Methodology
This catalog tracks documented incidents of foreign authoritarian state interference against democratic states. Each entry aggregates reporting from government statements, security-firm analysis, court documents, and credible journalism into a single structured record.
Scope
The tracker focuses on operations attributed to five state actors: Russia, China, Iran, North Korea, and Belarus. An incident qualifies when reporting attributes an operation to one of these state actors and that operation targets a democratic country, its institutions, its citizens abroad, or its infrastructure.
We group interference into the following operational types:
- Cyber Operations: network intrusions, DDoS, data theft, destructive attacks, supply chain compromise.
- Kinetic Operations: sabotage, assassination, surveillance, jamming.
- Information Operations: inauthentic amplification, fabricated content, hack-and-leak, impersonation.
- Malign Finance: covert funding, sanctions evasion, corruption.
- Political & Civic Subversion: agent recruitment, transnational repression, infiltration, front organizations.
Pipeline
1. Collection
A feed manager polls RSS feeds, Google News queries, the GDELT Global Knowledge Graph, and OCCRP Aleph on rolling intervals. Article bodies are extracted directly from publishers where possible (Google News redirects are unwrapped so the real article is retrieved).
2. Classification
Each collected article is classified by an LLM (Claude Haiku) as relevant or irrelevant to the scope above, with a confidence score and initial threat-actor / incident-type labels. Irrelevant articles are retained for a 90-day audit window and then purged.
3. Grafting and Generation
Relevant articles first pass through a grafting stage: each is compared against existing incidents from the last two weeks, and if the LLM confirms a match the article is attached to that incident as an additional source. Articles with no match flow to generation, which clusters them by embedding similarity and creates new incident records via Claude Sonnet. A lightweight post-generation dedup pass then merges near-duplicate incidents automatically.
4. Review
Every generated incident lands in a pending-review queue and is triaged by an analyst before publication. Analysts can approve, defer, reject, or merge incidents. Only incidents in the approved state appear on this public site.
Confidence and attribution
Each incident carries a confidence assessment (high, medium, low) reflecting the strength of the attribution evidence at the time of generation. A high confidence mark generally requires a government statement, indictment, or a corroborated security-firm analysis; lower confidence indicates single-source reporting or unresolved attribution.
Attribution is recorded at the state level (e.g., russia) rather than at the sub-unit level (e.g., GRU, APT28). Named sub-units and operators surface as entities on the incident record instead.
Timeline semantics
Incidents show a single year when they began and concluded in the same year. A range ("2022 — 2024") indicates a multi-year campaign. "Ongoing" only appears when no end date has been established — a running disinformation operation, an unresolved sanctions regime, or an active infrastructure compromise. Year-over-year volume charts count each active year for multi-year campaigns, so totals reflect actual sustained activity rather than just new onsets.
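As an added illustration of the timeline rules above (this is example code written for this page, not the tracker's own implementation), the snippet below renders the year label for an incident and builds the year-over-year volume count that credits every active year of a multi-year campaign, contrasted with a naive onset-only count. The `Incident` type, the sample incidents, and the function names are constructed for the example. Two assumptions are made where the page is silent: an open-ended campaign is rendered as "<start> — Ongoing", and an ongoing campaign is counted as active in every year from its start through the current reporting year.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The page renders multi-year ranges as "2022 — 2024"; reuse that separator.
RANGE_SEP = " \u2014 "


@dataclass(frozen=True)
class Incident:
    """Hypothetical incident record; only the fields the timeline rules need."""
    title: str
    start_year: int
    end_year: Optional[int]  # None means no end date has been established


def year_label(inc: Incident) -> str:
    """Render the label shown on the incident card.

    - same start and end year  -> "2021"
    - different years          -> "2022 — 2024"
    - no end date established  -> "2023 — Ongoing"  (assumed format)
    """
    if inc.end_year is None:
        return f"{inc.start_year}{RANGE_SEP}Ongoing"
    if inc.end_year < inc.start_year:
        raise ValueError(f"{inc.title}: end year precedes start year")
    if inc.end_year == inc.start_year:
        return str(inc.start_year)
    return f"{inc.start_year}{RANGE_SEP}{inc.end_year}"


def active_years(inc: Incident, current_year: int) -> range:
    """Every year in which the campaign was active.

    Assumption: an ongoing campaign is active through the current year.
    """
    end = current_year if inc.end_year is None else inc.end_year
    if end < inc.start_year:
        raise ValueError(f"{inc.title}: end year precedes start year")
    return range(inc.start_year, end + 1)


def yearly_volume(incidents: Iterable[Incident], current_year: int) -> Dict[int, int]:
    """Year-over-year volume as the page describes: each active year counts."""
    counts: Counter[int] = Counter()
    for inc in incidents:
        for year in active_years(inc, current_year):
            counts[year] += 1
    return dict(sorted(counts.items()))


def onset_volume(incidents: Iterable[Incident]) -> Dict[int, int]:
    """The naive alternative: count only the year a campaign began."""
    return dict(sorted(Counter(inc.start_year for inc in incidents).items()))


# Constructed sample data, not real tracker records.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("single-year intrusion", 2021, 2021),
    Incident("multi-year influence campaign", 2022, 2024),
    Incident("open-ended sanctions evasion network", 2023, None),
    Incident("one-off sabotage", 2024, 2024),
]
CURRENT_YEAR = 2025


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(f"{inc.title:45s} {year_label(inc)}")
    print("active-year volume:", yearly_volume(SAMPLE_INCIDENTS, CURRENT_YEAR))
    print("onset-only volume: ", onset_volume(SAMPLE_INCIDENTS))
```

Running it on the constructed sample shows why the page counts active years: the 2022 to 2024 campaign contributes to three bars of the chart, and the open-ended one keeps contributing each year, whereas an onset-only count would show a flat one-per-year series that hides the sustained activity.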
Caveats
The catalog is a secondary source — every record points back to the primary reporting that informed it. Dates reflect the earliest date mentioned in source reporting and may shift as new information surfaces. Attribution inherits the strength of its primary sources; when governments disagree or reporters dispute a claim, the incident reflects the preponderance of credible reporting and is flagged for review when new conflicting evidence appears.
If you believe an incident is mischaracterized or missing, email info@isdglobal.org.