State and State-sponsored Information Attacks
The timeline spans the early 2000s and finishes in December 2020.
This timeline uses category bands. There are seven categories. Five of these categories are reserved for the major players in information attack. The 6th category, "Other," refers to other States that do not have their own category bands. The 7th category, "Int'l Information Treaties," highlights the lack of binding international law in the chaotic information space. Lastly, this timeline is not an exhaustive list of all State and State-sponsored information attacks.

Enjoy!
2004-11-01 00:32:33
China spies on U.S. defense
Type: C. Means: N/A. "Chinese hackers exfiltrated national security information from Naval Air Weapons Station China Lake, including weapons test and design data, and stealth aircraft data." CSIS.
2005-08-01 00:32:33
Titan Rain . . . APT1 early activity?
Type: C. Means: N/A. Titan Rain was revealed in 2005, but the series of attacks is estimated to have started in 2003. See "Titan Rain", CFR (Aug. 2005) https://on.cfr.org/3gVFbCU. Titan Rain targeted U.S. military contractors and various other military-related departments and agencies. See id.
2006-05-01 20:47:06
APT1: A China Cyber Espionage Unit
Type: C. Attack Lifecycle and Methods: Initial recon (after receipt of assignment), initial compromise (spearphishing), establish foothold (initiate outbound connections to the intruder's C2 server), escalate privileges (obtains password hashes, then cracks the hash), internal recon (utilizes batch scripts and command shells), move laterally (using the credentials previously acquired), maintain presence by installing backdoors, use legitimate VPN credentials, and log in to web portals (last three steps repeat themselves as many times as necessary), complete mission (pack desired files and information into an archive file and exfiltrate). Other names: Comment Crew, Comment Group, Shady Rat (possibly). Infrastructure used: hop point systems before accessing target via Remote Desktop. See "APT1: Exposing One of China's Cyber Espionage Units", Mandiant (Feb. 2013). https://bit.ly/2IsiXMf.
2007-05-01 00:32:33
Russia DDoS on Estonia
Type: A. Means: DDoS (Distributed Denial of Service) via botnet. In one of the more noteworthy cyber-attacks, Russia DDoS-ed Estonia. The attack denied Estonians access to online banking, media, and governmental services. Damien McGuinness, "How a Cyber Attack Transformed Estonia", BBC News (Apr. 27, 2017). Since the attack, Estonia has become the center for NATO cybersecurity through its Cooperative Cyber Defence Centre of Excellence (CCDCOE).
2007-09-01 20:08:17
Israel disrupts Syrian air defense systems
Type: I, A. Means: "Suter" airborne network attack system. Israel bombed a site in Syria that was an alleged nuclear materials facility. The mystery of the bombing run was that the Israeli jets were not detected by Syria's air defense systems. Instead of jamming the air defense systems, Israel utilized a technology similar to the "Suter" airborne network attack system. This technology "allows users to invade communications networks, see what enemy sensors see and even take over as systems administrator so sensors can be manipulated into positions where approaching aircraft can't be seen." David A. Fulghum & Douglas Barrie, "Israel used electronic attack in an air strike against Syrian mystery target", ABC News (Oct. 08, 2007).
2007-09-29 03:22:18
French officials say they were hacked by actors in China
Type: C. Means: N/A. Francis Delon, the Secretary General of France's National Defence Office, said, "Chinese hackers had 'penetrated outer levels' of state computer systems." Further, Delon clarified that although the attackers were located in China, he did not confirm that the attackers were affiliated with the Chinese People's Liberation Army ("PLA"). See John Leyden, "France Blames China for Hack Attacks", The Register (Sep. 2007).
2008-04-01 03:22:18
Afghanistan accuses German BND of spying on emails
Type: C. Means: N/A. It was revealed that the BND, the German intelligence service, spied on emails between a reporter and an Afghan politician. The largest issue of this attack was the BND's supposed "breach of press freedom." See DW staff, "Afghan at Center of Spy Affair Says Life at Risk", DW (Apr. 2008) https://bit.ly/2IwABOD.
2008-05-01 03:22:18
India accuses China of mapping its networks
Type: C. Means: N/A. Indian government officials claimed that the espionage campaign, which they suspect is being orchestrated by China, is aimed at "constantly scanning and mapping India's official networks." The officials are concerned about the attack's espionage aspect and about the potential that the attackers could disable the networks in the event of an armed conflict. See Indrani Bagchi, "China Mounts Cyber Attacks on Indian Sites", TOI (May 2008) https://bit.ly/2UjhV7x.
2008-06-01 20:52:20
WEAPON: STUXNET - Digital Weapon with physical effects
Type: D. Means: Stuxnet malware, USB autorun vulnerability, printer vulnerability. The first (known) digital weapon to be unleashed on a State by a State was Stuxnet, which is suspected of having been created by the United States and Israel. Stuxnet was not only unprecedented in complexity but also caused physical damage. Target: Stuxnet targeted a specific type of programmable logic controller (PLC), which is a computer used to control industrial machinery. When it was delivered to a new computer that did not control the specific type of PLC it was looking for, Stuxnet would disable itself and become inert (harmless) code. More specifically, Stuxnet hunted for the Siemens S7-315-2 PLCs, which were used by Iran to control the centrifuges that enrich uranium. Delivery: Stuxnet had to jump an air gap to reach its target. An air gap is a term used for when a computer is not connected to the internet. Thus, Stuxnet's creators knew it had to infect a computer that was not connected to the internet. How did it do it? Infected USB sticks. Stuxnet used multiple zero-days (vulnerabilities that were previously not known), one of which abused the autorun feature on a USB stick. Essentially, the infected USB stick would get plugged into an air-gapped computer, which would automatically run certain functions from the USB stick. Stuxnet used this autorun feature to deliver itself onto the air-gapped machines that programmed the PLCs. See generally Kim Zetter, "Countdown to Zero Day" (2014). Spread: also USB sticks, plus a complicated vulnerability involving computers connected to printers. AoO: Once Stuxnet infected a computer, it would run through a checklist. If certain criteria were met, Stuxnet would release its payload. The payload: in simple terms, Stuxnet would command the PLC to tell the centrifuge to spin at a higher rate than was optimal for enriching uranium and then slow back down. This slowed down the enrichment process and sometimes destroyed the centrifuge.
Meanwhile, Stuxnet would report to the engineer monitoring the centrifuges that all systems were normal. Stuxnet eventually spread outside its intended target and across the world. It took multiple research teams years to unravel Stuxnet. See id.
2008-06-03 20:52:20
China infiltrates Coca-Cola
Type: C, I. Means: Spearphishing. Attackers sent an email to Coca-Cola's deputy president for the Pacific region, Paul Etchells. The email sent to Etchells posed as a legitimate email from Coca-Cola's chief executive. Etchells clicked on the email, which downloaded a keylogger program onto his device. From there, the attackers stole email and password information and granted themselves administrative privileges on Coca-Cola's network. The timing of the attack suggests that it came from China state-sponsored attackers, because Coca-Cola "was looking to acquire the China Huiyuan Juice Group for about $2.4bn. . . [which] would have been the largest foreign takeover of a Chinese company." "Coca-Cola 'Targeted' by China in Hack Ahead of Acquisition Attempt", BBC (Nov. 2012) https://bbc.in/36ACp18.
2008-08-07 01:52:38
Russia invades Georgia, combines kinetic and digital attacks
Type: A. Means: DDoS. Russia invaded Georgia in August 2008. Weeks before the invasion, Russia began DDoS-ing Georgian websites. On the morning of the invasion, websites like "stopgeorgia.ru sprang up with a list of sites to attack, instructions on how to do it and even an after-action report page." See David J. Smith, "Russian Cyber Strategy and the War Against Georgia", Atlantic Council (Jan 2014) https://bit.ly/2Uzv2kT. This highlights the issue of States using non-state actors for malicious cyber operations. While Russia denies ordering the attacks and some researchers have traced the attacks back to a criminal organization within Russia, the greater issue is what happens if Russia did order these attacks. The effective control test (discussed in the introduction notes of this timeline) would not be enough to attribute the DDoS attacks to Russia. Why is this important? Russia invaded Georgia, so why should it matter who is responsible for the DDoS attacks? The answer is best provided through a hypothetical scenario: what if there were evidence of Russia giving attackers access to information weapons capable of causing death, injury, or destruction? How could Russia be held legally responsible for those actions? This issue is something to keep in mind while you navigate the rest of this timeline.
2009-03-01 20:52:20
Canadian researchers uncover Chinese espionage program
Type: C. Means: various forms of entry, then installed malware capable of sending and receiving data. After a 10-month investigation, SecDev Group and the Munk Centre for International Studies at the University of Toronto revealed an espionage campaign being carried out by Chinese-sponsored attackers. The campaign reportedly spread to the government networks of 103 States. The program earned the name GhostNet and was found to have infiltrated "1,295 computers, many belonging to embassies, foreign ministries and other government offices." See "Canadian Research Uncovers Cyber Espionage Network", CBC (Mar. 2009) https://bit.ly/38GRQHG.
2009-12-15 15:31:19
Operation Aurora - Google Attacked
Type: C. Means: Users would access a malicious website (sent by phishing/spearphishing or some other means). The attack utilized encryption techniques to download the malicious programs, which included a backdoor masquerading as an SSL connection. The malware was later named "Hydraq." After gaining a foothold in Google's system, the attackers would exfiltrate data via hijacked C&C servers located throughout the U.S. and Taiwan. See Kim Zetter, "Google Hack Attack Was Ultra Sophisticated, New Details Show", Wired (Jan. 2010) https://bit.ly/35ITJlq. Although the attacker has not been confirmed, Google did determine that the attack came from China. Further, in response to the attack, Google said it would no longer censor the search results of users located in China. See Kim Zetter, "Google to Stop Censoring Search Results in China After Hack Attack", Wired (Jan 2010) https://bit.ly/35JhMRp.
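A backdoor that "masquerades as an SSL connection" only looks like SSL to someone who checks the port number. The added Python example below (not code from the page or from any Aurora analysis) checks whether the first client bytes of a TCP/443 flow are actually a TLS ClientHello and flags flows that are not; the sample flows, including the non-TLS payload, are constructed and are not real Hydraq traffic.

```python
"""Flag TCP/443 flows whose first client bytes are not a TLS ClientHello.

Hypothetical detector for the Aurora-style "fake SSL" backdoor described in
the timeline entry above.  Sample flows are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    first_payload: bytes  # first client-to-server bytes of the flow


def parse_client_hello(data: bytes) -> Optional[Dict]:
    """Return parsed fields if `data` begins with a plausible TLS ClientHello.

    Checks the record header (type 0x16 = handshake, version 3.x), the
    handshake header (type 0x01 = ClientHello) and that the declared lengths
    are consistent with each other and with the bytes present.
    Returns None on any failure, which is the "not really TLS" verdict.
    """
    if len(data) < 5 + 4 + 2 + 32 + 1:          # header + version + random + sid len
        return None
    rec_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if rec_type != 0x16 or rec_major != 3 or rec_minor > 4:
        return None
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:   # need the whole record, must be ClientHello
        return None
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:   # handshake length fills the record
        return None
    body = hs[4:]
    client_major, client_minor = body[0], body[1]
    if client_major != 3 or client_minor > 4:
        return None
    pos = 2 + 32                              # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    if pos + 2 > len(body):
        return None
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len > len(body):
        return None
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return {"version": (client_major, client_minor),
            "session_id_len": sid_len, "cipher_suites": suites}


def build_client_hello(suites: List[int]) -> bytes:
    """Build a minimal ClientHello (constructed sample traffic): TLS 1.2 wire
    format, all-zero random, empty session id, null compression only."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                       # compression methods: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 0x16, 3, 1, len(hs)) + hs


def classify_flows(flows: List[Flow]) -> List[str]:
    """Alert on every flow to port 443 that does not open with a ClientHello."""
    alerts = []
    for f in flows:
        if f.dst_port != 443:
            continue
        if parse_client_hello(f.first_payload) is None:
            alerts.append(f"{f.src} -> {f.dst}:443 non-TLS payload on TLS port "
                          "(possible C2 masquerading as SSL)")
    return alerts


# Constructed sample flows: one real-looking ClientHello, one custom binary
# protocol on 443 (made-up bytes, not actual Hydraq traffic), one plain HTTP.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, build_client_hello([0x1301, 0xC02F])),
    Flow("10.0.0.7", "198.51.100.23", 443, b"\x00\x00\x00\x1c\xff\x00\x12\x34" + b"\x00" * 40),
    Flow("10.0.0.9", "192.0.2.8", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for line in classify_flows(SAMPLE_FLOWS):
        print(line)
```

Real deployments would apply the same check to the first packet captured by a sensor and treat JA3-style fingerprints as the next filter; this block only shows the header-consistency test.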
2009-12-18 14:50:14
Iranian Cyber Army enters the scene
Type: A. Means: Altered DNS records. In one of their first attacks, the Iranian Cyber Army altered the DNS records for Twitter. Users attempting to access Twitter would be sent to a different website that displayed a message in scrambled English. Users were only redirected to the website for about an hour. The website contained a message (translation): "Iranian Cyber Army THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY iRANiAN.CYBER.ARMY@GMAIL.COM U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To.... NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA? WE PUSH THEM IN EMBARGO LIST Take Care." See Carl Franzen, "Who Was Behind the 'Iranian Cyber Army' Twitter Attack?", The Atlantic (Dec. 2009) https://bit.ly/3kK7JQ3. However, some researchers have doubted whether the Iranian Cyber Army is sponsored by Iran. Some researchers even cast doubt on whether the attackers are indeed pro-Iranian and suggest that this may be a false flag operation instead. See id.
2010-01-10 14:50:14
Iranian Cyber Army #2
Type: A. Means: Hijacked DNS. In a very similar attack to the one directed at Twitter, the ICA targeted the Chinese search engine Baidu. See Dancho Danchev, "Baidu DNS record hijacked by Iranian Cyber Army", ZDNet (Jan 2010) https://zd.net/3lLZS5N.
2010-02-01 20:57:30
Weapon: FLAME - Sophisticated Espionage
See Alexander Gostev, "The Flame: Questions and Answers", Kaspersky Lab: SecureList (May 2012) https://bit.ly/3f8zNvf. Flame is one of the most sophisticated cyberweapons and is suspected of having been created by the same teams who created Stuxnet and Duqu. However, while Flame is sophisticated like Stuxnet and Duqu, it is a different type of weapon. Target/Goal: Although Flame does not have a specific target, most of the infected systems were located in Iran. Delivery: the first infection vector is unknown. Notably, Flame was capable of jumping air gaps: it infected a USB stick, which was then plugged into an air-gapped device; it stole information and stored it on the USB stick; and it sent the information to C&C servers once the stick was plugged back into an internet-connected device. Spread: Flame exploits some of the same vulnerabilities exploited by Stuxnet. These include the MS10-061 printer vulnerability (explained in detail in the Stuxnet timeline event), infected USB sticks (autorun and Euphoria vulns), remote job tasks, and infected computers infecting others. Replication was commanded rather than self-replication. Payload: espionage/information theft. Specifically, Flame could record audio via a device's microphone, take screenshots (sometimes app-initiated screenshots, i.e. some instant messaging apps could trigger a screenshot), capture keystrokes, and download documents. After capturing audio or screenshots, Flame would compress the file using a public-source library and send it to its C&C servers. Attribution: Initially unknown but suspected of being a "parallel project" to Stuxnet and Duqu. A parallel project is essentially two projects with the same target but different philosophies/methods of targeting. Therefore, if one project is discovered and the victim expels that project (removes its backdoors and remote access capabilities), then the second project, which perhaps uses different backdoors and remote access implants, would not also be compromised.
In 2015, Kaspersky Lab concluded that Flame was created by the same teams as Stuxnet and Duqu, which is generally accepted to have been the U.S. and Israel. See Mary-Beth Samekh, "Lessons Learned from Flame, Three Years Later", Kaspersky Lab: SecureList (May 2015) https://bit.ly/2ILhYGy.
2010-12-04 20:44:02
Pakistan hacks Indian CBI
Type: A, D. Means: N/A. A group calling itself the Pakistani Cyber Army hacked into the Indian CBI website and erased non-sensitive information. See PTI, "CBI Website Hacked by 'Pakistani Cyber Army'", Times of India (Dec. 2010) https://bit.ly/36LDO5f.
2010-12-31 00:00:00
China hacks U.S. Chamber of Commerce
Type: C. Means: N/A. "For more than a year, hackers with ties to the Chinese military have been eavesdropping on U.S. Chamber of Commerce officials involved in Asia affairs." Pierre Thomas & Olivia Katrandjian, "Chinese Hack into U.S. Chamber of Commerce", ABC News (Dec. 2011) https://abcn.ws/3fdZsCQ.
2011-01-01 18:18:36
Canadian agencies hacked
Type: C, A. Means: N/A. The attack "gave hackers access to highly classified information and also forced the Finance Department and Treasury Board . . . off the internet." Greg Weston, "Foreign Hackers Attack Canadian Government", CBC (Feb 2011) https://bit.ly/32Z0ldz.
2011-03-01 06:59:54
Multi-stage Lockheed Martin Attack
Type: C. Means: stolen RSA SecurID tokens. This attack is best explained in two parts. Part I was an attack on RSA, a security firm that manufactures the SecurID login function. The RSA attackers are suspected to have "got the algorithm for the current tokens." Mathew J. Schwartz, "Lockheed Martin Suffers Massive Cyberattack", DarkReading (May 2011) https://bit.ly/3lKDh9W. Part II was using the remote SecurID tokens to gain access to Lockheed Martin's network. From there, the details are murky, but Lockheed Martin claims to have detected the attack immediately and taken measures to protect its data and employees. See id.
2011-07-01 21:00:02
Japanese Parliament attacked
Type: C. Means: Trojan. Japanese legislators were forced to conduct business on personal computers after a trojan was discovered on the government's networks. The Trojan seemed to have been active for months, first being detected in July. See Paul Roberts, "Japanese Parliament Struggling to Address Hack, Data Theft", ThreatPost (Oct. 2011) https://bit.ly/38S5JmF.
2011-09-20 23:55:54
Mitsubishi, Japanese Weapons Developer attacked
Type: C. Means: spearphishing. "Japan's top weapons maker has confirmed it was the victim of a cyber attack reportedly targeting data on missiles, submarines and nuclear power plants." "Japan Defence Firm Mitsubishi Heavy in Cyber Attack", BBC News (Sept. 2011) https://bbc.in/36JGhwW. Despite finding viruses on more than 80 of its servers, Japanese officials claimed that no important information was accessed or exfiltrated. See id. Chinese-language script was found in the attack, but this is not enough to blame China for the attack. Of course, China denies being involved in any way, and its Foreign Ministry spokesman was quoted saying, "China is one of the main victims of hacking . . . Criticizing China as being the source of hacking attacks not only is baseless, it is not beneficial for promoting international co-operation for internet security." Id.
2011-09-22 11:11:41
U.S. Air Force Drones hacked
Type: C. Means: N/A, keystroke logger function. Although the Air Force's drone missions were not interrupted, they did admit that the malware had "accessed classified data and [is] allowing that sensitive information [to] be hijacked and transmitted over the open internet." Robert Johnson, "The US Drone Fleet is Fully Infected by a Computer Virus", Business Insider (Oct. 2011) https://bit.ly/3nuyvxM.
2012-02-01 20:57:30
China steals F-35 technology from U.S.
Type: C. Means: N/A. China's 2009 intrusion into Lockheed Martin's servers contributed to the attackers' ability to carry out this 2012 attack. In the 2009 attack, the attackers, who are not necessarily the same attackers as here, stole 24,000 confidential files. In 2012, the "stolen files were instructions enabling the attackers to extract sensitive data and become 'invisible witnesses to online meetings and technical discussions.'" Matt Liebowitz, "Did Chinese Hackers Delay America's Next Fighter Jet?", NBC News (Feb. 2012) https://nbcnews.to/2UsameC.
2012-03-01 20:57:30
Iran hacks BBC News
Type: A. Means: DDoS. "48 hours after it revealed a huge spike in audience for its Persian TV service" and after BBC boasted about its successful Farsi-language service, BBC reported it suffered a "sustained attack." The attack denied BBC access to its email services and coincided with reported "jamming of BBC services into Iran." Josh Halliday, "BBC fears Iranian cyber-attack over its Persian TV Service", The Guardian (Mar. 2012) https://bit.ly/32JArdH.
2012-05-01 20:57:30
PLA Unit 61398 targets U.S. infrastructure
Type: C, I, A. Means: spearphishing. In an unsuccessful attempt, PLA Unit 61398 (featured throughout this timeline and also known as "Comment Crew" and "Shanghai Group") sent a spearphishing email to Digital Bond, "a small security firm that specializes in industrial-control computers." The email was disguised as an email coming from a superior discussing critical infrastructure security weaknesses, but the employee did not click on the file attached to the email. After analyzing the attachment, Digital Bond realized that the link "contained a remote-access tool that would have given the attackers control over the employee's computer and potentially given them a front-row seat to confidential information about Digital Bond's clients, which include a major water project, a power plant and a mining company." David Sanger et al., "Chinese Army Unit is Seen as Tied to Hacking Against U.S.", N.Y. Times (Feb. 2013) https://nyti.ms/2IygfUY (detailing Unit 61398's hacking activities against various western countries).
2012-08-01 12:41:44
Operation Ababil
Type: A, I. Means: DDoS via data centers and encryption requests. The attackers, a hacker group named Izz ad-Din al-Qassam, were able to hijack data centers (large groups of networked computer servers, i.e. a cloud) to conduct a DDoS attack on multiple U.S. banks. The attackers gained control of these data centers by using a malware called "Itsoknoproblembro," which "was designed to evade detection by antivirus programs." By using data centers infected with the malware, which are dubbed "bRobots," the geographic origin of the attackers' command and control center was more difficult to pinpoint. Another reason that this DDoS was more significant was that it targeted the online banking industry, which encrypts customers' online transactions. An encryption request further taxes a system when it is already facing an unexpected amount of traffic. Researchers noted that the flood of network traffic was far greater than the 2007 DDoS attacks on Estonia. U.S. officials expressed confidence that Iran was responsible for the attacks but offered little technical evidence to support their claim. Iran, of course, denies any involvement. See Nicole Perlroth & Quentin Hardy, "Bank Hacking Was the Work of Iranians, Officials Say", N.Y. Times (Jan 2013) https://nyti.ms/32HPiWg.
2012-08-15 12:41:44
Saudi Aramco Attack
Type: D. Means: Shamoon virus, insider threat. The Shamoon virus, also called Wiper, would erase or wipe a computer's hard drive and replace that data with an image of a burning American flag. The malware was introduced into the system by a "company insider, or insiders, with privileged access to Aramco's network. The virus could have been carried on a USB memory stick that was inserted into a PC." Nicole Perlroth, "In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back", N.Y. Times (Oct. 2012) https://nyti.ms/32Z06zr. Once inserted, the malware waited to deliver its payload until 11:08 a.m. After the attack, researchers from Symantec found clues that suggested Iran was responsible for the attack and that Iran was attempting to shift blame to either the U.S. or someone else. For example, the code referenced the "Arabian Gulf," but Iran uses "Persian Gulf" to describe that body of water. Further, the Flame malware (discussed previously) targeted the Iranian oil industry. See id.
2012-09-29 17:59:43
RasGas attacked
Type: A. Means: Unknown. RasGas, a Qatari gas producer, was hit with an attack that affected its office systems. Details on this attack were difficult to find, but it occurred within weeks of the Shamoon attack on Saudi Aramco. See "Compromise of Saudi Aramco and RasGas", Council on Foreign Relations (Aug. 2012) https://on.cfr.org/2UGj9d1.
2012-10-25 23:07:35
APT12 - N.Y. Times fends off repeated attacks
Type: C. Means: Researchers are not 100% sure but suspect a spearphishing attack that resulted in remote access software being downloaded onto the network. From there, the attackers spied on the activities and correspondence of one of the reporters. On 25 October 2012, the N.Y. Times published a report on Wen Jiabao, then China's Prime Minister. The report detailed the incredible amount of wealth that Jiabao accumulated through business transactions. See David Barboza, "Billions in Hidden Riches for Family of Chinese Leader", N.Y. Times (Oct. 2012) https://nyti.ms/32N0pNo. The Times hired security firm Mandiant to help monitor and identify the attackers. To achieve this, Mandiant monitored the attackers for months, learning what exploits they used and whether they had set up any backdoors. The attackers followed a work schedule that coincided with Beijing working hours and attempted to mask their IP addresses by using university networks. The attackers had set up three back doors to use as a "digital base camp" and from there located The Times's domain controller, "that contains user names and hashed, or scrambled, passwords for every Times employee." After cracking password hashes, the attackers gained access to more computers and "installed 45 pieces of custom malware." This installed software included a program that searched for the emails and files of Barboza, the author of the aforementioned report. Furthermore, Mandiant concluded that the attackers were after the names of people who gave information to Barboza for his article. Mandiant concluded that, based on "the malware used, the command and control centers compromised and the hacker's techniques," The Times had been attacked by APT12. See Nicole Perlroth, "Hackers in China Attacked The Times for Last 4 Months", N.Y. Times (Jan. 2013) https://nyti.ms/3pr4twC.
2013-01-01 23:07:35
Operation Ababil #2
Type: A. Means: DDoS via data centers. Operation Ababil #2, like #1, attacked the U.S. banking industry. The attackers, Izz ad-Din al-Qassam, claim they are conducting these attacks in response to "an anti-Islam video that mocked the Prophet Muhammad, and pledged to continue its campaign until the video was scrubbed from the Internet." The term Ababil refers to "a story in the Koran in which Allah sends swallows to defeat an army of elephants dispatched by the King of Yemen to attack Mecca in A.D. 571." See Nicole Perlroth & Quentin Hardy, "Bank Hacking Was the Work of Iranians, Officials Say", N.Y. Times (Jan 2013) https://nyti.ms/3kA4n1Y.
2013-01-01 23:07:35
China steals more U.S. defense, weapon systems information
Type: C. Means: N/A. "The Defense Science Board, a senior advisory group made up of government and civilian experts" drafted a report to Pentagon and defense industry officials that explained multiple defense-related network breaches. Included in the breaches were weapons system designs for the V-22 Osprey, Aegis, F/A-18 jet, THAAD, PAC-3, and the Littoral Combat Ship. The results of this attack are two-fold. First, it allows the attackers to gain information on the design and software of their potential enemies' weapon systems, and therefore gain a battlefield advantage. Second, it allows the attackers to steal research and design information instead of spending the resources to gain the research through non-espionage means. Essentially, it creates a "free-rider" dynamic that allows the attackers to benefit from the research and expenditures of their adversary. The report did not conclude the identity of the attackers, but U.S. officials claim the breaches are part of China's espionage campaign against U.S. defense technology. See Ellen Nakashima, "Confidential Report Lists U.S. Weapons System Designs Compromised by Chinese Cyberspies", Washington Post (May 2013) https://wapo.st/36EL9Dk.
2013-01-31 07:39:46
China compromises U.S. Dams
Type: C. Means: N/A. "An unauthorized user traced to China hacked the [National Inventory of Dams] database in January but wasn't discovered until sometime in April." This attack had scarce details, but the potential fallout of sensitive dam data could be a serious issue. There are over 8,000 major dams in the U.S. See Ryan W. Neal, "Chinese Hackers Infiltrate U.S. Army Database, Compromise Safety of Thousands of Dams", IB Times (May 2013) https://bit.ly/35PMzMr.
2013-03-20 20:56:55
DarkSeoul: South Korean TV and Banking denied access
Type: A. Means: DarkSeoul, a malware that evades South Korean anti-virus programs and "renders computers unusable." The South Korean government was hesitant to attribute the attack to North Korea, but North Korea is the suspected perpetrator. On the geopolitical level, the attack arrived just as the U.S. and South Korean militaries were conducting joint exercises. Further, days before this attack, North Korea attributed an attack on itself to South Korea and the United States. On the technical level, however, the IP addresses that directed the attack suggested China, or at least someone located in China, was responsible. On the operational level, "the attackers made no effort to disguise the malware." Attackers hiding their tracks usually indicates a higher level of sophistication, and therefore possibly state sponsorship. Then again, could the attackers, by not disguising the malware, be trying to send a clear message? This attack may not have been state sponsored but is included in this timeline as an example of how attribution can be difficult and how different layers of an attribution analysis can point to different actors. See Choe Sang-Hun, "Computer Networks in South Korea are Paralyzed in Cyberattacks", N.Y. Times (Mar. 2013) https://nyti.ms/35wrgPO.
2013-05-31 02:38:09
Patriotic Hackers or State-Sponsored?
Type: I, C. Means: N/A. In 2013, the Syrian Electronic Army became very active. This group is loyal to Syrian President Bashar al-Assad, but it is unclear whether it is sponsored by Syria. In this attempted attack, the Syrian Electronic Army ("SEA") targeted the Israeli water supply. See John Leyden, "'Syrian Electronic Army' fails to crack Israeli water system", The Register (May 2013) https://bit.ly/3fkupFv. Because it is not well reported that the SEA is state-sponsored, their subsequent attacks are not listed on this timeline. However, they are an active group that targets victims in and outside Syria, mostly focusing on those who oppose al-Assad. See generally Kenneth Geers & Ayed Alqartah, "Syrian Electronic Army Hacks Major Communications Websites", FireEye (Jul. 2013) https://bit.ly/334qvvu.
2013-06-05 09:54:42
Edward Snowden Leaks NSA Surveillance Program
Type: C. Means: insider attack. This attack was not State sponsored but is notable. A contractor working for Booz Allen Hamilton and loaned to the National Security Agency exfiltrated documents from a top secret database. See generally Paul Szoldra, "This is everything Edward Snowden revealed in one year of unprecedented top-secret leaks", Business Insider (Sep. 2016) https://bit.ly/3924iC1.
2013-06-25 10:50:37
Near Korean War Anniversary, North Korea hacks South Korea
Type: A. Means: N/A. North Korea again shut down South Korean websites (unknown methods). Here, the attack left a message on the downed websites that praised Kim Jong Un. The message also said that the attack was perpetrated by the hacktivist group Anonymous, who denies being involved. See "Cyber Attack Hits South Korea Websites", BBC News (Jun. 2013) https://bbc.in/36VOIVZ.
2013-09-05 23:50:36
Chinese hackers use Sykipot Trojan to target US civil aviation firms
Type: C. Means: Spearphishing, then an SSL connection established via the Sykipot Trojan. The Sykipot backdoor was first detected six years prior to this attack. Once the attacker gains access to a system, "it establishes an SSL connection to a C&C server from which additional malware is downloaded, then installed and run on the victim's machine." In this instance, Chinese attackers, with whom the Sykipot malware is usually associated, targeted the U.S. civil aviation sector. See Zeljka Zorz, "Sykipot-wielding attackers now targeting US civil aviation firms", HelpNetSecurity (Sep. 2013) https://bit.ly/36XDFLR.
2013-09-27 06:36:10
Snowden leaks reveal U.S. hacked Germany's Chancellor
Type: C. Means: N/A. From Snowden's leaks, it was revealed that the NSA had tapped Angela Merkel's phone. Germany conducted an investigation into the matter but it fizzled out years later. The U.S. did not deny spying on her cell phone but assured that "it was not currently spying on her phone calls and would not do so in the future." Eyder Peralta, "Germany Closes Probe Into Alleged U.S. Hacking of Merkel's Phone", NPR (Jun. 2015) https://n.pr/2UIFEyd.
2013-09-27 06:36:10
Iran hacks unclassified U.S. Navy computers
Type: C. Means: N/A. "U.S. officials said Iran hacked unclassified Navy computers in recent weeks in an escalation of Iranian cyberintrusions targeting the U.S. military." See Julian E. Barnes & Siobhan Gorman, "U.S. Says Iran Hacked Navy Computers", The Wall Street Journal (Sep. 2013) https://on.wsj.com/335SdIh. Although this attack only reached "unclassified computers," it is notable. If hackers could secure a foothold in this unclassified network (via a backdoor), there is a possibility that they could move laterally and/or escalate their privileges. See id.
2013-11-01 16:21:15
The United States Office of Personnel Management is compromised
Type: C. Means: The federal agency responsible for staffing the U.S. federal government, the U.S. Office of Personnel Management ("OPM"), was compromised. An agency like the OPM is a foreign adversary's ideal target: centralized data and personal information on thousands of individuals working or applying for federal government jobs and security clearances. In Nov. 2013, an attacker dubbed X1 breached the OPM system. X1 did not gain access to the personnel records but was able to exfiltrate manuals and information on the network's architecture. A month later, two contractors, USIS and KeyPoint (contractors that used OPM servers to conduct background checks), were breached. A few months later, OPM recognized that its systems were compromised. Thinking the actors were contained in one portion of the network, OPM allowed the hackers to remain there to figure out who they were. OPM did, however, attempt to purge the attackers when they tried to download keylogger malware onto one of the computers. The purge was unsuccessful, because the attackers (this one named "X2," who is presumably working with X1 or is the same individual) had established another foothold in a portion of OPM's networks that was unaffected by the attempted purge. From here, X2 escalated his privileges. Essentially, OPM's login system contained a vulnerability, and X2 used a program, Mimikatz, that exploited the vulnerability and provided X2 with a memory dump of hashes of user credentials that had recently been used to log onto OPM's network. A hash is a way to disguise the plaintext form of a password. After exploiting another vulnerability, where a user could authenticate by using a plaintext username and the password's hash as the credential, X2 was able to escalate to root access. See Cyril Saade et al., "OPM Data Breach" at https://bit.ly/3lzqYwS. Root access is where a person has administrator-level access and is therefore unrestricted in movement and privileges.
Once at root access levels, X2 downloaded the PlugX malware (remote access), which allowed the attackers to begin exfiltrating data. Who did it? No group has claimed responsibility, but researchers have pointed out that the PlugX backdoor "is associated with Chinese-language hacking groups that have attacked political activists in Hong Kong and Tibet." Josh Fruhlinger, "The OPM Hack Explained: Bad Security Practices meet China's Captain America", CSO (Feb. 2020) https://bit.ly/3pvnpKI.
2014-02-10 00:00:00
Iran hacks Las Vegas Casino
Type: I, D. Means: Unknown. Why is Iran hacking Sheldon Adelson's Sands Corp. casinos? In October 2013, Adelson, a strong supporter of Israel, said in a TV interview that the United States should not negotiate with Iran. Adelson continued, saying that the U.S. should drop a nuclear bomb in the desert of Iran and "then you say, 'See! The next one is in the middle of Tehran. So, we mean business. You want to be wiped out?'" See Maya Shwayder, "Adelson: US should drop atomic bombs on Iran", The Jerusalem Post (Oct. 2013) https://bit.ly/35G9rxS. Months later, Iranian actors wiped hard drives and stole customers' social security numbers. See Natasha Bertrand, "Iranian Hackers Paralyzed Billionaire Sheldon Adelson's Las Vegas Casino", Business Insider (Dec. 2014) https://bit.ly/35Kkje9.
2014-05-14 20:47:06
U.S. indicts Five Chinese Military Hackers for Cyber Espionage
Type: C. Means: Spearphishing, purchased domain names, masking IP addresses, etc. In the first criminal indictment filed against state actors for hacking, the Department of Justice accused five Chinese military personnel of various illegal hacking activities. In a years-long scheme, the hackers would steal proprietary information and trade secrets from U.S. companies. The attackers would then pass this information to state-owned Chinese businesses in the same industry as the U.S. victim company. This sharing of information enabled an unfair commercial advantage for Chinese companies, which would flood U.S. markets with products they were able to produce without enduring the costly research and development stages of industrial machinery and factory architecture. See "U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage", DOJ (May 2014) https://bit.ly/38KKWBA.
2014-08-31 07:29:17
North Korea attacks U.K. television network
Type: C. Means: N/A. A U.K. television company discovered North Korean hackers in its systems. The company was set to release a new drama series that followed a "British nuclear scientist taken prisoner in North Korea." The series was not released. See Gordon Corera, "UK TV Drama About North Korea Hit by Cyber-Attack", BBC News (Oct. 2017) https://bbc.in/390nDDT. This attack is significant because it shows a State's ability to suppress free speech in other States by way of intimidation. In this instance, it was reported that the series was not released because of a funding issue. See id.
2014-09-20 19:57:29
China hacks U.S. weather systems, satellites
Type: C. Means: N/A. The National Oceanic and Atmospheric Administration ("NOAA") is the U.S. federal agency responsible for monitoring the conditions of oceans and atmospheres to gather data on weather patterns and predictions. As a result of the attack, satellites were unable to gather information for a brief time. See Mary Pat Flaherty et al., "Chinese Hack U.S. weather systems, satellite network", The Washington Post (Nov. 2014) https://wapo.st/3kYB3mg.
2014-10-13 19:57:29
Sandworm Campaign uses Zero-Day to hack NATO, Ukraine
Type: C. Means: Zero-Day: Windows CVE-2014-4114 vulnerability, spearphishing.
2014-11-01 06:18:37
The Sony Hack
Type: D, A, C. Means: spearphishing (most likely), ransomware. The attack largely centers around the film "The Interview," a creation of Seth Rogen. The movie is critical of North Korea and its leader Kim Jong Un. At one point in the movie, Kim Jong Un's head explodes. The North Korean government cautioned against releasing the movie and made threats against the U.S. and Sony. See generally Choe Sang-Hun, "North Korea Warns U.S. Over Film Mocking Its Leader", N.Y. Times (Jun. 2014) https://nyti.ms/2UPaJAk. After infecting the Sony systems, the attackers stole at least 100 terabytes of data and deleted a significant portion too. "Sony workers became aware of the breach after an image of a red skull suddenly appeared on screens company-wide with a warning that Sony's secrets were about to be spilled." Kim Zetter, "Sony Got Hacked Hard: What We Know and Don't Know So Far", Wired (Dec. 2014) https://bit.ly/3fmDj5s. While the FBI attributes the attack to North Korea, some researchers and information security journalists question whether the hack came from North Korea. See id. Sony ultimately released the film online on Dec. 25, 2014.
2015-01-08 11:03:00
Information Attack with Physical effects
Type: D. Means: Spearphishing. Germany released a report "that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in 'massive' - though unspecified - damage." Kim Zetter, "A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever", Wired (Jan. 2015) https://bit.ly/35U5sxL. The attackers were able to gain access to the steel mill's business network. From there, the attackers were able to move into the "access systems controlling plant equipment." Id. It is a truly naive information security practice to have one's business network not segmented from its industrial control systems. Some say that segmenting the network by either air gap or firewall is a better practice. Experts seem to disagree about what is standard for securing a system to a responsible level. See id. Of course, no system is truly "secure."
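The segmentation point above is easy to state and easy to audit. As an added example (not from the timeline or the report it cites), the script below checks constructed flow records against a segmentation policy in which the business network may reach the control network only from one designated jump host on approved ports; the address ranges, jump host and ports are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical network plan (constructed for this example, not any real plant).
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")   # office / business systems
ICS_NET = ipaddress.ip_network("10.200.0.0/16")       # plant control systems
# Only this hardened jump host may cross into ICS, and only on these ports.
JUMP_HOST = ipaddress.ip_address("10.10.5.10")
ALLOWED_PORTS = {3389, 22}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flows(text):
    """Parse constructed flow records of the form 'src dst dport', one per line."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows


def violations(flows):
    """Return flows that cross business -> ICS outside the jump-host exception."""
    bad = []
    for f in flows:
        if f.src in BUSINESS_NET and f.dst in ICS_NET:
            if not (f.src == JUMP_HOST and f.dport in ALLOWED_PORTS):
                bad.append(f)
    return bad


# Constructed sample records: business hosts talking to various destinations.
# Port 502 is Modbus/TCP, a common control-system protocol.
SAMPLE_FLOWS = """
10.10.3.21 10.10.8.4 445
10.10.5.10 10.200.1.5 3389
10.10.3.21 10.200.1.5 502
10.10.7.9 10.200.2.30 445
10.200.1.5 10.200.1.6 502
"""


def segmentation_report(text=SAMPLE_FLOWS):
    """Format each violating flow as 'src -> dst:port' for review."""
    return [f"{v.src} -> {v.dst}:{v.dport}" for v in violations(parse_flows(text))]


if __name__ == "__main__":
    for line in segmentation_report():
        print("VIOLATION", line)
```

Run against real flow exports, a non-empty report means the business and control networks are not actually separated, whatever the diagram says.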
2015-02-05 00:33:11
Snowden Leaks continue to reveal secret programs
Type: C. Means: Babar malware, EvilBunny trojan. "Babar was first mentioned in documents from Canadian intel agency CSEC (Communications Security Establishment Canada) leaked by Edward Snowden. They were published by Le Monde and later, with few redactions, by Der Spiegel." John Leyden, "Babar the Elephant: Another Malware Plague With A Cute Name", The Register (Feb. 2015) https://bit.ly/398HRv5. Babar was an espionage tool aimed at "Iranian science and technology organizations but it was also aimed at French-speaking media organizations, targets in former French colonies and the European Financial Association." Id. While this timeline event is not about an attack, it is about a State, France, creating an espionage tool through digital means.
2015-04-25 00:33:11
Russians hack White House Unclassified Networks
Type: C. Means: N/A. Specific details of this attack are difficult to find. What we do know is that attackers gained access to Obama's unclassified email correspondence. While the information is unclassified, it is considered sensitive, such as his schedule, meetings, whereabouts, etc. The attackers also compromised unclassified networks in the Defense and State Departments. See Michael S. Schmidt & David E. Sanger, "Russian Hackers Read Obama's Unclassified Emails, Officials Say", N.Y. Times (Apr. 2015) https://nyti.ms/2Hm1Ef0.