CYBER INCIDENT DATABASE
A curated record of major cyberattacks, state-sponsored operations, and critical infrastructure breaches — from Stuxnet to Salt Typhoon. Searchable by type, nation, and impact.
Total incidents: 58 · Critical impact: 33 · Nation-state: 40 · Ransomware: 10
// 2025
2025-03 · Espionage · USA (internal)
Signal Chat Leak — Houthi Strike Plans
National Security Advisor Waltz accidentally added The Atlantic editor to a Signal chat discussing imminent Houthi strike plans — a major OPSEC failure.
Impact: HIGH
Detail:
National Security Advisor Mike Waltz accidentally added The Atlantic's editor-in-chief Jeffrey Goldberg to a group chat labeled "Houthi PC small group" on Signal. The chat included SecDef Pete Hegseth sharing attack sequencing, weapons systems, and timing for US strikes in Yemen. Goldberg published the chat. The incident raised serious questions about government officials discussing classified operations on commercial messaging apps rather than secured government systems. Several cabinet members claimed the information was not classified.
Trump cabinet officials
US classified operations security
Tags: OPSEC, Signal, classified, Yemen, Houthi, accidental disclosure
2025-03 · Data Breach · Criminal
Oracle Cloud Data Breach
Threat actor claimed to breach Oracle Cloud SSO and LDAP, posting samples of 6M user records for sale — Oracle initially denied, then quietly confirmed.
Impact: HIGH
Detail:
A threat actor using the alias "rose87168" posted Oracle Cloud authentication data, LDAP entries, and customer SSO credentials on dark web forums, offering to sell data from 140,000+ tenants. Oracle initially denied any breach. Researchers and affected companies confirmed data authenticity. The attacker exploited a vulnerable Oracle login endpoint (login.us2.oraclecloud.com running Oracle Access Manager 11.1.2.3.230). Oracle later acknowledged a breach of a "legacy environment" without confirming details publicly.
rose87168
Oracle Cloud Infrastructure
6M records from 140,000+ tenants
Tags: Oracle, cloud, SSO, LDAP, denial, legacy system
2025-02 · Financial · North Korea
Bybit Exchange Hack — $1.5B
Lazarus Group stole $1.5B from Bybit in the largest single cryptocurrency heist in history — compromising a Safe multisig cold wallet.
Impact: CRITICAL
Detail:
Lazarus compromised a Safe{Wallet} developer's machine to inject malicious JavaScript into the Safe front-end served specifically to Bybit. When Bybit executed a routine transfer, the malicious UI showed the correct destination while the underlying transaction was manipulated to transfer $1.5B to attacker-controlled addresses. Bybit CEO Ben Zhou livestreamed the incident response. Lazarus laundered funds through THORChain. The US, UK, and Australia issued advisories. Total Lazarus crypto theft exceeds $6B lifetime.
Estimated Damage / Impact
$1.5B stolen
Lazarus Group
TraderTraitor
Bybit cryptocurrency exchange
Tags: cryptocurrency, Bybit, Safe multisig, supply chain, UI manipulation, TraderTraitor
2025-02 · Espionage · USA (internal)
DOGE Federal Data Access Controversy
DOGE operatives obtained broad access to federal payment systems, Social Security databases, and IRS records — sparking federal lawsuits and court injunctions.
Impact: HIGH
Detail:
Young DOGE engineers obtained root access to Treasury's Bureau of the Fiscal Service (controlling federal payments), SSA systems (60M beneficiary records), IRS databases (tax records for all Americans), and USAID systems. At least one DOGE staffer had a prior cybersecurity conviction. Federal judges issued temporary restraining orders. Multiple Inspector General offices opened investigations. Privacy advocates argued the access violated the Privacy Act. Career government security officials described the access as unprecedented and creating serious counterintelligence risks.
DOGE (Dept of Government Efficiency)
Elon Musk affiliates
Treasury BFS
SSA
IRS
USAID
HHS
federal employee data
Tags: government, insider threat, Treasury, SSA, IRS, privacy, court injunctions
// 2024
2024-12 · Espionage · China
US Treasury / Silk Typhoon
Chinese actors breached Treasury via a compromised BeyondTrust API key, accessing the OFAC sanctions office and unclassified documents.
Impact: HIGH
Detail:
Attackers exploited a zero-day in BeyondTrust remote support software and obtained an API key to access Treasury's cloud environment. They accessed workstations used by OFAC — the sanctions designations office — which is particularly sensitive given China's desire to understand impending sanctions targeting Chinese entities. Treasury Secretary Yellen was among individuals whose unclassified email may have been accessed.
Silk Typhoon
APT41 (linked)
US Department of the Treasury
OFAC
Office of Financial Research
Tags: Treasury, OFAC, sanctions, BeyondTrust, API key, zero-day
2024-09 · Espionage · China
Salt Typhoon / Telecom Wiretap
PRC compromised major US carriers' lawful intercept systems — wiretapping US government officials and reading law enforcement surveillance targets for months.
Impact: CRITICAL
Detail:
Salt Typhoon accessed CALEA-mandated lawful interception infrastructure — systems designed for government wiretap orders — inside AT&T, Verizon, and Lumen. They read metadata and content for calls involving senior US government officials including Trump and Harris campaign members. Critically, they accessed lists of individuals under US law enforcement surveillance, potentially exposing US intelligence sources and methods. FBI Director Wray called it "the most significant cyber espionage campaign in history." No carrier has confirmed full eviction.
Salt Typhoon
Earth Estries
AT&T
Verizon
T-Mobile
Lumen
US wiretap infrastructure
Tags: CALEA, wiretap, telecom, espionage, government officials, FISA
2024-04 · Data Breach · Criminal
Snowflake Cloud Breach
Info-stealer malware harvested credentials to Snowflake cloud data warehouses — 165 companies breached, 560M Ticketmaster records stolen.
Impact: CRITICAL
Detail:
Attackers used infostealer logs to find credentials for Snowflake accounts belonging to hundreds of companies. Snowflake had not enforced MFA. Ticketmaster (560M users), AT&T (nearly all US customers), Santander, and 163 other companies were breached. The attackers demanded ransoms. A Canadian national was arrested in cooperation with US law enforcement. AT&T paid a $370K ransom to delete stolen call records.
Estimated Damage / Impact
$370K ransom (AT&T); $500M+ claimed total damages
ShinyHunters
UNC5537
Ticketmaster
AT&T
Santander
Neiman Marcus
165 Snowflake customers
Tags: infostealer, cloud, Snowflake, no-MFA, credential stuffing, AT&T
2024-03 · Supply Chain · Unknown
XZ Utils Supply Chain Backdoor
An attacker operating as "Jia Tan" spent 2 years building trust as an open source maintainer, then inserted an SSH backdoor into XZ Utils — discovered by a Microsoft engineer by accident.
Impact: CRITICAL
Detail:
The attacker built a persona, "Jia Tan," over two years contributing quality code to XZ Utils while socially engineering the exhausted maintainer. The final payload, hidden in test files and activated only by a specific build toolchain, would have allowed remote code execution on millions of Linux servers via SSH. A Microsoft engineer noticed slightly elevated CPU usage in an unrelated performance test, preventing catastrophic compromise. The persona was assessed by researchers as likely a nation-state operation given the operational sophistication.
Jia Tan (JiaT75)
Linux distributions
SSH infrastructure globally
Tags: supply chain, open source, SSH, social engineering, Linux, persona
2024-02 · Ransomware · Criminal
Change Healthcare Ransomware
The largest healthcare cyberattack in US history disrupted prescription processing for 1 in 3 Americans for weeks. UHG paid $22M ransom.
Impact: CRITICAL
Detail:
Attackers gained access via a Citrix portal with no MFA. Change Healthcare processes 15B healthcare transactions annually — 40% of US health insurance claims. Pharmacies could not process prescriptions, hospitals couldn't verify coverage, providers couldn't get paid. UHG paid ALPHV $22M in ransom. ALPHV then exit-scammed its affiliate, who subsequently joined RansomHub and demanded additional payment — double extortion. Total records exposed: 100M Americans.
Estimated Damage / Impact
$22M ransom; $1.6B UHG losses Q1 2024; $100M in provider loans
ALPHV/BlackCat
RansomHub (follow-on)
Change Healthcare (UnitedHealth Group)
US healthcare system
Tags: healthcare, ransomware, Citrix, no-MFA, double extortion, prescription systems
2024-01 · Espionage · Russia
Midnight Blizzard / Microsoft
SVR accessed Microsoft senior executive email accounts for months, reading correspondence about SVR itself and extracting authentication secrets.
Impact: CRITICAL
Detail:
APT29 used password spraying against a legacy non-production test tenant account with no MFA. From there, they pivoted to access email accounts of Microsoft's senior leadership, cybersecurity, and legal teams. Critically, they accessed communications about what Microsoft knew of the SVR's own operations. The attackers also found authentication secrets (OAuth tokens, API keys) shared via email that enabled access to some customer systems. HPE disclosed a related breach by the same group.
APT29 (Midnight Blizzard / Cozy Bear)
SVR
Microsoft Corporate Email
US Government Agencies
Tags: SVR, password spray, legacy tenant, no-MFA, executive email, OAuth
2024-01 · Espionage · China
Volt Typhoon / KV-Botnet
PRC pre-positioned in US critical infrastructure for "at least 5 years" — CISA confirmed goal is disruption capability for conflict over Taiwan.
Impact: CRITICAL
Detail:
Volt Typhoon used living-off-the-land (LOTL) techniques — legitimate system tools like netsh, wmic, ntdsutil — to blend in with normal traffic. They built a covert relay network using compromised SOHO routers (Cisco, Netgear, ASUS) to proxy traffic, making attribution and blocking extremely difficult. CISA, the FBI, and the NSA issued a joint advisory warning that the pre-positioning was not intelligence collection but preparation to "disrupt or destroy critical infrastructure" in the event of a US-China conflict.
Volt Typhoon
Bronze Silhouette
US critical infrastructure
power grid
water
communications
Guam military
Tags: living-off-the-land, critical infrastructure, pre-positioning, Taiwan, SOHO routers, LOTL
2024-01 · Espionage · China
Ivanti VPN Zero-Day Cascade
Authentication bypass + command injection in Ivanti VPN appliances exploited by multiple nation-state actors before patches were available.
Impact: HIGH
Detail:
CVE-2024-21887 (command injection) and CVE-2023-46805 (auth bypass) were chained to achieve unauthenticated remote code execution on Ivanti Connect Secure (formerly Pulse Secure). CISA itself was forced to take its own Ivanti-connected systems offline. The Cybersecurity and Infrastructure Security Agency — the US government's cybersecurity authority — being compromised via the same vulnerability class it warned others about was symbolically significant. Multiple APT groups exploited the chain simultaneously.
UTA0178
Volt Typhoon
multiple APTs
Government agencies
defense sector
Ivanti Connect Secure customers globally
Tags: VPN, auth bypass, command injection, zero-day, government, CISA
// 2023
2023-09 · Ransomware · Criminal
MGM / Caesars — Scattered Spider
Social engineering attack crippled MGM's Las Vegas casino operations for 10 days; Caesars quietly paid $15M ransom.
Impact: HIGH
Detail:
Scattered Spider (suspected US/UK teenagers) found an MGM IT employee on LinkedIn, then called the help desk impersonating them to reset credentials. Within 10 minutes of help desk contact, they were inside. MGM refused to pay ransom and shut down critical systems, taking down hotel check-ins, slot machines, digital room keys, and ATMs across multiple properties for 10 days. Caesars paid approximately $15M of a $30M ransom demand. Five US citizens were indicted.
Estimated Damage / Impact
$100M+ for MGM; $15M ransom for Caesars
Scattered Spider
ALPHV/BlackCat
MGM Resorts International
Caesars Entertainment
Tags: social engineering, vishing, casino, Scattered Spider, helpdesk
2023-08 · Espionage · Russia
Midnight Blizzard / Teams Phishing
SVR created Microsoft Teams accounts mimicking IT support to conduct social engineering phishing against government targets.
Impact: HIGH
Detail:
Midnight Blizzard created Microsoft 365 tenants with IT support-themed display names (e.g., "Microsoft Identity Protection") and initiated Teams chats with targets, convincing them to approve MFA prompts. The technique exploited legitimate cross-tenant communication features in Teams. Approximately 40 organizations globally were targeted, including government agencies in the US and EU. Microsoft later imposed restrictions on external Teams communication in response.
APT29 (Midnight Blizzard)
~40 organizations
government agencies
NGOs
IT companies
Tags: Teams, social engineering, MFA phishing, cross-tenant, SVR, government
2023-07 · Espionage · China
Storm-0558 / State Dept Email
Chinese actors forged Microsoft authentication tokens to access State Department email — including Commerce Secretary Raimondo's account.
Impact: HIGH
Detail:
Storm-0558 acquired a Microsoft account signing key through an unknown method and used it to forge authentication tokens for Microsoft's cloud email service. This gave access to ~25 organizations including the US State Department. Commerce Secretary Gina Raimondo's email — she oversees export controls on Chinese tech — was specifically accessed. The breach was discovered by State Department security teams who noticed unusual access patterns. The cryptographic signing key should have been isolated and protected — how it was obtained remains a Microsoft security failure under investigation.
Storm-0558
US State Department
US Commerce Secretary
25 organizations
Tags: email, forged tokens, State Department, signing key, cloud, Commerce Secretary
2023-05 · Ransomware · Criminal
MOVEit Transfer / Cl0p
SQL injection zero-day in MOVEit file transfer software breached 2,600+ organizations, compromising 77M+ individuals — largest breach of 2023.
Impact: CRITICAL
Detail:
Cl0p mass-exploited CVE-2023-34362, a SQL injection vulnerability in MOVEit Transfer. The group had likely stockpiled the zero-day for months, deploying it simultaneously against hundreds of targets over Memorial Day weekend. Unlike typical ransomware, Cl0p focused exclusively on data exfiltration and extortion without encryption. US federal agencies including the Department of Energy and CDPH were hit. The hack ultimately affected 77M+ people.
Estimated Damage / Impact
$10B+ estimated economic impact
Cl0p
TA505
2,600+ organizations
US federal agencies
Shell
BBC
BA
Zellis
Tags: zero-day, SQL injection, Cl0p, file transfer, mass exploitation
// 2022
2022-10 · Data Breach · Criminal
Medibank Breach (Australia)
Stolen credentials exposed sensitive health data for 9.7M Australians including HIV diagnoses, mental health records, and drug treatment data.
Impact: HIGH
Detail:
Attackers obtained credentials from an IT contractor's machine. Medibank refused to pay ransom. Attackers released health claim data including mental health, drug abuse, and HIV treatment records on the dark web in batches. The breach drove Australia to significantly increase its cyber investment and cooperation with Five Eyes partners. Australian Federal Police later attributed the attack to Russian nationals. Following Optus (11M records) and Medibank breaches, Australia raised maximum fines for data breaches to $50M AUD.
REvil-linked
Russian cybercriminals
Medibank Private
9.7M Australians
Tags: healthcare, credential theft, extortion, Australia, sensitive health data
2022-09 · Data Breach · Criminal
Uber Breach (Lapsus$)
Teen hackers used MFA fatigue attack to fully compromise Uber's internal systems, including VPN, Slack, AWS, and Google Workspace.
Impact: HIGH
Detail:
Attackers purchased employee credentials from a dark web broker, then bombarded the employee with MFA push notifications until they accepted. Once inside, they discovered a PowerShell script containing hardcoded admin credentials to Uber's PAM solution, giving total access. The attacker announced the breach in Uber's own Slack. An 18-year-old British national was later arrested. Uber's former CSO Joe Sullivan was also facing federal charges for covering up a 2016 breach.
Lapsus$
Scattered Spider (related)
Uber Technologies
Tags: MFA fatigue, Lapsus$, social engineering, privileged access, teens
2022-08 · Data Breach · Criminal
LastPass Breach
Attackers stole encrypted password vaults for 33M users plus decryption metadata — enabling offline brute-force of master passwords.
Impact: CRITICAL
Detail:
A two-stage attack first stole source code and technical information, then used that to target a DevOps engineer's home system to steal credentials to an AWS S3 bucket containing customer vault exports. The exported vaults contained URLs in plaintext and passwords encrypted with AES-256. LastPass's 2022 communications were widely criticized for downplaying the severity. Subsequent $35M crypto thefts were linked to cracked LastPass vaults.
Unknown
LastPass
33M users
Tags: password manager, vault, crypto theft, supply chain, developer targeting
2022-08 · Financial · North Korea
DPRK Crypto Mixer Sanction
OFAC sanctioned Tornado Cash cryptocurrency mixer used by Lazarus Group to launder $455M — first sanction of decentralized code.
Impact: HIGH
Detail:
OFAC designated Tornado Cash and its associated addresses, alleging it was used by Lazarus Group to launder $455M from the Ronin hack and hundreds of millions more. The sanction of an open-source smart contract protocol (rather than a company) was legally controversial. Two Tornado Cash developers were arrested in the Netherlands and US. The action signaled US intent to pursue crypto laundering infrastructure regardless of its decentralized nature.
Lazarus Group
Blender.io
Tornado Cash
Tornado Cash ($7B laundered)
Blender.io
Tags: cryptocurrency, money laundering, Tornado Cash, sanctions, decentralized, OFAC
2022-04 · Ransomware · Criminal
Conti vs. Costa Rica
Conti ransomware forced Costa Rica to declare a national emergency — first nation to do so due to a ransomware attack.
Impact: HIGH
Detail:
Conti attacked multiple Costa Rican government agencies simultaneously, crippling the Ministry of Finance's tax and customs system for weeks and disrupting $200M+ in daily trade. President Chaves declared a national emergency immediately upon taking office. Conti subsequently attacked Costa Rica's Social Security Fund (CCSS), taking down its HR systems. Conti threatened to overthrow the government. The group disbanded weeks later and is believed to have rebranded after the post-Ukraine data leak.
Estimated Damage / Impact
$30M+ direct damages
Conti
Costa Rica government
Ministry of Finance
CCSS
Tags: ransomware, government, national emergency, Conti, Central America
2022-03 · Financial · North Korea
Lazarus Crypto Heists (Cumulative)
North Korea stole $3B+ in cryptocurrency 2016-2024 to fund its weapons programs — UN estimates crypto theft funds 40% of NK missile program.
Impact: CRITICAL
Detail:
The Lazarus Group pivoted heavily to cryptocurrency theft after 2018, developing specialized capabilities including trojanized crypto wallets and fake job applications. The Ronin Network hack ($625M) in March 2022 — the largest single crypto theft — was conducted by compromising 5 of 9 validator nodes. UN Panel of Experts assessed North Korea stole $3B in crypto 2017-2023. The February 2025 Bybit hack ($1.5B) by Lazarus was the largest single crypto heist in history.
Estimated Damage / Impact
$3B+ cumulative; $1.5B Bybit alone
Lazarus Group
AppleJeus
BlueNorOff
Ronin Network ($625M)
Harmony Horizon ($100M)
Bybit ($1.5B)
Tags: cryptocurrency, DeFi, Lazarus, Ronin, Bybit, UN sanctions evasion
2022-02 · Destructive · Russia
Russia-Ukraine Cyber War (2022)
Russia launched the most intensive sustained cyberwar campaign in history concurrent with the physical invasion — wiper malware, DDoS, and satellite attacks.
Impact: CRITICAL
Detail:
Hours before the February 24 invasion, Russia deployed AcidRain wiper against Viasat KA-SAT satellite modems, disabling Ukrainian military communications and thousands of European wind turbines. WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper were deployed in waves against Ukrainian infrastructure. Microsoft's Digital Crimes Unit provided unprecedented real-time intelligence sharing. Despite massive Russian cyber effort, Ukraine's cyber resilience surprised analysts — largely attributed to pre-war cooperation with US/EU cyber agencies.
Sandworm
APT28
Gamaredon
GRU
Killnet
Ukraine government
Ukrainian banks
Viasat
media, energy, transport
Tags: wiper, war, Viasat, satellite, HermeticWiper, hybrid warfare
// 2021
2021-12 · Espionage · Multiple
Log4Shell (Log4j)
Remote code execution zero-day in the ubiquitous Log4j library — CISA called it the most serious vulnerability in a decade.
Impact: CRITICAL
Detail:
CVE-2021-44228 allowed unauthenticated remote code execution via a single malicious string in any logged field. Log4j is embedded in hundreds of thousands of products from Apple iCloud to Twitter to AWS services. CISA Director Jen Easterly called it "the most serious vulnerability I have seen in my decades-long career." Nation-state actors from China, Iran, North Korea, and Russia all began exploitation within 24 hours of disclosure. Belgian Defense Ministry was among the first government victims.
APT41
APT10
Conti
Lazarus Group
multiple state and criminal actors
Virtually every Java-based application globally
Tags: RCE, zero-day, Java, ubiquitous library, supply chain
2021-10 · Destructive · Iran
Iran-Israel Cyber Conflict
Sustained cyber operations between Iran and Israel escalated to attacks on civilian infrastructure — hospitals, water systems, and financial firms.
Impact: HIGH
Detail:
The Iran-Israel shadow cyber conflict intensified post-2020. Iran's Agrius group (Sandworm-linked) deployed Fantasy and Apostle wipers against Israeli logistics and insurance firms. Israeli cyber operations reportedly disrupted Iranian gas stations (October 2021) and the Shahid Rajaee port. Iranian actors later hit Israeli hospital systems and the Shirbit insurance company, leaking sensitive data. The conflict represents sustained gray-zone cyber warfare below the threshold of open conflict.
MuddyWater
APT33
Agrius
Israeli hospitals
insurance companies
logistics firms
Shirbit
Tags: wiper, Agrius, Middle East, hospitals, gray-zone, mutual attacks
2021-08 · Ransomware · Multiple
HAFNIUM ProxyShell (2021)
A second wave of Exchange vulnerabilities (ProxyShell) enabled ransomware groups to exploit the same server class within weeks of disclosure.
Impact: HIGH
Detail:
ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) built on ProxyLogon's architecture. Security researcher Orange Tsai demonstrated the chain at Black Hat 2021. Within days, ransomware operators began mass scanning and exploitation. LockFile ransomware appeared specifically targeting Exchange servers. The rapid ransomware follow-on to vulnerability disclosures became a recognized pattern that defenders needed to prioritize patch timelines around.
LockFile
Conti
Squirrelwaffle
BlackByte
Exchange Servers globally
Tags: Exchange, ProxyShell, ransomware, mass exploitation, patch timing
2021-07 · Ransomware · Criminal
Kaseya VSA / REvil
Supply chain ransomware attack via MSP software compromised 1,500 businesses simultaneously — REvil demanded $70M universal decryptor.
Impact: CRITICAL
Detail:
REvil exploited a zero-day in Kaseya VSA (remote monitoring software used by MSPs) to push ransomware to all managed endpoints simultaneously. The attack launched hours before the July 4th US holiday weekend. 1,500 businesses in 17 countries were encrypted, including Swedish grocery chain Coop (which closed 800 stores). REvil demanded $70M for a universal decryptor. Days after the attack, REvil's infrastructure went dark — believed to be US/RU law enforcement pressure.
Estimated Damage / Impact
$70M demanded; $100M+ in damages
REvil
Sodinokibi
Kaseya VSA
1,500 downstream businesses
Managed Service Providers
Tags: supply chain, MSP, REvil, zero-day, holiday weekend
2021-05 · Ransomware · Criminal
Colonial Pipeline Ransomware
Ransomware attack on the largest US fuel pipeline caused a week-long shutdown, triggering gas shortages across the US Southeast.
Impact: CRITICAL
Detail:
DarkSide gained access via a compromised VPN password (no MFA). Colonial preemptively shut down the pipeline — the OT network itself was not directly attacked. The shutdown of 5,500 miles of pipeline (45% of East Coast fuel supply) caused gas shortages in 12 states, panic buying, and a spike in fuel prices. Colonial paid a $4.4M ransom within hours. DOJ recovered $2.3M of the payment by seizing the crypto wallet's private key. Biden declared a national emergency.
Estimated Damage / Impact
$4.4M ransom; $100M+ economic impact
DarkSide
Colonial Pipeline
Tags: ransomware, energy, critical infrastructure, DarkSide, VPN, no-MFA
2021-02 · Destructive · Unknown
Oldsmar Water Treatment Attack
Hacker remotely accessed Florida water plant controls and raised sodium hydroxide to 111x the safe level — caught by an alert operator.
Impact: HIGH
Detail:
An attacker accessed the Oldsmar water treatment plant's HMI via remote desktop software (TeamViewer). The attacker moved the sodium hydroxide (lye) dosing setpoint from 111 parts per million to 11,100 ppm — a potentially lethal level. An operator watching the screen noticed the cursor moving and reversed the change within seconds. Investigation found the plant used a 32-bit Windows 7 workstation (EOL since 2020), had shared TeamViewer credentials, and no firewall between IT and OT networks.
Unknown
Oldsmar Florida Water Treatment Plant
Tags: water, OT, critical infrastructure, TeamViewer, remote access, near-miss
2021-01 · Espionage · China
HAFNIUM / Exchange ProxyLogon
Four Exchange zero-days exploited by Chinese actors, then mass-exploited by multiple APTs — compromising 250,000+ servers before patching.
Impact: CRITICAL
Detail:
HAFNIUM initially used four chained zero-days (ProxyLogon: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) to access on-premise Exchange servers and install web shells. Microsoft's patch release on March 2 triggered a feeding frenzy — at least 10 different threat actor groups began mass exploitation within hours. At peak, 30,000 US organizations were compromised in a single day. CISA issued Emergency Directive 21-02. Ransomware groups followed weeks later.
HAFNIUM
APT41
Tick
LuckyMouse
Microsoft Exchange Servers
250,000+ organizations globally
Tags: zero-day, Exchange, ProxyLogon, web shell, email server
2021-01 · Destructive · Criminal
Emotet Botnet Takedown
Europol-led operation seized Emotet's infrastructure across Europe, deploying a self-destruct update to infected machines worldwide.
Impact: HIGH
Detail:
Emotet was the world's most dangerous malware botnet — a spam/dropper service that delivered TrickBot, QBot, and ransomware to millions of machines. Operation LADYBIRD involved authorities from the Netherlands, Germany, US, UK, France, Lithuania, Canada, and Ukraine. They seized 700+ C2 servers and deployed a benign "Emotet.dll" update to all infected systems that uninstalled the malware on April 25, 2021. Emotet later resurfaced in November 2021.
TA542
Mealybug
Emotet infrastructure (8 countries)
Tags: botnet, Europol, law enforcement, takedown, dropper, TrickBot
// 2020
2020-12 · Espionage · Russia
SolarWinds Orion Hack
FireEye discovered the intrusion after SVR stole its red team tools — the investigation spiraled into the discovery of the SolarWinds Orion supply chain compromise.
Impact: CRITICAL
Detail:
FireEye noticed unusual access patterns and reported the theft of their red team toolkit to FBI. Investigation revealed they were a victim of the SolarWinds Orion backdoor. FireEye shared 300+ countermeasures publicly and with the government. President Biden later imposed sanctions on Russia and expelled 10 diplomats. SolarWinds CEO testified to Congress. The campaign is considered the broadest and most sophisticated Russian cyber espionage campaign ever conducted against the US.
APT29
SVR
FireEye
US CISA
US Treasury
US State Dept
Tags: SVR, FireEye, red team tools, espionage, government, sanctions response
2020-10 · Supply Chain · Russia
SolarWinds / SUNBURST
SVR compromised SolarWinds build pipeline to distribute backdoored Orion updates to 18,000 customers including US government agencies.
Impact: CRITICAL
Detail:
APT29 accessed SolarWinds' build environment and inserted SUNBURST malware into the Orion IT monitoring software update pipeline. The backdoor lay dormant for 14 days post-installation before activating, used domain generation algorithms and traffic blending to evade detection, and had a hard-coded kill switch for Kaspersky installations. Approximately 100 companies and 9 US government agencies were deeply compromised. Discovered by FireEye after noticing their own red team tools were stolen.
APT29 (Cozy Bear)
SVR
SolarWinds
US Treasury
CISA
NSA
DOJ
18,000+ organizations
Tags: supply chain, build pipeline, Orion, SVR, government, SUNBURST
2020-09 · Ransomware · Criminal
Düsseldorf Hospital Ransomware
First potential ransomware-linked patient death — with hospital systems down, an ambulance was diverted and the patient died during rerouting.
Impact: HIGH
Detail:
DoppelPaymer ransomware (later determined to have targeted Düsseldorf University rather than the hospital) encrypted 30 servers. The hospital was unable to admit emergency cases. A patient requiring urgent care was rerouted to a hospital 30km away and died. German prosecutors opened a negligent homicide investigation — believed to be the first ransomware-related homicide investigation. The attackers provided the decryption key without ransom when informed that a hospital had been hit.
Suspected DoppelPaymer
University Hospital Düsseldorf
patient in emergency
Tags: healthcare, patient death, ransomware, hospital diversion, Germany, negligent homicide
2020-07 · Financial · Criminal
Twitter Bitcoin Scam Hack
Teenagers social engineered Twitter employees to access internal admin tools, taking over verified accounts to run a $120K Bitcoin scam.
Impact: HIGH
Detail:
Attackers called Twitter employees pretending to be IT support, convincing them to provide credentials to internal tools. They then used the admin panel to take over high-profile verified accounts — including Barack Obama, Joe Biden, Elon Musk, and Apple — to post Bitcoin scam links. $120K was collected before Twitter froze all verified accounts from tweeting for hours. The 17-year-old mastermind (Graham Clark) was sentenced to three years in a juvenile facility.
Estimated Damage / Impact
$120K stolen
Graham Ivan Clark
Mason John Sheppard
Twitter
Biden, Obama, Musk, Gates, Apple, Coinbase (accounts)
Tags: social engineering, vishing, Twitter, admin panel, teenager, cryptocurrency
2020-07 · Espionage · Russia
APT29 COVID Vaccine Espionage
SVR targeted COVID-19 vaccine researchers in the UK, Canada, and US to steal vaccine data during the global race.
Impact: HIGH
Detail:
The UK NCSC, Canadian CSE, and US NSA/CISA issued a joint advisory attributing attacks on vaccine development organizations to APT29. Tactics included spearphishing, custom malware (WellMess, WellMail), and exploitation of Citrix, Pulse Secure, and Fortinet VPN vulnerabilities. The Russian government denied involvement. The theft was assessed as seeking to obtain vaccine data before Russia's own Sputnik V development succeeded.
APT29 (Cozy Bear)
SVR
AstraZeneca
Oxford University
Canadian NRCC
UK NCSC agencies
Tags: COVID-19, vaccine, espionage, SVR, biotech, joint advisory
2020-03 · Influence · Russia / Belarus
Ghostwriter / Influence Ops Ukraine
Multi-year Russian/Belarusian influence operation fabricated quotes from European officials and hacked government websites to spread disinformation.
Impact: HIGH
Detail:
Ghostwriter compromised government and media websites to publish fabricated articles attributed to real officials, including fake quotes from NATO military commanders about withdrawing troops. The operation predated the 2022 invasion and focused on undermining support for NATO and EU in Eastern Europe. Mandiant attributed the operation to Belarus's GRU-linked cyber actors. Operations intensified significantly in the weeks before the February 2022 invasion.
GRU
UNC1151 (Ghostwriter)
Belarus State Security
European public opinion
Ukraine, Poland, Lithuania, Latvia governments
Tags: influence operation, disinformation, NATO, GRU, website defacement, fabrication
// 2018
2018-09 · Espionage · China
Marriott Breach
Chinese intelligence accessed Starwood's reservation system for 4 years after the Marriott acquisition, collecting travel data on 500M guests.
Impact: CRITICAL
Detail:
The breach began in 2014 in Starwood's network, two years before Marriott acquired Starwood. Despite standard acquisition due diligence, the backdoor was not found. Marriott inherited it. Exposed data included passport numbers, travel dates, arrival/departure, and payment card information — a counterintelligence goldmine for tracking government and military personnel travel patterns. UK's ICO fined Marriott £18.4M. The US formally attributed the hack to China's Ministry of State Security in 2020.
Estimated Damage / Impact
$126M+ in fines and remediation
APT40
Hainan State Security
Marriott International / Starwood
500M guests
espionage, hotel, travel data, MSS, M&A, passport numbers
// 2017
2017-08 · Destructive · Russia
TRITON / TRISIS
First malware designed to attack safety instrumented systems — intended to disable safety systems and cause a catastrophic industrial explosion.
CRITICAL
TRITON targeted Triconex Safety Instrumented System (SIS) controllers, which are the last line of defense against catastrophic industrial accidents. Attackers spent two years in the network before deploying TRITON. A programming error caused the SIS to trip into safe mode, alerting operators and preventing what would have been a catastrophic explosion. FireEye later linked the malware development to the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government research institute.
TEMP.Veles
CISA TEMP.Veles
Sandworm-linked
Saudi Aramco Petro Rabigh
Schneider Electric Triconex SIS
ICS/SCADA, safety systems, energy, SIS, potential mass casualties
2017-06 · Destructive · Russia
NotPetya
Destructive cyberweapon disguised as ransomware caused $10B in global damage — the costliest cyberattack in history.
CRITICAL
NotPetya was distributed via a trojanized update to M.E.Doc, Ukrainian accounting software used by 80% of businesses operating in Ukraine. Unlike ransomware, it had no functional payment mechanism — decryption was impossible. It spread globally via EternalBlue, credential harvesting (Mimikatz), and legitimate Windows admin tools. Maersk lost 45,000 PCs and 4,000 servers and reinstalled its entire global IT infrastructure in 10 days. The US, UK, EU, and Australia formally attributed the attack to the GRU.
Estimated Damage / Impact
$10B+ global
Sandworm
GRU Unit 74455
Maersk
Merck
FedEx/TNT
Mondelez
Ukraine critical infrastructure
wiper, EternalBlue, Mimikatz, supply chain, Ukraine, shipping
2017-05 · Ransomware · North Korea
WannaCry Ransomware
Self-propagating ransomware using stolen NSA EternalBlue exploit spread to 200,000+ systems in 150 countries within hours.
CRITICAL
WannaCry used EternalBlue (MS17-010) — a stolen NSA exploit leaked by Shadow Brokers — to spread without user interaction across unpatched Windows systems. The UK NHS was hardest hit, canceling 19,000 appointments and diverting ambulances. A "kill switch" domain registered by security researcher Marcus Hutchins halted propagation within 24 hours. Microsoft had released a patch (MS17-010) two months prior, but millions of systems remained unpatched.
Estimated Damage / Impact
$4-8B estimated global damage
Lazarus Group
NHS UK
FedEx
Deutsche Bahn
200,000+ organizations in 150 countries
EternalBlue, SMB, NHS, worm, NSA tools, kill switch
2017-05 · Data Breach · China
Equifax Data Breach
Unpatched Apache Struts vulnerability exposed SSNs, birth dates, and credit data for 147M Americans. Four PLA officers indicted.
CRITICAL
Attackers exploited CVE-2017-5638 in Apache Struts — a publicly known vulnerability with a patch available for two months. Equifax's security team failed to patch the system. Attackers ran 9,000 SQL queries over 76 days, exfiltrating data in 30 separate encrypted archives. Equifax's security monitoring certificate had expired 19 months prior, blinding their detection systems. DOJ indicted four members of the PLA's 54th Research Institute.
Estimated Damage / Impact
$1.38B total settlements
APT10
PLA 54th Research Institute
Equifax
147M Americans
Apache Struts, unpatched vulnerability, PII, PLA, credit bureau
2017-05 · Ransomware · North Korea
NHS WannaCry Impact
WannaCry paralyzed a third of UK NHS trusts — 19,000 appointments canceled including cancer treatments; ambulances diverted.
HIGH
NHS ran Windows XP on many systems — an OS that Microsoft had stopped supporting in 2014. NHS Digital had warned trusts months earlier about the vulnerability, but many failed to patch. 80 out of 236 NHS Trusts were infected. 19,000 appointments and operations were canceled. Ambulances were diverted away from hospitals. Emergency patients were turned away. A UK government investigation found the NHS had ignored critical security warnings for years.
Estimated Damage / Impact
$100M NHS losses
Lazarus Group
National Health Service UK
81 health trusts
NHS, healthcare, Windows XP, unpatched, EternalBlue, cancelled surgeries
// 2016
2016-12 · Destructive · Russia
Industroyer / Crash Override
Second Ukraine power grid attack using Industroyer — purpose-built ICS malware capable of speaking native grid protocols.
HIGH
Industroyer (also known as Crash Override) was the first malware since Stuxnet designed to directly attack power grids. Unlike Stuxnet, which targeted PLCs, Industroyer spoke native ICS protocols (IEC 101, IEC 104, IEC 61850, OPC DA), allowing direct interaction with substation equipment. A fifth component targeted safety systems. The attack caused a 1-hour blackout in northern Kiev affecting ~200,000 people. ESET and Dragos jointly discovered and analyzed the malware.
Sandworm
Ukraine Ukrenergo power grid
Kiev transmission
ICS, Industroyer, power grid, IEC 104, native protocol, Kiev
2016-10 · Destructive · Criminal
Mirai Botnet / Dyn DDoS
IoT botnet of 600,000+ devices took down major DNS infrastructure, making large swaths of the US internet unreachable for hours.
HIGH
Three college students built Mirai to target Minecraft servers, then released the source code publicly. The October 21 Dyn attack reached 1.2 Tbps — the largest DDoS ever recorded at the time. Mirai compromised IoT devices (cameras, DVRs, routers) by scanning for default credentials. The public release of the source code spawned dozens of Mirai variants still in use today.
Paras Jha
Josiah White
Dalton Norman
Dyn DNS
Twitter, Netflix, Reddit, Spotify
DDoS, IoT, botnet, DNS, default credentials
2016-03 · Influence · Russia
DNC Hack / Operation Grizzly Steppe
Russian intelligence hacked the DNC and Clinton campaign, releasing documents via WikiLeaks to influence the 2016 US presidential election.
CRITICAL
Both GRU (APT28) and SVR (APT29) independently penetrated DNC networks. APT29 entered first in 2015 via spearphishing. APT28 followed in March 2016. GRU officers (later indicted) created the personas "Guccifer 2.0" and DCLeaks to distribute stolen documents. WikiLeaks coordinated release timing to maximize electoral impact. The Mueller investigation indicted 12 GRU officers by name for this operation.
APT28 (Fancy Bear)
APT29 (Cozy Bear)
Democratic National Committee
John Podesta
DCCC
influence operation, election interference, GRU, SVR, WikiLeaks
2016-02 · Financial · North Korea
Bangladesh Bank SWIFT Heist
North Korea attempted to steal $951M from Bangladesh's central bank via fraudulent SWIFT messages — $81M reached criminal accounts.
CRITICAL
APT38 spent nearly a year inside Bangladesh Bank's network, studying SWIFT messaging patterns and operator behavior. They submitted 35 fraudulent transfer requests through the Fed's legitimate SWIFT terminal late on a Thursday. A $951M theft was prevented only by a typographical error ("fandation" instead of "foundation") that triggered a manual review. $81M reached accounts in the Philippines and was largely laundered through casinos.
Estimated Damage / Impact
$81M stolen
Lazarus Group
APT38
Bangladesh Bank
Federal Reserve Bank of New York
SWIFT, financial theft, central bank, APT38, money laundering
2016-01 · Espionage · China
Operation Cloud Hopper (APT10)
APT10 systematically compromised MSPs to pivot into their clients' networks — achieving multi-sector espionage via a single entry point.
CRITICAL
Cloud Hopper targeted MSPs as a force multiplier — compromising one provider gave access to dozens of clients. APT10 stole hundreds of gigabytes of intellectual property from aviation, satellite, pharma, oil & gas, and government clients. The US, UK, Australia, Canada, Japan, and EU jointly attributed the operation to China's Ministry of State Security (Tianjin Bureau). The operation persisted for at least three years before being publicly exposed.
APT10
Stone Panda
menuPass
Managed Service Providers globally
45+ companies in 12 countries
MSP, supply chain, APT10, IP theft, multi-sector, Five Eyes attribution
// 2015
2015-12 · Destructive · Russia
Ukraine Power Grid Attack
First confirmed cyberattack to cause power outages — 230,000 Ukrainians lost electricity for up to 6 hours.
HIGH
Sandworm used spearphishing to deliver BlackEnergy malware months before the attack. On December 23, attackers simultaneously opened breakers at multiple substations, launched a telephone denial-of-service against the utility's call center to slow response, and deployed KillDisk to wipe operator workstations. A follow-on attack in December 2016 used Industroyer/Crash Override malware targeting the Kiev transmission grid.
Sandworm
APT28
Prykarpattya Oblenergo
Ukrainian power distribution
ICS/SCADA, power grid, BlackEnergy, KillDisk, critical infrastructure
2015-04 · Espionage · China
OPM Hack
Theft of 21.5M security clearance background investigation files — the most significant US government data breach ever recorded.
CRITICAL
Attackers accessed OPM networks for over a year. They stole Standard Form 86 records containing deeply personal information: foreign contacts, mental health history, drug use, financial data, and fingerprints for 5.6M cleared individuals. The SF-86 data is considered a goldmine for foreign intelligence services to recruit, blackmail, or identify undercover officers. DIA later attributed the burning of foreign contacts to this breach.
APT41
Deep Panda
Office of Personnel Management
US federal employees
espionage, clearances, SF-86, counterintelligence, fingerprints
2015-01 · Espionage · China
Anthem Health Breach
Nation-state actors stole 78.8M healthcare records — the largest healthcare breach in US history until Change Healthcare (2024).
CRITICAL
Attackers gained access via a spearphishing email to a system administrator. Anthem stored all data unencrypted — industry-standard "encrypt at rest" practices were not followed. Stolen records contained SSNs, employment data, income data, names, addresses, and birthdays. DOJ later indicted a Chinese national linked to the breach. The data was assessed as primarily valuable for counterintelligence purposes — identifying intelligence community employees enrolled in Anthem plans — rather than for financial fraud.
Estimated Damage / Impact
$115M settlement; largest healthcare settlement ever
Deep Panda
APT19
Anthem Inc.
78.8M Americans
healthcare, espionage, PII, unencrypted data, counterintelligence
// 2014
2014-11 · Destructive · North Korea
Sony Pictures Hack
Destructive wiper attack combined with massive data leak in retaliation for the film "The Interview" — forced Sony to withdraw the movie.
CRITICAL
Lazarus Group deployed the WhiskeyBravo wiper alongside a massive exfiltration of 100TB of data including unreleased films, executive emails, employee Social Security numbers, and salary data. The hackers threatened theaters showing "The Interview," causing Sony to briefly cancel the release. The Obama administration publicly attributed the attack to North Korea — a rare formal attribution — and imposed sanctions.
Estimated Damage / Impact
$100M+ estimated
Lazarus Group
GOP (Guardians of Peace)
Sony Pictures Entertainment
wiper, film industry, retaliation, data leak, attribution
// 2013
2013-11 · Data Breach · Criminal
Target Retail Breach
POS malware, installed using credentials stolen from a third-party HVAC vendor, compromised 40M credit cards and 70M customer records.
HIGH
Attackers infiltrated Target's network through credentials stolen from an HVAC subcontractor. They installed BlackPOS malware on point-of-sale systems across 1,797 stores. The breach ran undetected for three weeks during the holiday shopping season. Target's security monitoring tools flagged the activity, but the alerts were not escalated. The CEO and CIO resigned following congressional hearings.
Estimated Damage / Impact
$202M total losses
Rescator
Eastern European cybercriminals
Target Corporation
110M customers
POS malware, supply chain, retail, credit cards, third-party access
2013-08 · Data Breach · Criminal / Russia
Yahoo! Mega Breach
Two FSB officers directed criminal hackers to breach Yahoo — accessing 3 billion accounts, the largest data breach in history.
CRITICAL
The breach occurred in 2013-2014 but was not disclosed until 2016-17. Initially reported as 500M accounts, it was revised to encompass all 3 billion Yahoo accounts. DOJ indicted two FSB officers (Baratov and Belan) in 2017 — the first US indictment of Russian government intelligence officers for hacking. The FSB used criminal hackers as contractors. The breach impacted Verizon's $4.8B acquisition of Yahoo, reducing the price by $350M.
Estimated Damage / Impact
$350M Verizon acquisition price reduction
Alexsey Belan
FSB Officers Dokuchaev & Sushchin
Yahoo! Inc.
3 billion accounts
FSB, state-criminal nexus, data breach, largest ever, account takeover
// 2012
2012-08 · Destructive · Iran
Shamoon / Disttrack
Disk-wiping malware destroyed 35,000 workstations at Saudi Aramco — the world's most valuable company — rendering them inoperable.
CRITICAL
Shamoon overwrote the master boot record and replaced files with an image of a burning US flag. Saudi Aramco was forced to disconnect from the internet for over a week and resorted to buying hard drives from neighboring countries. The attack is considered one of the most destructive cyberattacks in history. A follow-on Shamoon 2 campaign targeted Saudi government agencies in 2016.
APT33
Cutting Sword of Justice
Saudi Aramco
RasGas
wiper, energy sector, MBR, Gulf, Shamoon 2
// 2011
2011-03 · Espionage · China
RSA SecurID Breach
Theft of RSA's SecurID seed records enabled follow-on attacks against Lockheed Martin, Northrop Grumman, and L-3 Communications.
CRITICAL
Attackers sent a phishing email with an embedded Flash zero-day to RSA employees. The breach extracted seed records for tens of millions of SecurID tokens — the core authentication secret. Months later, attackers used forged tokens to breach Lockheed Martin's network. RSA spent $66M on remediation and replaced tokens for government and defense clients.
Estimated Damage / Impact
$66M+ remediation
APT1
Comment Crew
RSA Security
US Defense Contractors
phishing, supply chain, two-factor auth, defense contractors
// 2010
2010-06 · Destructive · USA / Israel
Stuxnet
First known nation-state cyberweapon designed to physically destroy industrial equipment, targeting Iranian uranium centrifuges.
CRITICAL
Stuxnet exploited four Windows zero-days simultaneously — unprecedented at the time. The worm spread via USB drives and specifically sought Siemens S7-315 PLCs connected to specific frequency converters. It manipulated centrifuge speeds to cause physical damage while reporting normal operation to operators. It is estimated to have destroyed roughly 1,000 centrifuges and set back Iran's nuclear program by 1-2 years.
NSA
Unit 8200
Iran Natanz Nuclear Facility
Siemens PLCs
zero-day, ICS/SCADA, nuclear, PLC, USB propagation
// 2009
2009-12 · Espionage · China
Operation Aurora
Coordinated espionage campaign against major US tech companies, stealing source code and targeting Gmail accounts of Chinese dissidents.
CRITICAL
Attackers exploited a zero-day in Internet Explorer to gain access to Google's corporate infrastructure. Google discovered that the attackers had accessed the Gmail accounts of Chinese human rights activists and the source code repository for many Google products. The disclosure led Google to threaten to exit China, which it ultimately did for its search operations. Analysts attributed the operation to the Chinese military.
APT17
Elderwood Group
Google
Adobe
Intel
Morgan Stanley
30+ tech firms
zero-day, source code theft, IE exploit, Google