Cracking the Code: Learning from Five Cyber Threats

As history tells us, there will always be a new cyber attack just around the corner. To paraphrase an old adage, there are two types of companies: those who have experienced a cyber attack and those who will experience a cyber attack. The real difference lies in one’s preparation and response.

Many tout using a guide or maturity model (e.g., NIST, HIPPA, or SANS) as a first step to protecting your organization’s data and systems. However, if we recall the Pareto Principle, aka the 80-20 rule, which asserts that in business, 80% of outcomes can be attributed to 20% of causes, we know that risk is found in the unprotected details. To find true protection, one must pursue all of the risks: the 20% is progressively harder and often where the failure point can be found. Think of it this way: when securing your home, you wouldn’t lock 80% of the entry points and not worry about securing the back door or the bedroom window, would you? The same is true of your data and systems; securing some of them is not enough.

The severity of a cyber attack is determined by how much harm it causes. In business, we classify these harms by:

  • Financial: revenue is lost, and money spent on recovery
  • Reputational: customers are less confident in your ability to handle their business
  • Operational: company operations are slowed or stopped

While it is important to expend effort protecting your firm from an attack, it is equally important to plan what to do once an incident occurs. This is an especially difficult task because the type of attack may be unknown. Below are five distinct real-life cyber attacks that were ground-breaking in their own right at the time. 

#1 The Morris Worm (1988)

Robert Morris created the first-ever worm, often referred to as the Morris Worm, when he was a 23-year-old student at Cornell. His motive was not to steal sensitive data as his worm had no payload. He created this worm as a harmless experiment, but things quickly escalated when his worm crawled to 100,000 machines, cost millions of dollars in damages, and was at the center of attention of the news cycle. The FBI launched an investigation into Morris, and he was the first person convicted by a jury to have violated the 1986 Computer Fraud and Abuse Act. He received a fine, probation, and an order to complete 400 hours of community service instead of facing jail time. The Morris Worm code poses no threat today, but it created the foundation of worms, being the precursor for every single worm in the cyber domain. More about the Morris Worm.

#2 The Moonlight Maze (2000)

Moonlight Maze was the code name given to a cyber attack in 2000 that stole classified data from NASA, the Department of Energy, and the Pentagon, among others. The Moonlight Maze operators “stole so much information that if printed on paper, it would stand three times higher than the Washington Monument” and is the longest-lasting example of an Advanced Persistent Threat (APT) cyber attack in history spanning two years. Penguin Turla, later renamed Turla, is the Russian-based APT group responsible for the Moonlight Maze incident, which infected victims in 45 countries. The Moonlight Maze operators stole sensitive data on U.S. maps of military installations, troop configurations, and military hardware designs, highlighting how devastating cyberattacks can be on U.S. National Security interests. Turla continues to conduct cyber attacks. More about the Moonlight Maze.

#3 WikiLeaks (2011)

WikiLeaks, a nonprofit organization, is notorious for publishing sensitive and classified information, particularly on U.S. government sources. In 2011, WikiLeaks fell victim to a cyber-attack where an encrypted file containing all the 251,287 U.S. diplomatic cables was posted on the web, with the file’s password. The cyber-attack endangered informants at the U.S. State Department. This jeopardized U.S. foreign policy goals as secret information, ranging from how the U.S. would respond to the Arab Spring Uprisings in Tunisia to a list of U.S. informants on the Taliban, was made available to U.S. adversaries, causing serious national security concerns. More about WikiLeaks.

#4 BlackEnergy Malware (2015)

BlackEnergy is a malware toolkit best known for the December 2015 cyber attack against Ukrainian critical infrastructure. Sandworm Team, associated with the Russian General Staff Main Intelligence Directorate (GRU), utilized this malware to cause power outages by exploiting the vulnerabilities of existing remote industrial control systems via VPN connections. This cyber attack affected three Ukrainian regional electric power distribution companies, impacting 225,000 customers. KillDisk, a disk-wiping tool that is a component of BlackEnergy Malware, erased the files on the target systems that corrupted the Ukrainian organization's master boot record, making recovery difficult. BlackEnergy Malware is an important tool for adversarial states, enabling their APT groups, criminal groups, and hackers to cause destruction, impacting thousands of innocent civilians. This emphasizes the need for nations to protect their critical infrastructure from this and other malware. 

#5 Colonial Pipeline Attack (2021)

The financially motivated APT group Fin7, commonly known as Carbon Spider, used their own Darkside Ransomware program to infiltrate the Colonial Pipeline. The attackers got into the network on May 6, 2021, through an exposed password for a Colonial Pipeline VPN account. The hackers stole 100 gigabytes of data within a two-hour period, negatively impacting production for 6 days until a $4.4 million ransomware was paid. President Joe Biden declared a national emergency on May 9, 2021, as the pipeline is one of the largest and most vital oil pipelines in the U.S. The shutdown of the Colonial Pipeline, which transports oil from the Gulf of Mexico to the U.S. East Coast, through its 5,000 miles (about twice the width of the U.S.) of pipelines, affected consumers and airlines making it the largest publicly disclosed cyber-attack against critical infrastructure in the U.S. More about the Colonial Pipeline Attack. 

While the level of sophistication and motives have changed over the years, the one consistency is that incredible damage is done when victims are caught off guard. Tomorrow’s attacker and their strategy may not be clear today, but there is still much you can do to secure your assets and create a contingency plan should the worst happen.