One of the questions which always comes up when looking at attack data is “who is attacking?”

In the 2018 NTT Security Global Threat Intelligence Report (GTIR), analysts took a look at the source of attacks. The US was the single most common attack source against targets worldwide. Attacks sourcing from IP addresses within the US ranked first against targets globally due to significant number of activity focused on the Americas and APAC region, and followed by noteworthy impact to EMEA and Japan. Since attack sources within the US have consistently ranked high for all six years we have been doing this report, this really comes as no surprise.

But attribution is not that simple; the fact that most of the attack sources appear to come from the US does not mean that there are 17 million cybercriminals sitting in the US attacking every other country in the world. Yes, there really are a lot of attacks originating from attackers residing within the US. This is likely due to the US having mature infrastructure, with a wide variety of Internet Service Providers (ISPs) and web-hosts to leverage. However, significant number of attacks which originated from IP addresses within the US are from cybercriminals who are located elsewhere – they may be sitting in Brazil, Russia, China, or Turkmenistan (yes, we saw attacks from Turkmenistan IP addresses), but they just happen to be using resources from the US to perform their attacks.

China is another country which appears as a common attack source – ranked second against the Americas, APAC, and globally, and ranked first against EMEA targets. But, for the most part, other than the US and China, most attack sources are in the same region or country as the target – in other words, targets in EMEA tend to be attacked by sources in EMEA, and targets in APAC tend to be attacked by sources in APAC.

The exceptions are few, and that helps make them interesting. Why is Netherlands the third most common attack source globally – appearing in the top five sources against APAC, Americas and Japan (and only 0.25% out of the top five against EMEA)? For the same reason that the US usually dominates – Netherlands has great internet infrastructure, and diverse ISPs and hosting providers.

Compromised systems, valid hosting (often purchased with stolen credit cards), hosted exploit kits and botnets are all available tools for cyber criminals. Such options make it easier for attackers to maximize the use of resources local to the target, maximize the use of great bandwidth, and obfuscate their trail, regardless of where the cybercriminal is actually physically sitting.

The 2018 NTT Security GTIR adds some more analysis and discussion of attack sources, along with trends observed by analysts when looking at the types of attacks used by different attack sources, as well as the industries targeted by those sources. Download the report here.