Anatomy of the attacks the industry keeps coming back to
Each page is a scrollytelling kill chain: a custom diagram on the left animates phase by phase as you scroll through the narrative on the right. Every claim cites the primary source — CISA advisories, MITRE ATT&CK, and the vendor disclosure that originally surfaced the activity. No fabrication.
Operation Aurora
China's IE zero-day campaign that named the APT era
Attribution: Elderwood / Beijing Group (PRC)
Timeframe: Mid-2009 – January 2010
A Chinese state-linked espionage group breached at least 34 organizations, including Google, Adobe, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical, using a previously unknown Internet Explorer use-after-free zero-day (CVE-2010-0249). Operators delivered the Hydraq remote-access trojan via spear-phishing links to a Taiwan-hosted exploit page, then exfiltrated source code and accessed the Gmail accounts of Chinese human-rights activists. Google's public disclosure on January 12, 2010, by Chief Legal Officer David Drummond, was the first time a major corporation publicly attributed an intrusion to a nation state, and it effectively opened the APT era.
Stuxnet
The first known cyber weapon designed to cause physical destruction
Attribution: Equation Group (linked through shared exploit code; the operation itself is widely reported as a joint US–Israeli effort, "Olympic Games")
Timeframe: 2007–2010 (discovered June 2010)
Stuxnet was a precision cyber weapon that reached the air-gapped Natanz uranium-enrichment facility on infected USB drives carried in by contractors. Once inside, it located Siemens S7-315 and S7-417 PLCs controlling the IR-1 centrifuge cascades, reprogrammed them to damage rotors by cycling speeds to extremes, and replayed pre-recorded normal telemetry to the SCADA operators while doing so, staying undetected for months. Roughly 1,000 of Natanz's ~9,000 IR-1 centrifuges were replaced between late 2009 and late 2010.
Shamoon
Iranian wiper that crippled Saudi Aramco
Attribution: Iranian threat cluster, claimed under the "Cutting Sword of Justice" persona; later Shamoon waves were linked to APT33
Timeframe: August 15, 2012
On August 15, 2012, the eve of Lailat al Qadr, the holiest night of the Islamic year, a three-component wiper called Disttrack (Shamoon) detonated across Saudi Aramco's network and destroyed approximately 30,000 workstations within hours. The dropper spread using hardcoded stolen domain credentials over SMB admin shares; the wiper component loaded the legitimate, signed EldoS RawDisk kernel driver to overwrite Master Boot Records and file contents with fragments of a JPEG of a burning American flag. Saudi Aramco spent roughly two weeks restoring operations and reportedly bought some 50,000 replacement hard drives to rebuild. Shamoon 2 returned in November 2016 (again hitting Saudi organizations over an Islamic holiday weekend) and Shamoon 3 appeared in December 2018, underscoring how long-lived and operationally disciplined this Iranian cluster is.
Bangladesh Bank SWIFT Heist
Fraudulent SWIFT MT103 transfers via SWIFT Alliance Access abuse
Attribution: Lazarus Group (HIDDEN COBRA / ZINC)
Timeframe: Early 2015 – February 2016
Lazarus operators spent roughly a year inside Bangladesh Bank's network mapping its SWIFT operations before submitting 35 fraudulent MT103 payment instructions on 4–5 February 2016, timed for the Bangladeshi weekend when staff were absent. The malware patched the SWIFT Alliance Access software in memory to bypass its database validity check and suppressed the confirmation printouts that would have alerted staff. Roughly $951M was requested in total. $81M reached four accounts at RCBC in Manila opened under fictitious names and was laundered through Philippine casinos; $20M routed to Sri Lanka was recovered after a misspelled beneficiary name prompted a query; the remaining ~$850M was stopped at the New York Fed, where the other instructions were flagged for manual review.
Sony Pictures Hack
North Korea's coercive cyber response to a Hollywood comedy
Attribution: Lazarus Group (DPRK), operating under the "Guardians of Peace" persona
Timeframe: November 24, 2014 (public detonation; intrusion began earlier in 2014)
In response to Sony Pictures' film The Interview, a comedy depicting the assassination of Kim Jong-un, Lazarus operators had been inside Sony's network for months, exfiltrating an estimated 100 TB of data, before detonating the Destover wiper on November 24, 2014. Skull imagery bearing the "Guardians of Peace" (#GOP) tag appeared on Sony workstations. Destover used the same EldoS RawDisk driver technique as the Shamoon wiper to overwrite MBRs and raw disk sectors, leaving thousands of Sony machines unbootable. Unreleased films, executive emails, employee Social Security numbers, and salary records were leaked publicly. The FBI attributed the attack to North Korea on December 19, 2014, less than four weeks later; a 2018 DOJ indictment named a specific North Korean operator.
OPM Breach
21.5 million cleared-personnel records to Chinese intelligence
Attribution: Deep Panda (China MSS-affiliated)
Timeframe: May 2014 – April 2015 (discovered April 15, 2015)
In two overlapping intrusions spanning nearly a year, China MSS-affiliated actors compromised the U.S. Office of Personnel Management and exfiltrated the most sensitive personnel database in the U.S. government. Using credentials stolen from a KeyPoint Government Solutions contractor, the attackers installed the PlugX and Sakula RATs, located the background-investigation repository, and exfiltrated records on approximately 21.5 million individuals (chiefly SF-86 security-clearance forms), including 5.6 million sets of fingerprints, along with 4.2 million federal employee personnel records. The SF-86 files contain decades of intimate personal data on cleared personnel and their families, giving Chinese intelligence a near-complete map of the U.S. national-security workforce.
Ukraine Power Grid Attacks
Sandworm's two-act demonstration of cyber-induced blackout — BlackEnergy in 2015, Industroyer in 2016
Attribution: Sandworm (GRU Unit 74455)
Timeframe: December 23, 2015 (BlackEnergy; Prykarpattyaoblenergo, Kyivoblenergo, Chernivtsioblenergo) and December 17, 2016 (Industroyer; Ukrenergo)
In two December strikes a year apart, Sandworm, Russia's GRU Unit 74455, showed that a cyberattack could darken cities. On 23 December 2015, operators at three Ukrainian distribution companies (Prykarpattyaoblenergo, Kyivoblenergo, and Chernivtsioblenergo) watched remote intruders, who had arrived via BlackEnergy phishing documents and stolen VPN credentials, open breakers across their substations from hijacked HMI sessions, cutting power to roughly 225,000 customers for one to six hours. The adversary then ran KillDisk against SCADA workstations and flooded customer call centers with a telephone denial of service to slow the response. On 17 December 2016 a new framework, Industroyer (also called CrashOverride), struck the Ukrenergo transmission substation north of Kyiv; it was the first publicly known malware that spoke grid protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA) natively, issuing breaker commands itself rather than through a hijacked operator session. Together the two attacks remain the most consequential cyber operations against civilian power infrastructure on public record.
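The protocol point above, Industroyer issuing IEC-104 breaker commands directly, is easier to see with a decoder in hand. The block below is an added example written for this page, not Industroyer code or an ESET artifact: it parses a minimal IEC 60870-5-104 APDU, extracts the command type, cause of transmission, common address, information object address and the ON/OFF and select/execute bits of single and double commands, and flags any activation command that does not come from an allow-listed HMI address. The frames, IP addresses and allow-list are constructed for illustration; a real deployment would feed it from a span port using the station's own address plan.

```python
"""Minimal IEC 60870-5-104 APDU decoder with a breaker-command detector.

Added example; frames below are hand-built, not captures from Ukrenergo.
Layout (IEC 60870-5-104 / -101): APCI = start byte 0x68, length, four
control octets; ASDU = type id, VSQ, cause of transmission + originator,
2-byte common address, 3-byte information object address, info element.
"""
from __future__ import annotations
from dataclasses import dataclass

C_SC_NA_1 = 45   # single command (one-bit output such as a breaker)
C_DC_NA_1 = 46   # double command (OFF/ON with explicit invalid states)
COMMAND_TYPES = {C_SC_NA_1: "single command", C_DC_NA_1: "double command"}
COT_ACTIVATION = 6  # cause of transmission "activation": actually do it


@dataclass
class Apdu:
    fmt: str                    # "I" (data), "S" (ack) or "U" (link control)
    type_id: int | None = None
    cot: int | None = None
    common_addr: int | None = None
    ioa: int | None = None
    state: str | None = None    # "ON"/"OFF" for command ASDUs
    select: bool | None = None  # True = select, False = execute


def parse_apdu(frame: bytes) -> Apdu:
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if frame[1] + 2 != len(frame):
        raise ValueError("APDU length field does not match frame size")
    c1 = frame[2]
    if c1 & 0x01 == 0:
        fmt = "I"
    elif c1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt)
    asdu = frame[6:]
    if len(asdu) < 10:
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F                      # low six bits; bit 6 = P/N, bit 7 = test
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    state = select = None
    if type_id == C_SC_NA_1:
        sco = asdu[9]
        state = "ON" if sco & 0x01 else "OFF"
        select = bool(sco & 0x80)
    elif type_id == C_DC_NA_1:
        dcs = asdu[9] & 0x03
        state = {1: "OFF", 2: "ON"}.get(dcs, "INVALID")
        select = bool(asdu[9] & 0x80)
    return Apdu("I", type_id, cot, common_addr, ioa, state, select)


def assess_frame(frame: bytes, src_ip: str, authorized_hmis: set[str]) -> str:
    """Return 'ignore', 'command: ...' (allow-listed HMI) or 'ALERT: ...'."""
    apdu = parse_apdu(frame)
    if apdu.fmt != "I" or apdu.type_id not in COMMAND_TYPES:
        return "ignore"
    if apdu.cot != COT_ACTIVATION:
        return "ignore"          # confirmations/terminations are replies, not orders
    desc = (f"{COMMAND_TYPES[apdu.type_id]} {apdu.state} "
            f"({'select' if apdu.select else 'execute'}) "
            f"to CA={apdu.common_addr} IOA={apdu.ioa}")
    if src_ip in authorized_hmis:
        return f"command: {desc} from {src_ip}"
    return f"ALERT: {desc} from unauthorized source {src_ip}"


# Constructed frames: single command OFF/execute to IOA 1, double command
# OFF/select to IOA 2, a spontaneous M_SP_NA_1 status report, a U-format TESTFR.
SC_OFF_EXECUTE = bytes.fromhex("680e000000002d0106000100010000" "00")
DC_OFF_SELECT = bytes.fromhex("680e000000002e0106000100020000" "81")
SPONTANEOUS_SP = bytes.fromhex("680e00000000010103000100010000" "01")
TESTFR_ACT = bytes.fromhex("680443000000")

if __name__ == "__main__":
    hmis = {"10.0.1.10"}
    for src, f in [("10.0.1.10", SC_OFF_EXECUTE), ("10.0.9.77", SC_OFF_EXECUTE),
                   ("10.0.9.77", DC_OFF_SELECT), ("10.0.2.5", SPONTANEOUS_SP),
                   ("10.0.2.5", TESTFR_ACT)]:
        print(src, "->", assess_frame(f, src, hmis))
```

The detector keys on cause of transmission 6 (activation) so that the RTU's own activation-confirmation replies, which reuse the same type ids, do not double-alert; in practice you would also check the TCP source against the engineering-workstation and HMI allow-list per substation rather than one global set.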
DNC Hack
Two GRU/SVR intrusions, one election-interference operation
Attribution: Fancy Bear (GRU Unit 26165) and Cozy Bear (SVR)
Timeframe: Summer 2015 – June 2016 (disclosure)
In summer 2015 Russia's SVR (Cozy Bear / APT29) quietly penetrated the Democratic National Committee network and kept near-invisible access for almost a year. Beginning in March 2016, GRU Unit 26165 (Fancy Bear / APT28) ran a spear-phishing campaign against the Clinton campaign, including the credential-harvesting email that compromised campaign chairman John Podesta's Gmail account on March 19, and by April had worked its way into the DCCC and DNC networks. The GRU team deployed X-Agent (CHOPSTICK) on DNC hosts and X-Tunnel for encrypted exfiltration, stealing tens of thousands of emails. CrowdStrike disclosed the breach on June 14, 2016; the next day the "Guccifer 2.0" persona surfaced, claiming credit and releasing documents, and WikiLeaks subsequently published the stolen archives. The operation became the most consequential cyber-enabled influence campaign in U.S. electoral history.
WannaCry
EternalBlue worm ransomware — global outbreak May 2017
Attribution: Lazarus Group (HIDDEN COBRA)
Timeframe: May 12–15, 2017
WannaCry exploited CVE-2017-0144, the SMBv1 flaw targeted by the NSA-developed EternalBlue exploit that the Shadow Brokers leaked in April 2017. Microsoft had shipped the fix (MS17-010) on March 14, 2017, but vast swaths of Windows infrastructure remained unpatched with SMB exposed on port 445. The worm self-propagated with zero user interaction, encrypting some 200,000 systems across 150 countries in under 96 hours. A researcher's registration of the hardcoded kill-switch domain halted the first wave. No supply-chain compromise or credential theft was involved: raw exploit-and-encrypt at scale.
NotPetya
Destructive wiper masquerading as ransomware
Attribution: Sandworm (GRU Unit 74455)
Timeframe: June 27, 2017
Sandworm weaponized the update mechanism of M.E.Doc, Ukraine's dominant tax-accounting software, to push a trojanized update that detonated a wiper across Ukraine and, through the global supply chain, far beyond it. NotPetya encrypted the Master File Table and overwrote the MBR with a fake ransom note; the "installation key" it displayed was random data, so no payment could ever yield a decryptor. The White House estimated worldwide damage at roughly $10 billion, making it the most destructive cyberattack in history at the time.
Equifax Breach
PLA's bulk-PII heist via unpatched Apache Struts
Attribution: PLA Unit 54466 (54th Research Institute, PRC)
Timeframe: May 13 – July 30, 2017 (discovered July 29, disclosed September 7, 2017)
Members of the PLA's 54th Research Institute exploited a publicly disclosed but unpatched Apache Struts vulnerability (CVE-2017-5638) in Equifax's consumer dispute portal to gain a foothold. Over 76 days they pivoted through an unsegmented database tier, ran approximately 9,000 queries across 51 databases, and exfiltrated personally identifiable information on roughly 148 million Americans, the largest theft of consumer financial data in U.S. history. The certificate on Equifax's SSL-inspection device had expired some 19 months earlier, so encrypted egress traffic was never decrypted for inspection and the network IDS was effectively blind throughout the operation.
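As an added example (not Equifax's code or anything from the Struts project), here is the kind of header check that would have caught CVE-2017-5638 exploitation at a reverse proxy or in request logs. The detail it relies on, that the Jakarta Multipart parser evaluated OGNL embedded in a malformed Content-Type header, comes from the public vulnerability record rather than the summary above. The sample requests are constructed, and the marker list and header names are this author's choices, not a canonical signature.

```python
"""Detect CVE-2017-5638-style OGNL injection in HTTP request headers.

Added example with constructed requests. The vulnerable Struts multipart
parser evaluated OGNL expressions found in a malformed Content-Type header,
so the signal is an OGNL expression (%{...} or ${...}) in a header that
should only ever carry a media type. Some log pipelines store header values
percent-encoded, so values are decoded before matching.
"""
from __future__ import annotations
import re
from urllib.parse import unquote

# Headers the multipart parser reflected into the error path (author's list).
SUSPECT_HEADERS = ("content-type", "content-disposition")

EXPR_RE = re.compile(r"[%$]\{")
OGNL_MARKERS = (
    "#_memberaccess", "ognlcontext", "default_member_access",
    "processbuilder", "#cmd", "getruntime", "@java.lang",
)


def scan_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one request's headers (empty list = clean)."""
    findings = []
    for name, value in headers.items():
        if name.lower() not in SUSPECT_HEADERS:
            continue
        decoded = unquote(value).lower()
        if not EXPR_RE.search(decoded):
            continue
        hits = [m for m in OGNL_MARKERS if m in decoded]
        severity = "high" if hits else "medium"
        findings.append(f"{severity}: OGNL expression in {name} header"
                        + (f" (markers: {', '.join(hits)})" if hits else ""))
    return findings


def parse_request(raw: str) -> dict[str, str]:
    """Split a raw HTTP request head into a header dict (request line dropped)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def classify(raw: str) -> str:
    """'clean', 'medium' or 'high' for a raw request head."""
    found = scan_headers(parse_request(raw))
    return found[0].split(":")[0] if found else "clean"


# Constructed sample requests (not real traffic).
BENIGN = ("POST /dispute HTTP/1.1\r\nHost: example.test\r\n"
          "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n")
EXPLOIT = ("POST /dispute HTTP/1.1\r\nHost: example.test\r\n"
           "Content-Type: %{(#_='multipart/form-data')."
           "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
           "(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd))}\r\n\r\n")
ENCODED = ("POST /dispute HTTP/1.1\r\nHost: example.test\r\n"
           "Content-Type: %25%7B(%23_%3D'multipart/form-data')"
           ".(%23cmd%3D'id')%7D\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("exploit", EXPLOIT), ("encoded", ENCODED)):
        print(label, "->", classify(req), scan_headers(parse_request(req)))
```

A bare `%{` in a media-type header is itself worth a medium alert: no legitimate client sends one, and the marker list only raises confidence. Patching Struts (2.3.32 / 2.5.10.1 and later) remains the fix; this is a detection, not a mitigation.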
Triton / Trisis
First malware engineered to defeat safety-instrumented systems — designed to enable physical destruction and loss of life
Attribution: Xenotime / TEMP.Veles (linked to Russia's TsNIIKhM research institute)
Timeframe: June – August 2017 (incident); public disclosure December 14, 2017
Xenotime / TEMP.Veles spent over a year working from a Saudi petrochemical facility's corporate IT network into its operational technology environment before deploying TRITON, a custom Python framework that implemented a reverse-engineered version of Schneider Electric's proprietary TriStation protocol and spoke directly to Triconex Safety Instrumented System (SIS) controllers. The goal was to disable the plant's last line of protection against catastrophic accidents, opening the way to physical destruction and potential loss of life. An error in the injected code caused an unintended safety trip in August 2017 that shut the plant down safely and alerted defenders; that failure is the only reason the outcome was not catastrophic. TRITON remains the first known malware purpose-built to subvert safety instrumented systems.
Olympic Destroyer
Sandworm's false-flag wiper at the PyeongChang opening ceremony
Attribution: Sandworm (GRU Unit 74455)
Timeframe: February 9, 2018 (Opening Ceremony)
Sandworm pre-positioned inside PyeongChang 2018 partner networks months before the Winter Olympics, then detonated a wiper as the Opening Ceremony began on February 9, 2018. The attack took down the official Pyeongchang2018.com ticketing website, stadium Wi-Fi, press-centre printers, and the official mobile app, sabotaging the spectacle in real time. The malware was deliberately seeded with forged code artifacts pointing at Lazarus Group (DPRK), APT3, and APT10 to frustrate attribution. Kaspersky GReAT later unpicked the layered deception through PE Rich-header analysis, exposing one of the most sophisticated false-flag operations in cyber history.
ProxyLogon / Hafnium
Mass exploitation of on-premises Microsoft Exchange Server
Attribution: Hafnium (Silk Typhoon)
Timeframe: January 3, 2021 – March 2021
A chain of four Exchange vulnerabilities (CVE-2021-26855, the server-side request forgery that bypasses authentication; CVE-2021-26857, an insecure-deserialization bug in the Unified Messaging service; and CVE-2021-26858 and CVE-2021-27065, post-authentication arbitrary file writes) let attackers, with no credentials, run code as SYSTEM and drop web shells on tens of thousands of internet-facing Exchange servers. Microsoft shipped out-of-band patches on March 2, 2021; within hours, dozens of separate threat actors began mass-scanning for unpatched servers. By some estimates 250,000+ Exchange servers were compromised globally before patching caught up. Hafnium opened the door; the broader internet walked through it.
SolarWinds / SUNBURST
Supply-chain compromise of SolarWinds Orion
Attribution: APT29 (UNC2452 / NOBELIUM)
Timeframe: September 2019 – December 2020
The actor had access to SolarWinds' build environment from September 2019 and shipped the SUNBURST backdoor inside signed Orion updates between March and June 2020; those updates reached roughly 18,000 customers. A small subset, including U.S. federal agencies and Microsoft, were selected for hands-on follow-on activity, in which the operators pivoted from on-premises networks into Microsoft 365 and Azure using SAML tokens forged with stolen AD FS token-signing keys (the "Golden SAML" technique) and by adding their own credentials to existing OAuth applications. FireEye discovered the intrusion in December 2020 while investigating the theft of its own red-team tools.
Colonial Pipeline / DarkSide
Ransomware attack on critical U.S. fuel infrastructure
Attribution: DarkSide (RaaS affiliate)
Timeframe: April 29 – May 13, 2021
A DarkSide affiliate used a single leaked password, found in a dark-web credential dump, for a legacy VPN account on Colonial Pipeline's IT network; the account did not require MFA. Over the following days roughly 100 GB of data was exfiltrated, and on May 7 DarkSide ransomware encrypted IT systems. Colonial preemptively shut down its 5,500-mile pipeline, which carries about 45% of the East Coast's fuel, for five days, triggering shortages and panic buying across the U.S. Southeast. Colonial paid a 75 BTC (~$4.4M) ransom within a day of the attack; the FBI recovered 63.7 BTC (~$2.3M) of it on June 7.
Volt Typhoon
PRC state-sponsored pre-positioning in U.S. critical infrastructure
Attribution: Volt Typhoon (Bronze Silhouette / DEV-0391)
Timeframe: Mid-2021 – present
Volt Typhoon infiltrated U.S. critical-infrastructure networks spanning communications, energy, transportation, and water/wastewater using living-off-the-land (LOTL) tradecraft on victim hosts: no custom implant, only built-in Windows tools and signed binaries driven by stolen credentials and hands-on-keyboard activity. Command-and-control traffic was routed through a botnet of compromised end-of-life SOHO routers (the KV-botnet) so that it blended in with ordinary U.S. residential traffic. The assessed purpose is not espionage but pre-positioning: durable, covert access that could enable disruptive action on command.
MOVEit Transfer / Cl0p
Mass exfiltration via pre-auth SQL injection in a shared MFT appliance
Attribution: Cl0p (TA505 / Lace Tempest)
Timeframe: May – June 2023
Cl0p exploited a pre-authentication SQL-injection zero-day (CVE-2023-34362) in Progress Software's MOVEit Transfer managed file-transfer product. Because MOVEit is commonly run as a shared internet-facing service by third-party data processors, a single compromised instance exposed dozens of downstream client organizations. Cl0p encrypted nothing; it bulk-downloaded files and coerced payment by threatening to publish stolen records on its dark-web leak site, ultimately affecting roughly 2,700 organizations and 95 million individuals.
3CX Supply Chain Compromise
Lazarus pulls off the first publicly documented cascading software supply-chain compromise
Attribution: Labyrinth Chollima / Lazarus Group (DPRK; tracked by Mandiant as UNC4736)
Timeframe: March 22, 2023 (first EDR detections; public disclosure March 29), with the 3CX intrusion traced back to a 3CX employee's 2022 installation of a trojanized Trading Technologies X_Trader build
Lazarus operators compromised a 3CX employee's machine when the employee installed a trojanized build of Trading Technologies' X_Trader software, itself the product of an earlier supply-chain compromise. From that foothold the operators moved into 3CX's build environment and inserted a backdoor into the signed 3CXDesktopApp Electron installers, which 3CX distributed through its official update channel to a customer base of roughly 600,000 organisations worldwide. The trojanized app retrieved second-stage URLs hidden in base64-encoded data appended to ICO files hosted on GitHub, then deployed the IconicStealer infostealer. SentinelOne, CrowdStrike, and Sophos EDRs began flagging the app on March 22, 2023, and the compromise was public by March 29. Mandiant's analysis confirmed the cascading vendor-to-vendor-to-customers chain, a structural first in publicly documented supply-chain intrusions.
Storm-0558
A stolen consumer signing key forges enterprise mail access for 25 organizations
Attribution: Storm-0558 (PRC, espionage)
Timeframe: May 15 – July 12, 2023 (detected June 16; remediated July 12)
Storm-0558 exploited two compounding failures inside Microsoft's identity infrastructure to read email from approximately 25 organizations, including the U.S. State Department and Commerce Department, without phishing a single victim employee. The actor held a Microsoft Account (MSA) consumer signing key issued in 2016 and already expired. Microsoft's initial explanation was that the key had landed in an April 2021 crash dump that was moved from the isolated signing environment to the corporate network, where it became reachable after the actor compromised an engineer's corporate account; Microsoft later said it could not substantiate that theory, and the Cyber Safety Review Board's April 2024 report found that Microsoft still does not know how the key was stolen. Separately, a token-validation flaw in a Microsoft library (related to MSAL) caused enterprise Azure AD / Entra ID token verification to accept tokens signed with the consumer key. Together these let the actor mint valid Outlook Web Access and Exchange Online tokens for any Azure AD tenant: a structural identity-layer compromise requiring no endpoint malware. Detection came only when a U.S. State Department analyst noticed anomalous MailItemsAccessed audit events, which at the time required the Purview Audit (Premium) logging tier bundled with M365 E5; after pressure from CISA, Microsoft agreed to make that logging available to all customers.
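A model of the second failure described above, as an added example that is not Microsoft code and does not reproduce the actual MSAL bug: a relying party caches signing keys from two issuers in one keyring, and a verifier that checks only the signature will accept an enterprise token minted with the consumer key. The hardened verifier additionally requires that the key's scope, the token issuer's scope and the audience all agree. HMAC-SHA256 stands in for RSA so the block needs only the standard library; key ids, issuer URLs and secrets are made up.

```python
"""Model of a key-scope confusion in token validation (added example).

Tokens are header.payload.signature in base64url, JWT-style, but signed with
HMAC-SHA256 instead of RSA as a stdlib-only stand-in. The keyring, issuer
URLs and key ids are hypothetical; none of this is Microsoft's code.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import json


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Hypothetical merged key cache as a relying party might hold it.
KEYRING = {
    "msa-2016-01": {"secret": b"consumer-signing-secret", "scope": "consumer"},
    "aad-2023-07": {"secret": b"enterprise-signing-secret", "scope": "enterprise"},
}


def issuer_scope(iss: str) -> str | None:
    """Which identity system an issuer belongs to (hypothetical URLs)."""
    if iss.startswith("https://login.live.example/"):
        return "consumer"
    if iss.startswith("https://login.enterprise.example/"):
        return "enterprise"
    return None


def _encode(obj: dict) -> str:
    return b64u(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())


def sign(payload: dict, kid: str, secret: bytes) -> str:
    signing_input = f"{_encode({'alg': 'HS256', 'kid': kid})}.{_encode(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(sig)}"


def _split(token: str):
    h, p, s = token.split(".")
    return h, p, json.loads(b64u_decode(h)), json.loads(b64u_decode(p)), b64u_decode(s)


def _signature_ok(h: str, p: str, sig: bytes, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_signature_only(token: str, keyring: dict = KEYRING) -> bool:
    """The failure mode: any key in the merged cache validates any token."""
    h, p, header, _payload, sig = _split(token)
    key = keyring.get(header.get("kid"))
    return key is not None and _signature_ok(h, p, sig, key["secret"])


def verify_scoped(token: str, expected_scope: str, expected_aud: str,
                  keyring: dict = KEYRING) -> bool:
    """Hardened: key scope, issuer scope, audience and signature must all agree."""
    h, p, header, payload, sig = _split(token)
    key = keyring.get(header.get("kid"))
    if key is None or key["scope"] != expected_scope:
        return False
    if issuer_scope(payload.get("iss", "")) != expected_scope:
        return False
    if payload.get("aud") != expected_aud:
        return False
    return _signature_ok(h, p, sig, key["secret"])


def forged_enterprise_token() -> str:
    """What an actor holding only the consumer key can mint."""
    return sign({"iss": "https://login.enterprise.example/tenant-1234/",
                 "aud": "https://outlook.example", "tid": "tenant-1234",
                 "sub": "victim@state.example"},
                "msa-2016-01", KEYRING["msa-2016-01"]["secret"])


def legitimate_consumer_token() -> str:
    return sign({"iss": "https://login.live.example/", "aud": "https://outlook.example",
                 "sub": "someone@outlook.example"},
                "msa-2016-01", KEYRING["msa-2016-01"]["secret"])


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("signature-only accepts forged enterprise token:", verify_signature_only(forged))
    print("scoped verifier accepts it:", verify_scoped(forged, "enterprise", "https://outlook.example"))
```

The lesson generalizes beyond this incident: a key's validity is not a property of the key alone but of the (key, issuer, audience) triple, and a verifier that merges key sets from different trust domains must carry the domain with each key rather than trusting the `kid` to imply it.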
MGM & Caesars Ransom
A 10-minute help-desk call freezes the Vegas Strip
Attribution: Scattered Spider (UNC3944), deploying ALPHV/BlackCat ransomware as an affiliate
Timeframe: September 7–20, 2023 (initial access through detonation and partial recovery)
Scattered Spider, a loose collective of English-speaking young adults organized through the "Comm" underground, exploited the weakest link in enterprise identity: the human help desk. In roughly ten minutes on September 7, 2023, a caller impersonating an MGM Resorts employee identified from LinkedIn persuaded the IT help desk to reset credentials, and from there the group obtained Okta super-administrator access. Over the following days it moved into MGM's VMware ESXi hypervisor infrastructure and detonated ALPHV/BlackCat ransomware. Slot machines went dark, room-key systems failed, websites went offline, and casino floors were operationally degraded for roughly ten days. MGM refused to pay; its October 5, 2023 SEC 8-K put the cost at approximately $100 million. Caesars Entertainment, hit by the same group weeks earlier, paid approximately $15 million of a $30 million demand, as disclosed in its September 14, 2023 8-K.
Change Healthcare Ransomware
ALPHV's $22M exit-scam and the longest US healthcare outage in modern memory
Attribution: ALPHV/BlackCat ransomware-as-a-service (affiliate "Notchy")
Timeframe: February 12 – March 2024 (initial access through detonation); recovery into Q3 2024
On February 12, 2024, an ALPHV/BlackCat affiliate logged in to Change Healthcare's Citrix remote-access portal with stolen credentials; the portal did not require multi-factor authentication. Over nine days the affiliate moved laterally, harvested credentials, and exfiltrated an estimated 6 TB of protected health information before detonating ransomware on February 21. Change Healthcare, which routes roughly one-third of U.S. healthcare claims, took systems offline immediately, causing the longest and most consequential healthcare-IT outage in modern U.S. history: pharmacies could not fill prescriptions, hospitals could not bill, and thousands of smaller providers ran out of cash within weeks. UnitedHealth Group (UHG) paid approximately $22 million in Bitcoin in early March 2024, whereupon ALPHV pulled an exit scam, keeping the affiliate's share, faking an FBI seizure banner, and going dark. RansomHub surfaced in April 2024 claiming to hold the same data and extorting UHG again. UHG initially reported in October 2024 that about 100 million individuals were affected, then revised the figure to approximately 190 million in January 2025, the largest healthcare data breach in U.S. history.
XZ Utils Backdoor
A multi-year social-engineering operation to backdoor sshd across the major Linux distributions
Attribution: "Jia Tan" persona (unattributed; widely assessed as state-backed)
Timeframe: Late 2021 – March 29, 2024 (multi-year run-up; discovered by Andres Freund)
An unknown actor operating as "Jia Tan" (GitHub: JiaT75) spent more than two years building trust in the xz-utils project, eventually becoming a co-maintainer, before inserting a cryptographically gated backdoor into the release tarballs of versions 5.6.0 and 5.6.1. The payload hid inside binary test-fixture files and was extracted at build time by a malicious stage in m4/build-to-host.m4, present in the tarballs but not in the git tree, which linked a rogue object file into liblzma. Because Debian- and RPM-family distributions patch OpenSSH to link libsystemd, which in turn links liblzma, every sshd on the affected rolling and testing releases loaded the compromised library. At load time the backdoor abused liblzma's IFUNC resolvers to hook OpenSSL's RSA_public_decrypt; a client presenting a payload signed with the attacker's private Ed448 key, never made public, could have commands executed before authentication on any reachable host. Andres Freund discovered it on March 28–29, 2024, after noticing abnormal sshd CPU usage and login latency while benchmarking PostgreSQL.
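Two questions decided whether a host was exposed: does its sshd load liblzma at all (through the libsystemd patch described above), and is that liblzma from the 5.6.0/5.6.1 tarballs? The block below, an added example not taken from xz, OpenSSH or any distribution, answers both from ldd and version output, and it handles Debian's reverted package version string, 5.6.1+really5.4.5, which a naive version match would misreport as compromised. The sample ldd output is constructed; the `__main__` path runs the real commands when they exist.

```python
"""Exposure check for the XZ Utils (CVE-2024-3094) backdoor path.

Added example; not from the xz project, OpenSSH, or any distro. The parsers
take text so the block runs offline on the constructed samples below; the
__main__ block runs ldd and xz on the local host when available.
"""
from __future__ import annotations
import re
import shutil
import subprocess

BACKDOORED = {"5.6.0", "5.6.1"}
LDD_RE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)", re.M)
VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)")


def parse_ldd(output: str) -> dict[str, str]:
    """Map each resolved soname (e.g. 'liblzma.so.5') to its path."""
    return {m.group(1): m.group(2) for m in LDD_RE.finditer(output)}


def effective_version(version_text: str) -> str | None:
    """Extract the liblzma version actually built.

    Debian's emergency downgrade shipped as '5.6.1+really5.4.5-1': in that
    convention the version after 'really' is the real source, so prefer it.
    """
    if "really" in version_text:
        version_text = version_text.split("really", 1)[1]
    m = VERSION_RE.search(version_text)
    return m.group(1) if m else None


def assess_sshd(ldd_output: str, version_text: str) -> dict:
    libs = parse_ldd(ldd_output)
    links_systemd = any(k.startswith("libsystemd.so") for k in libs)
    links_lzma = any(k.startswith("liblzma.so") for k in libs)
    ver = effective_version(version_text)
    return {
        "links_libsystemd": links_systemd,
        "links_liblzma": links_lzma,
        "liblzma_path": next((p for k, p in libs.items() if k.startswith("liblzma.so")), None),
        "liblzma_version": ver,
        "exposed": links_lzma and ver in BACKDOORED,
    }


# Constructed sample outputs (not from a real host).
SAMPLE_LDD_DEBIAN = """\
	linux-vdso.so.1 (0x00007ffd8c5e4000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2d200000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c2d100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c2d0c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2ce00000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2d400000)
"""
SAMPLE_LDD_PLAIN = """\
	linux-vdso.so.1 (0x00007ffd8c5e4000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f1c2d200000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f1c2ce00000)
"""
SAMPLE_XZ_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_XZ_REVERT = "5.6.1+really5.4.5-1"

if __name__ == "__main__":
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    if shutil.which("ldd") and shutil.which("xz"):
        ldd = subprocess.run(["ldd", sshd], capture_output=True, text=True).stdout
        ver = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        print(assess_sshd(ldd, ver))
    else:
        print(assess_sshd(SAMPLE_LDD_DEBIAN, SAMPLE_XZ_BAD))
```

The xz command-line tool and the liblzma that sshd maps are usually the same package but need not be; the definitive check is the version of the package owning the path reported in `liblzma_path` (for example via `dpkg -S` or `rpm -qf`). A host that links libsystemd but whose liblzma is 5.4.x or earlier was never exposed to this payload, though the upstream advice to rebuild from a clean 5.4 release still applied to anyone who had installed the tainted tarballs.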