RMIT University

A survey of cyber threat attribution: Challenges, techniques, and future directions

journal contribution
posted on 2025-08-25, 03:09 authored by Nilantha Prasad, Abebe Abeshu Diro, Matthew Warren, Mahesh Fernando
The escalating sophistication of cyberattacks, exemplified by supply chain compromises, AI-driven obfuscation, and politically motivated campaigns, makes accurate attribution a critical yet elusive challenge for national security and economic stability. The inability to reliably trace attacks to their source undermines deterrence, distorts policy responses, and erodes trust in digital ecosystems. Traditional methods struggle with the sheer volume of digital evidence, rapidly evolving adversary tactics, and the inherent complexities of cross-border operations. Moreover, existing literature often provides fragmented analyses, focuses narrowly on cyber threat intelligence sharing or specific threat types, or predates significant advancements in AI/ML tailored for attribution. This survey offers a comprehensive, interdisciplinary review of cyber threat attribution, bridging these critical gaps by systematically analyzing its multifaceted dimensions: technical, legal, geopolitical, social, and economic. Employing a rigorous, PRISMA-ScR compliant methodology that included structured screening and quality assessment across six major databases, we critically appraise current techniques and identify a paradigm shift toward data-driven, intelligent approaches. A key contribution is our novel taxonomy, which structures attribution research by attribution confidence & granularity (the Level of attribution), analytical domains (the “How” and “Where” of evidence processing) and adversarial motivation & profile (the “Why” and “Who”), providing a crucial framework for systematic cross-study comparisons in a complex field. Our findings underscore the transformative potential of emerging AI/ML techniques, particularly graph neural networks, in automating analysis, identifying subtle patterns, and extracting crucial insights from vast datasets, thereby revolutionizing attribution accuracy. 
This research provides actionable insights for practitioners and policymakers, offering a comprehensive roadmap to advance cyber defense and foster a more resilient and secure global digital ecosystem.

Related Materials

  1. DOI - Is published in DOI: 10.1016/j.cose.2025.104606
  2. ISSN - Is published in 0167-4048 (Computers and Security)

Journal

Computers & Security

Volume

157

Number

104606

Total pages

32

Publisher

Elsevier

Language

en

Copyright

© 2025 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).

Open access

  • Yes
