Skip to content

Attribution Tracker

The Attribution Tracker is a tool designed to explore the processes of assigning responsibility for cyberattacks to specific actors. It draws data from the European Repository of Cyber Incidents data and is updated regularly, with updates occurring every night and following your lunch break.

Select a time period: The Attribution Tracker will analyze attributions made within the time frame you choose.
Time frames always start from today.

scroll down

About Attribution

“Attribution describes the process of assigning respon­sibility for a cyberattack to an actor”  (Bendiek/Schulze 2021).

Our Attribution Tracker, as described above, documents these responsibility assignments for a selected time period starting from 2022. Earlier versions of the Attribution Tracker recorded all attributions documented by EuRepoC since 2000. However, the updated version focuses exclusively on attributions covered by the EuRepoC Project since 2022, ensuring more comprehensive coverage of each incident.

  • Technical Attribution

    This is the process of assigning technical responsibility for a cyber incident, taking into account the tactics, techniques and procedures (TTPs) used by the attackers in order to deduce the origins of the incident on this basis. The "Technical Report" category covered by EuRepoC primarily includes reports from cybersecurity companies.

  • Unofficial Policy Attribution

    This is the process of unofficial policy attribution of responsibility for a cyber incident. Examples may include leaks from public officials or high-ranking civil servants making statements in media reports.

  • Official Policy Attribution

    This is the process of official policy attribution of responsibility for a cyber incident through public speeches or press releases by public officials/high-ranking civil servants. In contrast to technical or legal attributions, this form of attribution usually involves less circumstantial evidence or proof.

  • Legal Attribution

    This is the pocess of direct legal attribution of responsibility for a cyber incident with the aim of prosecution or public declaration of a breach of norms. This regularly involves the presentation of verifiable circumstantial evidence and proof.

  • Self-Attribution

    This is the process of direct attribution of responsibility for a cyber incident by a perpetrator (e.g., via social media), such as hacktivists or cyber criminals. This may be done for a variety of reasons, such as intimidation of a victim or an increase in pressure for them to pay in ransomware attacks.

Attribution Map

Browse attributions

Based on the selected country in the attribution map.

Actors within democracies attribute most frequently

The majority of all (technical, political, or legal) attributions recorded by EuRepoC are made by actors from democratic states. In contrast, only a small proportion of attributions are made by actors from states with autocratic or hybrid regimes.

Attributions from democratic states are most often made through technical attributions, followed by official policy attributions at a clear distance. In contrast, actors from autocracies often attribute themselves. This can be seen especially with self-attributions by criminally- and patriotically-motivated threat actors of Russian origin.

A substantial proportion of attributions cannot be assigned to any regime type or state territory. Among other reasons, this may happen when a threat actor discloses an attack itself (self-attribution) but its operational base or national affiliation is unknown.

Number of attributions recorded by type of regime and attribution

Technical report    Unofficial policy attribution     Self-attribution
Official policy attribution    Media-attribution     Legal attribution    Other attribution

Number of cyber incidents and attributions by month

Number of attributions done in this month     Number of incidents started in this month

Attribution activity has remained stable over time

The number of cyber incidents and the number of (technical, political and legal) attributions varies considerably over time (see graph), but the ratio of recorded cyber operations and attributions remains relatively stable.

It can be seen that, for the vast majority of incidents recorded by EuRepoC, an attribution is made at a certain point in time, whereby the period between the start of the cyber operation and the associated attribution can be shorter (self-attribution; unofficial policy attribution) or longer (official policy and legal attribution; see the following graph on “Attribution time”), depending on the form of attribution.

Attribution processes become quicker over time; Exceptions prove the rule

The average duration of an attribution process (i.e., the period between the start of a cyber incident and its public attribution) decreases over time. However, long-past operations that have yet to be attributed can still impact these average values.

The majority of attributions occur within the first four months after the start of a cyber incident. However, there is also a significant number of attributions that take place much later, with some attribution processes lasting 50 months or longer (not shown here).

Period between the start of a cyber incident and its public attribution

Attributions in the past six months        Total attributions over time

Actors from the USA attribute the most frequently

Both state and non-state actors in the USA (e.g., cybersecurity companies) attribute most frequently. The majority of attributions point to threat actors from China, Iran, North Korea and Russia.

Within the European Union, EuRepoC records the largest share of attributions from Slovakia because a large cybersecurity company is based there which regularly carries out (mostly technical) attributions.

The Repository usually records attributions when there is no available country of origin and an unknown attacker type primarily when threat actors without a known country of origin attribute themselves.

Attribution activity between countries (dyads)

Joint attribution efforts remain rare

The majority of attributions are made by a single state, where actors from that state alone assign responsibility for the incident.

A smaller proportion of attributions occur when actors from two or more states independently issue their own attribution statements.

Joint attributions, where actors from a coalition of states collaborate to create a unified attribution statement, are exceptionally rare.

Patterns of Attribution Between States

●    Single attributions   
 Actors from two states attributed independently
     Actors from multiple states attributed independently
     Joint attributions (actors from two states)
     Joint attributions (actors from multiple states)

Notes on methodology

All attribution data comes from the EuRepoC data set. In contrast to the Attribution Dashboard, the Attribution Tracker takes into account all attributions of each cyber incident, not just their “settled attributions,” which are determined for the clear assignment of attacker and victim information in the Dashboard. Each attribution recorded by EuRepoC made by a specific actor, in a specific state, in a specific form, and which assigns a cyber incident to an actor in a state, is counted individually.

The classification of attribution types is inspired by Lee 2023 for the political responsibility attributions and simplifies the EuRepoC category system as follows:

Welcome to our Cyber Incident Dashboard!

For best results, please view on a desktop device.