Cyber operations' attribution, modi operandi, and sophistication

Authors:

  • Henrik Karlzén

Publish date: 2020-01-31

Report number: FOI-R--4834--SE

Pages: 73

Written in: Swedish

Keywords:

  • operation
  • cyber operation
  • cyber domain
  • cyber security
  • information security
  • IT security
  • attribution
  • modus operandi
  • sophistication
  • attack
  • advanced

Abstract

This report describes how cyber operations classified as state-supported are carried out, and how attribution can be used to determine that they actually were state-supported. It also describes the basis on which cyber operations are considered sophisticated. Since state support is often equated with sophistication, attribution techniques partly overlap with the techniques used to determine whether an operation was sophisticated. Together, this provides a basis for identifying which cyber operators are of special interest to the Swedish Armed Forces in terms of defence and active capabilities. The report also describes trends in cyber operations, such as which states often appear as attackers and which recur as victims. However, attribution techniques have shortcomings: chains of evidence are long and weak, and rebuttals are sometimes even ignored. The report therefore suggests that future research examine how easy it is to assess attribution and whether attackers can protect themselves from attribution techniques. The operations' modi operandi generally show a relatively low degree of sophistication, and what various pundits highlight as sophisticated is rarely impressive. The report thus suggests future research that explores more closely how states want to act in the cyber domain, including in terms of long-term goals and targeting. In addition, it proposes studies on cyber weapons procurement and on what can be said about the types of cyber operations that are not even discovered.