Team Structures and Attacker Roles
You've read incident reports attributing attacks to named groups: "LockBit," "Scattered Spider," "Volt Typhoon." This section reveals that the "group" label often obscures a supply chain of independent actors with different skills, different tools, and different operational profiles. Understanding the team structure changes how you investigate, how you assess the threat, and how you scope the remediation.
Scenario
Your investigation reveals two distinct tool signatures in the same campaign. A commodity phishing kit handled initial access. A custom-built lateral movement framework handled post-compromise. The quality gap is too large for one operator. This is a handoff: an initial access broker sold the foothold to a second team. The investigation needs to treat this as two adversaries with different capabilities, different tools, and different constraint profiles.
Cybercrime is a supply chain
Modern cybercrime does not operate as single actors executing complete campaigns. It operates as a supply chain of independent specialists connected by criminal marketplaces. The access broker compromises your VPN, verifies the access works, lists it for sale with your industry, revenue, endpoint count, and security stack. The affiliate purchases the listing and executes their objective. The RaaS operator built the ransomware platform, manages the leak site, and handles ransom negotiations. None of them work for the same organization. Each is an independent business with its own constraint profile.
M-Trends 2026 documented the operational consequence of this specialization: the median handoff time between initial access partner and secondary operator collapsed from over 8 hours in 2022 to 22 seconds in 2025. The supply chain has become so tightly integrated that initial access partners pre-stage the secondary group's malware during the initial infection, eliminating the marketplace delay entirely.
Understanding this supply chain structure changes your investigation. If you see a skill discontinuity (sophisticated initial access followed by crude post-exploitation), that is not one inconsistent attacker. It is a handoff. The broker may have sold access to fifty other organizations the same week. Your incident is one transaction in a marketplace.
The criminal supply chain. Each actor has a different skill level and produces different telemetry. The victim sees one campaign but faces two or more independent operators.
The access broker
IABs (initial access brokers) specialize in initial access: phishing, vulnerability exploitation, credential stuffing, VPN and RDP compromise. Their technical capability is generally high within their specialization. Once access is established, they create a marketplace listing that provides everything a buyer needs to plan their post-exploitation.
The IAB's telemetry profile is distinctive: sophisticated initial access, minimal post-compromise activity (just enough to verify the access and inventory the environment for the listing), then silence. The access sits dormant until a buyer activates it, which may be days, weeks, or months later.
Dormant persistence is the detection surface for broker-established access. A VPN account that authenticated once or twice and then went silent for weeks. A web shell in a rarely audited directory with no recent callbacks. A scheduled task that was created but never executed. The dormancy itself is the indicator. On a weekly cadence, query for accounts that showed minimal activity and then went silent.
The investigation scoping implication is significant. When you discover a ransomware deployment and trace back to the initial access, the access event may have occurred weeks or months before the ransomware operator arrived. The initial access and the ransomware deployment were conducted by different actors with different tools and different techniques. Your remediation must address both: the vulnerability the broker exploited (the unpatched VPN, the legacy auth endpoint, the phished credential) and the damage the affiliate caused. If you remediate only the affiliate's ransomware artifacts without closing the broker's access method, the next buyer uses the same path.
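The dormancy query described above, written out as an added example that is not part of the original course material. It runs over constructed VPN sign-in records (the account names, timestamps and the CSV layout are assumptions) and flags accounts whose whole history is a short burst of at most two sign-ins followed by weeks of silence.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN sign-in records (not from the original page):
# "timestamp,account,result"
SAMPLE_LOG = """\
2025-03-03T09:12:00,jdoe,success
2025-03-03T09:40:00,jdoe,success
2025-03-04T10:05:00,jdoe,success
2025-03-05T08:30:00,jdoe,success
2025-03-06T09:00:00,jdoe,success
2025-03-07T11:15:00,jdoe,success
2025-03-03T02:17:00,svc-backup,success
2025-03-03T02:19:00,svc-backup,success
2025-04-01T08:00:00,tsmith,success
2025-04-01T08:30:00,tsmith,success
"""
# Assumed "current" date for the weekly run.
NOW = datetime(2025, 4, 15)

def parse_signins(text):
    """Parse CSV sign-in lines into {account: [datetime, ...]}, successes only."""
    by_account = defaultdict(list)
    for line in text.strip().splitlines():
        ts, account, result = line.split(",")
        if result == "success":
            by_account[account].append(datetime.fromisoformat(ts))
    return by_account

def find_dormant_access(by_account, now, max_logins=2, burst_days=7, min_silence_days=21):
    """Flag the broker profile: at most `max_logins` successful sign-ins, all inside
    a `burst_days` window, then at least `min_silence_days` of silence up to `now`.
    Returns a list of (account, first_seen, last_seen, silent_days)."""
    findings = []
    for account, times in by_account.items():
        times.sort()
        if len(times) > max_logins:          # normal, ongoing use: not the profile
            continue
        if times[-1] - times[0] > timedelta(days=burst_days):
            continue                         # sign-ins spread out, not a verification burst
        silent = (now - times[-1]).days
        if silent >= min_silence_days:
            findings.append((account, times[0], times[-1], silent))
    return findings

if __name__ == "__main__":
    for finding in find_dormant_access(parse_signins(SAMPLE_LOG), NOW):
        print("dormant access:", finding)
```

In the constructed data only svc-backup matches: two sign-ins minutes apart, then 42 days of silence; tsmith's burst is too recent and jdoe shows ongoing use.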
The affiliate
Affiliates are the execution layer. Skill varies from sophisticated operators who run manual, targeted campaigns to beginners following step-by-step RaaS documentation. Revenue sharing typically gives affiliates 60-80% of ransom payments, with the RaaS operator keeping the rest.
Low-skill affiliates copy commands from documentation (sometimes with the documentation's example hostnames still in the command), use default tool configurations, and don't adapt when blocked. They are actually more dangerous in one respect: they are less predictable. A skilled attacker follows logical operational flow. A low-skill attacker runs commands out of sequence because they are following a generic playbook rather than adapting to what they find in your specific environment.
The RaaS ecosystem tracked 124 distinct named groups operating simultaneously in 2025 with 93 new ransomware variants identified, a 94% increase from 2024. Many affiliates migrate between RaaS platforms, taking their access and operational patterns with them. An affiliate who operated under LockBit last quarter may operate under RansomHub this quarter using the same techniques with a different encryption payload. The affiliate's post-exploitation behavior is the consistent signal, not the ransomware brand.
Scattered Spider illustrates how affiliate capability can be high while still following the supply-chain model. This group (tracked by CrowdStrike as SCATTERED SPIDER and by Microsoft as Octo Tempest) demonstrated sophisticated social engineering, including voice phishing against help desks and SIM swapping to bypass MFA. They operated as affiliates of multiple RaaS platforms including ALPHV/BlackCat and RansomHub. Their initial access capability was exceptional, but their ransomware deployment used the platform operator's tooling. The investigation implication: even when the affiliate is skilled, the team structure remains a supply chain. The affiliate's social engineering capability and the RaaS operator's encryption capability are independent. Remediating the help desk social engineering vulnerability addresses the affiliate's method. Remediating the endpoint detection gap addresses the operator's payload. Both require separate fixes.
The handoff signature
The skill discontinuity between campaign phases is the telemetry indicator that multiple actors are involved. This is one of the most important investigation findings because it changes both the threat assessment and the remediation scope.
State-sponsored team structures
State programs organize campaigns under unified command with specialized teams for each function: access development (researching and weaponizing vulnerabilities), initial operations (establishing access in target networks), sustained operations (conducting intelligence collection over months), infrastructure management (maintaining C2, proxy chains, and exfiltration channels), and intelligence analysis (processing collected data into finished intelligence products).
The coordination produces campaigns that show consistency across phases, unlike the criminal supply chain's skill discontinuities. Same coding style, same operational tempo, same infrastructure patterns from initial access through objective execution. If the initial access was sophisticated, expect the post-exploitation to be equally sophisticated. Your commodity-tool detection rules will not catch them. Behavioral detection based on access patterns, collection cadences, and data movement anomalies is the detection surface for state-sponsored operations.
State programs also have institutional memory. When you evict a state-sponsored operator, they return. They return with knowledge of your detection capability because the eviction itself taught them what you can see. The re-entry uses different initial access, different infrastructure, and potentially different tooling, but the same objective and the same operational doctrine.
This pattern has been documented repeatedly. Mandiant has reported cases where evicted state-sponsored operators re-compromised the same organization within weeks using a completely different access vector, sometimes targeting a vulnerability that was patched during the remediation of the first intrusion but had a different exposure path the remediation team missed. The attacker had spent months inside the environment before eviction. They understood the network topology, the security architecture, and the monitoring gaps better than the defenders who evicted them.
Remediation against state-sponsored intrusions must assume re-compromise. Build monitoring specifically for the collection pattern (what data is being accessed, at what cadence, from which accounts) rather than for the tooling (which will change). If the attacker's objective was executive mailbox collection every Tuesday and Thursday morning, monitor for that pattern regardless of what tool or identity is used to achieve it.
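The cadence-based monitoring described above, as an added example that is not part of the original course material. It groups constructed mailbox-access audit events (the mailbox, actor names, client labels and the CSV layout are assumptions) by target mailbox, weekday and hour, and reports any slot hit in three or more distinct weeks, deliberately ignoring which identity or client performed the access.

```python
from collections import defaultdict
from datetime import datetime

# Constructed mailbox-access audit events (not from the original page):
# "timestamp,actor,target_mailbox,client"
SAMPLE_EVENTS = """\
2025-05-06T06:40:00,svc-sync,ceo@example.com,EWS
2025-05-08T06:55:00,svc-sync,ceo@example.com,EWS
2025-05-13T06:35:00,svc-sync,ceo@example.com,EWS
2025-05-15T06:50:00,contractor7,ceo@example.com,Graph
2025-05-20T06:42:00,contractor7,ceo@example.com,Graph
2025-05-22T06:58:00,contractor7,ceo@example.com,Graph
2025-05-07T14:10:00,jdoe,jdoe@example.com,Outlook
2025-05-14T09:00:00,jdoe,jdoe@example.com,Outlook
"""

def parse_events(text):
    """Parse CSV audit lines into (datetime, actor, mailbox, client) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, actor, mailbox, client = line.split(",")
        rows.append((datetime.fromisoformat(ts), actor, mailbox, client))
    return rows

def recurring_cadences(events, min_weeks=3):
    """Group accesses per (mailbox, weekday, hour) slot and count the distinct ISO
    weeks in which that slot was hit. A slot seen in >= min_weeks weeks is a
    collection cadence. Actors and clients are recorded for the analyst but are
    not part of the key, so the match survives a change of identity or tooling."""
    slots = defaultdict(lambda: {"weeks": set(), "actors": set(), "clients": set()})
    for ts, actor, mailbox, client in events:
        slot = slots[(mailbox, ts.strftime("%A"), ts.hour)]
        slot["weeks"].add(ts.isocalendar()[1])
        slot["actors"].add(actor)
        slot["clients"].add(client)
    return {k: v for k, v in slots.items() if len(v["weeks"]) >= min_weeks}

if __name__ == "__main__":
    for (mailbox, day, hour), info in recurring_cadences(parse_events(SAMPLE_EVENTS)).items():
        print(f"{mailbox} read every {day} around {hour:02d}:00 by {sorted(info['actors'])} "
              f"via {sorted(info['clients'])} over {len(info['weeks'])} weeks")
```

In the constructed data the CEO mailbox is read every Tuesday and Thursday before 07:00 for three weeks, and the alert still fires when the actor switches from svc-sync to contractor7 and the client from EWS to Graph mid-way through.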
Insider threat structures
Insider threats have three structural variants, each with a different detection profile.
The lone insider uses legitimate access for unauthorized purposes. No external tools, no C2. Detection is anomalous data handling: unusual volume, unusual destinations, unusual timing. A finance manager downloading 3,000 files from SharePoint in a single session is the signal, not a process execution event.
The recruited insider acts on instructions from an external handler who may provide tools, communication channels, or specific collection requirements. The combination of the handler's tradecraft (encrypted external communication channels, dead drops) and the insider's legitimate access creates a mixed detection surface.
The compromised insider's credentials are used without their knowledge. This has the same profile as an external attacker with stolen credentials: unfamiliar device, legitimate credentials, unusual behavior. The distinction matters for the investigation because the employee is a victim, not a participant.
A common scoping failure: the IR team identifies the ransomware as LockBit and attributes the entire campaign to "the LockBit group." The investigation focuses on LockBit's known TTPs and remediates the ransomware deployment artifacts. But the initial access happened three weeks earlier through a credential-stuffing operation by a completely different actor (an IAB) using techniques that have nothing in common with LockBit's playbook. The credential-stuffing vulnerability (unblocked legacy authentication on three finance accounts) is never identified because the investigation was scoped only to the affiliate's activity. Six weeks later, a different affiliate uses the same IAB's method to compromise the same accounts again. Scope every investigation to include the initial access phase, even when the ransomware brand seems to explain the campaign.
Offensive Operations Principle
Modern cybercrime is a supply chain with specialized roles: access brokers, RaaS operators, and affiliates. A skill discontinuity between campaign phases is the telemetry signature of a handoff between independent actors. Identifying the handoff changes the investigation scope: the broker's entry point may still be active, and the affiliate's brand (LockBit, RansomHub, Akira) tells you less about the campaign than the constraint profile does.