A regional water utility's SCADA network is breached by an attacker who patiently maintains access for months, exfiltrates engineering diagrams, and does not tamper with any production processes. Forensics traces the operation to infrastructure linked to a foreign military intelligence unit. Which threat actor category best fits the adversary in this incident?
- A. An organised cybercrime gang motivated by extorting the utility through a ransomware payout demand.
- B. A hacktivist collective protesting the utility's environmental record through public defacement actions.
- C. A disgruntled insider abusing valid credentials to harvest confidential project files for personal use.
- D. A nation-state actor conducting cyber espionage to map critical infrastructure for future leverage. (Correct)
Why A is wrong: Tempting because utilities are common ransomware targets, but the long dwell time, lack of disruption, and theft of engineering diagrams point to espionage rather than financially motivated extortion.
Why B is wrong: Hacktivists seek visibility and publicity for a cause, so they would deface sites or leak data publicly rather than quietly steal schematics for months.
Why C is wrong: An insider scenario is plausible at utilities, but forensics here points to external foreign infrastructure rather than a current employee acting from within the network.
Why D is correct: Long-term stealthy access, theft of engineering data, and attribution to a foreign military intelligence unit are hallmarks of nation-state espionage against critical infrastructure.