Chapter 3 of 10

Module 3: Threat Actors, Tactics, and Common Attack Types

Explains who the attackers are, what they want, and how common attacks work in practice, focusing on what matters for liability, notification, and evidence.

15 min read

1. Why Threat Actors and Tactics Matter for Lawyers

In earlier modules you saw why cybersecurity matters and learned core vocabulary. This module connects that knowledge to who is attacking, how they attack, and what that means legally.

For lawyers, the goal is not to become a technical analyst. Your goal is to:

  • Recognize patterns of attacks (e.g., phishing → credential theft → ransomware).
  • Map those patterns to data impacts (what was accessed, altered, exfiltrated, or encrypted).
  • Translate impacts into legal consequences:
    • Regulatory notification duties (e.g., under GDPR, state breach laws, sector rules like HIPAA, GLBA, NIS2).
    • Contractual obligations (security clauses, SLAs, incident reporting timelines).
    • Litigation and enforcement exposure (e.g., negligence, unfair practices, data protection fines).
  • Evidence needs (what logs, emails, and system records you must preserve).

Keep one core question in mind throughout this module:

> “Given this attack pattern, what *legally relevant facts* do I need from the technical team?”

We will walk through major threat actors, their typical objectives, and the common attack flows that most modern incidents (as of early 2026) follow.

2. Major Categories of Threat Actors (with Legal Relevance)

Security teams often classify threat actors by motivation and capability. For legal work, these categories help you:

  • Assess foreseeability and reasonableness of controls.
  • Understand regulator expectations and sanctions issues.
  • Frame litigation strategy and attribution questions.

1. Cybercriminals

  • Motivation: Financial gain (ransom, fraud, resale of data, theft of crypto or funds).
  • Typical targets: Any organization that can pay; often SMEs, healthcare, education, and professional services (including law firms).
  • Common tactics: Phishing, ransomware, business email compromise (BEC), credential stuffing, data theft for sale on dark web.
  • Legal angles:
    • Data breach notification (PII, PHI, payment card data, trade secrets).
    • OFAC / sanctions risk if paying ransom (especially after 2020–2024 guidance and enforcement posture).
    • Consumer and shareholder litigation; regulatory investigations (e.g., data protection authorities, FTC-style agencies).

2. Insiders (Malicious or Negligent)

  • Motivation: Revenge, financial gain, ideology, or simple carelessness.
  • Typical actors: Employees, contractors, vendors with access.
  • Common tactics: Data theft via USB/cloud, unauthorized downloads, misdirected emails, improper sharing, using personal devices.
  • Legal angles:
    • Internal controls and access management (least privilege, monitoring).
    • HR, employment law, and disciplinary processes.
    • Data protection principles (e.g., GDPR’s data minimization and access limitation).
    • Evidence for intent vs. negligence.

3. Nation-State and State-Sponsored Actors

  • Motivation: Espionage, political influence, disruption, intellectual property theft.
  • Typical targets: Critical infrastructure, government, defense, tech, large enterprises; sometimes law firms with sensitive clients.
  • Common tactics: Advanced phishing, zero-day exploits, long-term stealthy presence (Advanced Persistent Threats / APTs).
  • Legal angles:
    • National security and critical infrastructure rules (e.g., NIS2 in the EU, sectoral rules in other regions).
    • Attribution sensitivity: public statements can have diplomatic or sanctions implications.
    • Whether a higher bar for “reasonable security” applies is often debated when APTs are involved.

4. Hacktivists and Ideological Groups

  • Motivation: Political or social causes; reputation damage; public pressure.
  • Typical targets: Governments, corporations, organizations tied to controversial issues.
  • Common tactics: Website defacement, data leaks, DDoS, social media account takeovers.
  • Legal angles:
    • Reputational harm and crisis communications.
    • Privacy and data protection if data is dumped online.
    • Content moderation, defamation, and media law issues.

5. Opportunistic “Script Kiddies” and Hobbyists

  • Motivation: Curiosity, bragging rights, low-level crime.
  • Typical targets: Poorly secured systems, exposed databases, IoT devices.
  • Common tactics: Re-using known exploits, scanning for misconfigurations.
  • Legal angles:
    • Often exposes basic hygiene failures (e.g., no MFA, unpatched systems), relevant for negligence claims.

Key takeaway: You rarely need to prove the exact actor type in court, but understanding the likely actor helps you argue about foreseeability, standard of care, and appropriate response.

3. Match Threat Actor to Legal Concern (Thought Exercise)

Consider these short scenarios and mentally match each to the most pressing legal concern. There can be more than one correct angle, but focus on what you would prioritize first.

Scenario A

A regional hospital receives a ransom note. Attackers have encrypted systems and claim to have exfiltrated patient records.

  • Possible primary concerns:
    1. Data protection / privacy notification duties.
    2. Healthcare-specific regulations (e.g., HIPAA-type rules, medical device safety).
    3. OFAC / sanctions and law enforcement coordination.

Your task: Which do you prioritize first, and why?

---

Scenario B

A disgruntled employee in a tech company downloads a large volume of source code and customer data to a personal drive before resigning.

  • Possible primary concerns:
    1. Trade secrets and IP protection.
    2. Data protection and contractual confidentiality.
    3. Employment law and internal investigations.

Your task: Which is your first call: IP counsel, privacy counsel, or HR? Justify your choice in one sentence.

---

Scenario C

A political advocacy group defaces a company website and posts internal emails embarrassing senior management.

  • Possible primary concerns:
    1. Reputational damage and PR.
    2. Data protection (if personal data is in the leaked emails).
    3. Defamation and media law.

Your task: Which legal workstream activates first, and which follows?

> Reflection: For each scenario, list 2–3 questions you would ask the technical team (e.g., "Do you see evidence of data exfiltration?" or "What logs exist for the employee’s downloads?").

4. Common Attack Flow: From Initial Access to Impact

Most modern incidents follow a multi-step path rather than a single event. Understanding this flow helps you ask targeted questions.

A typical attack chain (simplified):

  1. Initial Access – How attackers first get in.
  2. Establish Foothold – They maintain presence (malware, backdoors).
  3. Privilege Escalation – Gaining higher-level access (e.g., admin rights).
  4. Lateral Movement – Moving across systems and accounts.
  5. Action on Objectives – What they ultimately want (data theft, encryption, fraud).

For legal purposes, focus on where in this chain the incident was detected, because that usually determines:

  • How much data or which systems are likely affected.
  • Whether there is evidence of exfiltration (data leaving the environment).
  • The time window for exposure (important for regulators and litigation).

Visual Description

Imagine a floor plan of an office:

  • Initial access: The attacker sneaks in through a side door someone forgot to lock.
  • Foothold: They hide in a storage room.
  • Privilege escalation: They steal a master key from a supervisor’s desk.
  • Lateral movement: They walk into other rooms, copying documents.
  • Action on objectives: They steal confidential files, sabotage equipment, or lock doors and demand payment.

Your legal analysis often starts with: “How far did they get in the building, and what rooms did they enter?”

5. Phishing, Ransomware, and BEC – Three Core Patterns

Three attack types show up repeatedly in cases, regulatory actions, and news reports (through 2025): phishing, ransomware, and business email compromise (BEC).

A. Phishing (Often the Starting Point)

  • What it is: Deceptive messages (usually email, but also SMS/voice) that trick users into clicking links, opening attachments, or giving up credentials.
  • Common goals:
    • Steal usernames/passwords (for email, VPN, cloud apps).
    • Install malware that enables further access.
  • Key legal questions:
    • Did the phishing lead to account compromise? Which accounts?
    • From those accounts, what systems or data were accessible?
    • Were multi-factor authentication (MFA) and other controls in place and functioning?

B. Ransomware

  • What it is: Malware that encrypts data or systems and demands payment for decryption; often combined with data exfiltration and threats to leak data.
  • Modern trend (as of 2026): "Double" or "triple" extortion:
    • Encrypt data.
    • Exfiltrate and threaten to publish data.
    • Harass customers or partners if the victim does not pay.
  • Key legal questions:
    • Was data exfiltrated, or only encrypted? (Regulators increasingly treat likely exfiltration as a breach.)
    • What categories of data were affected (PII, PHI, payment data, trade secrets, employee data)?
    • What backups existed and how long were systems down (relevant for damages and regulatory expectations of resilience under frameworks like NIS2)?
    • Was any ransom payment made, and how was sanctions risk evaluated and documented?

C. Business Email Compromise (BEC)

  • What it is: Attackers gain access to or impersonate business email accounts to redirect payments, change bank details, or trick staff into sending money or sensitive data.
  • Common patterns:
    • Fake invoice or vendor payment change.
    • CEO/CFO fraud: urgent wire transfer requests.
    • Payroll or benefits redirection.
  • Key legal questions:
    • Did attackers access the mailbox, or just spoof the address? (Access usually triggers privacy/breach analysis; spoofing may not.)
    • For how long was the account compromised? (Lookback period for possible data access.)
    • What personal data or confidential information was in that mailbox?
    • Which contracts govern the impacted transactions (allocation of loss between bank, customer, vendor)?

> In many real incidents, these patterns overlap: phishing → BEC → payment fraud, or phishing → credential theft → ransomware.

6. Walkthrough Example: Phishing → Ransomware → Notification

Let’s walk through a realistic scenario and highlight key legal decision points.

Scenario

  1. An employee at a mid-sized law firm receives a convincing email that appears to be from a major client, asking them to open a "revised contract" in an attached document.
  2. The attachment is actually malware. When opened, it installs software that gives attackers remote access.
  3. Attackers use the employee’s access to move laterally, eventually reaching the document management system.
  4. They deploy ransomware that encrypts file shares and claim they have exfiltrated 200 GB of data, including client documents and employee HR records.
  5. They demand payment in cryptocurrency and threaten to publish the data on a leak site if the firm does not pay.

Key Legal-Focused Questions to Ask the Technical Team

Organize your questions around timeline, scope, and data:

1. Timeline

  • When did the phishing email arrive and when was it opened?
  • When did the malware first establish a foothold?
  • When was lateral movement detected?
  • When did encryption start and stop?

2. Scope of Access

  • Which user accounts and systems did the attacker control?
  • Did the attacker obtain administrator or domain-level privileges?
  • What systems (e.g., document management, email, HR, finance) were accessible from those accounts?

3. Data Impact

  • Do logs show files accessed, copied, or exfiltrated? Any evidence of large outbound data transfers?
  • Can we identify categories of data potentially affected (e.g., EU/UK personal data, US state residents’ data, health data, financial data)?
  • Was any data altered or destroyed, or only encrypted?

4. Evidence and Reporting

  • What logs, forensic images, and system snapshots are being preserved?
  • Are there screenshots or samples of the ransom note and any communications with the attackers?
  • What external parties are already involved (incident response firm, law enforcement, regulators)?

Legal Consequences

From this scenario, you would likely need to assess:

  • Data protection / privacy notifications (e.g., GDPR, UK GDPR, state breach laws, sector-specific rules) based on exfiltration and the types of data.
  • Client notification obligations under engagement letters and outside counsel guidelines.
  • Professional responsibility issues (confidentiality, competence in safeguarding client information).
  • Regulatory reporting under any applicable critical infrastructure or sectoral rules (e.g., if the firm services regulated industries).

Your role is to synthesize technical findings into:

  • A factual incident description.
  • A data classification and jurisdiction map.
  • A notification and reporting plan with timelines and content.

7. Quick Check: Attack Type and Legal Focus

Test your understanding of how attack patterns connect to legal obligations.

A company discovers that an attacker had *read-only* access to a senior manager’s email account for three months via stolen credentials. No ransomware or obvious data deletion occurred. Which legal question is MOST important to answer first?

  A. Whether the attacker used the account to send phishing emails to other companies.
  B. What categories of personal and confidential data were stored in that mailbox during the three-month period.
  C. Whether the attacker is a nation-state or a criminal group.

Answer: B) What categories of personal and confidential data were stored in that mailbox during the three-month period.

Option B is best because the **content of the mailbox** determines whether data protection/breach notification obligations are triggered. A and C may be relevant later (scope of attack, attribution), but regulators and affected individuals primarily care about what personal or confidential data may have been exposed.

8. Data Exfiltration and Notification Triggers

Across many jurisdictions (EU/UK, US states, and others), data exfiltration is a central factor in deciding if an incident is a legally defined breach that triggers notification.

Key Concepts

  • Data exfiltration: Unauthorized copying or transfer of data out of the organization’s control.
  • Encryption-only ransomware: Attackers encrypt data but do not (or claim not to) exfiltrate it.
  • Regulators’ evolving view (up to 2025):
    • Increasingly skeptical of "no evidence of exfiltration" if logging is weak.
    • Expect risk-based assessment, considering:
      • Type and sensitivity of data.
      • Duration and breadth of access.
      • Attackers’ capabilities and behavior.

Questions to Ask Technical Teams

To support your risk assessment and notification decisions, ask:

  1. Logging and Monitoring
    • What logs exist for network traffic, file access, and cloud storage?
    • Are logs complete for the relevant period, or are there gaps?
  2. Indicators of Exfiltration
    • Any evidence of large or unusual outbound data transfers?
    • Any use of known exfiltration tools or cloud storage services by attackers?
    • Any staging of data (e.g., data compressed into archives on internal systems)?
  3. Data Mapping
    • Which systems contain regulated data (e.g., EU personal data, US state residents’ personal information, health or financial data)?
    • Did attackers have access to those systems, even if exfiltration is uncertain?
  4. Risk Assessment Inputs
    • How sophisticated does the attack appear (commodity malware vs. targeted APT)?
    • Did attackers show interest in specific data sets (e.g., HR vs. R&D)?

Your output from these questions should be a risk-based narrative:

  • What data could reasonably have been accessed or exfiltrated.
  • How that maps onto legal definitions of “personal data,” “personal information,” or “protected health information.”
  • Why you conclude that notification is required, not required, or subject to further investigation.

This narrative is often crucial for:

  • Regulator inquiries.
  • Class action or group litigation.
  • Board and insurer communications.
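The indicators and coverage questions in this section can be turned into a repeatable triage that produces the inputs for the risk-based narrative: outbound-volume bursts, staging on regulated systems, logging gaps, data at risk, and a conclusion. The following is an added example, not part of the course materials; the hourly flow summaries, audit events, data map, host names, thresholds and access window are all constructed for illustration, and a real assessment would run over the organization's own logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
# Constructed sample data (not real logs): (hour, host, outbound bytes) per internal host.
FLOWS = [  # dms-01 bursts to 3.2 GB at 11:00; ws-17 has no records for 10:00-11:00 (a gap)
    ("2025-03-01T08", "dms-01", 20_000_000), ("2025-03-01T09", "dms-01", 25_000_000),
    ("2025-03-01T10", "dms-01", 18_000_000), ("2025-03-01T11", "dms-01", 3_200_000_000),
    ("2025-03-01T12", "dms-01", 22_000_000), ("2025-03-01T08", "ws-17", 5_000_000),
    ("2025-03-01T09", "ws-17", 6_000_000), ("2025-03-01T12", "ws-17", 5_500_000),
]
# Constructed file-audit events (hour, host, event, path); an archive created on a regulated system is "staging".
FILE_EVENTS = [("2025-03-01T10", "dms-01", "archive_created", "C:\\Temp\\clients.7z")]
REGULATED_SYSTEMS = {"dms-01": "client documents (EU/UK personal data)",  # hypothetical data map
                     "hr-02": "employee HR records"}                     # (the "Data Mapping" question)
WINDOW = ("2025-03-01T08", "2025-03-01T12")  # attacker access window per the IR team
BURST_FACTOR, BURST_MIN_BYTES = 10, 1_000_000_000  # >10x the host's median hour and >=1 GB

def hours_in(window):
    # Every hour label from window start to end, inclusive
    cur, end = (datetime.strptime(h, "%Y-%m-%dT%H") for h in window)
    while cur <= end:
        yield cur.strftime("%Y-%m-%dT%H")
        cur += timedelta(hours=1)

def outbound_bursts(flows):
    # Hours where a host sent far more than its own typical hourly volume
    per_host = defaultdict(dict)
    for hour, host, nbytes in flows:
        per_host[host][hour] = nbytes
    bursts = []
    for host, hours in per_host.items():
        baseline = median(hours.values())
        bursts += [(host, h, n) for h, n in sorted(hours.items())
                   if n >= BURST_MIN_BYTES and n > BURST_FACTOR * baseline]
    return bursts

def logging_gaps(flows, window):
    # Hours in the window with no record, for every regulated or observed host
    seen = defaultdict(set)
    for hour, host, _ in flows:
        seen[host].add(hour)
    gaps = {host: [h for h in hours_in(window) if h not in seen[host]]
            for host in set(REGULATED_SYSTEMS) | set(seen)}
    return {host: missing for host, missing in gaps.items() if missing}

def assess(flows, file_events, window):
    # Inputs for the risk-based narrative: indicators, coverage gaps, data at risk, conclusion
    bursts, gaps = outbound_bursts(flows), logging_gaps(flows, window)
    staging = [(hour, host, path) for hour, host, event, path in file_events
               if event == "archive_created" and host in REGULATED_SYSTEMS]
    # Staging on a regulated host followed by an outbound burst from it is the strongest signal
    corroborated = [b for b in bursts if any(s[1] == b[0] and s[0] <= b[1] for s in staging)]
    if corroborated:
        conclusion = "likely exfiltration"
    elif bursts or staging:
        conclusion = "possible exfiltration; investigate further"
    elif gaps:  # absence of evidence is not evidence of absence when coverage is incomplete
        conclusion = "no evidence of exfiltration, but logging incomplete"
    else:
        conclusion = "no evidence of exfiltration; logging complete for window"
    hosts = {b[0] for b in bursts} | {s[1] for s in staging}
    affected = sorted(REGULATED_SYSTEMS[h] for h in hosts if h in REGULATED_SYSTEMS)
    return {"bursts": bursts, "staging": staging, "gaps": gaps,
            "affected_data": affected, "conclusion": conclusion}
```

On the constructed data the result is "likely exfiltration" for the client-document server, while the missing hours for ws-17 and the absence of any records for hr-02 are reported as gaps rather than silently treated as "nothing happened".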

9. Flashcards: Key Terms and Concepts

Use these flashcards to reinforce the most important ideas from this module.

Threat Actor
An individual or group that conducts or attempts to conduct malicious cyber activity (e.g., cybercriminals, insiders, nation-states, hacktivists).
Initial Access
The first step in an attack where the attacker gains entry into a system or network (e.g., via phishing, exploiting a vulnerability, or stolen credentials).
Lateral Movement
The process by which an attacker moves from one system or account to others within a network to expand access and reach valuable data or systems.
Privilege Escalation
When an attacker increases their level of access, such as going from a normal user account to an administrator or domain admin.
Phishing
A social engineering attack where deceptive messages trick users into revealing information or installing malware, often via email, SMS, or voice.
Ransomware
Malware that encrypts data or systems and demands payment for decryption; modern variants often also exfiltrate data and threaten to leak it.
Business Email Compromise (BEC)
Fraud where attackers use compromised or spoofed business email accounts to trick organizations into sending money or sensitive data.
Data Exfiltration
The unauthorized copying or transfer of data from a system or network, a key factor in determining breach notification obligations.
Insider Threat
Risk posed by employees, contractors, or others with legitimate access who intentionally or accidentally misuse that access.
Action on Objectives
The final phase of an attack where the attacker carries out their main goal, such as data theft, encryption, fraud, or disruption.

10. Practice: Formulating Focused Questions for Technical Teams

In this final exercise, practice turning a high-level incident description into precise, legally relevant questions.

Incident Summary

A manufacturing company learns from its bank that several large wire transfers to a new "supplier" account were flagged as suspicious. Investigation shows that an attacker had access to the CFO’s email account for at least four weeks, created mailbox rules to hide certain messages, and sent fraudulent invoices to the finance team.

Your Task

  1. Write down 3–5 questions you would ask the technical/IT team. Aim to cover:
    • Scope of email account compromise.
    • Types of data in the mailbox.
    • Evidence of data exfiltration or further lateral movement.
    • Available logs and evidence.
  2. Write down 2–3 questions you would ask the business/finance team, such as:
    • Which payments were made, and under what approvals?
    • What contracts govern these transactions and allocation of loss?
    • Have customers, suppliers, or banks been notified?
  3. Classify the incident in your own words:
    • Primary attack type (e.g., BEC via phishing and credential theft).
    • Likely legal issues (e.g., financial loss allocation, data breach notification, internal controls and governance).

> Compare your questions with a peer or instructor. Are they specific, answerable, and clearly tied to legal decisions (notification, liability, evidence preservation)?

Key Terms

Phishing
A social engineering technique using deceptive messages to trick victims into revealing information or installing malware.
Hacktivist
An ideologically motivated threat actor using hacking to promote a political or social cause.
Ransomware
Malware that encrypts data or systems and demands payment for decryption, often coupled with data theft.
Threat Actor
An individual or group that conducts or attempts to conduct malicious cyber activity against systems, networks, or data.
Cybercriminal
A threat actor primarily motivated by financial gain, often using phishing, ransomware, or fraud.
Initial Access
The step in an attack where the attacker first gains entry to a system or network.
Insider Threat
Risk from individuals with legitimate access (employees, contractors, vendors) who misuse or mishandle that access, intentionally or accidentally.
Lateral Movement
The movement of an attacker within a network from one system or account to others to expand access and locate valuable assets.
Data Exfiltration
The unauthorized copying or transfer of data from a system or network to an external location.
Nation-State Actor
A threat actor linked to or supported by a government, often focused on espionage, disruption, or strategic advantage.
Breach Notification
The legal requirement to inform regulators, affected individuals, or other parties when certain types of data incidents occur.
Action on Objectives
The final phase of an attack where the attacker executes their main goal, such as data theft, encryption, or fraud.
Privilege Escalation
A technique used by attackers to gain higher levels of access than originally obtained, such as admin rights.
Business Email Compromise (BEC)
Fraud that leverages compromised or spoofed business email accounts to redirect payments or obtain sensitive data.
Advanced Persistent Threat (APT)
A long-term, targeted cyber campaign, often associated with highly capable or state-linked actors, that maintains a persistent presence in a network.