Blog post

Where do the most hackers come from?

By Lawrence Pingree | March 08, 2013 | 4 Comments

Recently, there have been a lot of stories surrounding the Chinese and hackers originating from their intelligence agency.  Although I do not want to diminish the findings of a particular technology company that disclosed some of their own investigations, I do believe it is necessary to draw some attention towards  locations of the globe where  many of the attacks actually originate to be fair.  It is fairly well known  by most security professionals that the best hackers on the planet often originate from Russia,  however it is  more newsworthy to talk about  a country such as China whom we trust with many of our manufacturing facilities and research and development activities and have greater resources at their disposal if they intended to inflict harm.

There certainly political motivations for talking about China  and I think it’s fair to say  they are certainly many participants in the global stage of cyber security and intelligence gathering.  In fact, the United Stateshas a long history with its intelligence agencies for performing signals intelligence (SIGINT).  I would like to point out  that as far as sophistication goes, the United States is unmatched with its intelligence gathering capabilities and extends this capability across the globe with an extensive  array of spy satellites and listening stations with strong support of several other countries.  It does not strike me as odd  or newsworthy that governments across the planet attempt to track each other’s  military capabilities and monitor situations through signal intelligence and other intelligence gathering capabilities.  These activities are a necessary function to enable transparency across borders between governments and be ready if another country is planning some sort of attack.  I do think however it is important to mention that I believe that all countries should uphold  strong intellectual property rules in order to maintain fair competition  which creates a dynamic that encourages new developments and technologies and enables fair competition across the globe.

Now lets turn to some of the data often known  “behind the scenes”  that many security practitioners know and consistently defend against. Deutsche Telecom publishes a real-time dashboard of hacking attacks detected by its global network of attack sensors known as a “honey net”. As many practitioners know, a “honey net” the reference to honey is an analogy to how one might attract a bear in the woods, the bear being the hacker in the case of a “honey net”. For some fun, I used some statistics from the Deutsche Telecom dashboard located at to provide data points for some basic analysis. At the time of this writing, the total number of attacks detected over the last month globally were 30,144,538 when tallying the “Top 5 of Attack Types (Last month)” table. They also publish a table called “Top 15 of Source Countries (Last month)” with detected attack values which I found interesting but I wanted to extract percentages so I used those values and threw them into excel to calculate percentage values by top 15 countries and the following is my output.

Attacks by percentage of total global attack detections.

Russian Federation 2,402,722 7.97%
Taiwan, Province of China 907,102 3.01%
Germany 780,425 2.59%
Ukraine 566,531 1.88%
Hungary 367,966 1.22%
United States 355,341 1.18%
Romania 350,948 1.16%
Brazil 337,977 1.12%
Italy 288,607 0.96%
Australia 255,777 0.85%
Argentina 185,720 0.62%
China 168,146 0.56%
Poland 162,235 0.54%
Israel 143,943 0.48%
Japan 133,908 0.48%
7,407,348 24.61%


As you can see with this quick analysis, roughly 24.61% of total detected attacks were from the top 15 attacking countries and roughly 8% of all attacks came from the Russian Federation and only half a percent came from China. So the question is, who will you pay most attention to?

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Dude, what planet you landed from? 🙂 Since when the connection src IP = attack origin?

    • Lawrence Pingree says:

      Agree with you completely, what is indesputable is the attack origination detected by these sensors certainly largely originate from those IP addresses (with exception of spoofed DOS attacks). The real trouble is attribution is largely based on making assumptions. A good hacker or intelligence agency would understand attribution and account for that by using bounce hosts for their attacks, bots can be controlled from anywhere and code can be developed using keyboard styles of another country to throw off investigations. Generally misinformation can easily send attribution the wrong way and therefore one must take attribution with a significant level of questionability.

  • Pierre Renault says:

    Lawrence – the Deutch Telecom data appears to show statistics of firewall activity. I note the vectors to be SMB/NetBIOS, etc. this would be a far different representation of the data put out two weeks ago from Mandiant – this report is describing the APT threat vector. It would be hard to draw conclusions regarding phase 1 attacks stopped at the firewall versus phase 3 attacks that…
    …are successful in the organization and are now beaconing back to China. I would be very interested in correlations of what we are actually discussing here. It would appear that your article is focusing on first stage data in the EU, while the other source is well beyond that.

    • Lawrence Pingree says:

      Hi Pierre,
      TI don’t believe the data is firewall data, I believe its a honeypot network from my understanding and the point is that the greatest volume of threat data in their dashboard originates from Russia whether first stage, second stage or multi stage this is still relevant. Most external attacks are levied against SMB since that is a common windows port open on internet connected home network machines when no firewall is present. The point of my blog posting is to demonstrate that all countries have attackers, but there are a greater number of attacks lodged from certain source countries. There are many countries that originate advanced forms of malware (bot net or otherwise) to call out just China as the APT1 report does is missing the other side of the entire attack landscape which is why I posted this entry. There are plenty of bonets hosted out of every country in the world with “beconing” back to C&C servers also all over the world. This is a global problem and not something you can pin on just one nation state IMHO. My Chinese clients call me for the same problems that my United States or Latin American clients do and its not all just from China, many attackers are right here in the United States 🙂 Mind you that this particular dashboard is likely more oriented towards Germany and Eastern Europe since it is a German telecom’s portal. The Plixer internet threat center website shows another perspective where more threats appear in the United States but each of these dashboards will certainly have a different attack landscape profile for a variety of reasons (geo-political etc). Since we don’t have a United States national Intrusion Prevention System, we don’t really have completely accurate statistics from just a United States only perspective. Secondly, I was not attempting to diminish the importance or relevance of the APT1 report. The problem is attribution is difficult or possibly impossible if you factor in the ability to “fake” origination of payload, proxy bouncing, TOR network anonymization and many other techniques to obfuscate final attribution.