Since the early 1970s, when the first computer virus was created, which spurred the creation of the first anti-virus program, malware and cyberattacks have evolved rapidly, leaving cybersecurity struggling to keep pace. Close to 50 years later, breaches show no sign of stopping as the attack surface continues to balloon and costs associated with compromises have reached a new threshold of $3.92 million. To help visualize the evolution of cyberattacks and understand how we, as defenders, must adapt accordingly, let’s examine a subset of high-profile, documented attacks.
1998 – Kosovo
In addition to bombing campaigns, the US military utilized cyberattacks to reduce the effectiveness of Serbian air defense systems.
1998 – CIH
CIH, otherwise known as Chernobyl, was a virus that overwrote critical systems data. The virus was created by a Taiwanese student at Tatung University to supposedly test the effectiveness of antivirus software. The moniker, Chernobyl, is derived from the program’s activation date of April 26 – the anniversary of the Chernobyl meltdown.
2008 – Georgia
In the summer of 2008, amidst the Russo-Georgian War, Russian forces launched a significant joint arms campaign against Georgian targets. The campaign’s cyber operations included defacement of public and private websites and DDoS attacks that overloaded the website of the Georgian president. The traffic directed at the website included the phrase “win+love+in+Rusia”.
2008 – Operation Buckshot Yankee
Labeled “the most significant breach of US military computers ever” by a Pentagon official, the 2008 cyberattack on the United States started when an infected USB flash drive was left in the parking lot of a Department of Defense facility at a base in the Middle East. The malicious code then spread stealthily through US military computer networks and readied itself to transfer military data to enemy hands. Although it was never disclosed whether the effort successfully obtained relevant files, the Pentagon spent nearly 14 months cleaning up the worm in a defense process called “Operation Buckshot Yankee.”
2010 – Stuxnet
Believed to have been created by the United States and Israel, Stuxnet was a malicious computer worm designed to cripple Iran’s nuclear program. Unlike previous attacks that focused on stealing information, Stuxnet focused on physical damage, causing the centrifuges responsible for enriching uranium to tear themselves apart.
2013 – Dark Seoul
In March 2013, North Korean hackers utilized “DarkSeoul” malware to attack banks and television stations in South Korea. The cyberattack impaired over 32,000 computers and servers and caused US $750 million in economic damage alone.
2014 – Sony Entertainment
Also believed to have been carried out by North Korean hackers, this attack against Sony used a variant of the Shamoon wiper malware to erase the company’s computer infrastructure. During the hack, the group pressured Sony to withdraw its then-upcoming film, The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un.
2014 – German Steel Mill
Using spear phishing and sophisticated social engineering techniques to gain access to the industrial control system (ICS) of a German steel mill, attackers prevented a blast furnace from being shut down properly, resulting in “massive damage to the plant.” Similar to Stuxnet, this hack was a cyberattack designed to cause physical destruction of equipment.
2015 – TV5Monde
In April 2015, hackers believed to be associated with the Russian government breached the French television network, impairing internal administrative and support systems. French investigators later concluded that the attack was a test of the same sorts of cyber-weaponry that were used to switch off power stations in Ukraine.
2015 – Black Energy
Russian attackers successfully compromised information systems of three power stations in Ukraine, leaving over 230,000 people without power for up to 6 hours. The cyberattack was initiated with spear-phishing emails containing BlackEnergy malware.
2016 – Crashoverride
Also referred to as Industroyer, Crashoverride is malware believed to have been used in the cyberattack on Ukraine’s power grid in December 2016. The malware cut off power in portions of Kiev for an hour and is the first known malware specifically designed to attack electrical grids.
2017 – NotPetya
As a newer variant of Petya, NotPetya uses EternalBlue, an exploit that takes advantage of a vulnerability in Windows’ Server Message Block (SMB) protocol (EternalBlue was also used by WannaCry earlier in 2017). The malware harvests passwords and uses other techniques to spread to other computers on the same network. Although it is still classified as ransomware, the encryption routine was modified so that the malware was technically incapable of reverting its changes. This characteristic, along with the relatively low unlock fee of $300, suggests that the attack was focused more on damaging devices than on generating profit.
Examining just a handful of cyberattacks is enough to suggest the plethora of attack vectors that assailants can exploit. Additionally, there are plenty of reports and data indicating that the problem will continue to worsen. As defenders, we are naturally at a disadvantage, and this is exacerbated by the fact that close to 80% of IT and security teams have a negative relationship. The possibility of an imminent breach is no longer a question of “if” but rather a question of “when.”
The batch of notable cyberattacks described above is a small section of the VMware Carbon Black 2020 Cybersecurity Outlook Report. The research incorporated original threat data comprising the VMware Carbon Black customer footprint, the VMware Carbon Black User Exchange, publicly available samples and detonations, VMware Carbon Black Endpoint Standard results (cross-referenced with internally developed tools and SIEMs), and original dark web research. If you are interested in better understanding common techniques across malware categories and in improving security efficacy by focusing on high-value tactics and procedures, read the full report using the link below: