CIRCL - Operational Statistics

CIRCL operational statistics

The operational statistics cover the incident response activities of CIRCL, especially with regard to reporting (e.g. incident reports, requests for analysis or support during a computer security incident) and notifications (e.g. take-down notifications, notifications about vulnerabilities) from/to third parties. The statistics exclude automatic structured notifications and information exchange happening via threat intelligence platforms such as the CIRCL MISP information sharing platform or any other automatic exchange set up with partners.

This section presents some statistics about incidents handled by CIRCL between 2011 and 2017. During this time frame the attackers evolved, forcing CIRCL to adapt its internal procedures. Although reporting to CIRCL is not mandatory, the reporting behaviour of constituents has changed. On one hand, the reputation of CIRCL increased, thereby increasing the amount of reporting to CIRCL. On the other hand, trainings offered by CIRCL, such as Introduction to incident response, forensic analysis and many others, have helped local organisations build up their own incident response capacities, thereby reducing the number of reported incidents. This makes comparing the statistics of successive years challenging. Ticket counts are not an indicator of the overall workload, as some tickets are very resource intensive whereas others are quickly solved. Nevertheless, the workload for the overall triage of the tickets is increasing and shows an increase in diversity when it comes to attacker practices.


Tickets can contain one or more incidents and only represent the reporting or notification which was performed by CIRCL analysts.

Number of tickets per year

CIRCL - Number of tickets per year

Number of tickets per month

CIRCL - Number of tickets per month

State of tickets per year

CIRCL - Number of tickets per month

Categories of tickets

CIRCL - Categories of tickets

The above graph shows the categories of the various incidents. The handling of information leaks is a recurrent task: CIRCL has been continuously discovering information leaks since 2012, mainly due to the operation of data-mining and leak monitoring software capable of fetching unstructured data, including information leaks (e.g. CIRCL develops a software to discover information leaks called AIL). However, the human triage of these potential leaks is time consuming.

SQL injections were frequently reported up until 2012; people in general did not stop reporting SQL injections afterwards, but they reported fewer of them. XSS and other vulnerabilities are regularly reported but the activity is quite irregular. In 2013, a peak in system compromises can be explained by the implementation of automated detection of compromised systems in information leaks.

The volume of support for denial of service attacks has been quite constant with a few exceptions. In 2013 CIRCL gave a lot of support to international CSIRT communities. In 2015, attacker groups such as Armada Collective and DD4BC were active in Luxembourg, blackmailing their victims.

Malware and system compromises have been omnipresent during the last six years. In the time frame of 2011 to 2015 CIRCL was mainly confronted with industrial espionage software. In 2015 CIRCL analyzed compromised systems containing malware that often targeted enterprise banking solutions. Malware running on mobile phones has also been regularly reported since December 2016.

Spam and scams are constantly reported. In 2012 the first fake Microsoft callers were reported, tricking their victims into providing them with remote access to their machines and charging service fees, a recurring scam that reappears from time to time. Phishing campaigns targeting international organisations are also regularly observed in Luxembourg; these attacks have also been observed in other countries since 2013.
The malware category includes all malicious binaries that CIRCL gathers via reporting (it doesn’t include automatic collection of malware samples).

CIRCL - Categories of tickets

2018 Details of Ticket Categories

CIRCL - Categories of tickets


Sector of activities

The topics are almost equally distributed, covering the private sector. This not only shows that CIRCL is well established in all relevant areas but also that the above-mentioned types of incidents are a global occurrence. CIRCL also supports individuals in computer incidents although this task is not among its mandate’s primary objectives. The classification of the sector of activity is broad to avoid the disclosure of specific victims.

CIRCL - Sector of Activities

Raw data

The operational statistics are also available in JSON format if you want to process them for further analysis or data mining.

The raw data is generated every month. Each ticket number is replaced by an HMAC value computed with a unique random key generated at each run. This allows records belonging to the same ticket to be correlated without leaking the associated ticket number.
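The pseudonymisation described above, as an added example that is not CIRCL's own code: it assumes HMAC-SHA256 truncated to 32 hex digits (the page does not name the hash) and uses constructed events, with `pseudonymise`, `export_run` and the other function names being hypothetical. It also shows why a keyed construction is needed: ticket numbers form a small space, so an unkeyed hash can be reversed by enumeration, and because the key changes at each run, tokens only correlate within one generated file.

```python
import hashlib
import hmac
import secrets

TOKEN_HEX_LEN = 32  # assumption: matches the 32-hex-digit ticketNum in the page's sample

def new_run_key() -> bytes:
    """Fresh random key for one export run; it is never published."""
    return secrets.token_bytes(32)

def pseudonymise(ticket_number: int, run_key: bytes) -> str:
    """Keyed token for a ticket number (HMAC-SHA256, truncated: an assumption)."""
    mac = hmac.new(run_key, str(ticket_number).encode(), hashlib.sha256)
    return mac.hexdigest()[:TOKEN_HEX_LEN]

def export_run(events, run_key: bytes):
    """Replace the ticket number in each (ticket, action, comment, date) event."""
    return [
        {"ticketNum": pseudonymise(t, run_key), "action": a, "comment": c, "date": d}
        for t, a, c, d in events
    ]

def unkeyed_token(ticket_number: int) -> str:
    """Plain hash, shown only for contrast: anyone can recompute it."""
    return hashlib.sha256(str(ticket_number).encode()).hexdigest()[:TOKEN_HEX_LEN]

def recover_from_unkeyed(token: str, max_ticket: int = 100_000):
    """Small input space: an unkeyed hash is reversible by enumeration."""
    for n in range(max_ticket):
        if unkeyed_token(n) == token:
            return n
    return None

# Constructed sample events (not CIRCL data): two events belong to ticket 1042.
EVENTS = [
    (1042, "4", "open", "2011-01-31 10:08:08"),
    (1042, "4", "resolved", "2011-02-02 09:00:00"),
    (1043, "4", "open", "2011-02-01 11:30:00"),
]

if __name__ == "__main__":
    run_a = export_run(EVENTS, new_run_key())
    run_b = export_run(EVENTS, new_run_key())
    print(run_a[0]["ticketNum"] == run_a[1]["ticketNum"])  # same ticket, same run
    print(run_a[0]["ticketNum"] == run_b[0]["ticketNum"])  # same ticket, new key
    print(recover_from_unkeyed(unkeyed_token(1042)))       # unkeyed hash reversed
    print(recover_from_unkeyed(run_a[0]["ticketNum"]))     # keyed token is not
```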

Raw data JSON Format

The raw data is in JSON format and it’s an array composed of JSON objects.

    {
        "ticketNum": "8182e326f634c4d48a60a469ce59cc71",
        "action": "4",
        "comment": "open",
        "date": "2011-01-31 10:08:08"
    }

The action table defines the manual action associated to a ticket:

id Name
1 State
2 Constituency
3 State
4 State
5 State
6 Description
7 Resolution
9 Function
10 Classification
11 How Reported
12 Reporter Type
13 IP
14 Netmask
15 Port
16 Where Blocked
17 Customer
18 Customer
19 Response
20 Topic

The value is not distributed for reasons of confidentiality, but the change of state is given for statistical purposes.
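One way to process the raw data, as an added example that is not CIRCL's own code: it groups records by the pseudonymous `ticketNum` and rebuilds each ticket's state history from the action ids the table names "State". The records are constructed, and the state name `resolved` and the empty `comment` on non-state actions are assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Action ids that the page's action table names "State".
STATE_ACTIONS = {"1", "3", "4", "5"}

# Constructed sample in the page's record format (not CIRCL data).
# Assumption: non-state actions carry an empty comment because the value is withheld.
RAW = """[
 {"ticketNum": "8182e326f634c4d48a60a469ce59cc71", "action": "4", "comment": "open", "date": "2011-01-31 10:08:08"},
 {"ticketNum": "8182e326f634c4d48a60a469ce59cc71", "action": "10", "comment": "", "date": "2011-01-31 10:09:00"},
 {"ticketNum": "8182e326f634c4d48a60a469ce59cc71", "action": "4", "comment": "resolved", "date": "2011-02-03 16:20:00"},
 {"ticketNum": "0f3c5a9e2b7d4c1e8a6b9d0c1e2f3a4b", "action": "4", "comment": "open", "date": "2012-03-05 08:00:00"}
]"""

def load(raw: str):
    """Parse the raw data: a JSON array of record objects."""
    return json.loads(raw)

def state_history(records):
    """Per-ticket list of (timestamp, state), ordered by time."""
    history = defaultdict(list)
    for r in records:
        if r["action"] in STATE_ACTIONS:
            ts = datetime.strptime(r["date"], "%Y-%m-%d %H:%M:%S")
            history[r["ticketNum"]].append((ts, r.get("comment", "")))
    for events in history.values():
        events.sort()
    return dict(history)

def first_seen_per_year(history):
    """Count tickets by the year of their first state change."""
    return Counter(events[0][0].year for events in history.values())

def current_states(history):
    """Last recorded state of each pseudonymous ticket."""
    return Counter(events[-1][1] for events in history.values())

if __name__ == "__main__":
    hist = state_history(load(RAW))
    print(dict(first_seen_per_year(hist)))
    print(dict(current_states(hist)))
```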

Use of the operational statistics

CIRCL operational statistics can be freely reused according to the distribution rules described below. We also recommend referencing this page if you use the statistics for a publication or a report.


TLP:WHITE information may be distributed without restrictions. The document and the Open Data mentioned are licensed under the international CC-BY 4.0 licence.


  • Version 1.3 January 14th, 2019 - 2018 full generation + clarification to the JSON format
  • Version 1.2 August 17th, 2018 - partial 2018 statistics generated - monthly statistics added
  • Version 1.1 January 3rd, 2018 - 2017 statistics generated
  • Version 1.0 October 10th, 2017 Initial version TLP:WHITE.