📚 Real-World Cyber Incidents

WannaCry was a worldwide cyberattack that targeted computers running Microsoft Windows by encrypting data and demanding ransom payments in Bitcoin. The attack exploited a vulnerability in Windows SMB protocol using the EternalBlue exploit, allegedly developed by the NSA and leaked by the Shadow Brokers hacking group.

• Entry Point: EternalBlue exploit targeting SMBv1 vulnerability (MS17-010)
• Propagation: Self-replicating worm capability spreading across networks
• Payload: Encryption of user files with RSA-2048 and AES-128 algorithms
• Ransom Demand: $300-$600 in Bitcoin per infected machine

Equifax, one of the three largest credit reporting agencies, suffered a massive data breach that exposed sensitive personal information of 147 million people. The breach was caused by an unpatched vulnerability in Apache Struts, a web application framework, despite a patch being available for months.

• Vulnerability: CVE-2017-5638 in Apache Struts 2 framework
• Exploitation: Remote code execution through crafted HTTP requests
• Access Period: Attackers had access for 76 days undetected
• Data Exfiltration: Encrypted traffic to hide data theft

Colonial Pipeline, which supplies 45% of fuel consumed on the US East Coast, was forced to halt operations after a ransomware attack by the DarkSide cybercrime group. The company paid $4.4 million in ransom to restore operations, though $2.3 million was later recovered by the FBI.

• Initial Access: Compromised VPN account using stolen credentials
• No MFA: VPN account lacked multi-factor authentication
• Lateral Movement: Attackers moved through corporate network to IT systems
• Ransomware: DarkSide ransomware deployed across network

The SolarWinds Orion platform compromise was one of the most sophisticated cyberattacks ever discovered. Attackers, believed to be Russian state-sponsored group APT29 (Cozy Bear), inserted malicious code into legitimate software updates, compromising approximately 18,000 organizations including US government agencies and Fortune 500 companies.

• Supply Chain Compromise: Malware injected into SolarWinds Orion build process
• Sunburst Backdoor: Trojanized DLL file in legitimate software updates
• Stealth Tactics: Dormancy periods, domain generation algorithms, legitimate-looking traffic
• Lateral Movement: SAML token forgery to access cloud resources

Target suffered a massive data breach during the holiday shopping season when attackers gained access through a third-party HVAC vendor's credentials. The breach compromised 40 million credit and debit card accounts and 70 million customer records, making it one of the largest retail breaches in history.

• Initial Access: Phishing email to HVAC vendor (Fazio Mechanical)
• Vendor Compromise: Stolen credentials for Target's vendor portal
• Network Pivot: Lateral movement from vendor network to POS systems
• Malware: Custom POS RAM scraping malware (BlackPOS)

NotPetya was a devastating cyberattack initially targeting Ukraine but spreading globally, causing over $10 billion in damages. Unlike ransomware, it was a destructive wiper designed to permanently destroy data. It spread through a compromised update to Ukrainian accounting software M.E.Doc and used EternalBlue and Mimikatz for propagation.

• Initial Vector: Trojanized update to M.E.Doc accounting software
• Propagation: EternalBlue exploit, PSExec, and WMI for spreading
• Credential Theft: Mimikatz to extract credentials from memory
• Destruction: MBR overwrite making systems unrecoverable

Marriott International discovered unauthorized access to the Starwood guest reservation database that had persisted since 2014 - four years before discovery. The breach compromised personal information of up to 500 million guests, including passport numbers, making it one of the largest hospitality breaches ever.

• Initial Compromise: Starwood systems breached in 2014, before Marriott acquisition
• Persistence: Attackers maintained access through merger and integration
• Data Exfiltration: Guest records including passport numbers and payment cards
• Attribution: Likely nation-state actor (China-linked APT)