Data & Methodology

The types of information collected

Publicly available information is collected in order to better understand the harm and impact of cyberattacks and operations, and their perpetrators, in the context of the ongoing armed conflict between Ukraine and the Russian Federation. The scope extends beyond impacts and harms in the countries that are parties to the armed conflict and includes cyberattacks in other countries emanating from that conflict. This section provides information on the scope of the data collection and associated indicators, which were carefully selected.

What types of cyber incidents are documented?

Incidents that fall under the umbrella of cyberattacks and operations as defined by the CyberPeace Institute, notably, any incident conducted by a threat actor using a computer network or system with the intention to disrupt, disable, destroy, control, manipulate, surveil or extract a computing environment/infrastructure and/or data.

Incidents documented to date include, but are not limited to, malware (including wiper malware), distributed denial of service (DDoS), malspam, information operations, hack and leak, account takeover and website defacements.

What specific criteria are used when selecting the types of victims and targets to document?

Data collection is concentrated on, but not limited to, incidents targeting and/or impacting civilians, civilian objects (including private companies), and infrastructure ensuring the delivery of essential services to civilians. There is no data collection on cyber incidents against military objects, insofar as it is possible to differentiate these from incidents against civilian objects.

In relation to the international armed conflict in Ukraine, we have used the following definitions in line with the rules of International Humanitarian Law (IHL):

  • Civilians: persons who are not members of the armed forces.
  • Civilian objects: all objects that are not military objectives.
  • Infrastructure: objects ensuring the delivery of essential services to civilians.

What sectors are included in the documentation of attacks?

The priority focus for data collection is on cyber incidents impacting institutions and facilities in the following sectors as per the United Nations International Standard Industrial Classification of All Economic Activities naming convention:

  • Agriculture, forestry and fishing [Agriculture]
  • Content and media [Media]
  • Education [Education]
  • Electricity, gas, steam and air conditioning supply [Energy]
  • Financial and insurance activities [Financial]
  • Human health and social work activities [Health]
  • Information and Communication Technology [ICT]
  • Manufacturing [Manufacturing]
  • Mining and quarrying [Mining]
  • Public administration and defense; compulsory social security [Public administration]
  • Transportation and storage [Transportation]
  • Water supply; sewerage, waste management and remediation activities [Water]
  • Wholesale and retail trade; repair of motor vehicles and motorcycles [Trade]

At the incident level, all targeted entities have been classified under the respective sector. In aggregating data for analysis, any targeted entities that are not within the above list are grouped under the category ‘Other’. When the sector is unknown, this is recorded as ‘Unknown’.

The words in [square brackets] are the terms used throughout this site when referring, for example, to specific sectors in graph labels.

What is the geographical scope of data collection?

Data collection relates to cyber incidents in the context of the Russian-Ukrainian war including incidents in Ukraine, the Russian Federation and other countries. It is important to note that there are particular challenges in verifying and/or confirming incidents, particularly in the Russian Federation and Belarus.

Although it is not always possible to confirm whether a specific cyberattack or operation has been committed with political, military, activist and/or strategic motives related to the conflict, such a link to the conflict forms the basis of the scope of the data collection.

For example, incidents are documented relating to:

  • the leak of data from Russian organizations committed in the name of pro-Ukrainian activism,
  • the disruption of services after a country took a public political or economic position on the conflict or provided military aid,
  • collateral damage in a third country that spills over from an incident originally targeting an entity in either the Russian Federation or Ukraine.

What date period does the data collection cover?

The incidents collected begin in January 2022. The date of the latest update is available under the menu Attack Details.

How is the harm caused by cyber incidents documented?

Analyzing the harm and impact of cyberattacks is at the heart of the CyberPeace Institute’s work. The Institute is currently developing indicators and a methodology to document and measure the harm and impact of cyberattacks on people, organizations, and society. As a first step, information is collected on the harm and impact of cyberattacks as they are reported by the source of the information. Insofar as it is possible, quantitative data is documented, such as the duration of a given impact or the number of individuals affected.

Listed below are core categories of harm or impact documented when the information is available: geographical, operational, temporal, communication, informational / data, financial, societal, psychological, digital, physical (on people such as injury / death) and re-victimization.

How is the attribution of incidents reported?

The Institute does not conduct its own attribution of incidents to identify the actor(s) involved but documents the attribution efforts by others to link a particular individual, group or state to a specific incident. The challenges and complexity of attributing a cyberattack to an actor or actors can be summarized in a four-tiered approach: technical, political, legal, and self-attribution.

  • Technical attribution: determining who or what is responsible for an attack based on the analysis of technical artifacts (e.g. through forensic analysis). A core step in this process is associating the attack with specific software (e.g. a malware strain), hardware (e.g. a server), code or modus operandi.
  • Political attribution: a State determining or disclosing which party or parties are responsible for an attack (such as a nation state, State-sponsored group, or criminal group) based on analysis, assessment and/or judgment.
  • Legal attribution: determining who is responsible for an attack based on technical means to identify the origin of the attack and on legal criteria, in order to ascribe legal consequences and/or other sanctions (e.g. through a court of law or through the application of sanctions). Attribution of a cyberattack under international law may trigger the application of IHL, State responsibility, and/or a response in self-defense.
  • Self-attribution: some threat actors publicly disclose a cyberattack and attribute themselves as the actor behind the attack. They often do this by publishing data extracted as a result of an incident on dedicated websites. Although not as formal a category of attribution as the other three, it remains one of the ways in which the actors involved are documented.

Data sources

What is the source of data used?

For the purpose of this timeline, the Institute collects publicly available (open source) information on cyberattacks through the monitoring of:

  • news / media outlets,
  • government, CERTs, cybersecurity companies and civil society organizations’ reports, advisories and blogs, and
  • social media feeds, among other sources.

Every identified incident, and the associated content, is reviewed by at least two Institute analysts and, wherever possible, the incident is linked to at least two separate sources of information. Analysts continuously scan for information on previous incidents to update the timeline on societal harm and attribution, both of which are often reported significantly after the actual incident.

How are data accuracy and reliability ensured?

As there is a reliance on publicly available data, each documented cyberattack has been given a classification of certainty based on the reliability of the information source. The classification levels are as follows:

  • Confirmed: attacks in this category are based on official government reports/records, official press releases by the targeted organization or official letters addressed to customers by the target organization or the government.
    In cases where an incident has been self-attributed by a threat actor and a government entity has confirmed the attack, it will be classified as confirmed.
  • Probable: attacks in this category are based on media reports of a press conference by the targeted organization, social media communication by the targeted organization or quotes from the targeted organization’s staff in media articles.
    In cases where an incident has been self-attributed by a threat actor, and the attack has been corroborated by a third-party through independent research or the analysis of stolen data, this is also classified as a probable incident.
    Incidents identified and reported on as a result of a technical/forensics investigation will also be classified as probable.
  • Possible: attacks in this category are based on media reports with no direct reference to primary source information. This can be in the form of a news article that mentions a letter sent to patients or a blog post that references a statement published by the targeted organization, but no direct record of this material is available.
    This category also includes data published by a threat actor online with no further corroborating information.

The CyberPeace Institute does not publicly document data related to ‘Hearsay’ incidents, which contain uncorroborated information originating from a third party, i.e. media reporting of an allegation made by a third party.

© CyberPeace Institute 2022. This site and its contents - text, graphics and images - are fully owned by the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva. Contents can be cited and reproduced provided that the CyberPeace Institute is referenced as author and copyright holder.