The Biggest Cyber Attacks of All Time
Even before the turn of the millennium—back when computers ran on diesel oil and weighed more than we did—computer hacks were becoming internationally significant events. In 1989, for example, two teenagers managed to disrupt a NASA shuttle launch all the way from Australia. A decade later, a pornography-spreading virus infected 100,000 computers in its first five days, leading to around one billion dollars in damages worldwide.
In recent years, hacks have only become larger and more dangerous—less the fodder of geeky teenagers than of governments and sophisticated cybercrime organizations. In 2014 a hack on Sony Pictures caused widespread hysteria that a North Korean terrorist attack might occur on American soil. A year later, nearly 40 million people were exposed as users of Ashley Madison—a site for cheating spouses—after activists leaked the company’s databases on the dark web. In 2016, Russian military intelligence leaked emails from the Democratic National Committee and from the Hillary Clinton campaign, altering the trajectory of America’s presidential election.
While there’s no single metric for determining the “biggest,” what follows are five of the most significant cyber attacks ever committed (in no particular order). These attacks have led to major financial losses, affected international relations in sensitive parts of the world, and altered the course of history.
1. Stuxnet (2010)
Stuxnet is the most significant computer hack that has ever occurred.
It was groundbreaking in its concept and genius in design. It has become the anchor point for the entire field of industrial control systems security. Most importantly of all: Stuxnet succeeded in fundamentally shifting the balance of power in the world, permanently changing the course of history ever since.
The first insight of Stuxnet was that software could be used as a weapon in the first place. While basement hackers had long since come up with innovative ways to disrupt governments and corporations before the mid-2000s, cyber was never used as a weapon of war before the United States and Israel joined forces in an operation known covertly as “Olympic Games,” which produced the worm we now know as Stuxnet.
Stuxnet was first introduced into the Natanz uranium enrichment facility by somebody with physical access to the site. This is a crucial point. The control systems used to operate those facilities were air gapped, meaning they did not connect to the internet. The internet is how 99.9% of malware spreads, as it’s what connects our computers with one another. Air gapped computers are secluded, and so an individual had to physically insert an infected USB drive into a computer at the site.
Once loaded, Stuxnet wormed its way through the internal network until it reached its target: the programmable logic controllers (PLCs) that set the spin speed of the uranium centrifuges. The details get quite complex, and are beyond the scope of this article, but suffice it to say: by manipulating their spin, the worm was able to quite literally destroy these highly delicate machines, which were crucial to the nuclear development process. Estimates suggest that between November 2009 and January 2010, Stuxnet destroyed around 1,000 centrifuges.
Most sneakily of all: while machines were falling apart, the Iranian scientists monitoring them had no clue what was going on. Basically, Stuxnet was designed to tell the human operators “everything’s fine” while everything was very much not fine.
Stuxnet was eventually discovered as a result of a programming error which caused it to spread around the world to many unintended targets. By that time, it had managed to take years off of Iran’s nuclear progress.
2. Yahoo (2013-14)
There’s a little story from the annals of cybersecurity history which, perhaps better than anything else, epitomizes the state Yahoo was in in the mid-2010s. It goes like this:
In September, 2013, a little infosec firm called High-Tech Bridge probed Yahoo’s web infrastructure for security holes.
It’s common practice for large companies to pay cyber researchers and hackers who can uncover security flaws in their systems—the term for this is “bug bounties,” and they can range anywhere from a few hundred to many thousands of dollars, depending on the size of the company and how significant the flaw is. In just a few days, the researchers at High-Tech Bridge had uncovered four critical vulnerabilities in multiple Yahoo web domains. These vulnerabilities could have allowed hackers to take over any Yahoo account they wished, in only a few steps. In other words, these were the kind of bugs that companies like Yahoo pay big money to fix.
The researchers took their findings to Yahoo on the 23rd. Two days later, Yahoo thanked them, and offered a bounty as reward:
25 dollars in store credit. And a Yahoo t-shirt.
The incident came to be known as “T-Shirt Gate.” Around the community, security professionals lashed out at the injustice: 25 dollars on a bounty that would be worth many thousands at any other major tech company. It was a clear sign that Yahoo didn’t invest in or care much about security.
And that lack of care came home to roost. That very same year, all 3 billion Yahoo user accounts were accessed in a breach. It was the largest personal data breach, by volume, in history. Then in 2014, just one year later, 500 million Yahoo accounts were breached in a second attack.
Probability dictates that you, reading this now, were affected by one or both of those incidents. Additionally, it goes without saying that some of those 3 billion accounts belonged to high-value government and military personnel.
By all accounts, both breaches were entirely preventable. We know less about who perpetrated the first (largely because Yahoo’s logs were erased, thereby evaporating the evidence necessary for attribution), but the second hack was carried out by just a few people. Two Russian FSB agents had contracted a prolific hacker named Aleksey Belan, who did almost all the work on his own.
None of those three Russians faced any kind of repercussions, but a 22-year-old Canadian who played a relatively minor role in the matter was arrested in Ontario and later indicted by the U.S. Department of Justice.
3. Equifax (2017)
To a credit reporting agency, you are not a customer. You are a product.
The business model is pretty simple. Companies that sell expensive things—cars, houses, wedding rings and so on—want to know whether you’re going to be able to pay them if they hand you a loan. Equifax provides those companies with a dossier about your financial (and sometimes personal) history, allowing them to make a decision as to whether they want to give you a loan.
There are practical benefits to this arrangement. Without a credit system, we’d have no way of, say, purchasing a car, without tens of thousands of dollars in cash on hand.
But there are severe implications to a system which treats human beings the way Exxon treats oil. If our personal information is the raw material Equifax uses to reap profits, Equifax has a natural incentive to collect as much of it as possible. And because you’re not the one paying them, Equifax has no particular obligation to you—they need not heed your concerns over privacy or security.
The end result of all of this is that Equifax (as well as Experian and TransUnion, the other two major credit bureaus) has nearly as much information about you as the federal government. They have your name, date of birth, addresses present and past, your criminal history, your social security number, all of your credit cards and bank accounts...and on and on.
In 2017 an attacker siphoned all that information out of Equifax’s databases. Just under 150 million people—including, but not limited to the large majority of adult Americans—lost their most sensitive personal and financial information to an unknown entity.
The potential for damage was immense. Anyone with that kind of data could have quite easily committed identity fraud, or worse, on behalf of any of those victims. If the hackers’ motivations were financial, they could’ve made an absolute fortune selling it all on the dark net. So, strangely enough, every American should be counting their lucky stars that the attackers were later revealed to be Chinese state actors.
Never before in history has a Chinese attack on the United States felt so good!
4. Mt. Gox (2011)
Few people know the story of Mt. Gox, because it only impacted the relatively small community of cryptocurrency early adopters. But when viewed from a modern lens, you could argue that this incident caused the greatest financial loss in cybersecurity history by some measure.
In 2011, Mt. Gox was the place to buy and sell Bitcoin. Based in Tokyo, it handled around 70 percent of all Bitcoin transactions worldwide. Bitcoin wasn’t as well known nor as valuable then as it is today—the currency was only two years old at the time—but the sheer volume of trading over this one exchange still made it a high-value target.
And CEO Mark Karpeles was not the right person to handle that kind of pressure. Just 28 years old at the time, he was perhaps one of the most enigmatic chief executives you’ll ever come across. He did official business on a bouncy ball. He was, by some accounts, much more focused on designing his never-opened “Bitcoin Cafe” than running the most important company in crypto. And, more than anything, Mark was obsessed with quiche. His adventures with quiche are well documented.
In February 2014, Mt. Gox went dark. By the end of the month, it was revealed that they’d lost around 850,000 of their users’ Bitcoin, valued at around 450 million dollars at the time. Only 200,000 were recovered the following month.
The saga that followed was ugly. Mark was accused of stealing the money for himself, and was arrested the following year for embezzlement. He spent a year in Japanese prison where he was held in solitary confinement, reportedly interrogated day and night so that he’d finally confess to the theft. But despite the pressure, he didn’t confess.
It was only in 2017 when authorities arrested a Russian cybercriminal named Alexander Vinnik, while he was on vacation with his family in Greece. Vinnik, it appeared, had either stolen or laundered a significant amount of the stolen Bitcoin.
Still today, that 650,000 missing Bitcoin has not been recovered. As of this writing, it’s worth around 25 billion U.S. dollars.
5. SolarWinds (2020)
In asymmetric warfare, a lesser entity can achieve great damage against its stronger opponent using stealth, guerrilla tactics and terrorism. Typically the stronger side has more to lose, making them an easy mark for quick hits.
Russia is no longer on par with the United States militarily, economically, or in most other respects. And yet, year after year, they break new ground by inventing some of the cleverest, most damaging hacks known to the world.
Take APT29, codename “Cozy Bear,” one of the Russian cyber espionage groups tied to the recent SolarWinds data breach. It may be that they just pulled off one of the largest data breaches ever, successfully compromising tens of thousands of targets including multiple U.S. federal agencies, from the Department of Commerce to the Treasury. If it were the only thing they’d ever accomplished, they’d still go down as one of the great hacking collectives of our time. But Cozy Bear were prolific long before 2020. They’ve hacked the Pentagon, American think tanks, and, famously in 2016, the Democratic National Committee. In short: this one group has caused more damage on U.S. soil than just about any entity in the world, all from the comfort of their lodgings in Moscow.
SolarWinds may be their best work yet. Rather than attack their intended targets head-on, the hackers identified a popular IT vendor—SolarWinds—as an inroad. The billion-dollar company provides IT software to a great many major corporations and federal agencies, so by breaching SolarWinds’ build system, the attackers were able to deliver malware to those many clients without anyone having the slightest clue. Seemingly normal software updates, sent from SolarWinds, were in fact harboring malicious code that gave the attackers persistent access to these highly sensitive computer systems.
It’ll take months, and possibly even years to learn of the full extent of the SolarWinds hack. But the real question now is: how will the United States government respond?
Written by Nathaniel Nelson for Knockaround.