Operations Timeline

Moonlight Maze (1996-1999, attributed)

Agent.BTZ (Pentagon USB worm, 2008)

Persistent POS compromise campaigns across US retail (2008–2017)

GhostNet - 1,295 infected computers in 103 countries (2009, linked operations)

Google breach - source code and Gmail accounts of Chinese dissidents (2009)

Natanz centrifuge destruction - 1,000+ centrifuges damaged (2009–2010)

IE zero-day (CVE-2010-0249) exploitation at scale

Operation Payback (RIAA/MPAA DDoS, 2010)

Stuxnet (joint with Unit 8200, 2010)

HBGary Federal breach and email release (2011)

Flame malware (2012)

Japan aerospace and defense sector campaigns (2012–present)

Mandiant APT1 report exposure (2013)

Sustained campaign against Indian armed forces since 2013

Turkish government email leak - corruption documents published (2013)

Continuous Ukraine targeting since 2014 annexation of Crimea

Sony Pictures hack (2014)

Anti-ISIS website takedowns and account reporting (2015–2016)

Bundestag breach (2015)

HDD firmware persistence (2015)

OpISIS following Paris attacks (2015)

SEC charges against alleged operators (2015)

Ukraine power grid attacks (2015, 2016)

Bangladesh Bank $81M SWIFT heist (2016)

Bangladesh Bank SWIFT heist ($81M, 2016)

DNC breach (2016, separate from APT28)

DNC hack and email leak (2016)

Operation Cloud Hopper - global MSP compromise (2016–2017)

Operation Daybreak (2016)

WADA doping agency hack (2016)

French election interference (2017)

NotPetya global wiper (2017, $10B+ damage)

Operation Erebus (2017)

US electric grid intrusions (2017-2018, DHS/FBI alert)

WannaCry ransomware (2017)

Banco de Chile $10M theft (2018)

British Airways breach - 380,000 payment cards skimmed (2018)

DNSpionage campaign (DNS hijacking, 2018)

Olympic Destroyer (2018 Winter Olympics)

Olympic Destroyer (2018)

Operation Parliament - senior government officials across Middle East (2018)

Researchers accidentally infected own systems with BADNEWS RAT (2018)

UK, US, Russian government entity targeting (2018)

US Navy contractor breach - submarine warfare data theft (2018)

US, UK, Australia, Canada, Japan advisory (2018)

Asus Live Update supply chain attack (2019)

BMW and Toyota network intrusions (2019)

Georgia election infrastructure (2019)

Hijacking Iranian APT34 infrastructure (2019)

Leaked toolset published by Lab Dookhtegan (2019)

Mass VPN exploitation campaign (Pulse Secure, Fortinet, Citrix 2019-2020)

US Treasury OFAC sanctions (2019) - first ransomware group sanctioned

Biden and Trump campaign phishing (2020)

COVID-19 themed lures targeting Tibetan organizations (2020)

COVID-19 vaccine research targeting (2020)

COVID-19 vaccine research targeting (2020)

COVID-19 vaccine research targeting (2020)

Secondary exploitation of SolarWinds victim networks (2020–2021)

SolarWinds Orion supply chain compromise - SUNBURST backdoor (2020)

SolarWinds SUNBURST (2020)

Targeting of 2020 US presidential campaigns

US hospital attacks during COVID-19 pandemic (2020)

Vatican network compromise ahead of China–Holy See negotiations (2020)

Accellion FTA zero-day campaign - financial and government sectors (2021)

Chinese nuclear energy organization spearphishing (2021)

Claimed access to Israeli defense infrastructure (2021–2022)

Colonial Pipeline - US East Coast fuel supply disruption (May 2021)

Europol/FBI global takedown operation (January 2021)

Iowa-based grain cooperative NEW Cooperative ransomware attack (2021)

Iranian railway hack - fake delay messages and board disruption (2021)

JBS Foods $11M ransom (2021)

Kaseya VSA supply chain attack (1,500+ companies, 2021)

Log4Shell exploitation campaign (December 2021)

Myanmar government targeting after 2021 coup

Pivot to Noberus/ALPHV ransomware affiliate (2021–2022)

ProxyLogon - Microsoft Exchange 0-day exploitation (March 2021)

Resurrected by TrickBot operators in late 2021

Simultaneous compromise of 13 global telecom providers (CrowdStrike 2021)

US critical infrastructure pre-positioning (2021-present)

US state government systems compromise (2021)

$625M Ronin Network crypto theft (2022)

0ktapus campaign - 130+ orgs via Okta credential phishing (2022)

CISA advisory on Iran MOIS operations (2022)

CISA advisory specifically warning education sector (2022)

FBI infiltration of Hive - decryption keys provided to 300+ victims (2022)

Internal chat logs leaked by Ukrainian researcher (2022)

Iranian steel plant cyberattack causing physical fire (2022)

Israeli critical infrastructure targeting (2022)

Los Angeles Unified School District attack - student mental health records leaked (2022)

Mexican military leak - 6TB of SEDENA emails (2022)

Most prolific ransomware group 2022-2024

Nvidia source code theft - 1TB including DLSS (2022)

Post-invasion surge: thousands of phishing attacks per week (2022)

Romanian and Lithuanian government DDoS (2022)

Russia leaks following Ukraine invasion (2022)

Russian banking system DDoS campaigns (2022–present)

Twilio and Cloudflare phishing campaign (2022)

Ukrainian military credential harvesting operations (2022)

US airport websites DDoS (2022)

WhisperGate wiper attack (January 2022, days before Russian invasion)

Aliquippa, PA water authority - Unitronics PLC compromise (Nov 2023)

Boeing data leak (2023)

British Library attack (2023, months-long disruption to national services)

ChatGPT outages (2023)

CISA emergency alert for water sector (Dec 2023)

City of Oakland ransomware attack (2023, state of emergency declared)

DOJ and Europol operation dismantled infrastructure (Jan 2023)

Five Eyes joint advisory (2023)

Forged Microsoft authentication tokens to access US government email (2023)

GhostLocker ransomware deployment (2023 pivot)

GoAnywhere MFT zero-day - 130+ organizations (2023)

Israel water facility SCADA system claims (2023)

JumpCloud supply chain breach (2023, 1 million+ businesses exposed)

Microsoft 365, Outlook, Teams DDoS - 30,000+ customers impacted (June 2023)

MOVEit zero-day exploitation - 2,000+ organizations, 62M+ individuals (2023)

Router firmware backdoor campaign (NSA/CISA advisory 2023)

Royal Mail UK attack (2023)

UK Conservative Party donors and MPs credential harvest (2023)

US DoJ charges against IcedID operators (2023)

US DoJ indictments of FSB officers (2023)

US Treasury and congressional websites targeting (2023)

$42M+ ransom collected (FBI 2024 advisory)

210+ victims in first 6 months (FBI advisory August 2024)

260,000-device SOHO botnet (FBI disruption 2024)

Ascension Health attack (2024, 140 hospitals disrupted nationwide)

AT&T breach (2024, 73 million customer records)

Breach of AT&T, Verizon, T-Mobile CALEA wiretap systems (2024)

Change Healthcare attack - disrupted US pharmacy systems nationwide (2024)

Change Healthcare attack (2024, $22M ransom paid, national prescription disruption)

Lurie Children's Hospital Chicago (2024, pediatric care disrupted)

Malicious npm packages deployed via GitHub (2024)

Microsoft senior leadership email access (2024)

Muleshoe Texas water facility manipulation (2024)

Operation Cronos law enforcement takedown (2024)

Targeting of US 2024 presidential campaigns

US DoJ indictment of Sudanese national (2024)

US Treasury Department breach (2024, SilkTyphoon)

US Treasury sanctions on IRGC Cyberspace Battalion officers (2024)