New Entries in the CFR Cyber Operations Tracker

Alex Grigsby is the assistant director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.

Last November, the Digital and Cyberspace Policy program at the Council on Foreign Relations launched the Cyber Operations Tracker. The tracker is an effort to catalogue publicly known state-sponsored cyber incidents that have occured since 2005, ranging from cyber espionage to sabotage. 

The tracker will be updated four times a year at the end of every quarter. During this update, new incidents and threat actors that have been made public during the preceding reporting period will be included in the database. We'll also make modifications to older entries if new information has come to light to ensure the tracker is as accurate as possible.

A detailed log of the added and modified entries can be found at the end of this post. A special thanks goes out to Trend Micro and ClearSky for flagging incidents and threat actors for inclusion in the database. 

Here are some quick facts and interesting tidbits that have emerged as a result of this latest update:

• Two new state-sponsored actors have emerged, bringing the total number of countries suspected of sponsoring cyber operations to eighteen. The two new suspected states are Lebanon and Ethiopia. 
• In 2017, there were twenty-eight state sponsored cyber operations revealed. Of those, twenty were cases of espionage, three were cases of sabotage, two were cases of data destruction (NotPetya and WannaCry), two were DDOSes, one was a case of defacement (the Qatar incident).
• In 2017, there were seven cases in which states publicly accused another of conducting a cyber operation against it. Ukraine, Switzerland, Norway, and Denmark accused Russia of conducting operations against them; the Five Eyes and Japan denounced North Korea over WannaCry; the United States indicted individuals who worked for a Chinese intelligence contractor; and Qatar accused the United Arab Emirates over defacing a website that sparked an embargo. 

As always, please let us know if there are any incidents we missed. If they meet our methodological criteria, they will be entered into the tracker. You can submit new incidents here. 

Edits to Old Entries

APT 3. Added a reference to the U.S. Justice Department indictments.
WannaCry. Added a reference to the Five Eyes and Japan attribution to North Korea.
Newscaster. Added a reference that at least one cybersecurity company believes that Behzah Mersi, who was indicted by the U.S. Department of Justice, was a member of this threat actor.
Compromise of South Korean government computers (2016). Added a reference that South Korean officials attributed this incident to North Korea. 

New Entries

Targeting of Far Eastern International Bank
JadeRAT
Indictment of APT 3 threat actors
APT 34
Targeting of the government of Belarus
Sowbug
Targeting of U.S. electric companies
Targeting of citizen journalism website Bellingcat
Targeting of Ethiopian dissidents
Targeting of a Swiss federal agency
MuddyWater
Leviathan
Bronze Butler
Compromise of Kaspersky Labs
Targeting of international sports federations
Attempted compromise of email accounts associated with the UK Parliament
Targeting of individuals of interest to the government of Lebanon