Tracking State-Sponsored Cyber Operations

Academics, policymakers, and journalists who analyze cybersecurity policy issues face a common problem: the absence of good data. It is difficult to determine whether state-sponsored cyberattacks are actually increasing or whether companies and governments are simply identifying more activity. There is no good data to determine what types of attacks are most frequent, and which warrant a foreign policy response.

It is also next to impossible to keep up with the different threat actor names the press and cybersecurity companies use to refer to the same activity. Depending on who you talk to, the hack of the networks of the Democratic National Committee was the responsibility of a group known as APT 28, the GRU, Pawn Storm, Fancy Bear, Sofacy, Tsar Team, Strontium, Grizzly Steppe, or Sednit.

Today, the Digital and Cyberspace Policy program at the Council on Foreign Relations hopes to bring more clarity and data to a confusing environment. We’re launching a Cyber Operations Tracker, a database of the publicly known state-sponsored cyber incidents that have occurred since 2005.

The database, which draws on previous work done by CSIS, Florian Roth, and others contains almost two hundred entries of state-sponsored cyber incidents or threat actors for which data is publicly available. Want to know who is spying on whom? Looking for the number of times North Korea has been publicly denounced for its cyber operations? Heard of Equation Group but would like to know more about it? The tracker can help answer all of these questions.

In collecting and making sense of the data, we identified sixteen countries that are suspected of being responsible for cyber operations. Some of these are the usual suspects, like China, Russia, and the United States. Others are relatively new to the game, like Mexico, Vietnam, and Kazakhstan.

States are increasingly more comfortable denouncing other states when they get caught. Prior to 2014, publicly calling out another government for an attack was relatively rare. Our data show that the practice became considerably more common around the same time the United States indicted five members of the Chinese People’s Liberation Army for industrial espionage. Many of these new cases are the United States calling out China, Russia, and Iran, but in a few instances, Germany has called out Russia and Canada has accused China.

Those are just some of the trends we were able to identify in the data. (You can find an explanation of our methodology here). If you think you can find more, feel free to download the data and tell us what you find!

The dataset is still a work in progress, and we know that it is incomplete. That’s where you come in. If you’re a cybersecurity researcher, company, or would like to contribute, feel free to let us know about a new state-sponsored threat actor or incident. If it meets our methodological criteria and is fairly well documented, we’ll include it during our quarterly update.