
Famous Cybersecurity Incidents

Estimated time to read: 15 minutes

Big Cybersecurity incidents

Several kinds of incidents and techniques relate to the software supply chain; some originate from states, others from private actors.

State actor or State-sponsored

The term "state actor" in the context of cyber attacks refers to individuals or groups conducting cyber operations on a nation-state's behalf. They are often part of the state's intelligence or military organisations but can also include contractors or groups indirectly supported by the state. The level of support the state provides can vary widely, from full control and direction to simply tolerating or encouraging the group's activities.

State actors can conduct cyber attacks for a variety of reasons, including:

Espionage: Cyber espionage involves stealing information from other governments, businesses, or individuals. This can include anything from military plans and political strategies to trade secrets and intellectual property.

Sabotage: Cyber attacks can cause physical damage or disruption to infrastructure, as seen in the Stuxnet attack on Iranian nuclear facilities or the NotPetya malware's widespread disruption.

Influence operations: Cyber operations can be used to spread disinformation or propaganda to influence public opinion or political processes, as seen in the alleged Russian interference in the 2016 US presidential election.

Preparation for future attacks: State actors may infiltrate systems to gather information or establish a presence that could be used in future attacks.

State-sponsored cyber attacks are often more sophisticated and harder to defend against than attacks by non-state actors. They can afford to invest in developing new techniques and technologies and may have the patience to spend months or years infiltrating a target network. Attribution can also be challenging, as state actors usually go to great lengths to conceal their activities and can leverage a range of technical and non-technical means to mislead investigators.

State actors can significantly threaten national security, economic security, and individual privacy. Consequently, countering this threat is a top priority for many governments, involving defensive measures, international cooperation, legal action, and, in some cases, offensive cyber operations.

State-sponsored cyber-attacks that have caused significant impact

Stuxnet: Probably the most famous case of a state-sponsored attack, the US and Israel allegedly developed the Stuxnet worm to damage Iran's nuclear program. The worm targeted Siemens industrial control systems, causing physical damage to Iran's nuclear facilities.

SolarWinds: This attack, suspected to be from Russia's foreign intelligence service, the SVR, was identified in December 2020. The threat actors were able to compromise the network monitoring software, Orion, from the company SolarWinds. This allowed them to infiltrate the systems of thousands of SolarWinds' clients, including many US government agencies.

Duke (APT29 or Cozy Bear): Duke is a threat group suspected of being associated with the Russian government and has been active for over a decade. They've been linked to a number of attacks, most notably on the Democratic National Committee in 2016.

APT10 (Red Apollo): Believed to be sponsored by the Chinese government, APT10 has been linked to numerous cyber espionage campaigns. Their Operation Cloud Hopper targeted IT service providers, allowing them to infiltrate multiple organisations through a single compromise.

WannaCry: This ransomware attack in 2017 caused significant disruption worldwide. The US, UK, and Australia have all attributed the attack to North Korea.

APT28 (Fancy Bear): This is another threat group believed to be linked to the Russian government. They've been associated with many high-profile attacks, including against the German Parliament, the French television station TV5Monde, and the World Anti-Doping Agency.

Operation Aurora: In 2009, a coordinated series of attacks targeted multiple major corporations, including Google. The attacks originated from China, aimed at stealing intellectual property, and were notable for their sophistication.

DarkHotel: A suspected South Korean espionage campaign, DarkHotel targets specific individuals in luxury hotels. The attackers use spear phishing and malicious downloads to access the target's systems.

CCleaner: In 2017, the popular system cleaning software CCleaner was compromised in a supply chain attack. The attackers were able to insert malicious code into a version of the software, leading to approximately 2.27 million downloads of the infected program. The attack allowed the threat actors to gain remote control of infected machines, but they appeared interested in a relatively small number of high-value targets. The attack was attributed to APT17, a group thought to be associated with the Chinese government.

NotPetya: NotPetya was a destructive malware attack that started in Ukraine in 2017 but quickly spread worldwide. It was initially believed to be a ransomware attack, but it was later determined that the main purpose of the malware was to cause disruption rather than to generate profit. The malware targeted Microsoft Windows-based systems, encrypting the master boot record to render the system inoperable. The attack caused billions of dollars in damage and was attributed to the Russian military.

Kingslayer: The Kingslayer attack was a supply chain attack against the software update process of a popular server management software produced by Alt-N Technologies. The attackers were able to compromise the company's servers and replace legitimate software updates with their own malicious versions, potentially compromising any system that downloaded the updates. This incident took place around 2015-2016.

SimDisk: SimDisk is a Trojan associated with the APT group DarkHotel, which is believed to have links to South Korea. SimDisk was used in targeted attacks against entities in North Korea and Japan. The malware can steal personal information and act as a backdoor, allowing the attackers to execute commands on the infected system.

ShadowPad: ShadowPad is a sophisticated cyberespionage tool first discovered in 2017. It was found to be part of a supply chain attack against software produced by the South Korean company NetSarang. Once installed, ShadowPad gives the attackers complete control over the infected system. The attack was attributed to APT41, a group with suspected links to the Chinese government.

Remember that attribution in cyber attacks is complex and sometimes controversial. Even when there's strong evidence linking an attack to a particular state, the state in question may deny involvement, and proving their involvement conclusively can be challenging.

Hijacking

Hijacking refers to the practice of manipulating software updates to distribute malicious code. This insidious attack exploits users' trust in software vendors and the update process.

State actors or other highly capable adversaries often carry out these attacks due to the level of sophistication required. They need to compromise the update server or the software build process, which often requires significant resources and expertise. They might also need to steal or forge digital certificates to make the malicious update appear legitimate.

Once the malicious update is installed, the attackers can execute various actions, such as installing a backdoor, stealing data, or causing disruption. In some cases, the malware can propagate further within the network or to connected devices.

Flame: Discovered in 2012, Flame (also known as Flamer or Skywiper) is a sophisticated piece of malware believed to have been developed by a nation-state for cyber espionage purposes. Flame was spread through multiple mechanisms, including forged Microsoft update certificates.

Stuxnet: This worm targeted Iran's nuclear program and was reportedly spread partly via updates to a Siemens industrial control system.

CCleaner 1 and 2: The CCleaner attacks involved inserting malicious code into legitimate software updates.

NotPetya: Although NotPetya is more famous for its ransomware-like functionality, it initially spread via a compromised update to the M.E.Doc tax accounting software widely used in Ukraine.

Adobe pwdum7v71: This refers to a malicious Adobe Flash update that distributed the Bad Rabbit ransomware in 2017.

Webmin: In 2019, the popular web-based system configuration tool Webmin was compromised. A backdoor was inserted into a legitimate update, allowing attackers to execute commands with root privileges.

PlugX: PlugX is a remote access Trojan (RAT) often used by APT groups. It has been distributed via multiple methods, including compromised updates.

SolarWinds: The SolarWinds hack, discovered in 2020, involved inserting a backdoor into updates of the Orion software. The attackers, believed to be Russian, were able to infiltrate thousands of organisations that used the software, including numerous U.S. government agencies.

ShadowHammer: In this attack, discovered in 2018, hackers infected a version of the ASUS Live Update utility pre-installed on most ASUS computers. This allowed the attackers to distribute malware to potentially millions of users, although they were only interested in a relatively small number of specific targets.

XcodeGhost: In this case, Chinese developers unknowingly used a compromised version of Apple's Xcode development environment, creating numerous malicious iOS apps. This was not strictly an update hijacking attack, but it is a similar compromise of the software supply chain used to distribute malware.

Code signing

Code signing is a technique used to verify the authenticity and integrity of software. It uses a form of public key cryptography and a digital certificate issued by a trusted certificate authority. The software publisher signs the code with their private key, and the user's system checks this signature using the publisher's public key. If the code has been tampered with or comes from an untrusted source, the signature check will fail, and the system will warn the user or refuse to install the software.

Undermining code signing is a key objective for attackers who wish to carry out a software supply chain attack. If they compromise the code signing process, they can make their malicious software appear as legitimate updates or installations, tricking the user's system into accepting and running the malicious code.

A few techniques the attackers might use:

Stealing the publisher's private key: If the attackers can steal the private key used for code signing, they can sign their own malicious software and make it appear as if it comes from a legitimate publisher.

Compromising the build or update process: If the attackers can insert their code into the software before it is signed, the malicious code will be part of the signed package. This is what happened in the CCleaner and SolarWinds attacks.

Exploiting weaknesses in the code signing or verification process: If there's a bug or design flaw in the way code signing or verification is done, attackers might be able to bypass the checks or make unsigned or incorrectly signed code appear legitimate.
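To make the sign-then-verify flow and the three techniques above concrete, here is an added example in Go (not code from the original page). It stands in Ed25519 over a SHA-256 digest for a CA-issued certificate chain and uses constructed sample artifacts; it shows that verification catches any change made after signing, passes a payload inserted before signing, and that whoever holds the private key can produce valid signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Publisher owns the code-signing key pair. In a real pipeline the private key
// lives in an HSM or signing service; anyone who steals it can sign at will.
type Publisher struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{pub: pub, priv: priv}, nil
}

// PublicKey is what users receive, normally inside a CA-issued certificate.
func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Sign hashes the artifact and signs the digest with the private key.
func (p *Publisher) Sign(artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(p.priv, digest[:])
}

// Verify is the client-side check: recompute the digest and validate the
// signature against the publisher's public key. Any byte changed after
// signing makes it return false.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	p, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifacts, not real binaries.
	clean := []byte("cleaner-setup v5.33")
	backdoored := append(append([]byte(nil), clean...), " + injected payload"...)
	sig := p.Sign(clean)
	// 1. Tampering after signing: the digest changes, so the client rejects the update.
	fmt.Println("tampered after signing verifies:", Verify(p.PublicKey(), backdoored, sig)) // false
	// 2. Build or update process compromised (CCleaner, SolarWinds): the payload is
	//    present before signing, so the genuine key signs it and the check passes.
	fmt.Println("tampered before signing verifies:", Verify(p.PublicKey(), backdoored, p.Sign(backdoored))) // true
}
```

The second case is why signature verification alone cannot catch a compromised build: the defence there is protecting the build pipeline and the key, not the check on the client.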

Some examples of attacks where code signing was undermined:

ShadowHammer: In the ShadowHammer attack, the attackers were able to compromise the ASUS Live Update utility and make their malicious updates appear legitimate.

Naid/McRAT: This type of Trojan is used in many sophisticated attacks, often associated with the APT group known as APT1 or Comment Crew, which has been linked to China. In some cases, the Trojan was distributed via signed updates or software.

BlackEnergy 3: The BlackEnergy malware has been used in a variety of attacks, including against industrial control systems. One variant of the malware included a signed driver to help evade detection.

Stuxnet: The Stuxnet worm, used to attack Iranian nuclear facilities, used several stolen digital certificates to sign its components.

D-Link: In 2015, the electronics manufacturer D-Link accidentally published its private code signing keys, which could have been used to sign malicious software.

Flame: The Flame malware used an advanced cryptographic attack to forge a Microsoft code signing certificate.

Suckfly: The Suckfly group, believed to be a nation-state actor, stole code signing certificates from South Korean software companies and used them to sign their own malware.

Open-source compromise

Open-source compromise involves attackers infiltrating open-source software repositories or libraries to introduce malicious code. Because many organisations and developers rely on these open-source resources, a single compromise can have a broad impact. There are typically two main tactics attackers use in open-source compromise:

Compromising the Code: The attacker gains access to an open-source project and directly modifies its code, inserting a backdoor or other malicious functionality.

Typosquatting: The attacker creates a malicious package with a name similar to a popular package. When a developer accidentally mistypes the name of the package they intended to use, they get the malicious package instead.

Cdorked/Darkleech: This sophisticated Apache HTTP server compromise replaced the legitimate Apache binary with a malicious version.

RubyGems Backdoor: Attackers uploaded malicious versions of several popular RubyGems libraries. The malicious code was pulled in wherever these libraries were included in a project.

HackTask: This backdoor was found in a Python library called "hacktask". It was uploaded to the PyPI repository and mimicked a legitimate package.

Colourama: Colorama is a Python library for coloured terminal text. It was copied and uploaded to the PyPI repository under "colourama", a typographical variant of the original, containing a backdoor.

JavaScript 2018 Backdoor: A backdoor was found in the "getcookies" module in the npm (Node Package Manager) repository in 2018.

PyPI Repository Attack: Multiple incidents have occurred where attackers have uploaded malicious packages to the Python Package Index (PyPI), either under typo-squatted names or by compromising existing packages.

event-stream Incident: This involved a popular npm package called "event-stream". The maintainer of the package transferred it to another user, who later inserted a malicious payload into the package intended to steal cryptocurrency.

Bootstrap-sass Incident: In 2019, a backdoor was found in the "bootstrap-sass" RubyGem, a popular library used in Ruby and Rails applications.

Webmin: In 2019, the source code for the Webmin administrative interface was compromised, inserting a backdoor into the product.

M.E.Doc: The M.E.Doc software, widely used in Ukraine for tax preparation, was compromised at the source code level. This was used as a launch point for the destructive NotPetya malware.

It's worth noting that while these examples demonstrate that open-source software can be compromised, it doesn't necessarily mean that open-source software is inherently less secure. The openness of the code often means that vulnerabilities can be found and fixed more quickly. However, it does highlight the importance of good security practices, like two-factor authentication and rigorous code review, in open-source development.
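As an added defensive check for the typosquatting tactic and the Colourama case above (this is example code, not from the original page), the Go program below flags requested dependency names that sit within a couple of edits of a popular package without being that package. The allowlist and the requirements list are constructed samples, and names are normalised the way PyPI does (lowercase, runs of '-', '_' and '.' collapsed to '-'), so "Requests" is recognised as the real package while "colourama" is reported.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize applies PyPI's PEP 503 name rule: lowercase and collapse every run of
// '-', '_' or '.' into a single '-' (leading/trailing separators are dropped here).
func normalize(name string) string {
	isSep := func(c rune) bool { return c == '-' || c == '_' || c == '.' }
	return strings.Join(strings.FieldsFunc(strings.ToLower(name), isSep), "-")
}

// editDistance is the Levenshtein distance: insert, delete or substitute one rune, cost 1 each.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			best := prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// CheckTyposquat maps each requested dependency to the popular package it most
// resembles when it is within maxDist edits of it without being that package.
func CheckTyposquat(requested, popular []string, maxDist int) map[string]string {
	flagged := map[string]string{}
	for _, req := range requested {
		r, best := normalize(req), maxDist+1
		for _, pop := range popular {
			if d := editDistance(r, normalize(pop)); d == 0 {
				delete(flagged, req) // exact match after normalisation: the real package
				break
			} else if d < best {
				best, flagged[req] = d, pop
			}
		}
	}
	return flagged
}

func main() { // constructed sample allowlist vs. a constructed requirements list
	fmt.Println(CheckTyposquat([]string{"colourama", "Requests", "my-internal-tool"}, []string{"colorama", "requests", "urllib3"}, 2))
}
```

Run against a lockfile before installation, such a check catches the one-character variants this section describes but not a compromised maintainer account or a hijacked legitimate package, which need review of the published contents themselves.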

App Store attacks

App store attacks refer to the distribution of malicious apps through official or third-party app stores. These attacks generally use one of two strategies:

Creating Malicious Apps: Attackers create new apps that appear legitimate and useful but contain hidden malicious functionality. These apps are then submitted to app stores, and if they pass the review process, they can be downloaded and installed by unsuspecting users.

Compromising Existing Apps: Attackers find ways to inject malicious code into existing, legitimate apps. This can be done by compromising the app's development or update process or tricking developers into incorporating a malicious library or tool.

Here are a few examples of app store attacks:

Sandworm's Android attack: The Sandworm APT group, believed to be linked to Russia, has targeted Android devices with several malicious apps. One such app was distributed via the official Google Play Store and contained a remote access Trojan (RAT).

ExpensiveWall: ExpensiveWall was malware found in over 50 apps in the Google Play Store, downloaded millions of times. It sent fraudulent premium SMS messages and charged users' accounts without their knowledge.

BankBot: BankBot is a type of Android banking Trojan. It was found in numerous apps in the Google Play Store, including apps posing as legitimate banking apps, flashlight apps, game apps, and more.

Gooligan: Gooligan was a malware campaign that infected over a million Google accounts by 2016. It was spread via dozens of apps in third-party Android app stores.

XcodeGhost: XcodeGhost was a malicious version of Apple's Xcode development environment. Chinese developers unknowingly used it to build apps distributed through Apple's App Store. This resulted in the creation of numerous malicious iOS apps.

Judy: Judy was an adware campaign found in 41 apps in the Google Play Store, with millions of downloads. It generated fraudulent clicks on advertisements to generate revenue.

Skygofree: Skygofree is a sophisticated Android spyware distributed through fake mobile network operator websites. It was not directly distributed through an app store, but its sophistication and capabilities are worth mentioning.

HummingBad: HummingBad was malware found in over 20 apps in third-party Android app stores. It established a persistent rootkit on Android devices, installed fraudulent apps, and generated fraudulent ad revenue.

The above incidents underline the importance of only downloading apps from trusted sources, checking app reviews and permissions, and keeping devices and apps updated to the latest versions. Security solutions for mobile devices can also help detect and prevent such threats.

Hafnium attacks

In March 2021, Microsoft announced that a state-sponsored group from China, which they named Hafnium, was exploiting zero-day vulnerabilities in on-premises versions of Microsoft Exchange Server. These vulnerabilities allowed the group to access email accounts and install additional malware for long-term access to the victims' environments. This led to widespread concern and urgent patching, as numerous organisations use Microsoft Exchange Server worldwide.

The four vulnerabilities exploited in these attacks are:

CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857: An insecure deserialisation vulnerability in the Unified Messaging service. Insecure deserialisation occurs when a program deserialises untrusted, user-controllable data.

CVE-2021-26858 and CVE-2021-27065: Post-authentication arbitrary file write vulnerabilities in Exchange. Once Hafnium could authenticate with the Exchange server, they could use these vulnerabilities to write a file to any path on the server.

Microsoft reported that the attacks primarily targeted entities in the United States across a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs.

Exchange Server ProxyLogon attacks

Later in 2021, a new wave of attacks was seen exploiting the same vulnerabilities in unpatched Exchange servers in a campaign known as ProxyLogon. While it's not entirely clear whether these attacks were state-sponsored, they demonstrated a high level of interest in these vulnerabilities from sophisticated threat actors.

In response to these incidents, Microsoft released out-of-band security updates and urged customers to apply them immediately to protect against these attacks. These incidents underline the importance of prompt patching and the potential risks of exposed internet-facing infrastructure.