
Cyber Disruptions Dataset

Collection of Case Studies of Disruptive Counter-Cyber Operations

Disruptive Counter-Cyber Operations: from 1987 until 2019

Over the past two decades, there have been numerous defensive operations to disrupt malicious cyber activity by hacktivists, criminals, and nation-state actors. Disruption operations seek to affect the adversary’s decision-making processes and impose additional costs. Such operations include a wide range of actions, from releasing indicators of compromise and naming-and-shaming, to botnet and infrastructure takedowns, to indictments and sanctions, and may be conducted outside of the defender’s own network with the intent to interrupt adversary cyber offense and espionage.

This website provides a unique dataset of over 100 cases of defensive operational disruption over the last 30 years, from 1987 until today. The underlying paper by Healey, Jenkins and Work also provides a framework for categorizing disruption operations and their effects – along with detailed descriptions for several of these case studies coded to the framework – so that researchers and practitioners can measure their impact using a common terminology.

Incident Definition

Disruptive counter-cyber operations are positive steps for defeating a specific cyber adversary, usually taken by defenders in response to a specific attack or campaign, and they often directly disrupt an adversary’s technology; the main action is typically either outside of the defender’s own network or based on specific intelligence about how that adversary operates. This is only a general description, as each element of that description contains important exceptions, so we will examine each part individually:

  1. Positive steps to defeat a specific cyber adversary, usually but not always conducted online. It would not include best-practice defensive measures, such as patching computers, unless specifically intended to defeat a particular adversary that is known or suspected to be targeting that vulnerability. Disruptive operations are generally marked by active contention with an adversary.
  2. Usually taken by a defender, such as a government, cybersecurity, or technology company, or the victim of an attack. There are rare exceptions, such as examples of so-called red-on-red operations where two maliciously motivated actors contest control of infrastructure for their own objectives that remain at odds with the victim’s interests.
  3. Taken in response to a specific cyber attack or campaign to disrupt an adversary’s ability to continue ongoing action. This distinguishes it from offensive cyber effects operations (which may come before, during, or after a campaign and serve different purposes), pure retaliation (which is meant to punish past behavior, not disrupt ongoing behavior), or deterrence-by-punishment (which is intended primarily to punish an adversary in order to change their decision calculus). This framework is, for now, only interested in disrupting cyber activities (such as disruptive attacks or intrusions) and not influence or information operations. Some actions we include in this framework, such as law-enforcement indictments, may take place well after a campaign; however, they share enough other characteristics with other disruptive operations to be usefully included.
  4. Often directly disrupt an adversary’s technology and typically the main action is outside of the defender’s own network or based on specific intelligence about how the adversary operates. A botnet takedown disrupts technology outside the network of most defenders, while cybersecurity companies and infrastructure sectors share, routinely and at massive scale, their insights of adversary groups to block their efforts on defenders’ internal networks.


Cyber Disruptions Dataset

  • Motivation of the disrupted adversary, whether criminal, hacktivist, espionage, or strategic attack: Motivation is coded based on contemporaneous reporting assessment by the security researchers, commercial intelligence firms, or government actors involved in the action. While this potentially omits later understanding of complex motivations developed through deeper historical analysis, it does capture the then-dominant consensus views and therefore the key influences involved in disruption actions at the time when these decisions were taken. In a few cases, the disruption was not related to targeting an adversary but had another purpose, such as inoculation, essentially intruding into others’ vulnerable devices to pre-emptively patch them against the truly malicious. Those cases are coded as vulnerability reduction.

  • Actor conducting the disruption (industry, government, or public-private partnerships): A small number of cases are red-on-red incidents between malicious adversary operators. Those coded as government can be further specified as intelligence, military, law enforcement (LE), or national Computer Emergency Response Teams (CERT). However, to date, we have only documented LE cases.

    Note: The dataset is skewed toward open-source reporting, as industry and law enforcement often disclose operations for public relations value. Longer-term exploitation of targeted adversary infrastructure through counter-cyber network exploitation (CCNE) operations is likely underrepresented, including in LE cases where employment of active network investigative techniques may have preceded takedown actions. The use of such techniques has been documented in multiple contexts, but, due in no small part to continuing legal controversy, these actions are rarely highlighted in post-takedown case summaries. The dataset also omits routine takedown operations intended to counter ephemeral abuse and simple malicious hosting, as is commonly used in phishing, drive-by malware distribution, secondary payload staging, exfiltration drops, or other tactical functions by actors who anticipate prompt pressure upon use, and therefore are rotated with relatively high frequency. (The dynamics of this tactical level chase are well captured in the “Pyramid of Pain” analytic construct.) Red-on-red cases are also likely underrepresented, due to limited observation and unwillingness of victims to provide any public disclosure.

  • Healey, Jenkins & Work (2020), Defenders Disrupting Adversaries: Framework, Dataset, and Case Studies of Disruptive Counter-Cyber Operations. 12th International Conference on Cyber Conflict: '20/20 Vision - The Next Decade'. Tallinn, Estonia. 26-29 May 2020.

  • Jason Healey is a Senior Research Scholar in the Faculty of International and Public Affairs and Adjunct Professor of International and Public Affairs at the School of International and Public Affairs, Columbia University. He is also a Senior Fellow with the Cyber Statecraft Initiative at the Atlantic Council, where he was the program's founding director. He has published several academic articles, essays, and books on the topic of cyber security and has advised on security measures for corporate, government, and military institutions. He has been identified as the first historian of cyber conflict.
  • JD Work serves as the Bren Chair for Cyber Conflict and Security at the Marine Corps University, where he leads research to develop the theory, practice, and operational art of the cyber warfighting function, and to explore the wider role of the cyber instrument in national security strategy and the future defense competition and stability problem space. Mr. Work has over two decades of experience working in cyber intelligence and operations roles for the private sector and US government.
  • Neil Jenkins leads the CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.