Timeline (year axis, 2007 to 2019)
Estonia is hit with a month-long wave of DDoS attacks that take down most domestic websites
Dmytro Oleksiuk, aka Cr4sh, sells BlackEnergy, a DDoS botnet tool, on Russian-language hacker forums for $40
Idaho National Laboratory’s Project Aurora demonstrates that a diesel generator can be destroyed by sending malicious code to its protective relay
Legend: ● Russia ● Sandworm ● USA ● other
First cyberwar
As a prelude to and in coordination with physical attacks, Russia hits Georgia with four days of DDoS attacks controlled using BlackEnergy
First time a country openly combines hacker disruption with traditional warfare
NSA’s Stuxnet malware accelerates Iran’s nuclear enrichment centrifuges until they destroy themselves
Crosses the line from digital hacking to physical sabotage
Benjamin Delpy releases Mimikatz, a program that abuses Windows’ WDigest feature to pull credentials from memory and decrypt them
Delpy posts source code for Mimikatz on GitHub and it becomes a universal tool in the hacker toolkit
CyberBerkut disrupts Ukraine’s elections
iSight Partners discovers a five-plus-year espionage campaign by a Russian group, which they name Sandworm, that used a variant of BlackEnergy to target NATO and Ukraine
ICS-CERT reports that Sandworm had penetrated and performed reconnaissance against critical infrastructure targets in Ukraine, Poland, and the USA
Sandworm brings down systems at Ukrainian media companies, the country’s largest railway company, and Kiev’s main airport, using the all-purpose BlackEnergy for access and reconnaissance, Mimikatz for further access, and KillDisk for data destruction
Sandworm takes down the power grid in western Ukraine for six hours, again using BlackEnergy, Mimikatz, and KillDisk
First known blackout caused by hackers; crosses the line from military to civilian targets
Olympic Destroyer malware destroys the Olympic organizing staff’s domain controllers
White House releases statement tying NotPetya to Russia, condemning the attack, acknowledging Russia’s cyberwar in Ukraine, and promising consequences
US DOJ indicts twelve GRU hackers for interfering in the 2016 US elections: nine from unit 26165 (suspected to be Fancy Bear) and three from unit 74455 (suspected to be Sandworm)
US Treasury announces new sanctions against nineteen people and five organizations in Russia
Cozy Bear and Fancy Bear penetrate the US Democratic National Committee and leak stolen documents to disrupt US elections and shift attention away from the blackout attacks in Ukraine
Shadow Brokers breach NSA’s Equation Group and release stolen hacking tools, some of which exploit zero-days, to embarrass the NSA and hold a mirror up to American accusations of reckless hacking
Shadow Brokers release IP addresses of NSA staging servers
Ukraine receives an even broader wave of attacks, probably rooted in BlackEnergy footholds secured the previous year and then expanded using Mimikatz
The Ukraine attacks culminate in a one-hour blackout achieved using DLLs dubbed Industroyer or Crash Override
Second-ever piece of code in the wild to directly attack the physical world
The Bad Rabbit malware attack primarily hits Russian websites, which is speculated to be a smokescreen, as well as some targeted infrastructure in Ukraine
Shadow Brokers release 20+ of the NSA’s hacking tools, including EternalBlue, which exploits a zero-day in practically every version of Windows prior to Windows 8
WannaCry ransomware, attributed to the North Korean hacker group Lazarus, spreads globally using EternalBlue until it is accidentally deactivated
NotPetya, a direct descendant of the KillDisk attacks that began in 2015 but combined with EternalBlue, starts spreading in Ukraine and soon goes worldwide
Most damaging malware in history at $4B in damages
Most damaging malware in history at $10B in damages