The Congressional Research Service released an updated inventory of significant cyberattacks against the United States spanning 2012 through 2025. The document, R46974, catalogues operations attributed to nation-states and foreign criminal actors with primary-source citations, drawing on indictments, grand jury findings, and official government statements. It is not a comprehensive threat ledger. It is a curated record of what the U.S. government has been willing to say publicly, which makes its silences as instructive as its disclosures.
The report organizes attacks into two categories. The first covers campaigns attributed to actors operating on behalf of nation-states — China, Russia, North Korea, and Iran account for the full roster. The second covers foreign criminal actors seeking personal financial gain, ranging from ransomware affiliates to botnet operators to business email compromise rings. The distinction matters operationally: nation-state actors tend to run longer, more patient campaigns oriented toward intelligence collection and infrastructure access, while criminals move faster toward monetization and are less likely to deploy novel zero-day techniques.
The Director of National Intelligence’s annual threat assessments, cited throughout the report, have consistently flagged all four adversary nations as leading cyber threats. What the CRS record adds is specificity — named APT identifiers, perpetrating entities, campaign dates, and the legal instruments used to establish attribution. An indictment unsealed by DOJ carries more evidentiary weight than a press briefing from a national security official, and the report is careful to reflect those gradations.
Attribution methodology receives its own section. Investigators combine tradecraft analysis, malware forensics, infrastructure mapping, and signals intelligence to construct attribution claims, then assign a confidence level. High confidence means no viable alternative theory survives scrutiny. Moderate confidence leaves open the possibility of alternative actors. Low confidence means the evidence points somewhere specific but contains significant gaps. Adversaries understand this framework and invest in complicating it — using new infrastructure per campaign, scrubbing logs, and routing operations through proxy networks.
The practical consequence for enterprise security teams is that this document represents the floor of known activity, not the ceiling. Every operation listed cleared a high threshold of public evidentiary disclosure. Countless others, presumably including some of greater sensitivity, remain classified or were never surfaced through indictment. Organizations that model their threat landscape around what has been formally attributed are operating with an incomplete picture by design. The CRS record is useful precisely because it anchors the public conversation to verified events rather than speculation — but it was never intended to substitute for classified threat intelligence.
The thirteen-year span of documented activity makes one trend unmistakable: the operational tempo of both state and criminal actors has accelerated, the target set has expanded from government networks to critical infrastructure and healthcare, and the financial ambitions of criminal groups have grown from thousands to hundreds of millions of dollars per campaign. The infrastructure of American digital life is contested space, and the CRS report is the government’s own acknowledgment of that fact.