
Recap Workshop ‘Command and Control under the Cyber Radar: Untangling the Complexities of Attribution of State-Driven Cyber Operations’

14 April 2025

On 19 March 2025, Evgeni Moyakine, Associate Professor IT Law, organized the workshop ‘Command and Control under the Cyber Radar: Untangling the Complexities of Attribution of State-Driven Cyber Operations’. He did so together with his student-assistant Wendy Grooten, a Master’s student IT Law, and the Jantina Tammes School of Digital Society, Technology and AI. The event was held in the House of Connections in Groningen and was funded by the Jantina Tammes School Early Career Researcher Prize received by Moyakine in 2024.

Cyber attribution

At the moment, malicious State-backed cyber-attacks constitute a major threat to the Netherlands and other European countries. They target not only civilian objects and infrastructure but also critical national infrastructure and they can result in significant material and immaterial damage. Many of those cyber operations are carried out by individuals and private organizations acting on behalf of States and it is highly challenging to effectively attribute them under international law.

The workshop addressed the critical issue of attribution of such offensive cyber operations, serving as a platform for experts from diverse disciplines and interested students to share their knowledge and expertise, develop new skills and explore innovative approaches to cyber attribution. It explored the legal, political, and technical dimensions of cyber attribution, while initiating discussions among participants and providing them with valuable networking opportunities. Through interdisciplinary collaboration, specialists and students aimed to understand existing attribution frameworks and think together about more effective strategies for identifying and responding to State-backed cyber activities.


Political considerations

The first guest speaker at the workshop was Anne Aagten, an expert from the Clingendael Institute in The Hague. In her role as an Academy Program Fellow, she develops and co-ordinates training programs for diplomats and other internationally operating professionals in the diplomacy and security and capacity building programs of the Clingendael Academy and provides training related to international law and cybersecurity.

In her presentation, Anne emphasized the increasingly politicized nature of attribution in cyberspace and skillfully explored its political intricacies by focusing on State-level deliberations and diplomatic response options. After having examined the UN normative framework as a starting point for attribution and response, she clarified who the main actors involved in the attribution process are at the tactical, operational and strategic/political levels and who can be held accountable.

Importantly, Anne not only introduced a sophisticated Cyber Diplomatic toolbox developed at the Clingendael Institute but also presented concrete examples of cyber-attacks. Those were the 2018 cyber intrusion attempt targeting the Organization for the Prohibition of Chemical Weapons and the incident involving the deployment of Coathanger malware uncovered by the Dutch Ministry of Defence and the Dutch intelligence and security services in 2024.


Technical attribution

Then, Jayanthi Ramamoorthy, Ph.D. candidate in Digital Forensics and Cybersecurity at Sam Houston State University in the United States, delved into the complexities of technical attribution. An exceptionally skilled cybersecurity researcher and educator specializing in malware detection, reverse engineering, and forensic analysis with more than two decades of experience in software development and security engineering, she has published extensively on APT malware, system call analysis, and anomaly-based threat detection.

Located in a different time zone, Jayanthi gave an informative online presentation about the technical challenges of cyber attribution. She explained the main characteristics of the so-called ‘Advanced Persistent Threats’ (APTs) that are usually orchestrated by well-funded and skilled threat actors, typically connected to nation-States and organized cybercrime groups. They are generally known for their stealthy and sophisticated nature, target specific regions or industries, last over extended periods and are supported by States or well-resourced (criminal) organizations.

In addition to providing a comprehensive study of the Coathanger incident, Jayanthi investigated a variety of malware and other tools that are associated with certain APT actors and brought attention to the difficulties involved with technical attribution.

Legal aspects

Building on the technical analysis of the US-based expert, Evgeni Moyakine offered insights into the legal aspects of attribution of malicious cyber operations to States. He explained what the doctrine of State responsibility is and stressed that cyber incidents do not occur in a legal vacuum. States remain bound by international law and have not only rights but also obligations that they are required to comply with. If those rules and principles are violated, they should and can encounter appropriate legal repercussions.

Evgeni elaborated in his contribution on the most relevant modes of legal attribution and delineated the control theories articulated by international judicial bodies and legal experts for imputing the unlawful conduct of private persons and entities operating in the digital domain with varying degrees of State cooperation. Presenting a number of exemplary instances of cyber-attacks executed with significant participation by nation-States, he investigated whether the application of existing customary international law rules can lead to international responsibility of those countries.

Ultimately, he summarized his key findings and suggested possible avenues for future research and developments in this area, such as the creation of international or regional attribution mechanisms.

Plenary session

The workshop concluded with an interactive plenary session led by Evgeni Moyakine with the kind assistance of Anne Aagten, featuring a thorough analysis and discussion of two carefully designed cases. During this ‘hands-on experience’, the in-person participants were presented with a real-world case study of the Coathanger campaign, while the online participants looked into a fictitious scenario based on the deployment of the Stuxnet worm, the ‘world’s first digital weapon’, that had sabotaged the nuclear program of Iran and was discovered in 2010.

The discussions were both in-depth and thought-provoking and focused on technical and legal challenges posed by these cyber incidents. They also led to different questions concerning imputation of malicious cyber operations, such as “Is the use of malware similar to Stuxnet considered to be the use of force under international law?”, “Under what circumstances and to what extent can digital espionage activities constitute a breach of international obligations of States?” and “What are the most relevant types of legal attribution that injured States could resort to?”. The participants not only actively proposed solutions to address these complexities but also debated potential political responses from the affected countries.

The exchange of insights and perspectives was engaging and enlightening and fostered a rich dialogue that underscored the multifaceted nature of cyber conflict and attribution and highlighted the need for ongoing cross-sector collaboration and constructive discussions to navigate numerous ever-evolving challenges in this field.


This article was published by the Faculty of Law.

Last modified: 15 April 2025 1.29 p.m.