Data & Methodology

The types of information collected

We collect publicly available information in order to better understand the harm and impact of cyberattacks and operations, and who is responsible for them, in the context of the ongoing war between Ukraine and Russia. We have carefully selected our data collection scope and the associated indicators – in this section we shed light on what these are.

What types of cyber incidents are documented?

Incidents that fall under the umbrella of cyberattacks and operations as defined by the CyberPeace Institute, notably, any incident conducted by a threat actor using a computer network or system with the intention to disrupt, disable, destroy, control, manipulate, surveil or extract a computing environment/infrastructure and/or data.

Incidents documented to date include, but are not limited to, malware (including wiper malware), distributed denial of service (DDoS), malspam, information operations, hack and leak, account takeover and website defacements.

We refer to a set of incidents as a campaign when it meets any one of the following conditions.

  • An incident is linked to the same threat actor and occurred within an 8-hour period:
    • targeting more than two entities simultaneously within the same country, or
    • targeting one entity more than twice.
  • Or, an incident targeted the same entity for more than two consecutive days.
  • Or, an incident that has targeted more than two entities in more than two countries is linked to the same threat actor using the same modus operandi.

When, during a campaign, a threat actor targeted entities in multiple sectors, we create an incident record for each sector, not for each entity targeted.
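The campaign conditions above, together with the one-record-per-sector rule, can be expressed as checks over incident records. The following Python is an added illustration, not code from the CyberPeace Institute or its platform; the `Incident` fields, the actor and entity names, the timestamps and the reading of "consecutive days" as consecutive calendar dates are all assumptions made for the example.

```python
"""Added example: encode the methodology's campaign rules as checks over
incident records (not the CyberPeace Institute's own code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=8)  # the 8-hour period in the first condition


@dataclass(frozen=True)
class Incident:
    actor: str            # threat actor the incident is linked to
    occurred_at: datetime
    entity: str           # targeted organization
    country: str
    sector: str           # bracketed sector label used on the site
    modus_operandi: str   # e.g. "DDoS", "wiper", "hack-and-leak"


def _single_actor(incidents):
    return len({i.actor for i in incidents}) == 1


def rule_burst(incidents):
    """Condition 1: same actor, all within an 8-hour period, and either more
    than two entities hit in one country or one entity hit more than twice."""
    if not incidents or not _single_actor(incidents):
        return False
    times = sorted(i.occurred_at for i in incidents)
    if times[-1] - times[0] > WINDOW:
        return False
    entities_by_country = defaultdict(set)
    for i in incidents:
        entities_by_country[i.country].add(i.entity)
    if any(len(ents) > 2 for ents in entities_by_country.values()):
        return True
    return any(n > 2 for n in Counter(i.entity for i in incidents).values())


def rule_persistent(incidents):
    """Condition 2: one entity targeted on more than two consecutive days
    (assumption: consecutive calendar dates)."""
    days_by_entity = defaultdict(set)
    for i in incidents:
        days_by_entity[i.entity].add(i.occurred_at.date())
    for days in days_by_entity.values():
        ordered, run = sorted(days), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if (cur - prev).days == 1 else 1
            if run > 2:
                return True
    return False


def rule_multi_country(incidents):
    """Condition 3: same actor and same modus operandi against more than two
    entities in more than two countries."""
    if not incidents or not _single_actor(incidents):
        return False
    if len({i.modus_operandi for i in incidents}) != 1:
        return False
    return (len({i.entity for i in incidents}) > 2
            and len({i.country for i in incidents}) > 2)


def is_campaign(incidents):
    """A set of incidents is a campaign when any one condition holds."""
    return (rule_burst(incidents) or rule_persistent(incidents)
            or rule_multi_country(incidents))


def records_per_sector(incidents):
    """One incident record per sector targeted in a campaign, not per entity."""
    by_sector = defaultdict(list)
    for i in incidents:
        by_sector[i.sector].append(i)
    return {
        sector: {
            "actor": group[0].actor,
            "entities": sorted({i.entity for i in group}),
            "countries": sorted({i.country for i in group}),
            "first_seen": min(i.occurred_at for i in group),
            "last_seen": max(i.occurred_at for i in group),
        }
        for sector, group in by_sector.items()
    }


# Constructed sample records: actor, entities and timestamps are placeholders.
BURST = [  # three entities in one country inside three hours
    Incident("ACTOR_A", datetime(2022, 3, 1, 9, 0), "city-council-x", "Ukraine", "Public administration", "DDoS"),
    Incident("ACTOR_A", datetime(2022, 3, 1, 10, 30), "water-utility-y", "Ukraine", "Water", "DDoS"),
    Incident("ACTOR_A", datetime(2022, 3, 1, 12, 15), "hospital-z", "Ukraine", "Health", "DDoS"),
]
PERSISTENT = [  # one media outlet hit on three consecutive days
    Incident("ACTOR_A", datetime(2022, 3, 10 + d, 8, 0), "news-portal-q", "Ukraine", "Media", "DDoS")
    for d in range(3)
]
MULTI = [  # same modus operandi, three entities in three countries over three days
    Incident("ACTOR_A", datetime(2022, 4, 1, 11, 0), "rail-operator-pl", "Poland", "Transportation", "DDoS"),
    Incident("ACTOR_A", datetime(2022, 4, 2, 11, 0), "port-authority-ee", "Estonia", "Transportation", "DDoS"),
    Incident("ACTOR_A", datetime(2022, 4, 3, 11, 0), "bank-lt", "Lithuania", "Financial", "DDoS"),
]

if __name__ == "__main__":
    for name, group in (("BURST", BURST), ("PERSISTENT", PERSISTENT), ("MULTI", MULTI)):
        print(name, "campaign" if is_campaign(group) else "isolated incidents")
    print(records_per_sector(MULTI))
```

Each rule is kept as its own function so that an analyst can see which condition promoted a set of records to a campaign; `records_per_sector` then collapses the campaign the way the page describes, so two entities in the same sector (the two transport targets in `MULTI`) produce a single record listing both.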

What specific criteria are used when selecting the types of victims and targets to document?

Data collection is concentrated on, but not limited to, incidents targeting and/or impacting civilians, civilian objects (including private companies), and infrastructure ensuring the delivery of essential services to civilians. There is no data collection on cyber incidents against military objects, insofar as it is possible to differentiate these from incidents against civilian objects.

In relation to the international armed conflict in Ukraine, we have used the following definitions in line with the rules of International Humanitarian Law (IHL):

  • Civilians: persons who are not members of the armed forces.
  • Civilian objects: all objects that are not military objectives.
  • Infrastructure: objects ensuring the delivery of essential services to civilians.

What sectors are included in the documentation of attacks?

The priority focus for data collection is on cyber incidents impacting institutions and facilities in the following sectors as per the United Nations International Standard Industrial Classification of All Economic Activities naming convention:

  • Agriculture, forestry and fishing [Agriculture]
  • Content and media [Media]
  • Education [Education]
  • Electricity, gas, steam and air conditioning supply [Energy]
  • Financial and insurance activities [Financial]
  • Human health and social work activities [Health]
  • Information and Communication Technology [ICT]
  • Manufacturing [Manufacturing]
  • Mining and quarrying [Mining]
  • Public administration and defense; compulsory social security [Public administration]
  • Transportation and storage [Transportation]
  • Water supply; sewerage, waste management and remediation activities [Water]
  • Wholesale and retail trade; repair of motor vehicles and motorcycles [Trade]

At the incident level, every targeted entity is classified under its respective sector. When aggregating data for analysis, targeted entities that do not fall within the above list are grouped under the category ‘Other’. When the sector is unknown, this is recorded as ‘Unknown’.

The words in [square brackets] are the terms used throughout this site when referring, for example, to specific sectors in graph labels.

What is the geographical scope of data collection?

Data collection relates to cyber incidents in the context of the Russian-Ukrainian war including incidents in Ukraine, the Russian Federation and other countries. It is important to note that there are particular challenges in verifying and/or confirming incidents, particularly in the Russian Federation and Belarus.

Although it is not always possible to confirm whether a specific cyberattack or operation was committed with political, military, activist and/or strategic motives related to the conflict, such a link to the conflict is what defines the scope of the data collection.

For example, incidents are documented relating to:

  • the leak of data from Russian organizations committed in the name of pro-Ukrainian activism,
  • the disruption of services after a country took a public political or economic position on the conflict or provided military aid,
  • collateral damage in a third country that spills over from an incident originally targeting an entity in either the Russian Federation or Ukraine.

What date period does the data collection cover?

The documented incidents begin in January 2022. The date of the latest update is available under the menu Attack Details.

How is the harm caused by cyber incidents documented?

Analyzing the harm and impact of cyberattacks is at the heart of the CyberPeace Institute’s work. The Institute is currently developing indicators and a methodology to document and measure the harm and impact of cyberattacks on people, organizations, and society. As a first step, information is collected on the harm and impact of cyberattacks as they are reported by the source of the information. Insofar as it is possible, quantitative data is documented, such as the duration of a given impact or the number of individuals affected.

Listed below are core categories of harm or impact documented when the information is available: geographical, operational, temporal, communication, informational / data, financial, societal, psychological, digital, physical (on people such as injury / death) and re-victimization.

How is the attribution of incidents reported?

The Institute does not conduct its own attribution of incidents to identify the actor(s) involved but documents the attribution efforts by others to link a particular individual, group or state to a specific incident. The challenges and complexity of attributing a cyberattack to one or more actors can be summarized in a four-tiered approach: technical, political, legal and self-attribution.

  • Technical attribution: determining who or what is responsible for an attack based on the analysis of technical artifacts (e.g. through forensics analysis). A core step in this process is associating the attack to specific software (e.g. malware strain), hardware (e.g. a server), code or modus operandi.
  • Political attribution: determining or disclosing, by a State and based on analysis, assessment and/or judgment, which party or parties are responsible for an attack (such as a nation state, State-sponsored group, or criminal group).
  • Legal attribution: determining who is responsible for an attack based on technical means to identify the origin of the attack and on legal criteria, in order to ascribe legal consequences and/or other sanctions (e.g. through a court of law or through the application of sanctions). Attribution of a cyberattack under international law may trigger the application of IHL, State responsibility, and/or a response in self-defense.
  • Self-attribution: some threat actors publicly disclose a cyberattack and attribute themselves as the actor behind it. They often do this by publishing data extracted as a result of an incident on dedicated websites. Although not as formal a category of attribution as the other three, it remains one of the ways in which the actors involved are documented. We distinguish between two types of self-attributed incidents, substantiated and unsubstantiated. The former includes claims of attacks supported by corroborating information (e.g. proof of disruption of the services of the victim organization). Although such claims have limited reliability, they are included in our database to identify emerging threats and trends. Unsubstantiated claims are self-attributed incidents with no proof; these are excluded from our public database.

Data sources

What is the source of data used?

For the purpose of this timeline, the Institute collects publicly available (open source) information on cyberattacks through the monitoring of:

  • news and media outlets,
  • reports, advisories and blogs from governments, CERTs, cybersecurity companies and civil society organizations, and
  • social media feeds, among other sources.

Every identified incident, and the associated content, is reviewed by at least two internal analysts and, wherever possible, the incident is linked to at least two separate sources of information. We continuously scan for new information on previously documented incidents in order to update the timeline with details of societal harm and attribution, which are often reported significantly later than the incident itself.

How are data accuracy and reliability ensured?

Because the timeline relies on publicly available data, each documented cyberattack is given a classification of certainty based on the reliability of the information source. The classification levels are as follows:

  • Confirmed: attacks in this category are based on official government reports / records, official press releases by the targeted organization, official letters addressed to customers by the target organization or the government, or social media communication by the targeted organization.
    In cases where an incident has been self-attributed by a threat actor and a government entity has confirmed the attack, it will be classified as confirmed.
  • Probable: attacks in this category are based on media reports of a press conference by the targeted organization, social media communication by the targeted organization or quotes from the targeted organization’s staff in media articles.
    In cases where an incident has been self-attributed by a threat actor, and the attack has been corroborated by a third-party through independent research or the analysis of stolen data, this is also classified as a probable incident.
    Incidents identified and reported on as a result of a technical/forensics investigation will also be classified as probable.
  • Possible: attacks in this category are based on media reports with no direct reference to primary source information. This can be in the form of a news article that mentions a letter sent to patients or a blog post that references a statement published by the targeted organization, but no direct record of this material is available.
    This category also includes data published by a threat actor online with no further corroborating information.

The CyberPeace Institute does not publicly document ‘Hearsay’ incidents, i.e. incidents that rest on uncorroborated information originating from a third party, such as media reporting of an allegation made by a third party.