extreme risk. Blackmail/intimidation of insiders, physical penetration of secure facilities (e.g., nation-states in crisis).
TD6: Extremely Sophisticated Adversary (Abundant Resources)
Abundant resources, little risk. TEMPEST, supply chain attacks, hard-to-detect implants (e.g., nation-state).
TD5: Sophisticated Adversary (Significant Risk)
Moderate resources, significant risk. Insider bribery, physical destruction, fraudulent products (e.g., international terrorists).
TD4: Sophisticated Adversary (Moderate Resources)
Moderate resources, little risk. Advanced use of public tools, custom attacks, basic social engineering (e.g., organized crime).
TD3: Adversary (Minimal Resources)
Minimal resources, significant risk. Uses public hacker tools, simple phishing, or malware.
TD2: Passive, Casual Adversary
Minimal resources, little risk. Execution of public vulnerability scanners or simple scripts.
TD1: Non-Malicious Adversary
Accidental unauthorized browsing or modification due to lack of training or attentiveness.
Source: Adapted from ITSG-33 Annex 2, Table 5
Low-Sophistication Actors: TD1 - TD3
Low-sophistication actors represent a significant portion of the cyber threat landscape, encompassing threat levels TD1-TD3. These actors may lack advanced technical skills or resources but can still inflict substantial damage through readily available tools and common attack vectors. The following slides will delve deeper into the characteristics and capabilities of these groups.
TD1: Low-Sophistication Threats - The Accidental Adversary
TD1: Non-Malicious Adversary
Basic end-user whose actions, often due to lack of training, can compromise security. Damage is accidental but potentially severe.
Recent Example: UK SAS Data Leak (2025)
The identities and deployment details of active UK Special Air Service (SAS) personnel were inadvertently published in a regimental magazine that was available online for over a decade. This breach was not malicious but stemmed from a lack of internal review protocols, highlighting how a simple, non-malicious oversight can lead to a severe national security risk.
TD2 & TD3: Script Kiddies and Unsophisticated Hackers
TD2 & TD3: Casual Adversaries
Minimal resources, using publicly available tools. Motivated by curiosity or small-scale financial gain, but impact can be disproportionately large against vulnerable targets.
Recent Example: 23andMe Credential Stuffing (2023)
Genetic testing company 23andMe was breached when an attacker used "credential stuffing"—a low-sophistication technique in which previously leaked username/password pairs are automatically tested against a new target. While the initial breach was small, the attacker leveraged platform features to scrape the data of nearly 7 million users, showing how a TD3-level attack can have massive consequences on a poorly secured platform.
These attacks demonstrate how low-sophistication techniques can have massive consequences on poorly secured platforms.
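Credential stuffing has a distinctive defender-side fingerprint: one source trying many different usernames once or twice each, rather than one user failing repeatedly. The following added example (not from the original deck, 23andMe, or any real system) runs that check over constructed authentication log lines in an assumed `<timestamp> login <ok|fail> user=<name> src=<ip>` format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not real data).
SAMPLE_LOG = """\
2023-10-01T12:00:01 login fail user=alice src=203.0.113.5
2023-10-01T12:00:02 login fail user=bob src=203.0.113.5
2023-10-01T12:00:02 login fail user=carol src=203.0.113.5
2023-10-01T12:00:03 login ok user=dave src=203.0.113.5
2023-10-01T12:00:04 login fail user=erin src=203.0.113.5
2023-10-01T12:00:05 login fail user=frank src=203.0.113.5
2023-10-01T12:00:06 login fail user=grace src=203.0.113.5
2023-10-01T12:00:30 login fail user=alice src=198.51.100.7
2023-10-01T12:00:45 login fail user=alice src=198.51.100.7
2023-10-01T12:01:10 login ok user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_events(text):
    """Parse log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failed logins span >= min_users distinct accounts in one window.

    One account failing repeatedly from one IP (198.51.100.7 above) is a forgotten
    password or brute force; many accounts from one IP is the stuffing pattern.
    Returns {src: {"distinct_users": n, "successes": m}} so analysts can see
    whether any leaked pair actually worked.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()  # sliding window needs chronological order
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed_users = {u for _, r, u in in_window if r == "fail"}
            if len(failed_users) >= min_users:
                successes = sum(1 for _, r, _ in in_window if r == "ok")
                flagged[src] = {"distinct_users": len(failed_users), "successes": successes}
                break
    return flagged
```

A flagged source with one or more successes is the case that matters most: it marks the accounts whose reused passwords must be reset and whose sessions should be reviewed for the kind of data scraping described above.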
The Dynamic Criminal Campaign: TD4 & TD5
Sophisticated criminal actors (TD4 & TD5) execute dynamic campaigns, often integrating stealthy reconnaissance with high-impact attacks. Modern ransomware operations exemplify this, showcasing a seamless transition from covert intelligence gathering to devastating system breaches. This multi-phased approach maximizes disruption and financial gain for the adversaries.
TD4: The Reconnaissance Phase - Going Low and Slow
Sophisticated Criminal Adversary (Stealth Mode)
Organized crime groups with moderate resources operating in a "low and slow" phase. The goal is to move through networks stealthily, map valuable assets, and escalate privileges without detection.
1. Initial Access: social engineering, purchased credentials, or rented exploits to gain a foothold
2. Network Mapping: stealthy reconnaissance to identify valuable assets and vulnerabilities
3. Privilege Escalation: gaining higher-level access without alerting security systems
Real-World TD4 Examples
Infiltrating the Colonial Pipeline: Before the DarkSide group could launch its disruptive ransomware, it first had to gain access to the Colonial Pipeline's corporate network. This initial intrusion phase—finding a vulnerability and establishing a foothold without alerting defenders—is a classic TD4 "low and slow" operation, executed with little immediate risk to the attacker.
Recent Example: Infiltrating the Las Vegas Casinos (2023): The hacker group Scattered Spider began its attack on MGM Resorts with a simple 10-minute "vishing" (voice phishing) call, tricking the help desk into giving them credentials. This low-risk social engineering tactic allowed them to bypass perimeter defenses and begin their reconnaissance inside the network undetected.
TD5: High-Stakes Attack Phase: Maximum Disruption
Sophisticated Criminal Adversary (Attack Mode)
Same actors escalating to high-risk operations after successful reconnaissance. Deploying ransomware, exfiltrating data, and engaging in extortion despite exposure risks. This transition from stealthy infiltration to disruptive deployment represents the evolution from TD4 to TD5 behavior within single campaigns.
Real-World TD5 Examples
Paralyzing the Pipeline: Following the successful reconnaissance outlined in TD4, the DarkSide group moved to TD5 by deploying its ransomware on Colonial Pipeline's operational technology (OT) network. This disruptive action carried significant risk, shutting down critical national infrastructure and drawing the full attention of the U.S. government, perfectly illustrating the transition from TD4 to TD5 behavior.
Recent Example: Paralyzing the Casinos (2023): After gaining initial access and conducting internal reconnaissance, the Scattered Spider group escalated to TD5 against MGM Resorts. They deployed ransomware, encrypted systems, and exfiltrated sensitive data, resulting in widespread operational shutdowns and significant financial losses ($100M). This aggressive move, despite the high risk of detection and legal repercussions, showcases a TD5-level commitment to maximum disruption and extortion.
State-Affiliated Actors: TD5, TD6 & TD7
While criminal groups are motivated by profit, nation-states and their proxies operate with strategic, geopolitical goals. Their campaigns often demonstrate extreme sophistication and a willingness to take different kinds of risks, posing unique challenges to cybersecurity defenses.
TD5: State-Sponsored Proxies: Plausible Deniability with Geopolitical Motivation
Non-state groups acting on behalf of nation-states, providing governments plausible deniability while achieving disruptive political goals without official military involvement.
Foundational Example: The Evolution of the Conti Group
The Conti ransomware group, originally a criminal enterprise, evolved into a state-affiliated proxy, suspected of conducting cyberattacks against nations opposing Russia's war in Ukraine. This transformation illustrates how nation-states can leverage existing cybercriminal infrastructure for geopolitical objectives, providing plausible deniability while executing sophisticated and disruptive operations. The group’s activities shifted from purely financial gain to targeting critical infrastructure and government entities, showcasing a convergence of cybercrime and state-sponsored cyber warfare.
Recent Example: Iran's 'CyberAv3ngers' (2023)
In 2023, the Iranian-linked hacktivist group 'CyberAv3ngers' conducted a series of cyberattacks against critical infrastructure, including water treatment plants and energy facilities, primarily in the US and Europe. These attacks, though claimed by a seemingly independent group, align with Iran's strategic interests, demonstrating a state's ability to exert influence and cause disruption through proxy groups. The targeting of operational technology systems highlights the growing threat of state-sponsored actors to industrial control systems and public utilities.
TD6: Nation-State Espionage: The Patient Predator
Nation-state espionage actors (TD6) represent an extremely sophisticated threat, leveraging abundant resources for patient, persistent, and stealthy intelligence gathering. Unlike financially motivated attacks, their goal is strategic advantage, often involving long-term infiltration. These campaigns frequently start with TD4-level reconnaissance to establish an enduring, covert presence, minimizing immediate risk while maximizing strategic gain.
Foundational Case Study: Economic Espionage - The Nortel Hack
The decade-long cyber espionage campaign against Canada's Nortel Networks is a textbook example of a TD6 operation. Beginning in the late 1990s, hackers associated with China's People's Liberation Army (PLA) Unit 61398, also known as APT1, established a persistent presence inside Nortel's global network. This was not a smash-and-grab attack; it was a systematic, long-term effort to achieve economic and technological dominance.
The attackers penetrated the email accounts of the CEO and other senior executives, allowing them not only to steal enormous amounts of technical data and intellectual property but also to surveil the company's internal decision-making processes. They knew Nortel's business plans, its pricing strategies, and its product roadmaps. This stolen research and development directly fueled the rise of Chinese telecom giant Huawei, which was able to leapfrog its competition by leveraging Nortel's innovations. The sustained, patient theft of Nortel's "crown jewels" was a key factor in the Canadian tech giant's eventual bankruptcy in 2009, representing what former NSA Director General Keith Alexander called part of the "greatest transfer of wealth in history".
Recent Example: China's "Volt Typhoon" Campaign
Active since at least mid-2021 and disrupted by the FBI in early 2024, Volt Typhoon is a Chinese state-sponsored group that has infiltrated U.S. critical infrastructure sectors. Their primary technique is "living off the land," using built-in network tools to evade detection. The group's focus is on long-term, persistent access for espionage and to preposition itself for future disruptive attacks, making it a prime example of a stealthy, low-risk TD6 campaign.
This timeline highlights key events in the Nortel Networks economic espionage case study, which was detailed in the previous section, showcasing the patient and persistent nature of nation-state espionage.
1. Late 1990s: China's PLA Unit 61398 begins infiltrating Nortel Networks
2. 2000s: Systematic theft of R&D, business plans, and pricing strategies fuels Huawei's rise
3. 2009: Nortel declares bankruptcy, representing part of the "greatest transfer of wealth in history"
TD7: The Nation-State Wartime Actor
Representing the highest threat level, these extremely sophisticated adversaries possess abundant resources and are willing to take extreme risk. Typically a nation-state operating during a crisis or open conflict, such an actor's operations are acts of cyber warfare, often actively seeking military escalation.
Foundational Case Study: Strategic Sabotage - The SolarWinds Attack
The 2020 SolarWinds supply-chain attack, attributed to Russia's Foreign Intelligence Service (SVR), demonstrates the capabilities of a TD7 adversary. This operation was a masterclass in stealth and strategic patience, designed to establish a permanent presence inside the most sensitive networks of the U.S. government and its allies. Rather than attacking its targets directly, the SVR compromised the software build process of a trusted IT management company, SolarWinds. They inserted a malicious backdoor into a legitimate software update for the company's Orion platform.
Because the update was digitally signed by SolarWinds, it was inherently trusted by its thousands of customers. As a result, the Russian intelligence service gained access to the networks of Microsoft, Intel, Cisco, and multiple U.S. government agencies, including the Departments of Defense, Treasury, and Justice. For nine months, the hackers were able to move undetected through these networks, establishing persistent access and prepositioning themselves for future intelligence gathering or destructive attacks. This operation, like the earlier Stuxnet attack against Iran's nuclear program, highlights the extreme risk associated with a TD7 threat actor willing to compromise the global software supply chain to achieve its objectives.
Recent Example: Russia's Sandworm Attacks on Ukraine (2022-Present)
Throughout the war in Ukraine, the Russian GRU unit known as Sandworm (or APT44) has conducted relentless destructive cyberattacks against Ukrainian critical infrastructure. These include deploying wiper malware against energy facilities and media outlets. These are not mere espionage acts; they are direct, high-risk military operations intended to cause disruption and sabotage in coordination with kinetic military efforts, representing a clear and ongoing example of TD7 cyber warfare.
Building on the SolarWinds case study detailed previously, these statistics underscore the profound impact and strategic implications of this sophisticated cyber attack:
- 9 Months Undetected: SolarWinds attackers maintained access across government agencies
- 18K Organizations Affected: customers who received compromised SolarWinds updates
- 100+ Companies Breached: including Microsoft, Intel, Cisco, and multiple government agencies
Russia's Sandworm unit continues destructive attacks on Ukrainian infrastructure, representing direct military cyber operations coordinated with kinetic warfare.
From Theory to Action: Building Proportional Defense
The diverse spectrum of cyber threats, from amateur script kiddies to advanced nation-state actors, demands a nuanced security strategy. Understanding these adversaries is crucial for moving beyond generic defenses to informed, risk-based decisions.
Know Your Enemy
Recognize that not all threats are created equal. This guide, drawing from the ITSG-33 framework, illustrates the varying sophistication and motivations across different threat actor types.
Informed Decision-Making
Leverage structured threat intelligence to transition from reactive, fear-driven security measures to proactive strategies grounded in a clear understanding of specific risks.
Proportional Defense
Implement formal Threat and Risk Assessments (TRA) to identify your most probable adversaries and protect critical assets effectively, justifying investments and prioritizing resources.
In the asymmetric battlefield of cyberspace, a clear understanding of the enemy is the first—and most important—victory, enabling security leaders to build truly resilient defenses.

Framework adapted from ITSG-33 (Government of Canada). Case studies sourced from "Battlefield Cyber" and recent public reporting.