The cyber operations tracker categorizes all instances of publicly known state-sponsored cyber activity since 2005. The tracker only contains data in which the perpetrator, also known as the threat actor, is suspected to be affiliated with a nation-state. The tracker focuses on state-sponsored actors because its purpose is to identify when states and their proxies conduct cyber operations in pursuit of their foreign policy interests. Furthermore, state-sponsored incidents generally have the most accurate and comprehensive reporting. Reporting on nonstate actors, such as hacktivist groups, tends to be murkier and makes for less reliable data. The data exclusively tracks incidents and threat actors engaged in denial of service attacks, espionage, defacement, destruction of data, sabotage, and doxing. For term definitions, please see the glossary.
All data collected for the tracker is open source. It is collected from existing repositories of state-sponsored incidents, such as Florian Roth’s APT Groups and Operations spreadsheet, the Center for Strategic and International Studies’ list of significant cyber events, and Kaspersky Lab’s Targeted Cyberattacks Logbook. This data was then supplemented with incidents and threat actors that were more recently disclosed in the media and by cybersecurity companies. Additional information was supplied by books, some of which provided more accurate in-depth reporting and detail. Where possible, efforts were made to link together the multiple aliases for various threat actors; one actor can be referred to in different ways by various cybersecurity companies.