Przejdź do treści

Attribution Tracker

total attributions recorded

of which

were in the last 6 months

scroll down

“Attribution describes the process of assigning respon­sibility for a cyberattack to an actor”  (Bendiek/Schulze 2021). Our Attribution Tracker, as seen above, records these assignments of responsibility from the last six months and records this attribution count in relation to the number of all attributions recorded by EuRepoC since 2000.

  • Technical Attribution

    This is the process of assigning technical responsibility for a cyber incident, taking into account the tactics, techniques and procedures (TTPs) used by the attackers in order to deduce the origins of the incident on this basis. The "Technical Report" category covered by EuRepoC primarily includes reports from cybersecurity companies.

  • Unofficial Policy Attribution

    This is the process of unofficial policy attribution of responsibility for a cyber incident. Examples may include leaks from public officials or high-ranking civil servants making statements in media reports.

  • Official Policy Attribution

    This is the process of official policy attribution of responsibility for a cyber incident through public speeches or press releases by public officials/high-ranking civil servants. In contrast to technical or legal attributions, this form of attribution usually involves less circumstantial evidence or proof.

  • Legal Attribution

    This is the pocess of direct legal attribution of responsibility for a cyber incident with the aim of prosecution or public declaration of a breach of norms. This regularly involves the presentation of verifiable circumstantial evidence and proof.

  • Self-Attribution

    This is the process of direct attribution of responsibility for a cyber incident by a perpetrator (e.g., via social media), such as hacktivists or cyber criminals. This may be done for a variety of reasons, such as intimidation of a victim or an increase in pressure for them to pay in ransomware attacks.

Actors within democracies attribute most frequently

The majority of all (technical, political, or legal) attributions recorded by EuRepoC are made by actors from democratic states. In contrast, only a small proportion of attributions are made by actors from states with autocratic or hybrid regimes.

Attributions from democratic states are most often made through technical attributions, followed by official policy attributions at a clear distance. In contrast, actors from autocracies often attribute themselves. This can be seen especially with self-attributions by criminally- and patriotically-motivated threat actors of Russian origin.

A substantial proportion of attributions cannot be assigned to any regime type or state territory. Among other reasons, this may happen when a threat actor discloses an attack itself (self-attribution) but its operational base or national affiliation is unknown.

Number of attributions recorded by type of regime and attribution

Technical report    Unofficial policy attribution     Self-attribution
Official policy attribution    Media-attribution     Legal attribution    Other attribution

Number of cyber incidents and attributions by month

Number of attributions done in this month     Number of incidents started in this month

Attribution activity has remained stable over time

The number of cyber incidents and the number of (technical, political and legal) attributions varies considerably over time (see graph), but the ratio of recorded cyber operations and attributions remains relatively stable.

It can be seen that, for the vast majority of incidents recorded by EuRepoC, an attribution is made at a certain point in time, whereby the period between the start of the cyber operation and the associated attribution can be shorter (self-attribution; unofficial policy attribution) or longer (official policy and legal attribution; see the following graph on “Attribution time”), depending on the form of attribution.

Attribution Map

Actors from the USA attribute the most frequently

Both state and non-state actors in the USA (e.g., cybersecurity companies) attribute most frequently. The majority of attributions point to threat actors from China, Iran, North Korea and Russia.

Within the European Union, EuRepoC records the largest share of attributions from Slovakia because a large cybersecurity company is based there which regularly carries out (mostly technical) attributions.

Attribution activity between countries (dyads)

Attribution processes become quicker over time; Exceptions prove the rule

The average duration of an attribution process (i.e., the period between the start of a cyber incident and its public attribution) decreases over time. However, long-past operations that have yet to be attributed can still impact these average values.

The majority of attributions occur within the first four months after the start of a cyber incident. However, there is also a significant number of attributions that take place much later, with some attribution processes lasting 50 months or longer (not shown here).

Period between the start of a cyber incident and its public attribution

Attributions in the past six months        Total attributions over time

Browse the attributions added during the last six months

The table above displays details on all the attributions added to the EuRepoC database within the last six months.

Notes on methodology

All attribution data comes from the EuRepoC data set. In contrast to the Attribution Dashboard, the Attribution Tracker takes into account all attributions of each cyber incident, not just their “settled attributions,” which are determined for the clear assignment of attacker and victim information in the Dashboard. Each attribution recorded by EuRepoC made by a specific actor, in a specific state, in a specific form, and which assigns a cyber incident to an actor in a state, is counted individually.

The classification of attribution types is inspired by Lee 2023 for the political responsibility attributions and simplifies the EuRepoC category system as follows:

Welcome to our Cyber Incident Dashboard!

For best results, please view on a desktop device.