The following graphics illustrate the frequency with which the U.S. government deploys sanctions and indictments to combat malicious cyber activity conducted for the benefit or at the behest of China, Russia, Iran, or North Korea. This dataset can help analysts understand how the United States employs these tools and why it does so against certain cyber threat actors but not others. The dataset facilitates the discussion of questions such as, “Why are both sanctions and indictments used against some targets but not others? Are the differences in usage related to the type of cyber operation, the evidence available, the nature of the U.S. relationship with the relevant nation-state, or some other consideration?” Through such discussion, analysts can assess more effectively whether sanctions and indictments are effective tools to punish or deter malicious cyber activity.

FDD’s Center on Cyber and Technology Innovation created these visualizations and is making the underlying data publicly available so that others can build on this effort by pairing these data and graphics with additional tools and information. The visualization is interactive and can be filtered according to the nationality and type of the malicious actors. Users can also export the data in their desired format.

This data includes only those cases that have an explicit cyber component and excludes those in which cyber was a tangential or negligible part of the operation. For example, this dataset does not include instances of intellectual property theft conducted nearly exclusively through physical access to systems and personnel.

This dataset does not distinguish between malicious actors operating independently from state authorities and those acting under the express order of a foreign government. Attribution, particularly as it relates to determining who ordered an operation, requires information beyond what may be included in public statements accompanying the sanctions or indictments. Additionally, cyber operatives may work for government entities while concurrently engaging in criminal activities. For example, the Department of Justice made no mention of state-sponsorship in its indictment of the Iranian individual responsible for the hack and extortion of HBO, but he was also later indicted as part of an espionage operation conducted by the Islamic Republic of Iran. Where possible, the dataset makes note of cyber operations that the U.S. government has expressly attributed to nation states.