Cyber Operations Tracker

The Digital and Cyberspace Policy program’s cyber operations tracker is a database of the publicly known state-sponsored incidents that have occurred since 2005. Know of an incident not listed in the tracker? Report it to us.

Operations by Country

Since 2005, thirty-four countries are suspected of sponsoring cyber operations. China, Russia, Iran, and North Korea sponsored 77 percent of all suspected operations. In 2019, there were a total of seventy-six operations, most being acts of espionage.

[Chart: number of cyber operations sponsored, by country, with a timeline filter covering 2005 to 2023]
Glossary
Distributed Denial of Service

The intentional paralyzing of a computer network by flooding it with data sent simultaneously from many individual computers.

Espionage

The act of obtaining confidential information without the information holder’s consent.

Defacement

The unauthorized act of changing the appearance of a website or social media account.

Data Destruction

The use of malicious software to destroy data on a computer or to render a computer inoperable.

Sabotage

The use of malware that causes a disruption to a physical process, such as the provision of electricity or the normal function of nuclear centrifuges.

Doxing

The act of searching for and publishing private or identifying information about an individual or group on the internet, typically with malicious intent.

Financial Theft

The theft of assets, such as cryptocurrencies or cash, for financial gain.

These terms were adapted using definitions from U.S. CERT, the UK National Cyber Security Centre, and the SANS Institute.

Advanced Persistent Threat (APT)

A set of stealthy and continuous computer hacking processes, often orchestrated by a person or group targeting a specific entity, such as a business or government.

Botnet

A network of computers infected with malicious software and controlled as a group. Botnets are often used to spread spam and launch distributed denial of service attacks.

Critical infrastructure

Systems and assets so vital to a country that their incapacity or destruction would have a debilitating effect on a country’s national security, economy, or public health.

Cyber espionage

The use of computer networks to collect information on the activities, movements, and plans of a target.

Distributed denial of service (DDoS)

Intentionally paralyzing a computer network by flooding it with data sent simultaneously from many individual computers.

Doxing

Searching for and publishing private or identifying information about an individual or group on the internet, typically with malicious intent.

Encryption

Transformation of data into an illegible form to conceal the data’s original meaning and prevent it from being known or used.

Exfiltrate

The unauthorized transfer of data from one computer to another.

False flag

A ruse designed to attribute an operation to a person or a group other than those who actually planned and executed it.

Incident

A discrete event or series of events in which a threat actor compromises a computer network.

Industrial espionage

Spying directed toward discovering commercial secrets from a rival manufacturer, other company, or held by a government.

Malware

Software designed to interfere with a computer’s normal functioning.

Phishing

The practice of sending emails purporting to be from reputable sources in order to induce individuals to reveal information, such as passwords or credit card numbers.

Security certificate

A small data file that digitally authenticates the identity of a server on the internet.

U.S. Cyber Command

The U.S. military organization assigned with defending U.S. military networks and conducting offensive operations in cyberspace.

Watering hole attack

A technique used to compromise a target by inserting malware on a website the target is likely to visit.

Zero-day

A vulnerability in software or hardware that is unknown to its vendor.

Our Methodology

The cyber operations tracker categorizes all instances of publicly known state-sponsored cyber activity since 2005. The tracker only contains data in which the perpetrator, also known as the threat actor, is suspected to be affiliated with a nation-state.

The tracker focuses on state-sponsored actors because its purpose is to identify when states and their proxies conduct cyber operations in pursuit of their foreign policy interests. Furthermore, state-sponsored incidents generally have the most accurate and comprehensive reporting. Reporting on nonstate actors, such as hacktivist groups, tends to be murkier and makes for less reliable data.

The data exclusively tracks incidents and threat actors engaged in denial of service attacks, espionage, defacement, destruction of data, sabotage, and doxing. For term definitions, please see the glossary.

All data collected for the tracker is open source. It is collected from existing repositories of state-sponsored incidents, such as Florian Roth’s APT Groups and Operations spreadsheet, the Center for Strategic and International Studies’ list of significant cyber events, and Kaspersky Lab’s Targeted Cyberattacks Logbook. This data was then supplemented with incidents and threat actors that were more recently disclosed in the media and by cybersecurity companies. Additional information was supplied by books, some of which provided more accurate in-depth reporting and detail. Where possible, efforts were made to link together the multiple aliases for various threat actors; one actor can be referred to in different ways by various cybersecurity companies. The tracker also attempts to identify which threat actors were responsible for a specific incident.

The information contained in the data set comes from a combination of primary sources, such as government press releases and cybersecurity companies, and secondary sources, such as press reports and trade publications.

The tracker is updated quarterly. Changes will be made public via the Net Politics blog and will identify which incidents or threat actors were added, as well as any changes to data already in the tracker, such as changing the suspected state sponsor of an attack if new evidence is made public.

The tracker also has a feature that allows people to submit additional data. This crowdsourcing element allows cybersecurity firms and the general public to contribute incident or threat actor data to the project.

Known Limitations

Attribution

Attributing a cyber incident to a particular actor, let alone a state-sponsored actor, is a tricky and laborious process. The ability to attribute an incident has been the subject of longstanding debate within the cybersecurity community. Threat actors have been known to deliberately plant “false flags” in code to obfuscate attribution, use malware in the public domain to hide their tracks, and share code with allies. Although some cybersecurity companies expressly refuse to attribute cyber incidents to specific threat actors, a significant number of cybersecurity companies, researchers, and intelligence agencies can deduce a threat actor’s responsibility by using a combination of technical data, open-source information, and an understanding of the threat actor’s foreign policy priorities.

This data set identifies suspected threat actors and their state sponsors based on what the reporting suggests and whether the tools, techniques, and procedures used by the threat actor conform to what is known about a state sponsor’s preferred methods of intrusion.

Completeness of Data

No claims are made that the data contained within the tracker is entirely complete. There are three reasons for this disclaimer.

First, due to resource and language constraints, this database has an inherent bias toward over-reporting incidents or threat actors affecting countries where English is widely spoken, cybersecurity companies publish in English, or there is English-language media. This explains why most of the incidents in the data set identify victims in the United States, the United Kingdom, Australia, Canada, and India.

Second, the database relies on publicly accessible data. State intelligence agencies and private cybersecurity firms are likely to have the most complete data about state-sponsored actors, but may not make what they know public to protect national security or trade secrets. Furthermore, some reporting from the media or cybersecurity companies can be vague or incomplete, making it difficult to confirm incidents for which data is only available from a single source.

Third, complete and accurate information about cyber incidents and threat actors takes time to emerge. For example, the attack on TV5 Monde in 2015 was initially believed to be the work of a terrorist-affiliated group calling itself the Cyber Caliphate. Months later, further evidence surfaced that French intelligence suspected Russian intelligence was behind the operation. It is also probable that, in some instances, state actors have masqueraded as nonstate groups and have yet to be unmasked. Investigating cyber incidents is an iterative process that involves chasing leads and testing hypotheses. For this reason, it is possible that information about incidents or threat actors could change as new evidence comes to light. It is also possible that some state-sponsored incidents have been missed entirely.