DEV Community

rising_segun

CYBER THREAT ANALYSIS OF STATE SPONSORED CYBER OPERATION: 2005-2022

</> INTRODUCTION
As technology continues to advance, cyber-attacks are becoming more sophisticated and have become a significant threat to countries, organizations, and individuals worldwide. State actors often sponsor or carry out these attacks to achieve political, military, or economic objectives.
To better understand the trends and characteristics of state-sponsored cyber operation incidents from 2005 to 2022, we analyze a dataset of such incidents. Through this analysis, we aim to provide insight into the nature of these attacks and to explore machine learning approaches that can identify patterns and groups of incidents with similar characteristics. The findings could help organizations and governments refine their cybersecurity strategies and prepare for future threats.
</> DATA DESCRIPTION
The data was collected from Kaggle. Some exploratory cleaning was done in Microsoft Excel to make the data easier to analyze, and the updated dataset is hosted on my GitHub. The primary source of the data is the Council on Foreign Relations, an independent and nonpartisan American think tank specializing in U.S. foreign policy and international relations.
</> METHODOLOGY AND RESULTS
The programming language used in this project is Python, with the following libraries: pandas, numpy, plotly, seaborn, matplotlib, geopy, folium and scikit-learn. The code for this project is here.
Before the data was analyzed, it was cleaned and preprocessed. This involved removing irrelevant columns, handling missing values, and transforming the data into a format suitable for analysis. We also applied a topic-modeling algorithm, Latent Dirichlet Allocation (LDA), to the free-text descriptions of the incidents to identify recurring themes.
First, we visualized the number of cyber operation incidents over time with a line graph (Figure 1).

Figure 1: Trend of cyber operation incidents over the years.

The graph shows a clear increase in the number of incidents over time. The count grew steadily from 2005 to around 2014, with a few spikes in the intervening years; from about 2016 the growth became much steeper and peaked in 2018, with over 60 incidents recorded in that year. This suggests that state-sponsored cyber operations are becoming more prevalent over time, or at least more frequently detected and publicly attributed (see the caveat in the conclusion). Note that the incident count on its own says nothing about how sophisticated the operations are.
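The cleaning steps and the yearly count behind Figure 1, as an added example rather than the notebook's own pandas code: it uses only the Python standard library, the rows in SAMPLE_CSV are constructed (not taken from the CFR dataset), and the column names and ISO date format are assumptions about the export layout. It shows the two decisions the preprocessing paragraph glosses over, namely what to do with a row that has no date (it cannot be placed on the timeline, so it is dropped) and with a row that has no sponsor (kept, and labelled Unattributed so it still counts towards target and type totals but not towards sponsor shares).

```python
"""Added example: clean a CFR-style incident table and count incidents per year,
per target/type and per sponsor. Standard library only; rows are constructed."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in an assumed column layout (date, sponsor, category, type, description).
# One row has no date and one row has no sponsor, to exercise the missing-value handling.
SAMPLE_CSV = """date,sponsor,category,type,description
2014-03-02,China,Government,Espionage,Intrusion into a ministry network
2014-11-20,Russia,Private sector,Espionage,Spear phishing of an energy firm
2016-06-15,North Korea,Private sector,Financial theft,Fraudulent SWIFT transfers
,Iran,Government,Defacement,Website defacement of an agency
2018-02-08,Russia,Civil society,Disruption,Wiper malware against event organisers
2018-09-01,China,Military,Espionage,Theft of defence contractor documents
2018-12-12,United States,Government,Espionage,Reported intrusion abroad
2022-01-14,,Government,Disruption,Unattributed destructive malware
"""


def load_incidents(text):
    """Parse rows into dicts with an integer year.

    Rows without a parseable date are dropped (they cannot go on the timeline);
    rows without a sponsor are kept and labelled 'Unattributed'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw_date = row["date"].strip()
        if not raw_date:
            continue
        try:
            year = datetime.strptime(raw_date, "%Y-%m-%d").year
        except ValueError:
            continue
        rows.append({
            "year": year,
            "sponsor": row["sponsor"].strip() or "Unattributed",
            "category": row["category"].strip(),
            "type": row["type"].strip(),
            "description": row["description"].strip(),
        })
    return rows


def incidents_per_year(rows, start, end):
    """{year: count} over the full range, with explicit zeros so a line chart has no gaps."""
    counts = Counter(r["year"] for r in rows)
    return {y: counts.get(y, 0) for y in range(start, end + 1)}


def sponsor_share(rows, sponsors):
    """Percent of *attributed* incidents credited to the given set of sponsors."""
    attributed = [r for r in rows if r["sponsor"] != "Unattributed"]
    if not attributed:
        return 0.0
    hits = sum(1 for r in attributed if r["sponsor"] in sponsors)
    return round(100.0 * hits / len(attributed), 1)


def top_counts(rows, field, n=3):
    """Most common values of a column, e.g. target category or attack type."""
    return Counter(r[field] for r in rows).most_common(n)


if __name__ == "__main__":
    incidents = load_incidents(SAMPLE_CSV)
    print("Per year:", incidents_per_year(incidents, 2014, 2022))
    print("Top targets:", top_counts(incidents, "category"))
    print("Top types:", top_counts(incidents, "type"))
    print("Share of China/Russia/Iran/North Korea:",
          sponsor_share(incidents, {"China", "Russia", "Iran", "North Korea"}), "%")
```

The share calculation deliberately excludes unattributed rows from the denominator; whether to do that is exactly the attribution caveat raised in the conclusion, and it should be stated whenever a "percent of all incidents" figure is quoted.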
Next we look at which target categories have been hit most often from 2005 to 2022. Figure 2 gives more insight into the categories.

Figure 2: Chart showing the targets of the attacks.

Based on the resulting plot, government is still the most common target of cyber operation incidents, followed by the private sector; the military accounts for a smaller number of incidents in the dataset. This underscores the importance of prioritizing cybersecurity measures and training for government bodies and the private sector, as well as civil society.

Figure 3: Attack types carried out by threat actors.

Figure 3 reveals that the most frequently observed attack type across the years is espionage, accounting for more than half of all recorded incidents. This aligns with the strategic objectives of many state-sponsored attackers, who favour covert access to sensitive intelligence over visible disruption. The presence of other attack types, such as denial of service, data destruction, financial theft and sabotage, underscores the range of motives and objectives behind sponsored cyber operations.

Figure 4: Types of cyber operation incidents over time.

Figure 4 shows the trend in the number of incidents over time, broken down by type. The most common types are espionage and theft, followed by disruption and defacement. Espionage and theft have been consistently higher than the other types, indicating that they are more prevalent and perhaps easier to carry out. Disruption and defacement have also increased over time, possibly reflecting the growing dependence of every sector on digital infrastructure. The plot also shows a marked increase in incidents starting around 2014, which may correspond to the surge in internet usage and the widespread adoption of digital technologies across sectors.

Figure 5: Map showing the state-sponsored threat actors.

The map shows the distribution of cyber operation incidents sponsored by the various countries. From the map, most of the operations originate in Europe and East Asia. A chart was also created to break the sponsors of state-sponsored cyber attacks down by region (Figure 6).

Figure 6: Cyber-attack sponsors by region

The analysis revealed that North America and Europe were the most active regions in sponsoring cyber attacks, with North America having the highest number of incidents. East Asia and the Middle East were also prominent sponsors, while South Asia, Southeast Asia and Africa had relatively few incidents. The result shows that the threat is not limited to specific regions or countries, as attackers can operate from anywhere in the world, and that cybersecurity measures need to be implemented globally to protect critical infrastructure, businesses and individuals.
Since 2005, thirty-four countries have been suspected of sponsoring cyber operations. China, Russia, Iran and North Korea sponsored 77 percent of all suspected operations. Figure 7 shows the top five sponsoring countries.

Figure 7: Top sponsors by percentage of Incidents

Because of the nature of the data (a small number of categorical columns plus free text), little insight could be derived from conventional machine learning models. Nevertheless, topic modeling was carried out using Latent Dirichlet Allocation (LDA) on the descriptions of the incidents. The goal is to identify the main topics that emerge from the text.
First, we clean the text by removing non-alphabetic characters, converting it to lowercase and splitting it into individual words. We then build a document-term matrix with scikit-learn's CountVectorizer, which counts the frequency of each word in each description. Next, we fit the LDA model to the document-term matrix with five topics (the number of topics is a parameter we chose, not something the model discovers). We print the top ten words for each topic to get a sense of the main themes, then assign each incident to the topic with the highest probability and visualize the distribution of incidents across topics with a countplot.
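The same pipeline end to end, as an added example that is not the notebook's code: tokenize the descriptions, build a document-term matrix, fit LDA, print the top words per topic and assign each incident to its most likely topic, using only the Python standard library so it runs anywhere. Inference here is a collapsed Gibbs sampler rather than the variational method scikit-learn's LatentDirichletAllocation uses, so the individual topics will not match the notebook's; the DESCRIPTIONS, STOP_WORDS list and the Dirichlet priors alpha and beta are all constructed or chosen for this example.

```python
"""Added example: LDA topic modeling of incident descriptions with a collapsed
Gibbs sampler (standard library only). Descriptions below are constructed."""
import random
import re
from collections import Counter

# Constructed descriptions, written around three loose themes: espionage,
# disruptive malware and financial theft. Not rows from the CFR dataset.
DESCRIPTIONS = [
    "Spear phishing campaign against ministry of foreign affairs for espionage",
    "Espionage intrusion stole classified documents from defense ministry networks",
    "Long running espionage campaign targeted government email accounts",
    "Destructive wiper malware disrupted operations at an energy company",
    "Distributed denial of service attack disrupted banking websites for days",
    "Wiper malware wiped workstations and disrupted a major port operator",
    "Hackers stole millions of dollars from a bank through fraudulent transfers",
    "Cryptocurrency exchange theft netted attackers tens of millions of dollars",
    "Financial theft operation targeted ATM networks across several countries",
]
# Minimal English stop list chosen for this example.
STOP_WORDS = {"the", "and", "for", "from", "against", "through", "across", "with",
              "was", "were", "are", "that", "this", "into"}


def tokenize(text):
    """Keep alphabetic characters only, lowercase, drop stop words and tokens of 1-2 letters."""
    words = re.sub(r"[^A-Za-z\s]", " ", text).lower().split()
    return [w for w in words if w not in STOP_WORDS and len(w) > 2]


def build_vocab(docs):
    vocab = sorted({w for doc in docs for w in doc})
    return vocab, {w: i for i, w in enumerate(vocab)}


def document_term_matrix(docs):
    """Rows are documents, columns vocabulary words, cells raw counts (what CountVectorizer yields)."""
    vocab, index = build_vocab(docs)
    dtm = [[0] * len(vocab) for _ in docs]
    for d, doc in enumerate(docs):
        for w in doc:
            dtm[d][index[w]] += 1
    return vocab, dtm


def fit_lda(docs, n_topics, iters=200, alpha=0.1, beta=0.01, seed=0):
    """Collapsed Gibbs sampling: repeatedly resample each token's topic from its
    conditional given every other assignment. alpha and beta are the Dirichlet
    priors on document-topic and topic-word distributions (values chosen here)."""
    rng = random.Random(seed)
    vocab, index = build_vocab(docs)
    V = len(vocab)
    ids = [[index[w] for w in doc] for doc in docs]
    doc_topic = [[0] * n_topics for _ in docs]      # n_dk: tokens of doc d in topic k
    topic_word = [[0] * V for _ in range(n_topics)]  # n_kw: occurrences of word w in topic k
    topic_total = [0] * n_topics                    # n_k: tokens assigned to topic k
    z = [[0] * len(doc) for doc in ids]             # current topic of each token
    for d, doc in enumerate(ids):                   # random initialisation
        for i, w in enumerate(doc):
            k = rng.randrange(n_topics)
            z[d][i] = k
            doc_topic[d][k] += 1
            topic_word[k][w] += 1
            topic_total[k] += 1
    for _ in range(iters):
        for d, doc in enumerate(ids):
            for i, w in enumerate(doc):
                k = z[d][i]                           # remove this token's current assignment
                doc_topic[d][k] -= 1
                topic_word[k][w] -= 1
                topic_total[k] -= 1
                # P(z=t | rest) is proportional to (n_dt + alpha) * (n_tw + beta) / (n_t + V*beta)
                weights = [(doc_topic[d][t] + alpha) * (topic_word[t][w] + beta) / (topic_total[t] + V * beta)
                           for t in range(n_topics)]
                k = rng.choices(range(n_topics), weights=weights)[0]
                z[d][i] = k
                doc_topic[d][k] += 1
                topic_word[k][w] += 1
                topic_total[k] += 1
    return {"vocab": vocab, "doc_topic": doc_topic, "topic_word": topic_word, "n_topics": n_topics}


def top_words(model, topic, n=5):
    """Highest-count words for a topic (ties broken alphabetically for determinism)."""
    counts = model["topic_word"][topic]
    order = sorted(range(len(counts)), key=lambda i: (-counts[i], model["vocab"][i]))
    return [model["vocab"][i] for i in order[:n]]


def assign_topics(model):
    """Each incident goes to the topic holding most of its tokens (the argmax the post describes)."""
    return [max(range(model["n_topics"]), key=lambda t: row[t]) for row in model["doc_topic"]]


if __name__ == "__main__":
    docs = [tokenize(d) for d in DESCRIPTIONS]
    model = fit_lda(docs, n_topics=3)
    for k in range(3):
        print(f"Topic {k}: {', '.join(top_words(model, k))}")
    print("Incidents per topic:", Counter(assign_topics(model)))
```

Two things this makes visible that the library call hides: the sampler is seeded, so a run is reproducible (pass random_state to scikit-learn's LDA for the same reason), and the topic labels such as "Espionage" or "Financial theft" are read off the top words by a human afterwards; the model only produces numbered word distributions.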

Figure 8: Distribution of Cyber Operations Incident Topics

The results show that the main topics of cyber operations incidents are:
Topic 0: Malware and hacking attacks
Topic 1: Data theft and breaches
Topic 2: Espionage and state-sponsored attacks
Topic 3: Financial fraud and theft
Topic 4: Denial of Service attacks and infrastructure disruption
By understanding the main topics of cyber operations incidents, organizations and governments can prioritize their cybersecurity efforts and take appropriate measures to protect against these threats.
</> CONCLUSION
Overall, the analysis showed that the USA, China, Russia, Iran and North Korea were the top sponsors of cyber operations between 2005 and 2022, accounting for more than 50% of all incidents in the dataset. These sponsors were also the top sponsors in most of the categories, indicating that they are involved in a wide range of cyber operations. It is important to note, however, that the data only includes incidents that have been publicly attributed to a specific sponsor; many incidents may have gone unattributed or been misattributed, so the analysis represents known incidents only and the counts above are a lower bound, not a census.

Click here for the Jupyter notebook

Click here for the GitHub repository

Thank you for taking the time to read my article; your attention and support are greatly appreciated. It is my desire to share my ideas and thoughts with you, and I hope you find my content interesting and informative.

If you enjoyed reading my article, I encourage you to subscribe to receive future updates. By subscribing, you’ll never miss a post and you’ll be the first to know about my latest content.


Top comments (1)

Douglas Ejiroghene Dominic

Nice article