In computers and computer networks an attack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset. A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices. An attacker is a person or process that attempts to access data, functions or other restricted areas of the system without authorization, potentially with malicious intent. Depending on context, cyberattacks can be part of cyberwarfare or cyberterrorism. A cyberattack can be employed by nation-states, individuals, groups, society or organizations. A cyberattack may originate from an anonymous source.
A cyberattack may steal, alter, or destroy a specified target by hacking into a susceptible system. Cyberattacks can range from installing spyware on a personal computer to attempting to destroy the infrastructure of entire nations. Legal experts are seeking to limit the use of the term to incidents causing physical damage, distinguishing it from the more routine data breaches and broader hacking activities.
Cyberattacks have become increasingly sophisticated and dangerous.
Since the late 1980s cyberattacks have evolved several times to use innovations in information technology as vectors for committing cybercrimes. In recent years, the scale and robustness of cyberattacks has increased rapidly, as observed by the World Economic Forum in its 2018 report: "Offensive cyber capabilities are developing more rapidly than our ability to deal with hostile incidents."
The increasing dependencies of modern society on information and computers networks (both in private and public sectors, including military) has led to new terms like cyber attack and cyberwarfare.
CNSS Instruction No. 4009 define a cyber attack as:
Cyberwarfare utilizes techniques of defending and attacking information and computer networks that inhabit cyberspace, often through a prolonged cyber campaign or series of related campaigns. It denies an opponent's ability to do the same, while employing technological instruments of war to attack an opponent's critical computer systems. Cyberterrorism, on the other hand, is "the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population". That means the end result of both cyberwarfare and cyberterrorism is the same, to damage critical infrastructures and computer systems linked together within the confines of cyberspace.
Three factors contribute to why cyber-attacks are launched against a state or an individual: the fear factor, spectacularity factor, and vulnerability factor.
The spectacularity factor is a measure of the actual damage achieved by an attack, meaning that the attack creates direct losses (usually loss of availability or loss of income) and garners negative publicity. On February 8, 2000, a Denial of Service attack severely reduced traffic to many major sites, including Amazon, Buy.com, CNN, and eBay (the attack continued to affect still other sites the next day). Amazon reportedly estimated the loss of business at $600,000.
Vulnerability factor exploits how vulnerable an organization or government establishment is to cyber-attacks. Organizations without maintenance systems my be running on old servers which are more vulnerable than updated systems. An organization can be vulnerable to a denial of service attack, and a government establishment can be defaced on a web page. A computer network attack disrupts the integrity or authenticity of data, usually through malicious code that alters program logic that controls data, leading to errors in output.
Professional hackers, either working on their own or employed by the government or military service, can find computer systems with vulnerabilities lacking the appropriate security software. Once those vulnerabilities are found, they can infect systems with malicious code and then remotely control the system or computer by sending commands to view content or to disrupt other computers. There needs to be a pre-existing system flaw within the computer such as no antivirus protection or faulty system configuration for the viral code to work. Many professional hackers will promote themselves to cyberterrorists where a new set of rules govern their actions. Cyberterrorists have premeditated plans and their attacks are not born of rage. They need to develop their plans step-by-step and acquire the appropriate software to carry out an attack. They usually have political agendas, targeting political structures. Cyber terrorists are hackers with a political motivation, their attacks can impact political structure through this corruption and destruction. They also target civilians, civilian interests and civilian installations. As previously stated cyberterrorists attack persons or property and cause enough harm to generate fear.
An attack can be active or passive.
An attack can be perpetrated by an insider or from outside the organization;
The term "attack" relates to some other basic security terms as shown in the following diagram:
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+ | An Attack: | |Counter- | | A System Resource: | | i.e., A Threat Action | | measure | | Target of the Attack | | +----------+ | | | | +-----------------+ | | | Attacker |<==================||<========= | | | | i.e., | Passive | | | | | Vulnerability | | | | A Threat |<=================>||<========> | | | | Agent | or Active | | | | +-------|||-------+ | | +----------+ Attack | | | | VVV | | | | | | Threat Consequences | + - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
A resource (both physical or logical), called an asset, can have one or more vulnerabilities that can be exploited by a threat agent in a threat action. As a result, the confidentiality, integrity or availability of resources may be compromised. Potentially, the damage may extend to resources in addition to the one initially identified as vulnerable, including further resources of the organization, and the resources of other involved parties (customers, suppliers).
The attack can be active when it attempts to alter system resources or affect their operation: so it compromises integrity or availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources: so it compromises confidentiality.
A threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado).
A set of policies concerned with information security management, the information security management systems (ISMS), has been developed to manage, according to risk management principles, the countermeasures in order to accomplish to a security strategy set up following rules and regulations applicable in a country.
An attack should led to a security incident i.e. a security event that involves a security violation. In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached.
In order to detect attacks, a number of countermeasures can be set up at organizational, procedural and technical levels. Computer emergency response team, information technology security audit and intrusion detection system are example of these.
An attack usually is perpetrated by someone with bad intentions: black hatted attacks falls in this category, while other perform penetration testing on an organization information system to find out if all foreseen controls are in place.
The attacks can be classified according to their origin: i.e. if it is conducted using one or more computers: in the last case is called a distributed attack. Botnets are used to conduct distributed attacks.
Other classifications are according to the procedures used or the type of vulnerabilities exploited: attacks can be concentrated on network mechanisms or host features.
Some attacks are physical: i.e. theft or damage of computers and other equipment. Others are attempts to force changes in the logic used by computers or network protocols in order to achieve unforeseen (by the original designer) result but useful for the attacker. Software used to for logical attacks on computers is called malware.
The following is a partial short list of attacks:
In detail, there are a number of techniques to utilize in cyber-attacks and a variety of ways to administer them to individuals or establishments on a broader scale. Attacks are broken down into two categories: syntactic attacks and semantic attacks. Syntactic attacks are straightforward; it is considered malicious software which includes viruses, worms, and Trojan horses.
A virus is a self-replicating program that can attach itself to another program or file in order to reproduce. The virus can hide in unlikely locations in the memory of a computer system and attach itself to whatever file it sees fit to execute its code. It can also change its digital footprint each time it replicates making it harder to track down in the computer.
A worm does not need another file or program to copy itself; it is a self-sustaining running program. Worms replicate over a network using protocols. The latest incarnation of worms make use of known vulnerabilities in systems to penetrate, execute their code, and replicate to other systems such as the Code Red II worm that infected more than 259 000 systems in less than 14 hours. On a much larger scale, worms can be designed for industrial espionage to monitor and collect server and traffic activities then transmit it back to its creator.
A Trojan horse is designed to perform legitimate tasks but it also performs unknown and unwanted activity. It can be the basis of many viruses and worms installing onto the computer as keyboard loggers and backdoor software. In a commercial sense, Trojans can be imbedded in trial versions of software and can gather additional intelligence about the target without the person even knowing it happening. All three of these are likely to attack an individual and establishment through emails, web browsers, chat clients, remote software, and updates.
Semantic attack is the modification and dissemination of correct and incorrect information. Information modified could have been done without the use of computers even though new opportunities can be found by using them. To set someone into the wrong direction or to cover your tracks, the dissemination of incorrect information can be utilized.
There were two such instances between India and Pakistan that involved cyberspace conflicts, started in 1990s. Earlier cyber attacks came to known as early as in 1999. Since then, India and Pakistan were engaged in a long-term dispute over Kashmir which moved into cyberspace. Historical accounts indicated that each country's hackers have been repeatedly involved in attacking each other's computing database system. The number of attacks has grown yearly: 45 in 1999, 133 in 2000, 275 by the end of August 2001. In 2010, Indian hackers laid a cyber attack at least 36 government database websites going by the name "Indian Cyber Army". In 2013, Indian hackers hacked the official website of Election Commission of Pakistan in an attempt to retrieve sensitive database information. In retaliation, Pakistani hackers, calling themselves "True Cyber Army" hacked and defaced ~1,059 websites of Indian election bodies.
According to the media, Pakistan's has been working on effective cyber security system, in a program called the "Cyber Secure Pakistan" (CSP). The program was launched in April 2013 by Pakistan Information Security Association and the program has expanded to country's universities.
Within cyberwarfare, the individual must recognize the state actors involved in committing these cyber-attacks against one another. The two predominant players that will be discussed is the age-old comparison of East versus West, China's cyber capabilities compared to United States' capabilities. There are many other state and non-state actors involved in cyberwarfare, such as Russia, Iran, Iraq, and Al Qaeda; since China and the U.S. are leading the foreground in cyberwarfare capabilities, they will be the only two state actors discussed.
But in Q2 2013, Akamai Technologies reported that Indonesia toppled China with portion 38 percent of cyber attack, a high increase from 21 percent portion in previous quarter. China set 33 percent and US set at 6.9 percent. 79 percent of attack came from Asia Pacific region. Indonesia dominated the attacking to ports 80 and 443 by about 90 percent.
China's People's Liberation Army (PLA) has developed a strategy called "Integrated Network Electronic Warfare" which guides computer network operations and cyberwarfare tools. This strategy helps link together network warfare tools and electronic warfare weapons against an opponent's information systems during conflict. They believe the fundamentals for achieving success is about seizing control of an opponent's information flow and establishing information dominance. The Science of Military and The Science of Campaigns both identify enemy logistics systems networks as the highest priority for cyber-attacks and states that cyberwarfare must mark the start if a campaign, used properly, can enable overall operational success. Focusing on attacking the opponent's infrastructure to disrupt transmissions and processes of information that dictate decision-making operations, the PLA would secure cyber dominance over their adversary. The predominant techniques that would be utilized during a conflict to gain the upper hand are as follows, the PLA would strike with electronic jammers, electronic deception and suppression techniques to interrupt the transfer processes of information. They would launch virus attacks or hacking techniques to sabotage information processes, all in the hopes of destroying enemy information platforms and facilities. The PLA's Science of Campaigns noted that one role for cyberwarfare is to create windows of opportunity for other forces to operate without detection or with a lowered risk of counterattack by exploiting the enemy's periods of "blindness", "deafness" or "paralysis" created by cyber-attacks. That is one of the main focal points of cyberwarefare, to be able to weaken your enemy to the full extent possible so that your physical offensive will have a higher percentage of success.
The PLA conduct regular training exercises in a variety of environments emphasizing the use of cyberwarfare tactics and techniques in countering such tactics if it is employed against them. Faculty research has been focusing on designs for rootkit usage and detection for their Kylin Operating System which helps to further train these individuals' cyberwarfare techniques. China perceives cyberwarfare as a deterrent to nuclear weapons, possessing the ability for greater precision, leaving fewer casualties, and allowing for long ranged attacks.
In the West, the United States provides a different "tone of voice" when cyberwarfare is on the tip of everyone's tongue. The United States provides security plans strictly in the response to cyberwarfare, basically going on the defensive when they are being attacked by devious cyber methods. In the U.S., the responsibility of cybersecurity is divided between the Department of Homeland Security, the Federal Bureau of Investigation, and the Department of Defense. In recent years, a new department was created to specifically tend to cyber threats, this department is known as Cyber Command. Cyber Command is a military subcommand under US Strategic Command and is responsible for dealing with threats to the military cyber infrastructure. Cyber Command's service elements include Army Forces Cyber Command, the Twenty-fourth Air Force, Fleet Cyber Command and Marine Forces Cyber Command. It ensures that the President can navigate and control information systems and that he also has military options available when defense of the nation needs to be enacted in cyberspace. Individuals at Cyber Command must pay attention to state and non-state actors who are developing cyberwarfare capabilities in conducting cyber espionage and other cyber-attacks against the nation and its allies. Cyber Command seeks to be a deterrence factor to dissuade potential adversaries from attacking the U.S., while being a multi-faceted department in conducting cyber operations of its own.
Three prominent events took place which may have been catalysts in the creation of the idea of Cyber Command. There was a failure of critical infrastructure reported by the CIA where malicious activities against information technology systems disrupted electrical power capabilities overseas. This resulted in multi-city power outages across multiple regions. The second event was the exploitation of global financial services. In November 2008, an international bank had a compromised payment processor that allowed fraudulent transactions to be made at more than 130 automated teller machines in 49 cities within a 30-minute period. The last event was the systemic loss of U.S. economic value when an industry in 2008 estimated $1 trillion in losses of intellectual property to data theft. Even though all these events were internal catastrophes, they were very real in nature, meaning nothing can stop state or non-state actors to do the same thing on an even grander scale. Other initiatives like the Cyber Training Advisory Council were created to improve the quality, efficiency, and sufficiency of training for computer network defense, attack, and exploitation of enemy cyber operations.
On both ends of the spectrum, East and West nations show a "sword and shield" contrast in ideals. The Chinese have a more offensive minded idea for cyberwarfare, trying to get the pre-emptive strike in the early stages of conflict to gain the upper-hand. In the U.S. there are more reactionary measures being taken at creating systems with impenetrable barriers to protect the nation and its civilians from cyber-attacks.
According to Homeland Preparedness News, many mid-sized U.S. companies have a difficult time defending their systems against cyber attacks. Around 80 percent of assets vulnerable to a cyber attack are owned by private companies and organizations. Former New York State Deputy Secretary for Public Safety Michael Balboni said that private entities "do not have the type of capability, bandwidth, interest or experience to develop a proactive cyber analysis."
In response to cyber-attacks on April 1, 2015, President Obama issued an Executive Order establishing the first-ever economic sanctions. The Executive Order will impact individuals and entities ("designees") responsible for cyber-attacks that threaten the national security, foreign policy, economic health, or financial stability of the US. Specifically, the Executive Order authorizes the Treasury Department to freeze designees' assets.
According to Ted Koppel's book, in 2008, the United States in collaboration with Israel, ran a cyberattack on Iran's nuclear program, becoming "the first to use a digital weapon as an instrument of policy".
A series of powerful cyber attacks began 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms.
The 2007 cyberattacks on Estonia were a series of cyberattacks which began on 27 April 2007 and targeted websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, as well as war graves in Tallinn. The attacks triggered a number of military organizations around the world to reconsider the importance of network security to modern military doctrine. The direct result of the cyberattacks was the creation of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn.
A whole industry is working trying to minimize the likelihood and the consequence of an information attack.
For a partial list see: Computer security software companies.
They offer different products and services, aimed at:
Many organizations are trying to classify vulnerability and their consequence: the most famous vulnerability database is the Common Vulnerabilities and Exposures.
Computer emergency response teams are set up by government and large organization to handle computer security incidents.
Once a cyber-attack has been initiated, there are certain targets that need to be attacked to cripple the opponent. Certain infrastructures as targets have been highlighted as critical infrastructures in time of conflict that can severely cripple a nation. Control systems, energy resources, finance, telecommunications, transportation, and water facilities are seen as critical infrastructure targets during conflict. A new report on the industrial cybersecurity problems, produced by the British Columbia Institute of Technology, and the PA Consulting Group, using data from as far back as 1981, reportedly has found a 10-fold increase in the number of successful cyber-attacks on infrastructure Supervisory Control and Data Acquisition (SCADA) systems since 2000. Cyberattacks that have an adverse physical effect are known as cyber-physical attacks.
Control systems are responsible for activating and monitoring industrial or mechanical controls. Many devices are integrated with computer platforms to control valves and gates to certain physical infrastructures. Control systems are usually designed as remote telemetry devices that link to other physical devices through internet access or modems. Little security can be offered when dealing with these devices, enabling many hackers or cyberterrorists to seek out systematic vulnerabilities. Paul Blomgren, manager of sales engineering at cybersecurity firm explained how his people drove to a remote substation, saw a wireless network antenna and immediately plugged in their wireless LAN cards. They took out their laptops and connected to the system because it wasn't using passwords. "Within 10 minutes, they had mapped every piece of equipment in the facility," Blomgren said. "Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports. They never even left the vehicle."
Energy is seen as the second infrastructure that could be attacked. It is broken down into two categories, electricity and natural gas. Electricity also known as electric grids power cities, regions, and households; it powers machines and other mechanisms used in day-to-day life. Using U.S. as an example, in a conflict cyberterrorists can access data through the Daily Report of System Status that shows power flows throughout the system and can pinpoint the busiest sections of the grid. By shutting those grids down, they can cause mass hysteria, backlog, and confusion; also being able to locate critical areas of operation to further attacks in a more direct method. Cyberterrorists can access instructions on how to connect to the Bonneville Power Administration which helps direct them on how to not fault the system in the process. This is a major advantage that can be utilized when cyber-attacks are being made because foreign attackers with no prior knowledge of the system can attack with the highest accuracy without drawbacks. Cyberattacks on natural gas installations go much the same way as it would with attacks on electrical grids. Cyberterrorists can shutdown these installations stopping the flow or they can even reroute gas flows to another section that can be occupied by one of their allies. There was a case in Russia with a gas supplier known as Gazprom, they lost control of their central switchboard which routes gas flow, after an inside operator and Trojan horse program bypassed security.
Financial infrastructures could be hit hard by cyber-attacks as the financial system is linked by computer systems. is constant money being exchanged in these institutions and if cyberterrorists were to attack and if transactions were rerouted and large amounts of money stolen, financial industries would collapse and civilians would be without jobs and security. Operations would stall from region to region causing nationwide economical degradation. In the U.S. alone, the average daily volume of transactions hit $3 trillion and 99% of it is non-cash flow. To be able to disrupt that amount of money for one day or for a period of days can cause lasting damage making investors pull out of funding and erode public confidence.
A cyberattack on a financial institution or transactions may be referred to as a cyberheist. These attacks may start with phishing that targets employees, using social engineering to coax information from them. They may allow attackers to hack into the network and put keyloggers on the accounting systems. In time, the cybercriminals are able to obtain password and keys information. An organization's bank accounts can then be accessed via the information they have stolen using the keyloggers. In May 2013, a gang carried out a US$40 million cyberheist from the Bank of Muscat.
Cyberattacking telecommunication infrastructures have straightforward results. Telecommunication integration is becoming common practice, systems such as voice and IP networks are merging. Everything is being run through the internet because the speeds and storage capabilities are endless. Denial-of-service attacks can be administered as previously mentioned, but more complex attacks can be made on BGP routing protocols or DNS infrastructures. It is less likely that an attack would target or compromise the traditional telephony network of SS7 switches, or an attempted attack on physical devices such as microwave stations or satellite facilities. The ability would still be there to shut down those physical facilities to disrupt telephony networks. The whole idea on these cyber-attacks is to cut people off from one another, to disrupt communication, and by doing so, to impede critical information being sent and received. In cyberwarfare, this is a critical way of gaining the upper-hand in a conflict. By controlling the flow of information and communication, a nation can plan more accurate strikes and enact better counter-attack measures on their enemies.
Transportation infrastructure mirrors telecommunication facilities; by impeding transportation for individuals in a city or region, the economy will slightly degrade over time. Successful cyber-attacks can impact scheduling and accessibility, creating a disruption in the economic chain. Carrying methods will be impacted, making it hard for cargo to be sent from one place to another. In January 2003 during the "slammer" virus, Continental Airlines was forced to shut down flights due to computer problems. Cyberterrorists can target railroads by disrupting switches, target flight software to impede airplanes, and target road usage to impede more conventional transportation methods. In May 2015, a man, Chris Roberts, who was a cyberconsultant, revealed to the FBI that he had repeatedly, from 2011 to 2014, managed to hack into Boeing and Airbus flights' controls via the onboard entertainment system, allegedly, and had at least once ordered a flight to climb. The FBI, after detaining him in April 2015 in Syracuse, had interviewed him about the allegations.
Water as an infrastructure could be one of the most critical infrastructures to be attacked. It is seen as one of the greatest security hazards among all of the computer-controlled systems. There is the potential to have massive amounts of water unleashed into an area which could be unprotected causing loss of life and property damage. It is not even water supplies that could be attacked; sewer systems can be compromised too. There was no calculation given to the cost of damages, but the estimated cost to replace critical water systems could be in the hundreds of billions of dollars. Most of these water infrastructures are well developed making it hard for cyber-attacks to cause any significant damage, at most, equipment failure can occur causing power outlets to be disrupted for a short time.
Important thinking about the tactical and legal concepts of cyber-warfare is taking place in a former Soviet barracks in Estonia, now home to NATO’s “centre of excellence” for cyber-defence. It was established in response to what has become known as “Web War 1”, a concerted denial-of-service attack on Estonian government, media and bank web servers that was precipitated by the decision to move a Soviet-era war memorial in central Tallinn in 2007.
The 2007 cyberattacks on Estonia (Estonian: 2007. aasta küberrünnakud Eesti vastu) were a series of cyberattacks which began on 27 April 2007 and targeted websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, as well as war graves in Tallinn.
Most of the attacks that had any influence on the general public were distributed denial of service type attacks ranging from single individuals using various methods like ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of bigger news portals commentaries and defacements including that of the Estonian Reform Party website also occurred. Research has also shown that large conflicts took place to edit the English-language version of the Bronze Soldier's Wikipedia page.Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. The case is studied intensively by many countries and military planners as, at the time it occurred, it may have been the second-largest instance of state-sponsored cyberwarfare, following Titan Rain.As of January 2008, one ethnic-Russian Estonian national has been charged and convicted.During a panel discussion on cyber warfare, Sergei Markov of the Russian State Duma has stated his unnamed aide was responsible in orchestrating the cyber attacks. Markov alleged the aide acted on his own while residing in an unrecognised republic of the former Soviet Union, possibly Transnistria. On 10 March 2009 Konstantin Goloskokov, a "commissar" of the Kremlin-backed youth group Nashi, has claimed responsibility for the attack. Experts are critical of these varying claims of responsibility. The direct result of the cyberattacks was the creation of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia.2013 South Korea cyberattack
On 20 March 2013, three South Korean television stations and a bank suffered from frozen computer terminals in a suspected act of cyberwarfare. ATMs and mobile payments were also affected. The South Korean communications watchdog raised their alert level on cyber-attacks to three on a scale of five. North Korea has been blamed for similar attacks in 2009 and 2011 and was suspected of launching this attack as well. South Korean officials linked the incident to a Chinese IP address, which increased suspicion of North Korea as "[i]ntelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks." Malware related to the attack is called "DarkSeoul" in the computer world and was first identified in 2012. The Financial Services Commission of South Korea said that Shinhan Bank reported that its Internet banking servers had been temporarily blocked and that Jeju Bank and NongHyup reported that operations at some of their branches had been paralyzed after computers were infected with viruses and their files erased. Woori Bank reported a hacking attack, but said it had suffered no damage. Computer shutdowns also hit companies including the Korean Broadcasting System, Munhwa Broadcasting Corporation, and YTN.The South Korean government asserted a Pyongyang link in the March cyberattacks, which has been denied by Pyongyang. A 50-year-old South Korean man identified as Mr. Kim is suspected to be involved in the attack.2016 Dyn cyberattack
The 2016 Dyn cyberattack was a series of distributed denial-of-service attacks (DDoS attacks) on October 21, 2016, targeting systems operated by Domain Name System (DNS) provider Dyn. The attack caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America. The groups Anonymous and New World Hackers claimed responsibility for the attack, but scant evidence was provided.As a DNS provider, Dyn provides to end-users the service of mapping an Internet domain name—when, for instance, entered into a web browser—to its corresponding IP address. The distributed denial-of-service (DDoS) attack was accomplished through a large number of DNS lookup requests from tens of millions of IP addresses. The activities are believed to have been executed through a botnet consisting of a large number of Internet-connected devices—such as printers, IP cameras, residential gateways and baby monitors—that had been infected with the Mirai malware.2017 Westminster cyberattack
The 2017 Westminster cyberattack occurred on 23 June 2017, when an unauthorised attempt was made to gain access to email accounts belonging to a number of politicians at the United Kingdom's Houses of Parliament.The incident was followed by an attempt to hack accounts belonging to politicians at the Scottish Parliament in August 2017.2017 cyberattacks on Ukraine
A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.2018 Atlanta cyberattack
The city of Atlanta, Georgia was the subject of a massive cyberattack which began in March 2018. The city recognized the attack on Thursday, March 22, 2018, and publicly acknowledged it was a ransomware attack.
Due to Atlanta's national importance as a transportation and economic hub, the attack received wide attention and was notable for both the extent and duration of the service outages caused. Many city services and programs were affected by the attack, including utility, parking, and court services. City officials were forced to complete paper forms by hand.On November 26, a grand jury indicted two Iranian hackers, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, for the attack. The Department of Justice alleged that Savandi and Mansouri are part of the SamSam group; that the SamSam group is based out of Iran; and that the pair created SamSam Ransomware, the malware used in the attack. There are no affiliations with the government of Iran.CyberBerkut
CyberBerkut (Russian: КиберБеркут, Ukrainian: КіберБеркут) is a modern organized group of pro-Russian hacktivists. The group became locally known for a series of publicity stunts and distributed denial-of-service (DDoS) attacks on Ukrainian government, and western or Ukrainian corporate websites..December 2015 Ukraine power grid cyberattack
The December 2015 Ukraine power grid cyberattack took place on 23 December 2015 and is considered to be the first known successful cyberattack on a power grid. Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to the end consumers.
Most affected were consumers of «Prykarpattyaoblenergo» (Ukrainian: Прикарпаттяобленерго; servicing Ivano-Frankivsk Oblast): 30 substations were switched off, and about 230 thousand people were left without electricity for a period from 1 to 6 hours.At the same time consumers of two other energy distribution companies, «Chernivtsioblenergo» (Ukrainian: Чернівціобленерго; servicing Chernivtsi Oblast) and «Kyivoblenergo» (Ukrainian: Київобленерго; servicing Kyiv Oblast) were also affected by a cyberattack, but at a smaller scale. According to representatives of one of the companies, attacks were conducted from computers with IP addresses allocated to the Russian Federation.Dexter (malware)
Dexter is a computer virus or point of sale malware which infects computers running Microsoft Windows and was discovered by IT security firm Seculert, in December 2012. It infects PoS systems worldwide and steals sensitive information such as Credit Card and Debit Card information.In December 2013, researchers discovered StarDust, a major revision of Dexter, which compromised 20,000 cards in active campaign hitting US merchants.
It was one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers' credit and debit card payments.DoublePulsar
DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017. The tool infected more than 200,000 Microsoft Windows computers in only a few weeks, and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar. He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system. Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.EternalBlue
EternalBlue, sometimes stylized as ETERNALBLUE, is an exploit developed by the U.S. National Security Agency (NSA) according to testimony by former NSA employees. It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017 and reported to be used as part of the Retefe banking trojan since at least September 5, 2017.Evercookie
Exactis LLC is a data broker established in 2015 and based in the U.S state of Florida. The firm reportedly handles business and consumer data in an effort to refine targeted advertising.ISeeYou
iSeeYou is a security bug affecting iSight cameras in some Apple laptops.Mahdi (malware)
Mahdi is computer malware that was initially discovered in February 2012 and was reported in July of that year. According to Kaspersky Lab and Seculert (an Israeli security firm which discovered the malware), the software has been used for targeted cyber espionage since December 2011, infecting at least 800 computers in Iran and other Middle Eastern countries. Mahdi is named after files used in the malware and refers to the Muslim figure.Metulji botnet
The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the "Butterfly Bot", making it, as of June 2011, the largest known botnet.It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.Mirai (malware)
Mirai (Japanese: 未来, lit. 'future') is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.The source code for Mirai was published on Hack Forums as open-source. Since the source code was published, the techniques have been adapted in other malware projects.Petya (malware)
Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.
Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this new version as NotPetya to distinguish it from the 2016 variants, due to these differences in operation. In addition, although it purports to be ransomware, this variant was modified so that it is unable to actually revert its own changes.WannaCry ransomware attack
The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit developed by the US National Security Agency (NSA) for older Windows systems that was released by The Shadow Brokers a few months prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. WannaCry also took advantage of installing backdoors onto infected systems.
The attack was stopped within a few days of its discovery due to emergency patches released by Microsoft, and the discovery of a kill switch that prevented infected computers from spreading WannaCry further. The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country.
In December 2017, the United States, United Kingdom and Australia formally asserted that North Korea was behind the attack.A new variant of WannaCry ransomware forced Taiwan Semiconductor Manufacturing Company (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018. The virus spread to 10,000 machines in TSMC's most advanced facilities.