Modern groups operate as identity attackers first, file-encryptors second. They leverage credential harvesting, rapid privilege escalation, and token replay to achieve operational disruption.
Insider Threats
Malicious insiders exploit trusted identity positions rather than vulnerabilities. They misuse legitimate credentials, hijack access tokens, and leverage human trust to bypass security controls.
Hybrid IAB + Operator Models
Combined threat actors create identity intrusion supply chains. They merge credential marketplaces with ransomware operations, enabling rapid cross-cloud monetization and persistence.
These three categories share a common trait: identity is their primary weapon, not malware. They move fast, escalate privileges rapidly, and focus relentlessly on operational disruption through identity compromise.
Ransomware Operators: Identity-Focused
Modern ransomware groups have evolved beyond traditional malware delivery. They operate as sophisticated identity attackers, treating file encryption as the final stage rather than the primary objective. Their operational model prioritizes speed, stealth, and privilege acquisition.
These operators understand that compromising identity infrastructure provides faster, more reliable access than exploiting software vulnerabilities. They invest heavily in credential acquisition capabilities and identity persistence mechanisms.
Key Characteristics
Identity-first attack methodology
Rapid privilege escalation paths
Cloud-native operational focus
Token-based persistence mechanisms
Multi-stage monetization strategy
Ransomware: Core Identity Techniques
1. Credential Harvesting at Scale
Operators deploy automated credential acquisition campaigns including password spray attacks against cloud authentication endpoints, credential stuffing using breached password databases, MFA fatigue attacks through repeated push notifications, and browser cookie theft via malware and phishing.
Mapped to: BP-005, BP-010, BP-013
2. Rapid Privilege Escalation
After initial access, operators systematically target cloud admin roles with global permissions, domain admin-equivalent privilege paths through misconfigurations, and overprivileged service principals with extensive API access rights across the environment.
Mapped to: BP-021, BP-026, BP-034
3. API & Cloud Console Abuse
Following escalation, operators leverage administrative access to disable security monitoring tools, modify identity and access policies, create new administrative identities for redundancy, and establish multiple persistence mechanisms across the environment.
Mapped to: BP-040, BP-041
4. Token Replay for Speed
Token replay is the preferred technique for ransomware operations because it completely bypasses multi-factor authentication requirements, evades login monitoring and alerting systems, and grants immediate privileged access without triggering authentication workflows.
Hidden Admin Accounts
Operators create concealed administrative identities within cloud IAM systems, often using naming conventions that blend with legitimate service accounts. These accounts provide long-term access even after primary compromise vectors are remediated.
Long-Lived OAuth Refresh Tokens
By generating OAuth refresh tokens with extended validity periods, operators maintain persistent access to cloud resources and SaaS applications without requiring repeated authentication. These tokens often survive password resets and account lockouts.
Misconfigured Federation Entries
Operators inject malicious federation trust relationships or modify existing SAML/OIDC configurations to establish backdoor authentication pathways. These misconfigurations enable persistent access through trusted identity provider mechanisms.
Insider Threats: Trusted Position Exploitation
The Insider Advantage
Insider threats represent a fundamentally different attack profile. These actors exploit their trusted identity position rather than technical vulnerabilities, making them exceptionally difficult to detect using traditional security controls.
Unlike external attackers who must overcome authentication barriers, insiders already possess legitimate credentials and authorized access. They understand organizational processes, security blind spots, and data sensitivity classifications. Their attacks often blend seamlessly with normal business activity.
Insider threat detection requires behavioral analytics and anomaly detection rather than signature-based security. The challenge lies in distinguishing malicious intent from legitimate job functions.
Insiders use legitimate credentials to perform unauthorized actions beyond their job scope, extract sensitive data from SaaS platforms they legitimately access, and pivot through applications where they have trusted access rights.
Malicious insiders reuse old authentication tokens that haven't expired, leverage saved browser cookies from previous sessions, and exploit residual OAuth grants that remain active after role changes or termination.
Insiders exploit unused administrative roles that weren't properly deprovisioned, leverage overprivileged security group memberships, and activate dormant accounts with elevated permissions across the environment.
Insiders bypass identity controls by persuading colleagues to share access, social engineering internal IT helpdesks to reset credentials, and leveraging manual approval culture where personal relationships override security policies.
Hybrid Threat Actors: Identity Supply Chains
Hybrid threat actors represent the convergence of multiple attack capabilities into integrated criminal enterprises. These sophisticated groups combine Initial Access Brokers, ransomware operators, credential harvesting botnets, and cloud intrusion specialists into identity intrusion supply chains.
1. Credential Harvesting (Harvest): Automated collection of credentials, tokens, and keys
2. Marketplace Sale (Broker): IABs sell access through underground markets
3. Privilege Escalation (Escalate): Operators exploit purchased access for rapid privilege gains
4. Monetization (Exploit): Deploy ransomware or exfiltrate data for profit
This division of labor enables specialization and scale. Each component optimizes for specific attack stages, creating a highly efficient criminal ecosystem that adapts quickly to defensive measures.
Initial Access Brokers operate sophisticated marketplaces where stolen credentials are categorized by privilege level, organization size, and industry vertical. Pricing reflects access quality and potential monetization value.
High-value targets include healthcare, finance, and government sectors. Premium listings offer administrative credentials with immediate privilege escalation potential, selling for significantly higher prices than standard user access.
Operators use purchased access credentials to escalate privileges via cloud IAM misconfigurations, modify Conditional Access policies to weaken security controls, and pivot across SaaS applications to cloud infrastructure.
These actors frequently steal AWS, Azure, and GCP access keys, move sensitive data across cloud providers to complicate forensics, exfiltrate SaaS data for competitive intelligence, and ransom multi-cloud environments simultaneously.
Mapping to Identity Attack Chain (IAC)
All three threat actor categories heavily leverage the Identity Attack Chain, concentrating their operations on stages that enable rapid privilege acquisition and operational impact.
Stage 3: Credential Acquisition
Harvesting credentials through phishing, password spray, credential stuffing, and browser cookie theft
Stage 4: Authentication Abuse
Bypassing MFA, replaying tokens, and exploiting weak authentication policies
Stage 5: Privilege Escalation
Exploiting IAM misconfigurations to gain administrative access across cloud and SaaS environments
Stage 6: Token Tampering
Manipulating authentication tokens to extend access duration and bypass security controls
Stage 7: Lateral Movement
Pivoting across cloud services, SaaS applications, and federated environments using compromised identities
Stage 8: Persistence
Establishing hidden admin accounts, long-lived tokens, and federation backdoors for sustained access
Stage 9: Impact
Executing ransomware deployment, data exfiltration, or operational disruption for monetization
Mapping to Identity Misconfiguration Universe (IMU)
These threat actors systematically exploit identity misconfigurations across multiple domains. Understanding these misconfiguration categories is essential for preventing identity-based attacks.
Identity-centric threat actors generate distinctive behavioral patterns that security teams can detect through proper monitoring and analytics. These detection signals focus on identity abuse rather than traditional malware indicators.
High-Volume Password Spray Attacks
Detect distributed authentication attempts across multiple accounts with common passwords, originating from diverse IP addresses within compressed timeframes.
Abnormal Token Replay Patterns
Identify authentication tokens used from unusual geographic locations, impossible travel scenarios, or devices that don't match historical user patterns.
Privileged Role Activation Anomalies
Monitor for administrative role activations during non-business hours, from atypical locations, or without corresponding approved change requests.
OAuth Consent Anomalies
Track unusual OAuth application consent patterns, especially high-privilege applications approved by users without administrative oversight.
Mass API Operations
Detect high-volume API calls to sensitive endpoints, bulk data export operations, or rapid sequential privilege changes across multiple identities.
Cloud-to-Cloud Lateral Movement
Identify unusual cross-service authentication patterns, especially SaaS-to-IaaS pivots or access to cloud services not typically used by the identity.
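The password spray signal described above (many accounts, few attempts each, diverse source IPs, compressed timeframe) as a runnable detection rule over sign-in events. This is an added example, not code from the original page; the event records, IP addresses and thresholds are constructed for illustration, and the max_per_account check is what separates a spray from a single-account brute force.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs): (timestamp, account, source IP, outcome).
# 02:00 is a spray (six accounts, one try each, six IPs, then a hit on "grace" from an IP
# already seen failing); 09:15 is a user typo; 14:00 is a single-account brute force.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:05Z", "alice", "198.51.100.10", "failure"),
    ("2024-05-01T02:00:09Z", "bob", "203.0.113.7", "failure"),
    ("2024-05-01T02:00:14Z", "carol", "198.51.100.22", "failure"),
    ("2024-05-01T02:00:20Z", "dave", "192.0.2.44", "failure"),
    ("2024-05-01T02:00:31Z", "erin", "203.0.113.91", "failure"),
    ("2024-05-01T02:00:40Z", "frank", "192.0.2.8", "failure"),
    ("2024-05-01T02:01:02Z", "grace", "198.51.100.10", "success"),
    ("2024-05-01T09:15:00Z", "alice", "10.0.0.5", "failure"),
    ("2024-05-01T09:15:30Z", "alice", "10.0.0.5", "success"),
    ("2024-05-01T14:00:00Z", "bob", "203.0.113.7", "failure"),
    ("2024-05-01T14:00:05Z", "bob", "203.0.113.7", "failure"),
    ("2024-05-01T14:00:10Z", "bob", "203.0.113.7", "failure"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window_s=300, min_accounts=5,
                          min_sources=3, max_per_account=2):
    """Slide a window over failed sign-ins and flag spray-shaped windows: many distinct
    accounts, each tried only a few times, from several IPs. Thresholds are assumed defaults."""
    failures = sorted((parse_ts(t), u, ip) for t, u, ip, o in events if o == "failure")
    successes = [(parse_ts(t), u, ip) for t, u, ip, o in events if o == "success"]
    alerts, i = [], 0
    while i < len(failures):
        start = failures[i][0]
        end = start + timedelta(seconds=window_s)
        in_win = [e for e in failures[i:] if e[0] <= end]
        per_account = defaultdict(int)
        for _, account, _ in in_win:
            per_account[account] += 1
        sources = {ip for _, _, ip in in_win}
        # max_per_account separates a spray (few tries per account) from a brute force.
        if (len(per_account) >= min_accounts and len(sources) >= min_sources
                and max(per_account.values()) <= max_per_account):
            # A success in the window from an IP that was also failing is the "landed" case.
            landed = sorted(u for t, u, ip in successes if start <= t <= end and ip in sources)
            alerts.append({"start": start, "end": end, "accounts": sorted(per_account),
                           "sources": sorted(sources), "landed": landed})
            i += len(in_win)  # consume the window so overlapping starts do not re-alert
        else:
            i += 1
    return alerts
```

On the sample data only the 02:00 window fires; the 14:00 burst against one account is left for a separate brute-force rule.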