
Inventory of major cyber security events since 2010

Posted by punzalan at 2020-03-07

The second decade of the 21st century is about to pass. In the past decade, what important cyber security events have taken place? Let's review them together.

Over the past decade we have witnessed a large number of security incidents: data breaches, hacking attacks, espionage between nation states, almost uninterrupted financially motivated cybercrime, and malware that brought systems down. The following is a chronological list of major cyber security events since 2010. Rather than dwelling on the breaches and hacking operations themselves, we should focus on the techniques behind them, from which the future direction of cyber security can be foreseen, so that practitioners can understand the paradigm shifts in the field.

2010

Stuxnet

Stuxnet, a computer worm developed jointly by the United States and Israel, was built to sabotage Iran's nuclear weapons program.

The worm was designed to destroy the SCADA equipment used in Iran's nuclear fuel enrichment process, and it succeeded in damaging such equipment at several sites in Iran. Although states had attacked one another by other means before 2010, Stuxnet was the first cyber security event to shock the world: it moved from stealing information to destroying physical facilities, marking a new stage of cyber warfare.

Operation Aurora: Google hacked

Few people remember that even Google, the Internet giant, has had its back-end infrastructure breached, in an incident later called Operation Aurora. Besides Google, more than 20 companies were attacked, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman and Dow Chemical. The Operation Aurora intrusions actually took place in the 2000s, but were only discovered in early 2010.

"Press release" hackers

Between 2010 and 2015, a group of five Eastern European men broke into several newswire agencies and stole press releases before they were published. The group used the inside information to anticipate stock market moves and made trades that netted more than $100 million. The Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) began prosecuting members of the group in 2016.

2011

LulzSec and the "50 Days of Lulz"

LulzSec's influence on today's hacking scene cannot be ignored. The group liked to break into well-known companies and then show off its exploits online, in campaigns such as the "50 Days of Lulz" and other attacks. A whole set of hacker groups have since imitated LulzSec's attention-grabbing activities, such as Lizard Squad, New World Hackers, TeaMp0isoN, CWA and others. LulzSec remains the best remembered of them, mainly because it went after well-known targets such as Fox, HBGary, PBS, the CIA and Sony.

The DigiNotar hack changed how browsers work

The DigiNotar hack is a little-known incident from 2011 that ultimately improved the way browsers, certificate authorities (CAs) and the Internet work.

In 2011, Iranian hackers were found to have broken into DigiNotar, a Dutch CA, and used its infrastructure to issue forged SSL certificates for popular websites including Google and Gmail. The hackers then used the certificates to intercept encrypted HTTPS traffic and spy on more than 300,000 Iranians.

An investigation revealed shocking security lapses and business practices at the Dutch company, and its certificates were declared "untrusted" by most browser and operating system vendors. The hack put Google, browser makers and other tech giants on alert and then transformed the whole process of issuing SSL/TLS certificates. Many of the procedures developed after the DigiNotar hack remain in place today.

Sony PlayStation hack and the long outage

In the spring of 2011, Sony announced that hackers had stolen the details of 77 million PlayStation Network users, including personally identifiable information and financial details. Today that number seems modest, but at the time it was one of the biggest hacks in the world.

For Sony it was a disaster. To let engineers fix the security breach, the company had to shut down the PlayStation Network for 23 days, which is still the longest outage in PSN history. The company lost money because of the downtime, but the problems did not stop there: some users began to notice credit card fraud and filed class action lawsuits. The company then offered users a large number of free PlayStation 3 games to win customers back, which cost it even more.

The 2011 Sony PSN hack is remarkable because it showed that if a company does not invest properly in security, the losses a hack can cause are far larger than one might imagine. It is also remarkable because it started a trend of companies adding new terms of service that force users to waive their right to sue after a security incident. Sony was not the first to use such terms, but they became popular from then on, and many other companies have added similar clauses.

2012

Shamoon and its destructive power

Shamoon (also known as DistTrack), a piece of malware that originated in Iran, can be seen as a direct consequence of the Stuxnet attack two years earlier. Having experienced destructive malware first hand, Iran built its own "cyber weapon", which was first deployed in 2012.

The malware was mainly used to wipe data. Shamoon wiped more than 35,000 workstations on Saudi Aramco's network, paralysing the company for weeks. At the time it was reported that Saudi Aramco bought up as many of the world's hard disks as it could to replace the infected PCs, and despite suppliers' efforts to meet demand this still pushed up hard drive prices.

Variants of the malware were discovered in subsequent years, deployed mainly against oil and gas related companies.

Flame: the most complex malware ever

Kaspersky discovered the Flame malware, linked to the Equation Group. Flame is considered the most advanced and complex malware ever built.

Although even more complex malware had emerged by the time Kaspersky discovered Regin two years later, in 2014, the discovery of Flame revealed the gap in technology and capability between the US cyber arsenal and the tools used by other state actors.

The Washington Times later reported that Flame, like Stuxnet, belonged to the same set of hacking tools, aimed mainly at Iran. The malware has not been seen since, but it is still regarded as a landmark in global cyber espionage.

2013

The Snowden revelations

The Snowden leaks may be the most important cyber security event of the decade. They exposed the global surveillance network established by the United States and its "Five Eyes" allies after the September 11 attacks.

The Snowden affair prompted Russia, Iran and other countries to build up their own surveillance agencies and step up foreign intelligence collection, which led to an increase in cyber espionage across the board.

Today, many countries are keen to promote concepts such as the "national Internet" or "Internet sovereignty" to justify monitoring and censoring their citizens' network activity. It all began in 2013, when Snowden exposed the inner workings of the National Security Agency to the world.

Target hack

In December 2013, the retail giant Target admitted that malware embedded in its point-of-sale (POS) systems had helped hackers collect the payment card details of about 40 million customers, bringing POS malware to public attention.

There had been POS malware incidents before, but this was the first time a large retailer suffered a data breach on such a scale. Other retailers would follow in the next few years, and through continued reporting the world learned how hackers trade stolen cards on websites called "card shops", which are used to create cloned cards and drain victims' bank accounts.

Adobe hack

In November 2013, Adobe admitted that hackers had stolen the data of more than 153 million users. The data was dumped online, and the user passwords were cracked and recovered to plain text almost immediately. Over the years, this event has pushed companies to adopt strong password hashing functions.
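The reason a dump of fast, unsalted password hashes is recovered to plain text "almost immediately" is that one lookup table cracks every user at once. The following added example (written for this article; it is not Adobe's code, and the sample users, passwords and wordlist are constructed) contrasts that weak scheme with the kind of strong scheme the incident pushed the industry towards: a per-user random salt and a memory-hard key derivation function (scrypt from Python's standard library, with cost parameters chosen for the demo).

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny credential table as a site using an unsalted,
# fast hash would store it. The hashes are computed here from the sample
# passwords; nothing below comes from a real breach.
SAMPLE_PASSWORDS = {"alice": "123456", "bob": "password", "carol": "adobe123"}


def fast_unsalted_hash(password):
    """The weak scheme: one SHA-1 over the password, no salt, no work factor."""
    return hashlib.sha1(password.encode()).hexdigest()


LEAKED_TABLE = {user: fast_unsalted_hash(pw) for user, pw in SAMPLE_PASSWORDS.items()}

# A constructed stand-in for the common-password wordlists run against a dump.
COMMON_PASSWORDS = ["letmein", "123456", "qwerty", "password", "adobe123", "welcome"]


def crack_unsalted(leaked, wordlist):
    """Recover plaintexts from an unsalted dump with a single lookup table.

    Without a salt, one hash computation per candidate word serves every user
    in the dump at once, and identical passwords have identical hashes, which
    is why such dumps fall within hours of being posted.
    """
    lookup = {fast_unsalted_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# The strong scheme: random per-user salt plus a memory-hard KDF. The cost
# parameters are an assumption for this demo (16 MiB of memory per hash);
# production deployments tune them to their own hardware.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt=None):
    """Return 'scrypt$<salt hex>$<digest hex>' for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("weak scheme, cracked:", crack_unsalted(LEAKED_TABLE, COMMON_PASSWORDS))
    record = hash_password("adobe123")
    print("strong scheme record:", record)
    print("verify correct password:", verify_password("adobe123", record))
    print("verify wrong password:", verify_password("adobe124", record))
```

With the strong scheme, every guess has to be recomputed per user because each record carries its own salt, and each computation costs real memory and time, so the same wordlist that empties the weak table in one pass becomes impractical against a large dump.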

Shutting down the "Silk Road"

The Silk Road, a dark web market hosted on Tor and used to sell illegal goods, was shut down in 2013 in the first law enforcement case against a dark web market. It showed the world that the reach of the law extends even to the dark web. After the fall of the Silk Road, other dark web markets sprang up, but none survived for long: most either disappeared on their own (with administrators taking the money and running) or were shut down by law enforcement.

Have I Been Pwned?

"Have I Been Pwned?" was launched in December 2013 with the idea of giving users a simple way to check whether they were affected by the Adobe data breach. It has since become a brand of its own.

The site lets users see whether their user name or email address appears in leaked data. At present it holds databases from more than 410 hacked websites, covering more than 9 billion accounts. The site is integrated into Firefox, password managers, corporate back ends and even some government systems. Run by Troy Hunt, an Australian security expert, it has made a significant contribution to improving the security posture of organizations worldwide.

2014

North Korean hackers break into Sony

In 2014, Sony Pictures Entertainment was hacked, and North Korean hackers were exposed for the first time; what became clear is that they are also highly skilled. The hackers who launched the attack called themselves the "Guardians of Peace" (later known as the Lazarus Group), and they were linked to North Korea's intelligence agencies.

The purpose of the hack was to force the studio to abandon the release of a film called "The Interview", a comedy about an assassination plot against the North Korean leader Kim Jong Un. The hackers breached the company's internal network and leaked data and private e-mails online.

The Sony incident was started by a small group of hackers, but it made the world's security companies understand North Korea's hacking capabilities, and over the following years, in response to many other security incidents, they urged the industry to study North Korean hackers in order to defend networks properly.

Before the incident, North Korean hackers had mainly targeted their southern neighbours. After President Obama's response to the hack and the sanctions that followed, their hacking activities spread all over the world, and North Korea became one of the most active participants in cyber espionage and cyber crime.

Celebgate

To this day, cyber security companies use Celebgate (also known as "The Fappening") as a case study in spear phishing training, telling employees about the consequences of users not checking the legitimacy of password reset e-mails.

Back in 2014, a small number of hackers sent fake password reset e-mails to celebrities to trick them into entering their Gmail or iCloud passwords on phishing websites. The hackers used these credentials to access the accounts, find explicit or nude pictures and videos, and then spread them online. Further "Fappening" waves occurred in the following years, but the first took place in the summer of 2014.

Carbanak's raid on the banks

For years, experts and users assumed that hackers looking for money would go after consumers, retailers or companies. However, reports on Carbanak (also known as Anunak or FIN7) revealed, for the first time, a hacking group that stole money directly from banks.

Reports from Kaspersky Lab, Fox-IT and Group-IB show that the group was very advanced. It could penetrate a bank's internal network, hide for weeks or months, and then withdraw money through SWIFT bank transfers or coordinated ATM cash-outs. According to estimates, the group stole more than $1 billion from the banks it hit, the largest haul by any hacking group so far.

Mt. Gox hack

Mt. Gox was not the first cryptocurrency exchange in the world to be hacked, but it remains the largest victim of a cyber attack in the cryptocurrency ecosystem, and the hacker behind the attack is still a mystery. At the beginning of 2014, 850,000 bitcoins were stolen, now worth more than $6.3 billion. At the time, Mt. Gox was the world's largest cryptocurrency exchange.

After this incident, hackers realised that they could make huge profits from trading platforms, whose security protections are weak compared with traditional banks. Hundreds of similar hacks followed in the following years, but Mt. Gox remains the defining case.

Phineas Fisher

In the summer of 2014, the hacker Phineas Fisher first showed his taste for breaking into companies that make spyware and surveillance tools. He broke into Hacking Team and Gamma Group in 2014 and 2015, publishing internal documents and the source code of the spyware tools obtained from the two companies, and even some 0-day vulnerabilities.

The documents and code released by Phineas exposed the companies' business of selling spyware and surveillance tools to governments around the world. While some of these tools are used to catch criminals, some of the customers were authoritarian regimes whose leaders used the spyware to spy on dissidents, journalists and political opponents.

Heartbleed

The Heartbleed vulnerability in OpenSSL is one of the rarest kinds of security vulnerability. An attacker could use it to retrieve encryption keys from a public server, which could then be used to decrypt traffic or authenticate to less secure systems.

The vulnerability was exploited within days of its public disclosure and has triggered a series of attacks since 2014. Despite repeated warnings, some server operators have still not patched their OpenSSL installations in time. At the time of public disclosure, about 500,000 Internet servers were vulnerable, and some, if compromised, would take years to fix.

2015

Ashley Madison data breach

There have been thousands of data breaches in the past ten years, but if the most significant one has to be named, Ashley Madison takes the title.

The incident took place in July 2015, when a hacking group calling itself the Impact Team released the internal database of Ashley Madison, a social networking site for married people seeking affairs.

Today, most leaks consist of user names and passwords that users registered in the early 2000s and no longer even remember. But the impact of the Ashley Madison breach went far beyond that: it exposed the private lives of many people.

Users registered on the site were threatened with blackmail, and some even took their own lives after the data was made public. This is one of the few cyber security incidents that directly led to people's deaths.

Anthem and OPM hacks

Both hacks were disclosed in 2015, Anthem in February and OPM in June. Hackers stole 78.8 million medical records from Anthem and 21.5 million records of U.S. government employees from OPM.

SIM swapping

SIM swapping is a technique in which a hacker calls a mobile carrier and persuades the operator to transfer the victim's phone number to a SIM card controlled by the attacker. The first reports of SIM swapping attacks date back to 2015. Initially, hackers used SIM swapping to reset passwords on social media accounts, hijack popular user names and resell them online.

Later, hackers gradually realised that they could also use the technique to get into cryptocurrency or bank accounts and steal large sums from them, and SIM swapping attacks became more and more popular. The technique has since become especially common in the United States, where carriers allow users to port their phone numbers without going to a store in person, making American users the most vulnerable compared with most of the world.

DD4BC and Armada Collective

2015 was also the year of DDoS extortion. The technique was pioneered and spread widely by the DD4BC group, which e-mailed companies demanding payment in bitcoin and threatening otherwise to attack the company's infrastructure and take down key services with DDoS attacks.

Europol arrested members of the group in early 2016, but DD4BC's methods were copied by a group calling itself the Armada Collective, so the practice spread further. The strategy first used by DD4BC and the Armada Collective in 2015 and 2016 is still in use today: it is at the core of many current DDoS attacks, and some targets have been forced into periods of recovery.

Attack on Ukraine's power grid

In December 2015, a cyber attack on Ukraine's power grid caused a large-scale blackout in western Ukraine, the first successful case of a cyber attack being used to take down a power grid.

In this attack, the hackers used malware known as BlackEnergy, and a similar attack was carried out the following year (December 2016). An even more sophisticated piece of malware, called Industroyer, was used in the second attack, leaving one in five residents of the Ukrainian capital without power.

Although Stuxnet and Shamoon were the first cyber attacks against industrial targets, the two incidents in Ukraine were the first to affect the general public, making people aware of the danger cyber attacks pose to a country's critical infrastructure.

After Russia's invasion of the Crimean Peninsula in early 2014, these two attacks were only the prelude to a series of attacks on Ukraine by Russian hackers. Other incidents include the NotPetya and Bad Rabbit ransomware outbreaks in 2017.

The group behind the attacks is known as "Sandworm" and is considered part of Russia's military intelligence agency. The book Sandworm, by the cyber security journalist Andy Greenberg, details the group's hacking operations.

2016

Bank of Bangladesh cyber heist

In February 2016, hackers attempted to steal $1 billion from the Bank of Bangladesh, but only $81 million was taken in the end because of a typo.

At first it looked like the work of unskilled intruders, but it later emerged that the attempted cyber heist was the work of elite North Korean hackers. Overall, the Bank of Bangladesh hack has had a huge impact on the banking industry. It led to a comprehensive security overhaul of SWIFT, the international system used to transfer funds between banks, and SWIFT banned North Korea from using its network, a decision with far-reaching consequences.

Together, the two decisions pushed Pyongyang's hackers towards cryptocurrency exchanges, from which they allegedly stole hundreds of millions of dollars that the North Korean government then used to fund its nuclear weapons program.

Panama Papers

In April 2016, a team of well-known investigative journalists published a large and wide-ranging report called the Panama Papers, which exposed how wealthy people around the world, including business people, celebrities and politicians, used tax havens to evade taxes.

The report is considered the most influential of its kind, and its main source was the Panamanian law firm Mossack Fonseca. Although the journalists said they received the data from an anonymous source, many believe that hackers used vulnerabilities in the firm's WordPress and Drupal websites to get into its internal network and steal the data.

DNC hack

In the spring of 2016, the DNC acknowledged it had been hacked after a persona calling itself Guccifer 2.0 began publishing e-mails and documents stolen from the organisation's servers. Digital forensics later showed that the DNC had been breached not by a single hacker but by two Russian cyber espionage groups, Fancy Bear (APT28) and Cozy Bear (APT29).

The data stolen during the intrusion was used in a carefully planned influence operation aimed at the upcoming US presidential election. Whether it succeeded is hard to judge, though some believe it did. Such hacks occur often, and often in waves.

Yahoo's data breaches

2016 was a terrible year for Yahoo. The company announced two data breaches within four months, including one that later turned out to be the largest in the history of the Internet.

The two events are related in a strange way. Here is the timeline:

In July 2016, a hacker started selling Yahoo user data on the dark web.

In September 2016, while investigating whether the user data the hacker was selling was genuine, Yahoo found and disclosed a data breach from 2014 that affected 500 million users.

Yahoo blamed the breach on "state-sponsored hackers", which turned out to be true: in 2017, U.S. authorities accused the Russian government of directing hackers to break into Yahoo's network.

Ironically, while investigating the 2014 breach, Yahoo also tracked down the source of the user data being sold on the dark web.

That trail led back to a breach in 2013, which Yahoo initially said had affected 1 billion users. In 2017, Yahoo revised the figure to 3 billion, making it the biggest data breach in history.

The year of data breaches (peace_of_mind)

Yahoo's two breaches were only a few of the many leaks made public in 2016, a year that could be called "the year of data breaches". Companies affected by new and old breaches that year included Twitter, LinkedIn, Dropbox, MySpace, Tumblr, fling.com, vk.com, ok.ru, rambler.ru, AdultFriendFinder, Badoo, QIP and others.

More than 2.2 billion user records were exposed, most of them sold on hacker forums and dark web markets. Most of the leaks came via data traders such as peace_of_mind, tessa88 and LeakedSource.

Shadow Brokers

Between August 2016 and April 2017, a group of hackers calling themselves the "Shadow Brokers" taunted the Internet, auctioning and eventually releasing cyber attack tools developed by the Equation Group (the code name for the National Security Agency (NSA)).

These attack tools were extremely advanced, and their publication caused a big stir. A month after the Shadow Brokers' last leak, one of the tools, which exploited a vulnerability in Microsoft's SMB protocol and was known as EternalBlue, became the main engine driving the global WannaCry ransomware outbreak. To this day, who was behind the Shadow Brokers has not been determined.

Mirai and the Internet of Things nightmare

In early September 2016, a blog post introduced Mirai, a Linux malware used to infect routers and smart Internet of Things devices. Within three months, after being used to launch several large-scale DDoS attacks, it had become one of the most famous pieces of malware in the world.

Mirai's source code is publicly available on the Internet, and Mirai is one of the most widespread malware families today: most IoT/DDoS botnets are based on its source code. Mirai made people pay attention to the security of the Internet of Things.

2017

Three ransomware outbreaks

Speaking of ransomware outbreaks in 2017, three must be mentioned: WannaCry in mid May, NotPetya in late June and Bad Rabbit in late October. All three were developed by government-backed hackers, but for different reasons.

WannaCry was developed by North Korean hackers to infect companies and extort ransoms to fund the sanctioned Pyongyang regime, while NotPetya and Bad Rabbit were cyber weapons used to disrupt Ukrainian operations, a product of the conflict between Russia and Ukraine.

These groups did not expect to trigger global ransomware outbreaks. The problem is that they used the EternalBlue exploit released by the Shadow Brokers; at the time they did not understand the flaw well, and the damage the ransomware caused surprised even its developers.

Ironically, although NotPetya and Bad Rabbit were developed in Russia, Russian companies ended up suffering the greatest losses.

Vault 7 leak

The Vault 7 incident is one of WikiLeaks' more positive data leaks: a set of documents describing the CIA's cyber weapons. Vault 7 never contained any source code, but the leak gave some insight into the CIA's technical capabilities, including tools for breaking into iPhones, computer operating systems, mainstream browsers and even smart TVs. At the time, WikiLeaks said it had received the Vault 7 data from a whistleblower, later revealed to be Joshua Adam Schulte.

MongoDB Apocalypse

As ever, system administrators left databases exposed on the Internet without setting a password, and in 2017 hackers began to turn their attention to such companies. The MongoDB Apocalypse started in late December 2016 but surged in January of the following year. Hackers accessed the databases, deleted their contents and left a ransom note demanding cryptocurrency for the return of the (non-existent) data.

The first wave of attacks targeted MongoDB servers, but hackers later expanded to other database technologies such as MySQL, Cassandra, Hadoop, Elasticsearch, PostgreSQL and others. By the end of the year the attacks had tapered off, but a new problem remained: misconfigured databases were still left unprotected on the Internet.
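The two settings that made these databases easy prey are visible in a handful of lines of mongod.conf: listening on every interface, and no authorization. The following added example (written for this article, not part of the original or of MongoDB's own tooling) embeds a constructed exposed configuration beside a hardened one and runs a small audit over both. It uses only the real mongod.conf keys net.bindIp, net.bindIpAll and security.authorization; the tiny YAML reader and the assumption that bindIp defaults to localhost (true for mongod 3.6 and later) are this example's own.

```python
# Constructed mongod.conf fragments for the demo (the YAML layout mongod uses).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1        # local clients only; add a private address for app servers
security:
  authorization: enabled   # every client must authenticate and is bound by its roles
storage:
  dbPath: /var/lib/mongodb
"""


def parse_conf(text):
    """Minimal reader for mongod.conf's 'section:' lines with indented
    'key: value' lines (a deliberately tiny subset of YAML, so PyYAML is not needed)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):                  # top-level section name
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        else:                                         # indented key: value pair
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return findings for settings that leave the instance open to the
    delete-and-ransom attacks described above; an empty list means both checks pass."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []
    # Assumption for this demo: bindIp defaults to localhost when unset (mongod 3.6+).
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll") == "true" or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append("net.bindIp: listening on all interfaces")
    if security.get("authorization") != "enabled":
        findings.append("security.authorization: not enabled, no credentials required")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_mongod_conf(conf) or ["ok"])
```

Binding to a private address and enabling authorization removes the two conditions the wave of attacks depended on; a firewall rule in front of port 27017 and a check that the instance is not reachable from the Internet complete the picture.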

At the end of 2017, a new kind of security researcher, the "vulnerability searcher", emerged: people who look for open databases and contact their owners to let them know that sensitive information has been exposed. In the following years, most security vulnerabilities and data leaks were discovered by these "vulnerability searchers" rather than by hackers dumping data after an intrusion.

Equifax data breach

In 2017, hackers stole the personal details of more than 145.5 million Americans, Britons and Canadians from Equifax's systems. But the Equifax hackers remain a mystery.

Although the subsequent investigation found that the company had failed to patch a serious vulnerability on its servers, who was behind the intrusion and what their motives were remain unknown. Whoever attacked one of the three largest consumer credit reporting agencies in the United States deserves a place on this ten-year list.

Cryptojacking

The rise and fall of cryptojacking is directly tied to Coinhive, a web service that mines cryptocurrency through JavaScript and could be added to any website as a script file.

Hacker groups placed cryptojacking scripts anywhere they could run JavaScript: compromised websites, video game mods, router control panels, browser extensions and so on.

Coinhive operated from September 2017 until it shut down in March 2019, but cryptojacking (also known as drive-by mining) remains a nuisance for Internet users, slowing down browsers and driving up CPU usage, even though the technique is not particularly profitable.

2018

Cambridge Analytica and Facebook's fall from grace

Before 2018, most people who complained about Facebook were unhappy that its timeline algorithm buried friends' posts under piles of junk, or that its UI loaded slowly. The Cambridge Analytica incident, which came to light in early 2018, revealed the real reason to dislike the social network and its data hoarding practices. The scandal was just one of many over the following months showing how data analytics companies abused Facebook's easily accessible user data to build personal profiles and sell them to political parties to influence public opinion and manipulate elections.

In many people's eyes, Facebook went from a way of keeping in touch with friends to a feed full of political propaganda disguised as Internet memes and disinformation disguised as news.

Meltdown, Spectre and CPU side-channel attacks

Details of the Meltdown and Spectre vulnerabilities were first disclosed on January 2, 2018. They exposed a problem in the hardware of most CPUs that could allow hackers to steal data being processed inside the CPU.

Although the two vulnerabilities are not the easiest to exploit and there have been no reports of attacks, Meltdown and Spectre exposed the fact that many CPU manufacturers traded data security for speed and performance. Even though some still dismiss the two vulnerabilities as a "stunt hack", they have fundamentally changed the way today's CPUs are designed and manufactured.

Magecart goes mainstream

Magecart attacks (also known as web skimming or e-skimming) have existed since 2016, but by 2018 they had become increasingly intense, with British Airways, Newegg, Inbenta and others reporting notable Magecart attacks.

The rationale behind these attacks is simple, and it is hard to understand why it took so many years to catch on. Hackers compromise an online store and plant malicious code that records payment card information as it is entered, then sends it back to the attacker's server.

There have been several variants of the original Magecart attack, but since early 2018 Magecart has undoubtedly been one of the most serious network threats, and it continues to plague online shoppers. Many people cannot tell whether an online store is safe or not.

Alongside ATM skimming and POS malware, Magecart attacks are now the main method by which cyber criminals obtain people's financial data.
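One standard defence against the script tampering described above is Subresource Integrity (SRI): the store records a hash of each known-good script in the tag's integrity attribute, and the browser refuses to run a fetched copy whose hash differs. The following added example (written for this article; it is not code from the original or from any of the companies named) computes the attribute value and mirrors the browser-side check; the script bodies are constructed, and the tampered copy differs from the original by one appended line.

```python
import base64
import hashlib

# Constructed stand-ins for a checkout page's third-party script: the copy the
# site owner vetted, and a modified copy that should fail the integrity check.
ORIGINAL_SCRIPT = b"window.checkout = { validate: function (f) { return f.checkValidity(); } };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// one added line\n"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # the only digests SRI defines


def sri_hash(content, algorithm="sha384"):
    """Compute the value a site owner puts in <script integrity="..."> for a
    known-good copy of the script: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI only defines sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, content).digest()
    return "%s-%s" % (algorithm, base64.b64encode(digest).decode())


def sri_matches(content, integrity):
    """Mirror the browser check: the fetched script runs only if its digest
    matches one of the space-separated tokens in the integrity attribute.
    Tokens with an unknown algorithm are ignored, as browsers ignore them."""
    for token in integrity.split():
        algorithm = token.partition("-")[0]
        if algorithm in SRI_ALGORITHMS and sri_hash(content, algorithm) == token:
            return True
    return False


def script_tag(src, content):
    """Render the hardened tag for a script whose vetted body is `content`.
    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, sri_hash(content))


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.com/checkout.js", ORIGINAL_SCRIPT)  # constructed URL
    print(tag)
    integrity = sri_hash(ORIGINAL_SCRIPT)
    print("vetted copy accepted:", sri_matches(ORIGINAL_SCRIPT, integrity))
    print("tampered copy accepted:", sri_matches(TAMPERED_SCRIPT, integrity))
```

SRI only protects scripts whose content the site owner can pin in advance, so it does not cover a skimmer injected into the store's own pages or a third-party script that legitimately changes without notice; it is normally combined with a Content Security Policy that restricts where scripts may load from and where form data may be sent.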

Marriott data breach

Although not as big as Yahoo's 3 billion, Marriott's breach also attracted attention because of its huge scale. The breach was disclosed in November 2018, affecting more than 500 million customers, a number the company reduced to 383 million a few months later, once the investigation was complete. As in most cases, post-incident analysis showed that the company's network had been compromised using common techniques and tools that could easily have been detected and prevented.

2019

"Big game hunting" blackmail software

Although ransomware has existed since 2010, the new "big game hunting" style of ransomware was particularly active in 2019.

"Big game hunting" refers to ransomware aimed by attackers only at large targets (such as corporate networks) rather than at small groups such as home users. Hackers can demand far more money from target enterprises, which stand to lose more than just user information.

The term "big game hunting" was coined by CrowdStrike in 2018 to describe the strategy of several ransomware gangs. At present more than ten groups follow this strategy.

"Big game hunting" ransomware attacks surged in 2019, with managed service providers, US schools, US local governments and large companies the main victims, and the wave has recently moved to Europe.

Gnosticplayers

The hacker who became famous in 2019 is Gnosticplayers. Imitating peace_of_mind and tessa88 in 2016, he broke into companies and began selling their data on dark web markets.

The companies hit by Gnosticplayers include Canva, Gfycat, 500px, Evite and others. The hacker claimed responsibility for more than 45 intrusions and data leaks, affecting more than 1 billion users.

Capital One data breach

The Capital One breach disclosed in July 2019 affected more than 100 million Americans and 6 million Canadians.

The data taken through the breach was not shared publicly on the Internet, so most of the users whose data was stolen are probably safe, but the incident is still worrying. According to the investigation, the suspect behind it was a former Amazon Web Services employee accused of illegally accessing Capital One's AWS servers to retrieve data, along with data from 30 other companies.

The investigation is still ongoing, and if it confirms this, it will introduce a new threat category for organisations: malicious insiders working for supply chain providers.

*Source: ZDNet, compiled by sandra1432. Please credit freebuf.com when reprinting.