The Attacks That
Shaped History

“The world's first known digital weapon targeting physical infrastructure.”

Stuxnet was a groundbreaking piece of malware — a joint operation by the NSA and Israel's Unit 8200 cybersecurity corps. It exploited four zero-days simultaneously, traveled via USB drives into the air-gapped Natanz nuclear facility, and covertly manipulated Siemens industrial control systems to spin centrifuges at destructive speeds while reporting normal operation to operators. When eventually discovered by Kaspersky Lab in 2010, it fundamentally changed the world's understanding of cyber warfare — demonstrating that code could cause kinetic, physical destruction of critical infrastructure. The 'Pandora's Box' of cyber weapons was now open.

“A ransomware pandemic that paralyzed global healthcare and critical services.”

WannaCry was a devastating combination of ransomware and worm capabilities. It used EternalBlue — an NSA-developed exploit for Windows SMB (leaked by Shadow Brokers) — to self-propagate across networks without user interaction. North Korea's Lazarus Group repurposed this leaked NSA exploit to build a global cyberweapon. The UK's National Health Service was among the worst affected — hospitals turned away patients, cancelled surgeries, and diverted ambulances because critical systems were encrypted. Microsoft had released a patch (MS17-010) 59 days before WannaCry struck — but millions of unpatched systems remained vulnerable. Marcus Hutchins, a 22-year-old security researcher, accidentally stopped the attack by registering a hardcoded kill-switch domain.

“The most sophisticated supply chain attack in history — compromising the US government itself.”

The SUNBURST attack, attributed to Russia's SVR intelligence service, was a masterpiece of patience and precision. Attackers infiltrated SolarWinds' build pipeline and inserted malicious code (SUNBURST backdoor) into Orion software updates. Organizations that installed the updates — including the most sensitive US government agencies — were unknowingly backdoored for months. The attackers used careful techniques: a 2-week dormancy period, mimicking legitimate SolarWinds network traffic, and targeting only high-value victims. The breach was discovered not by government agencies, but by FireEye (now Mandiant) while investigating their own breach. It fundamentally reshaped how the industry thinks about software supply chain security and was a catalyst for SBOM (Software Bill of Materials) requirements.

“The breach that exposed the financial identities of 147 million Americans.”

The Equifax breach remains one of the most consequential identity theft events in US history. Attackers exploited a known, unpatched vulnerability in Apache Struts (CVE-2017-5638) — a patch had been available for two months before the breach. Attackers had access to Equifax systems for 76 days before detection, exfiltrating data of 147 million Americans. The company's response was widely criticized: its breach notification website was itself flagged as a phishing site, and Equifax staff tweeted a wrong URL for the notification site. US DOJ later indicted four members of Chinese military intelligence unit PLA 54938, framing the breach as part of a broader intelligence collection campaign targeting American financial data.

“A Russian cyber weapon disguised as ransomware that became the most destructive cyberattack in history.”

NotPetya was not ransomware — it was a destructive wiper masquerading as ransomware, deployed by Russia's GRU military intelligence unit Sandworm against Ukraine. It spread via a trojanized update to Ukrainian accounting software M.E.Doc and used the same EternalBlue exploit as WannaCry — combined with credential-stealing tools — to propagate with devastating speed across corporate networks globally. Shipping giant Maersk lost all 45,000 PCs and had to reinstall an entire global IT infrastructure in 10 days. Merck's manufacturing was disrupted so severely that US pharmaceutical supply chains were affected. NotPetya demonstrated that cyber weapons, once released, have catastrophic and uncontrollable collateral damage. Several US courts and NATO formally designated NotPetya as a 'wartime act.'

“The attack that shut down 45% of the US East Coast's fuel supply for six days.”

The DarkSide ransomware attack on Colonial Pipeline became the defining critical infrastructure cyberattack of the decade. Using a single compromised VPN credential (with no MFA) found on the dark web, attackers gained entry and deployed ransomware against Colonial's billing and IT systems. In response to uncertainty about whether operational technology systems were also affected, Colonial proactively shut down 5,500 miles of pipeline — immediately creating fuel shortages across the US Southeast. Panic buying, gas station queues, and airline schedule disruptions followed within hours. Colonial ultimately paid a $4.4M ransom in Bitcoin. The U.S. DOJ later recovered $2.3M of the Bitcoin using a law enforcement-controlled private key — a landmark crypto seizure. The attack directly triggered Biden's Executive Order on cybersecurity and mandatory OT/ICS security reporting.

“The largest DDoS attack in history powered by internet-connected cameras and routers.”

Mirai was revolutionary because it didn't target servers or PCs — it targeted poorly secured Internet of Things (IoT) devices like IP cameras and home routers. By constantly scanning the internet for devices using factory-default usernames and passwords, it rapidly amassed an army of over 600,000 infected devices. The creators originally built Mirai to dominate the lucrative Minecraft server hosting market by DDoS-ing competitors. However, on October 21, 2016, Mirai was weaponized against Dyn, a major DNS provider. The resulting 1.2 Terabits per second (Tbps) flood essentially broke the internet for the East Coast of the United States. The source code was later released on Hack Forums, leading to countless variants that still plague the internet today.

“A catastrophic vulnerability in a ubiquitous, open-source logging tool that broke the internet.”

Log4Shell (CVE-2021-44228) was a zero-day vulnerability in Apache Log4j, a Java-based logging utility used in everything from enterprise software and cloud services to Minecraft servers. The flaw allowed an attacker to execute arbitrary code simply by tricking the application into logging a specifically crafted text string. Because of how deeply embedded Log4j was in software supply chains, finding and patching it was a nightmare. Within hours of its public disclosure, attackers were actively scanning the internet and exploiting vulnerable systems to deploy ransomware, cryptominers, and establishing backdoors for long-term espionage.

“Military-grade mobile spyware that silently turns smartphones into ultimate surveillance devices.”

Pegasus, developed by Israeli cyber-arms firm NSO Group, represents the pinnacle of mobile exploitation. Unlike traditional malware requiring a victim to click a link, modern Pegasus relies on 'zero-click' exploits—often delivered via a missed WhatsApp call or a silent iMessage containing a malicious image file (like the FORCEDENTRY exploit). Once installed, it grants operators total control over an iOS or Android device: turning on the microphone and camera, reading encrypted encrypted messages (Signal, WhatsApp) before they are encrypted, and tracking location down to the meter. Although NSO claims it is only sold to governments to fight terrorism, investigations by Amnesty International and Citizen Lab proved widespread abuse against civil society.

“The theft of the master seeds for the world's most ubiquitous two-factor authentication tokens.”

In early 2011, attackers compromised RSA Security, the company behind the ubiquitous SecurID hardware tokens (the key fobs generating random numbers for VPN logins). The attack began with a simple spear-phishing email containing a malicious Excel spreadsheet (exploiting an Adobe Flash zero-day) sent to low-level RSA employees. Once inside, attackers navigated the network to steal the highly guarded 'seed values' for RSA's tokens. By combining a seed value with a user's PIN, attackers could generate valid 2FA codes on demand. Soon after the breach, attackers used these exact stolen seeds to bypass VPN security and penetrate U.S. defense contractor Lockheed Martin's network.

“The catastrophic theft of sensitive background check data for millions of US federal employees.”

The breach of the US Office of Personnel Management (OPM) is considered one of the most damaging espionage operations in US history. Attackers, widely attributed to China, compromised OPM's incredibly outdated legacy systems (some running COBOL and lacking basic encryption or MFA). They stole essentially the entire database of SF-86 forms—the 127-page documents required for secret and top-secret security clearances. This data provided a hostile intelligence service with an unparalleled roadmap for targeting, blackmailing, and recruiting American intelligence officers, military personnel, and diplomats. The breach forced the US government to re-evaluate how it managed and secured classified personnel data.

“A massive, coordinated ransomware attack executed through managed service providers (MSPs).”

During the US Fourth of July weekend in 2021, the REvil ransomware gang executed a highly sophisticated supply chain attack targeting Kaseya VSA, a remote monitoring and management tool used by IT service providers (MSPs). By exploiting a zero-day vulnerability in the VSA software, the attackers pushed an automated, malicious update that bypassed antivirus and deployed ransomware simultaneously to thousands of endpoints worldwide across hundreds of different companies. Victims ranged from a Swedish supermarket chain (unable to open its cash registers) to schools and local dental offices. It demonstrated a terrifying evolution: combining nation-state level zero-day supply chain exploitation with criminal ransomware monetization.