The cyber operations tracker categorizes all instances of publicly known state-sponsored cyber activity since 2005. The tracker only contains data in which the perpetrator, also known as the threat actor, is suspected to be affiliated with a nation-state.

The tracker focuses on state-sponsored actors because its purpose is to identify when states and their proxies conduct cyber operations in pursuit of their foreign policy interests. Furthermore, state-sponsored incidents generally have the most accurate and comprehensive reporting. Reporting on nonstate actors, such as hacktivist groups, tends to be murkier and makes for less reliable data.

The data exclusively tracks incidents and threat actors engaged in denial of service attacks, espionage, defacement, destruction of data, sabotage, and doxing. For term definitions, please see the glossary.

All data collected for the tracker is open source. It is collected from existing repositories of state-sponsored incidents, such as Florian Roth’s APT Groups and Operations spreadsheet, the Center for Strategic and International Studies’ list of significant cyber events, and Kaspersky Lab’s Targeted Cyberattacks Logbook. This data was then supplemented with incidents and threat actors that were more recently disclosed in the media and by cybersecurity companies. Additional information was supplied by books, some of which provided more accurate, in-depth reporting and detail. Where possible, efforts were made to link together the multiple aliases for various threat actors, since one actor can be referred to in different ways by various cybersecurity companies. The tracker also attempts to identify which threat actors were responsible for a specific incident.

The information contained in the data set comes from a combination of primary sources, such as government press releases and cybersecurity companies, and secondary sources, such as press reports and trade publications.

The tracker is updated quarterly. Changes will be made public via the Net Politics blog and will identify which incidents or threat actors were added, as well as any changes to data already in the tracker, such as changing the suspected state sponsor of an attack if new evidence is made public.

The tracker also has a feature that allows people to submit additional data. This crowdsourcing element allows cybersecurity firms and the general public to contribute incident or threat actor data to the project.

Known Limitations

Attribution

Attributing a cyber incident to a particular actor, let alone a state-sponsored actor, is a tricky and laborious process. The ability to attribute an incident has been the subject of longstanding debate within the cybersecurity community. Threat actors have been known to deliberately plant “false flags” in code to obfuscate attribution, use malware in the public domain to hide their tracks, and share code with allies. Although some cybersecurity companies expressly refuse to attribute cyber incidents to specific threat actors, a significant number of cybersecurity companies, researchers, and intelligence agencies can deduce a threat actor’s responsibility by using a combination of technical data, open-source information, and an understanding of the threat actor’s foreign policy priorities.

This data set identifies suspected threat actors and their state sponsors based on what the reporting suggests and whether the tools, techniques, and procedures used by the threat actor conform to what is known about a state sponsor’s preferred methods of intrusion.

Completeness of Data

No claims are made that the data contained within the tracker is entirely complete. There are three reasons for this disclaimer.

First, due to resource and language constraints, this database has an inherent bias toward over-reporting incidents or threat actors affecting countries where English is widely spoken, cybersecurity companies publish in English, or there is English-language media. This explains why most of the incidents in the data set identify victims in the United States, the United Kingdom, Australia, Canada, and India.

Second, the database relies on publicly accessible data. State intelligence agencies and private cybersecurity firms are likely to have the most complete data about state-sponsored actors, but may not make what they know public to protect national security or trade secrets. Furthermore, some reporting from the media or cybersecurity companies can be vague or incomplete, making it difficult to confirm incidents for which data is only available from a single source.

Third, complete and accurate information about cyber incidents and threat actors takes time to emerge. For example, the attack on TV5 Monde in 2015 was initially believed to be the work of a terrorist-affiliated group calling itself the Cyber Caliphate. Months later, further evidence surfaced that French intelligence suspected Russian intelligence was behind the operation. It is also probable that, in some instances, state actors have masqueraded as nonstate groups and have yet to be unmasked. Investigating cyber incidents is an iterative process that involves chasing leads and testing hypotheses. For this reason, it is possible that information about incidents or threat actors could change as new evidence comes to light. It is also possible that some state-sponsored incidents have been missed entirely.