The following graphics illustrate the frequency with which the U.S. government deploys sanctions and indictments to combat malicious cyber activity conducted for the benefit or at the behest of China, Russia, Iran, or North Korea. This dataset can help analysts understand how the United States employs these tools and why it does so against certain cyber threat actors but not others. The dataset facilitates the discussion of questions such as, “Why are both sanctions and indictments used against some targets but not others? Are the differences in usage related to the type of cyber operation, the evidence available, the nature of the U.S. relationship with the relevant nation-state, or some other consideration?” Through such discussion, analysts can assess more effectively whether sanctions and indictments are effective tools to punish or deter malicious cyber activity.
FDD’s Center on Cyber and Technology Innovation created these visualizations and is making the underlying data publicly available so that others can build on this effort by pairing these data and graphics with additional tools and information. The visualization is interactive and can be filtered according to the nationality and type of the malicious actors. Users can also export the data in their desired format.
This data includes only those cases that have an explicit cyber component and excludes those in which cyber was a tangential or negligible part of the operation. For example, this dataset does not include instances of intellectual property theft conducted nearly exclusively through physical access to systems and personnel.
This dataset does not distinguish between malicious actors operating independently from state authorities and those acting under the express order of a foreign government. Attribution, particularly as it relates to determining who ordered an operation, requires information beyond what may be included in public statements accompanying the sanctions or indictments. Additionally, cyber operatives may work for government entities while concurrently engaging in criminal activities. For example, the Department of Justice made no mention of state-sponsorship in its indictment of the Iranian individual responsible for the hack and extortion of HBO, but he was also later indicted as part of an espionage operation conducted by the Islamic Republic of Iran. Where possible, the dataset makes note of cyber operations that the U.S. government has expressly attributed to nation states.
The data itself reveals interesting patterns. To date, it appears that the United States has used Treasury’s financial sanctions authorities and Department of Justice indictments in different ways for different threat actors. For example, while North Korean hackers are often considered more prolific and capable than their Iranian counterparts, the U.S. has sanctioned or indicted far fewer actors from the DPRK than from Iran. Additionally, in the case of Chinese-backed cyber operations, Washington appears to have chosen to rely nearly exclusively on criminal indictments rather than pairing indictments with financial sanctions, as the Trump administration has done, particularly in the case of Russian operations. Cross-analysis using multiple variables such as the country of origin, type of actor, year, type of sanctions, and type of statute may reveal additional patterns.
The data itself does not answer whether particular statutes or executive orders are used more often than others to punish or prosecute cybercrimes because a certain type of cybercrime is more prevalent or because the evidentiary threshold is easier to meet. That type of analysis rests upon the judgment of policymakers and legal scholars.
For the purposes of this dataset, the term “malicious cyber operations” encompasses cybercrime, cyber espionage, cyber-enabled economic warfare, information warfare, and other types of cyberattacks. For a deeper discussion of the definitions of types of cyberattacks, see “Framework and Terminology for Understanding Cyber-Enabled Economic Warfare.”