{"id":3287,"date":"2025-09-18T11:05:38","date_gmt":"2025-09-18T09:05:38","guid":{"rendered":"https:\/\/trustlab.upct.es\/?p=3287"},"modified":"2025-09-22T10:02:21","modified_gmt":"2025-09-22T08:02:21","slug":"the-biggest-cyberattacks-in-history-key-cases-and-what-we-learned","status":"publish","type":"post","link":"https:\/\/trustlab.upct.es\/en\/2025\/09\/18\/the-biggest-cyberattacks-in-history-key-cases-and-what-we-learned\/","title":{"rendered":"The Biggest Cyberattacks in History: Key Cases and What We Learned"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Ranking Methodology: criteria (cost, reach, criticality, persistence)<\/h2>

To rank the \u201cbiggest cyberattacks in history,\u201d I applied four criteria that, combined, give a truer picture than a single damage figure:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n
Ranking methodology for the biggest cyberattacks<\/caption>\r\n
Criterion<\/th>\r\n Definition<\/th>\r\n Indicators<\/th>\r\n Weight<\/th>\r\n <\/tr>\r\n <\/thead>\r\n
Cost<\/th>\r\n Direct and indirect impact<\/td>\r\n \u20ac lost, fines, litigation<\/td>\r\n 35%<\/span><\/td>\r\n <\/tr>\r\n
Reach<\/th>\r\n Countries\/sectors affected<\/td>\r\n # organizations, countries<\/td>\r\n 25%<\/span><\/td>\r\n <\/tr>\r\n
Criticality<\/th>\r\n Infrastructure and outages<\/td>\r\n Time out of service<\/td>\r\n 25%<\/span><\/td>\r\n <\/tr>\r\n
Persistence<\/th>\r\n Stealth and complexity<\/td>\r\n Days undetected, 0-days<\/td>\r\n 15%<\/span><\/td>\r\n <\/tr>\r\n <\/tbody>\r\n<\/table>\r\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

2010\u20132025 Timeline: from industrial sabotage to a global wiper<\/h2>

  • 2007\u20132008:<\/strong> DDoS attacks on Estonia<\/strong> and Georgia<\/strong> open the door to \u201cdigital support\u201d in conflicts.<\/p><\/li>

  • 2010:<\/strong> Stuxnet<\/strong> proves malware can damage industrial equipment<\/strong> (ICS\/OT).<\/p><\/li>

  • 2013\u20132014:<\/strong> Yahoo<\/strong> breaches (billions of accounts) escalate concern over PII<\/strong>.<\/p><\/li>

  • 2014:<\/strong> Sony Pictures<\/strong> brings a highly public political<\/strong> dimension.<\/p><\/li>

  • 2015\u20132016:<\/strong> Power cuts in Ukraine<\/strong> reveal operations against critical infrastructure<\/strong>.<\/p><\/li>

  • 2017:<\/strong> The black swan year. WannaCry<\/strong> (global ransomware) and NotPetya<\/strong> (supply-chain wiper) reset the rules.<\/p><\/li>

  • 2019\u20132020:<\/strong> Large-scale supply chain<\/strong> compromises (SolarWinds<\/strong>) with a focus on espionage.<\/p><\/li>

  • 2021\u20132025:<\/strong> Cartelized ransomware, double extortion<\/strong>, attacks on SaaS\/IT providers<\/strong>, and campaigns mixing crime and geopolitics.<\/p><\/li><\/ul>

    For me, 2017 was the turning point: NotPetya<\/strong> made it painfully clear we\u2019re not as resilient<\/strong> as we think, and that a single critical dependency (accounting\/tax, logistics, IT) can freeze half a country.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

    \n\t\t\t\t
    \n\t\t\t\t\t

    Top 10 Historic Cyberattacks (with takeaways)<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    1) NotPetya (2017) \u2014 the wiper that froze Ukraine and rippled worldwide<\/h2>

    What happened.<\/strong> Attackers compromised the update mechanism of M.E.Doc<\/strong> (widely used Ukrainian tax software). The payload unpacked as a worm: credential dumping<\/strong> with Mimikatz, lateral movement via EternalBlue\/EternalRomance<\/strong>, then MBR tampering<\/strong> and disk encryption patterns that made recovery infeasible. The ransom note was camouflage\u2014no working decryptor<\/strong> existed.<\/p>

    Why it mattered.<\/strong> It turned a niche supplier into a single point of failure<\/strong> for a country, then leapt globally through multinational networks. It showed how \u201cIT housekeeping\u201d issues (flat networks, legacy SMB, over-privileged service accounts) can become national-scale outages<\/strong>.<\/p>

    TTPs to know.<\/strong> Supply-chain compromise; signed or trusted updates; LSASS access; SMB\/RPC lateral movement; scheduled tasks and PsExec; destructive MBR\/boot changes.<\/p>

    Detection clues.<\/strong> Unusual outbound traffic after updates; spikes in SMB sessions; LSASS handle access; sudden creation of scheduled tasks across many hosts; fake \u201cdisk repair\u201d messages before reboot.<\/p>

    What would have changed the outcome.<\/strong><\/p>

    • Strict network segmentation<\/strong> and deny-by-default<\/strong> for SMB between segments.<\/p><\/li>

    • LSA Protection\/LAPS<\/strong>, tiered admin and PAWs to contain creds.<\/p><\/li>

    • Immutable backups<\/strong> + frequent restore drills; golden-image rebuilds.<\/p><\/li>

    • Supplier due diligence<\/strong>: signed updates, SBOM, build integrity evidence.<\/p><\/li><\/ul>

      Personal note: identifying the perfc<\/code> kill switch<\/strong> (read-only file) proved how a tiny technical detail can buy time when everything else is on fire.<\/p><\/blockquote>

      2) WannaCry (2017) \u2014 planet-scale ransomware at worm speed<\/h2>

      What happened.<\/strong> Automated exploitation of SMBv1<\/strong> (EternalBlue) delivered ransomware that self-propagated with minimal human interaction. Critical services (including healthcare) were hit within hours.<\/p>

      Why it mattered.<\/strong> It was the clearest demonstration that patch latency<\/strong> on internet-reachable or internally widespread protocols translates directly into business downtime<\/strong>.<\/p>

      TTPs to know.<\/strong> SMBv1 remote code execution; basic persistence; rapid encryption of common extensions; crude but effective worming logic.<\/p>

      Detection clues.<\/strong> Surges in port 445 traffic; anomalous scanning from a single host to many; sudden spikes in file rename\/write operations.<\/p>

      What would have changed the outcome.<\/strong><\/p>

      • Retiring SMBv1<\/strong> and hardening SMB.<\/p><\/li>

      • Accelerated patching<\/strong> for edge-exposed services; maintenance windows sized to risk.<\/p><\/li>

      • EDR rules for worm-like behavior; isolation playbooks to quarantine first, ask later<\/strong>.<\/p><\/li><\/ul>

        3) Stuxnet (2010) \u2014 the first industrial cyber-weapon<\/h2>

        What happened.<\/strong> Multi-stage malware leveraged several 0-days<\/strong> and stolen certificates to infiltrate air-gapped environments via USB, then targeted PLC logic<\/strong> to subtly alter physical processes while spoofing operator screens.<\/p>

        Why it mattered.<\/strong> It proved malware can cause physical degradation<\/strong> without obvious alarms, and that engineering workstations<\/strong> and ladder logic are part of the threat surface.<\/p>

        TTPs to know.<\/strong> LNK and Print Spooler 0-days (historically), code-signing abuse, PLC payloads, rootkits for ICS.<\/p>

        Detection clues.<\/strong> Unexpected ladder logic changes; mismatches between telemetry and HMI displays; unsigned\/odd drivers on engineering hosts.<\/p>

        What would have changed the outcome.<\/strong><\/p>

        • IT\/OT segregation<\/strong>, jump-server patterns, unidirectional gateways.<\/p><\/li>

        • Change control specific to PLC projects<\/strong>; out-of-band validation of sensor data.<\/p><\/li>

        • Application allow-listing and driver signing enforcement on engineering stations.<\/p><\/li><\/ul>

          4) SolarWinds (2020) \u2014 supply-chain espionage<\/h2>

          What happened.<\/strong> A trusted enterprise IT platform shipped trojanized updates<\/strong>, granting covert access to thousands of networks. Post-compromise, operators used living-off-the-land techniques to remain stealthy.<\/p>

          Why it mattered.<\/strong> It showed that a single vendor build pipeline<\/strong> can become a force multiplier for long-term, low-noise espionage<\/strong> across public and private sectors.<\/p>

          TTPs to know.<\/strong> Build system tampering; signed malicious DLLs; SAML token abuse; selective C2 with very low noise.<\/p>

          Detection clues.<\/strong> Rare parent-child process chains on the platform\u2019s services; unusual Azure AD\/IdP token flows; beaconing with long sleep intervals.<\/p>

          What would have changed the outcome.<\/strong><\/p>

          • Build integrity<\/strong> (isolated signers, reproducible builds, attestations).<\/p><\/li>

          • SBOM<\/strong> distribution; update telemetry<\/strong> and anomaly scoring.<\/p><\/li>

          • Zero Trust<\/strong> on east-west traffic and identity; continuous verification of IdP assumptions.<\/p><\/li><\/ul>

            5) Yahoo (2013\u20132014) \u2014 the largest account breach<\/h2>

            What happened.<\/strong> Attackers harvested account data at unprecedented scale by chaining app weaknesses, credential weaknesses, and token\/session handling issues.<\/p>

            Why it mattered.<\/strong> It reset expectations about the scope and longevity<\/strong> of PII breaches and their valuation impact<\/strong> years later.<\/p>

            TTPs to know.<\/strong> Session fixation\/forgery patterns; weak hashing for legacy datasets; credential stuffing follow-ons.<\/p>

            Detection clues.<\/strong> Anomalous authentication patterns from shared ASNs; token reuse outside expected lifetimes; high-volume profile reads.<\/p>

            What would have changed the outcome.<\/strong><\/p>

            • Argon2\/bcrypt<\/strong> with strong parameters; rotate legacy hashes.<\/p><\/li>

            • Risk-based authentication<\/strong> and anomaly detection.<\/p><\/li>

            • Session lifecycle hygiene and key rotation by default.<\/p><\/li><\/ul>

              6) Equifax (2017) \u2014 known vulnerability, massive impact<\/h2>

              What happened.<\/strong> An internet-facing application with a known critical vulnerability<\/strong> remained unpatched; attackers exfiltrated sensitive PII through the app layer.<\/p>

              Why it mattered.<\/strong> It showcased how asset discovery gaps<\/strong> and weak patch governance can eclipse any number of downstream controls.<\/p>

              TTPs to know.<\/strong> Web RCE, web shells, data staging and exfil over HTTPS.<\/p>

              Detection clues.<\/strong> Odd user-agent strings; long-lived HTTPS sessions to little-known hosts; spikes in DB reads off business hours.<\/p>

              What would have changed the outcome.<\/strong><\/p>

              • Continuous asset inventory<\/strong>; SLA-driven patching<\/strong> by CVSS + exploitability.<\/p><\/li>

              • Runtime protection (WAF\/RASP<\/strong>) tuned to the stack.<\/p><\/li>

              • Tabletop exercises focused on PII breach response<\/strong>.<\/p><\/li><\/ul>

                7) Sony Pictures (2014) \u2014 leaks and destructive sabotage<\/h2>

                What happened.<\/strong> Social engineering and footholds led to domain-wide expansion, data theft<\/strong>, and destructive wiping<\/strong> of many endpoints\/servers, plus staged leaks to maximize reputational harm.<\/p>

                Why it mattered.<\/strong> It mixed destruction<\/strong> with information operations<\/strong>, forcing organizations to plan for technical + PR + legal<\/strong> crises in parallel.<\/p>

                TTPs to know.<\/strong> Phishing, credential reuse, domain escalation, data staging, wiper deployment.<\/p>

                Detection clues.<\/strong> Sudden large SMB copies; archival utilities running on non-backup hosts; mass creation of scheduled tasks; spikes in endpoint reimages.<\/p>

                What would have changed the outcome.<\/strong><\/p>

                • Tiered admin<\/strong> and PAWs; DLP with meaningful policies.<\/p><\/li>

                • Data segmentation and need-to-know<\/strong> access.<\/p><\/li>

                • A communications crisis plan<\/strong> rehearsed with legal and PR.<\/p><\/li><\/ul>

                  8) Estonia (2007) \u2014 country-scale DDoS<\/h2>

                  What happened.<\/strong> A wave of coordinated DDoS<\/strong> knocked out government portals, banks, and media sites, overwhelming upstream capacity and local infra.<\/p>

                  Why it mattered.<\/strong> It was an early lesson in national digital resilience<\/strong> and the need for pre-arranged DDoS partnerships<\/strong>.<\/p>

                  TTPs to know.<\/strong> Botnet-driven volumetric floods; application-layer requests at scale; reflector\/amplifier abuse.<\/p>

                  Detection clues.<\/strong> Sudden surges from diverse global IPs; SYN floods; spikes in 502\/503s; upstream congestion alerts.<\/p>

                  What would have changed the outcome.<\/strong><\/p>

                  • Contracts with scrubbing centers<\/strong>; anycast<\/strong> and geo load-balancing.<\/p><\/li>

                  • Rate-limiting and caching strategies; crisis comms channels outside the primary domain.<\/p><\/li><\/ul>

                    9) Georgia (2008) \u2014 hybrid-warfare prelude<\/h2>

                    What happened.<\/strong> DDoS and defacements aligned with kinetic operations to degrade information flows and public confidence.<\/p>

                    Why it mattered.<\/strong> It established cyber as a standard theatre<\/strong> in geopolitical crises, pressuring response coordination across civil, military, and private operators.<\/p>

                    TTPs to know.<\/strong> Website defacement chains; DDoS; opportunistic compromises of media\/government CMS.<\/p>

                    Detection clues.<\/strong> Admin logins from atypical geos; spikes in web POSTs; DNS tampering attempts.<\/p>

                    What would have changed the outcome.<\/strong><\/p>

                    • Inter-agency exercises<\/strong>; pre-approved fallback sites and broadcast channels.<\/p><\/li>

                    • Managed DNS with locked registrar settings<\/strong>; WAF\/CDN failover plans.<\/p><\/li><\/ul>

                      10) Cadena SER (2019) \u2014 local but consequential newsroom outage<\/h2>

                      What happened.<\/strong> Ransomware<\/strong> disrupted editorial systems, forcing manual workflows and impacting broadcasting schedules.<\/p>

                      Why it mattered.<\/strong> A reminder that media uptime is public-interest infrastructure<\/strong> and that newsroom IT often mixes legacy stacks with modern SaaS.<\/p>

                      TTPs to know.<\/strong> Phishing footholds; lateral movement to file servers; rapid encryption of shared volumes.<\/p>

                      Detection clues.<\/strong> Burst of file renames; spikes in CPU\/disk on NAS; EDR flags for mass encryption patterns.<\/p>

                      What would have changed the outcome.<\/strong><\/p>

                      • Hardened endpoint baselines<\/strong> and privilege hygiene<\/strong>.<\/p><\/li>

                      • Segregated broadcast-critical<\/strong> segments with restrictive ACLs.<\/p><\/li>

                      • Practiced manual continuity<\/strong> and image-based rapid restore for studios.<\/p><\/li><\/ul><\/blockquote>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                        \n\t\t\t\t
                        \n\t\t\t\t\t\t\t\t\t

                        How Major Attacks Spread: worms, exploits, and lateral movement<\/h2>

                        Large-scale impact rarely comes from a single phish. It\u2019s the automation + reach<\/strong> that turns a foothold into a crisis.<\/p>

                        • Worms:<\/strong> automate discovery and exploitation (e.g., WannaCry\/NotPetya). Once inside, they scan, replicate, and trigger encryption or wiping with minimal human input.<\/p><\/li>

                        • Credentials:<\/strong> tools like Mimikatz<\/strong> harvest credentials from memory (LSASS) and cached secrets. Without LSA Protection<\/strong>, tiered admin<\/strong>, and LAPS<\/strong>, one endpoint can unlock the whole estate.<\/p><\/li>

                        • Network exploits:<\/strong> SMB\/RDP\/VPN bugs accelerate spread across flat networks. Old protocols (SMBv1) and weak segmentation are force multipliers.<\/p><\/li>

                        • ATT&CK tactics:<\/strong> Lateral Movement<\/strong> (Pass-the-Hash\/Ticket, PsExec, WMI), Privilege Escalation<\/strong>, Defense Evasion<\/strong> (tamper AV\/EDR), and stealthy Command & Control<\/strong> (long sleep intervals, domain fronting).<\/p><\/li><\/ul>

                          From experience, the bottleneck isn\u2019t \u201cdetection exists?\u201d but reaction speed<\/strong>. If your EDR shouts while the network still allows free east-west movement, the attacker wins on velocity<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                          \n\t\t\t\t
                          \n\t\t\t\t\t\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n
                          How they spread \u2014 and how to stop them<\/caption>\r\n
                          Technique<\/th>\r\n How it works<\/th>\r\n Signals<\/th>\r\n Defense<\/th>\r\n <\/tr>\r\n <\/thead>\r\n
                          Phishing \/ Social engineering<\/th>\r\n Delivers payload or harvests creds via email\/SMS<\/td>\r\n Unusual clicks, obfuscated attachments<\/td>\r\n Training, sandboxing, DMARC\/DKIM\/SPF<\/td>\r\n <\/tr>\r\n
                          Supply-chain compromise<\/th>\r\n Trojanized updates or tampered dependencies<\/td>\r\n Odd traffic post-update, hash\/signature mismatches<\/td>\r\n Signed updates, SBOM, build-integrity attestations<\/td>\r\n <\/tr>\r\n
                          Exploiting remote services<\/th>\r\n SMB\/RDP\/VPN flaws; internet-exposed edge<\/td>\r\n Port 445\/3389 spikes; mass auth attempts<\/td>\r\n Patching, disable SMBv1, MFA, segmentation<\/td>\r\n <\/tr>\r\n
                          Credential dumping<\/th>\r\n Reads LSASS; extracts hashes\/tickets<\/td>\r\n LSASS access, known IOCs<\/td>\r\n LSA Protection, EDR\/XDR, LAPS, tiered admin<\/td>\r\n <\/tr>\r\n
                          Lateral movement<\/th>\r\n PsExec\/WMI; Pass-the-Hash\/Ticket<\/td>\r\n Admin remote tools on unusual hosts<\/td>\r\n Micro-segmentation, MFA, block unneeded protocols<\/td>\r\n <\/tr>\r\n
                          Persistence<\/th>\r\n Tasks\/services\/registry run at boot<\/td>\r\n New autoruns without change tickets<\/td>\r\n Change control, application allow-listing<\/td>\r\n <\/tr>\r\n
                          Exfiltration<\/th>\r\n HTTP(S) or DNS tunneling<\/td>\r\n Traffic to rare domains; volume anomalies<\/td>\r\n DLP, proxy inspection with governance<\/td>\r\n <\/tr>\r\n
                          Wiper \/ MBR overwrite<\/th>\r\n Irreversible data\/boot corruption<\/td>\r\n Fake \u201cdisk repair\u201d banner; mass reboots<\/td>\r\n Immutable backups; immediate isolation<\/td>\r\n <\/tr>\r\n
                          Stealthy C2<\/th>\r\n Long sleeps; blends with legit traffic<\/td>\r\n Periodic beacons; odd JA3\/UA fingerprints<\/td>\r\n Threat intel, reputation blocking, EDR<\/td>\r\n <\/tr>\r\n
                          Living off the Land<\/th>\r\n Native tools (PowerShell, WMI) abused<\/td>\r\n Signed scripts in unusual contexts<\/td>\r\n ConstrainedLanguage, logging, allow-listing<\/td>\r\n <\/tr>\r\n <\/tbody>\r\n<\/table>\r\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                          \n\t\t\t\t
                          \n\t\t\t\t\t\t\t\t\t

                          Supply-chain attacks: the M.E.Doc lesson and why SMEs are targets<\/h2>

                          Uncomfortable truth:<\/strong> your security equals that of your weakest supplier<\/strong>. In my case, watching a mandatory tax app turn into a beachhead was a wake-up call. SMEs often think \u201cWhy would anyone target us?\u201d The answer: you\u2019re the bridge<\/strong> to larger prey.<\/p>

                          What to demand from suppliers<\/strong> (and write into contracts):<\/p>

                          • Evidence of build security<\/strong> (isolated signers, protected pipelines, reproducible builds).<\/p><\/li>

                          • SBOM<\/strong> and vulnerability advisories; patching SLAs<\/strong> by criticality.<\/p><\/li>

                          • Audit rights<\/strong>, security questionnaires with proof, and a Plan B<\/strong> if the update channel is compromised.<\/p><\/li>

                          • Incident notification SLAs<\/strong> with secure channels and contact trees.<\/p><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                            \n\t\t\t\t
                            \n\t\t\t\t\t\t\t\t\t

                            Actionable lessons: what we wish we\u2019d had before<\/strong> the disaster<\/h2>

                            1. Segmentation & micro-segmentation<\/strong> (default-deny SMB between segments).<\/p><\/li>

                            2. Identity security:<\/strong> MFA<\/strong> everywhere, LAPS<\/strong>, tiered admin<\/strong>, PAWs<\/strong> for privileged work.<\/p><\/li>

                            3. Accelerated patching<\/strong> for internet-exposed services and lateral-movement vectors.<\/p><\/li>

                            4. Immutable backups<\/strong> + quarterly restore drills<\/strong> with real RTO\/RPO.<\/p><\/li>

                            5. EDR\/XDR<\/strong> tuned for credential dumping<\/strong> and lateral movement<\/strong>.<\/p><\/li>

                            6. Application allow-listing<\/strong> on critical servers and sensitive endpoints.<\/p><\/li>

                            7. Centralized telemetry<\/strong> (SIEM) and response playbooks<\/strong> rehearsed.<\/p><\/li>

                            8. SecDevOps<\/strong> and supply-chain hardening (signatures, SBOM, attestations).<\/p><\/li>

                            9. Zero Trust<\/strong>: verify explicitly; assume breach; limit blast radius.<\/p><\/li>

                            10. Culture & training<\/strong>: tabletop exercises, clear roles, decision rights.<\/p><\/li><\/ol>

                              From experience: segmenting<\/strong> and practicing restores<\/strong> isn\u2019t glamorous, but it saves businesses<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

                              \n\t\t\t\t
                              \n\t\t\t\t\t\t\t\t\t

                              Tables of interest<\/h2>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                              \n\t\t\t\t
                              \n\t\t\t\t\t\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n
                              Timeline (2007\u20132025): evolution of major cyberattacks<\/caption>\r\n
                              Year<\/th>\r\n Case<\/th>\r\n Category<\/th>\r\n Impact<\/th>\r\n <\/tr>\r\n <\/thead>\r\n
                              2007<\/th>\r\n Estonia<\/td>\r\n DDoS<\/td>\r\n Disruption of government\/financial services<\/td>\r\n <\/tr>\r\n
                              2008<\/th>\r\n Georgia<\/td>\r\n Hybrid warfare<\/td>\r\n DDoS\/defacement during hostilities<\/td>\r\n <\/tr>\r\n
                              2010<\/th>\r\n Stuxnet<\/td>\r\n ICS\/OT<\/td>\r\n Physical damage to industrial equipment<\/td>\r\n <\/tr>\r\n
                              2013\u20132014<\/th>\r\n Yahoo<\/td>\r\n Data breach<\/td>\r\n User accounts compromised at massive scale<\/td>\r\n <\/tr>\r\n
                              2014<\/th>\r\n Sony Pictures<\/td>\r\n Wiper + leaks<\/td>\r\n Large-scale leaks and device wiping<\/td>\r\n <\/tr>\r\n
                              2015\u20132016<\/th>\r\n Ukraine power outages<\/td>\r\n Critical infrastructure<\/td>\r\n Interruptions to electricity supply<\/td>\r\n <\/tr>\r\n
                              2017<\/th>\r\n WannaCry<\/td>\r\n Ransomware<\/td>\r\n Worldwide spread via SMBv1<\/td>\r\n <\/tr>\r\n
                              2017<\/th>\r\n NotPetya<\/td>\r\n Wiper<\/td>\r\n Global shutdowns and domino effects<\/td>\r\n <\/tr>\r\n
                              2020<\/th>\r\n SolarWinds<\/td>\r\n Supply chain<\/td>\r\n Persistent access across many organizations<\/td>\r\n <\/tr>\r\n
                              2021\u20132025<\/th>\r\n Trends<\/td>\r\n Cartelized ransomware<\/td>\r\n Double extortion; attacks on SaaS\/IT providers<\/td>\r\n <\/tr>\r\n <\/tbody>\r\n<\/table>\r\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                              \n\t\t\t\t
                              \n\t\t\t\t\t\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n
                              Top 10 biggest cyberattacks (with vector and key lesson)<\/caption>\r\n
                              Rank<\/th>\r\n Case (year)<\/th>\r\n Vector<\/th>\r\n Reach<\/th>\r\n Type<\/th>\r\n Lesson<\/th>\r\n <\/tr>\r\n <\/thead>\r\n
                              1<\/th>\r\n NotPetya (2017)<\/td>\r\n Supply chain (M.E.Doc)<\/td>\r\n Global, multi-sector<\/td>\r\n Wiper<\/span><\/td>\r\n Segmentation + immutable backups<\/td>\r\n <\/tr>\r\n
                              2<\/th>\r\n WannaCry (2017)<\/td>\r\n SMBv1 exploit (EternalBlue)<\/td>\r\n Global<\/td>\r\n Ransomware<\/span><\/td>\r\n Accelerate critical patching<\/td>\r\n <\/tr>\r\n
                              3<\/th>\r\n Stuxnet (2010)<\/td>\r\n 0-days \/ USB \/ ICS<\/td>\r\n OT\/SCADA<\/td>\r\n Industrial sabotage<\/span><\/td>\r\n Segregate IT\/OT; monitor engineering<\/td>\r\n <\/tr>\r\n
                              4<\/th>\r\n SolarWinds (2020)<\/td>\r\n Compromised update<\/td>\r\n Many orgs, public\/private<\/td>\r\n Espionage<\/span><\/td>\r\n Signatures, SBOM, build integrity<\/td>\r\n <\/tr>\r\n
                              5<\/th>\r\n Yahoo (2013\u20132014)<\/td>\r\n Credentials\/API<\/td>\r\n Billions of accounts<\/td>\r\n Data breach<\/span><\/td>\r\n Strong hashing & anomaly detection<\/td>\r\n <\/tr>\r\n
                              6<\/th>\r\n Equifax (2017)<\/td>\r\n Unpatched web vuln (Struts)<\/td>\r\n Consumer PII<\/td>\r\n Data breach<\/span><\/td>\r\n Vuln mgmt & tuned WAF<\/td>\r\n <\/tr>\r\n
                              7<\/th>\r\n Sony Pictures (2014)<\/td>\r\n Phishing \/ destructive actions<\/td>\r\n Media & entertainment<\/td>\r\n Wiper + leaks<\/span><\/td>\r\n DLP, segregation, crisis comms<\/td>\r\n <\/tr>\r\n
                              8<\/th>\r\n Estonia (2007)<\/td>\r\n Coordinated DDoS<\/td>\r\n Country services<\/td>\r\n DDoS<\/span><\/td>\r\n Scrubbing, anycast, redundancy<\/td>\r\n <\/tr>\r\n
                              9<\/th>\r\n Georgia (2008)<\/td>\r\n DDoS \/ defacement<\/td>\r\n Government & media<\/td>\r\n Hybrid warfare<\/span><\/td>\r\n Inter-agency crisis readiness<\/td>\r\n <\/tr>\r\n
                              10<\/th>\r\n Cadena SER (2019)<\/td>\r\n Ransomware<\/td>\r\n Spanish media<\/td>\r\n Ransomware<\/span><\/td>\r\n Business continuity for newsrooms<\/td>\r\n <\/tr>\r\n <\/tbody>\r\n<\/table>\r\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                              \n\t\t\t\t
                              \n\t\t\t\t\t\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n
                              How they spread \u2014 and how to stop them<\/caption>\r\n
                              Technique<\/th>\r\n How it works<\/th>\r\n Signals<\/th>\r\n Defense<\/th>\r\n <\/tr>\r\n <\/thead>\r\n
                              Phishing \/ Social engineering<\/th>\r\n Delivers payload or harvests creds via email\/SMS<\/td>\r\n Unusual clicks, obfuscated attachments<\/td>\r\n Training, sandboxing, DMARC\/DKIM\/SPF<\/td>\r\n <\/tr>\r\n
                              Supply-chain compromise<\/th>\r\n Trojanized updates or tampered dependencies<\/td>\r\n Odd traffic post-update, hash\/signature mismatches<\/td>\r\n Signed updates, SBOM, build-integrity attestations<\/td>\r\n <\/tr>\r\n
                              Exploiting remote services<\/th>\r\n SMB\/RDP\/VPN flaws; internet-exposed edge<\/td>\r\n Port 445\/3389 spikes; mass auth attempts<\/td>\r\n Patching, disable SMBv1, MFA, segmentation<\/td>\r\n <\/tr>\r\n
                              Credential dumping<\/th>\r\n Reads LSASS; extracts hashes\/tickets<\/td>\r\n LSASS access, known IOCs<\/td>\r\n LSA Protection, EDR\/XDR, LAPS, tiered admin<\/td>\r\n <\/tr>\r\n
                              Lateral movement<\/th>\r\n PsExec\/WMI; Pass-the-Hash\/Ticket<\/td>\r\n Admin remote tools on unusual hosts<\/td>\r\n Micro-segmentation, MFA, block unneeded protocols<\/td>\r\n <\/tr>\r\n
                              Persistence<\/th>\r\n Tasks\/services\/registry run at boot<\/td>\r\n New autoruns without change tickets<\/td>\r\n Change control, application allow-listing<\/td>\r\n <\/tr>\r\n
                              Exfiltration<\/th>\r\n HTTP(S) or DNS tunneling<\/td>\r\n Traffic to rare domains; volume anomalies<\/td>\r\n DLP, proxy inspection with governance<\/td>\r\n <\/tr>\r\n
                              Wiper \/ MBR overwrite<\/th>\r\n Irreversible data\/boot corruption<\/td>\r\n Fake \u201cdisk repair\u201d banner; mass reboots<\/td>\r\n Immutable backups; immediate isolation<\/td>\r\n <\/tr>\r\n
                              Stealthy C2<\/th>\r\n Long sleeps; blends with legit traffic<\/td>\r\n Periodic beacons; odd JA3\/UA fingerprints<\/td>\r\n Threat intel, reputation blocking, EDR<\/td>\r\n <\/tr>\r\n
                              Living off the Land<\/th>\r\n Native tools (PowerShell, WMI) abused<\/td>\r\n Signed scripts in unusual contexts<\/td>\r\n ConstrainedLanguage, logging, allow-listing<\/td>\r\n <\/tr>\r\n <\/tbody>\r\n<\/table>\r\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                              \n\t\t\t\t
                              \n\t\t\t\t\t\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n
                              Supplier security checklist (software supply chain)<\/caption>\r\n
                              Control<\/th>\r\n What to require<\/th>\r\n Evidence<\/th>\r\n Frequency<\/th>\r\n <\/tr>\r\n <\/thead>\r\n
                              Build integrity<\/th>\r\n Signed releases; isolated build\/signing<\/td>\r\n Hash + build report\/attestation<\/td>\r\n Per release<\/td>\r\n <\/tr>\r\n
                              SBOM<\/th>\r\n Component list & versions<\/td>\r\n SPDX\/CycloneDX SBOM<\/td>\r\n Quarterly<\/td>\r\n <\/tr>\r\n
                              Vulnerability management<\/th>\r\n SLAs by criticality; EMER fixes<\/td>\r\n Patch compliance report<\/td>\r\n Monthly<\/td>\r\n <\/tr>\r\n
                              Access & privileges<\/th>\r\n Least privilege; SSO\/MFA<\/td>\r\n Access matrix & reviews<\/td>\r\n Semiannual<\/td>\r\n <\/tr>\r\n
                              Logging & telemetry<\/th>\r\n Update\/build logs; secure retention<\/td>\r\n Signed logs; retention policy<\/td>\r\n Continuous<\/td>\r\n <\/tr>\r\n
                              Incident notification<\/th>\r\n Time-bound alerts; secure channel<\/td>\r\n Contractual clause + runbook<\/td>\r\n On incident<\/td>\r\n <\/tr>\r\n
                              Pentest \/ audit<\/th>\r\n Internal & external testing<\/td>\r\n Report + remediation proof<\/td>\r\n Annual<\/td>\r\n <\/tr>\r\n
                              Dependency hygiene<\/th>\r\n SCA; CVE alerting<\/td>\r\n SCA report<\/td>\r\n Per build<\/td>\r\n <\/tr>\r\n <\/tbody>\r\n<\/table>\r\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
                              \n\t\t\t\t\t
                              \n\t\t\t\t
                              \n\t\t\t\t
                              \n\t\t\t\t\t\r\n