Operations Timeline

Moonlight Maze (1996-1999, attributed)

Agent.BTZ (Pentagon USB worm, 2008)

Persistent POS compromise campaigns across US retail (2008–2017)

GhostNet - 1,295 infected computers in 103 countries (2009, linked operations)

Google breach - source code and Gmail accounts of Chinese dissidents (2009)

Natanz centrifuge destruction - 1,000+ centrifuges damaged (2009–2010)

IE zero-day (CVE-2010-0249) exploitation at scale

Operation Aurora (2010, jointly attributed)

Operation Payback (RIAA/MPAA DDoS, 2010)

Stuxnet (joint with Unit 8200, 2010)

HBGary Federal breach and email release (2011)

Flame malware (2012)

Japan aerospace and defense sector campaigns (2012–present)

New York Times intrusion (2012-2013)

Sustained CIS-region diplomatic targeting since 2012

Bit9 trust certificate breach (2013)

DeputyDog campaign (2013)

European Ministries of Foreign Affairs intrusions (2013)

Mandiant APT1 report exposure (2013)

Sustained campaign against Indian armed forces since 2013

Turkish government email leak - corruption documents published (2013)

Continuous Ukraine targeting since 2014 annexation of Crimea

Forbes.com watering hole (2014)

Sony Pictures hack (2014)

Anti-ISIS website takedowns and account reporting (2015–2016)

Bundestag breach (2015)

FireEye attribution report (April 2015)

HDD firmware persistence (2015)

Operation Clandestine Wolf (Internet Explorer 0-day, 2015)

OpISIS following Paris attacks (2015)

SEC charges against alleged operators (2015)

Ukraine power grid attacks (2015, 2016)

Bangladesh Bank $81M SWIFT heist (2016)

Bangladesh Bank SWIFT heist ($81M, 2016)

Citizen Lab disclosure of dissident targeting (2016)

DNC breach (2016, separate from APT28)

DNC hack and email leak (2016)

ICAO compromise via supply-chain pivot (2016)

Operation Cloud Hopper - global MSP compromise (2016–2017)

Operation Daybreak (2016)

Repurposed NSA EternalSynergy exploit (2016-2017)

WADA doping agency hack (2016)

Boyusec / Wu Yingzhuo / Dong Hao DOJ indictment (2017)

CVE-2017-11882 Equation Editor exploitation

French election interference (2017)

NotPetya global wiper (2017, $10B+ damage)

Operation Erebus (2017)

UK government service provider supply-chain compromise (2017)

US electric grid intrusions (2017-2018, DHS/FBI alert)

WannaCry ransomware (2017)

Banco de Chile $10M theft (2018)

British Airways breach - 380,000 payment cards skimmed (2018)

DNSpionage campaign (DNS hijacking, 2018)

Olympic Destroyer (2018 Winter Olympics)

Olympic Destroyer (2018)

Operation Parliament - senior government officials across Middle East (2018)

Researchers accidentally infected own systems with BADNEWS RAT (2018)

UK, US, Russian government entity targeting (2018)

US Navy contractor breach - submarine warfare data theft (2018)

US, UK, Australia, Canada, Japan advisory (2018)

Asus Live Update supply chain attack (2019)

BMW and Toyota network intrusions (2019)

Georgia election infrastructure (2019)

Hijacking Iranian APT34 infrastructure (2019)

Leaked toolset published by Lab Dookhtegan (2019)

Mass VPN exploitation campaign (Pulse Secure, Fortinet, Citrix 2019-2020)

Reuters Project Raven investigative reporting (2019)

Targeting of Hong Kong universities and political organizations (2019-2020)

US Treasury OFAC sanctions (2019) - first ransomware group sanctioned

Aria-body loader campaigns (Check Point disclosure 2020)

Biden and Trump campaign phishing (2020)

COVID-19 themed lures targeting Tibetan organizations (2020)

COVID-19 vaccine research targeting (2020)

COVID-19 vaccine research targeting (2020)

COVID-19 vaccine research targeting (2020)

Secondary exploitation of SolarWinds victim networks (2020–2021)

SolarWinds Orion supply chain compromise - SUNBURST backdoor (2020)

SolarWinds SUNBURST (2020)

Targeting of 2020 US presidential campaigns

Trend Micro Earth Akhlut attribution report (2020)

US hospital attacks during COVID-19 pandemic (2020)

Vatican network compromise ahead of China–Holy See negotiations (2020)

Accellion FTA zero-day campaign - financial and government sectors (2021)

Chinese nuclear energy organization spearphishing (2021)

Claimed access to Israeli defense infrastructure (2021–2022)

Colonial Pipeline - US East Coast fuel supply disruption (May 2021)

Demodex Windows kernel-mode rootkit (Kaspersky disclosure 2021)

Europol/FBI global takedown operation (January 2021)

Iowa-based grain cooperative NEW Cooperative ransomware attack (2021)

Iranian railway hack - fake delay messages and board disruption (2021)

JBS Foods $11M ransom (2021)

Kaseya VSA supply chain attack (1,500+ companies, 2021)

Log4Shell exploitation campaign (December 2021)

Microsoft DCU domain seizure operation (December 2021)

Myanmar government targeting after 2021 coup

Pivot to Noberus/ALPHV ransomware affiliate (2021–2022)

ProxyLogon - Microsoft Exchange 0-day exploitation (March 2021)

ProxyLogon Exchange exploitation against Eastern European targets (2021)

Resurrected by TrickBot operators in late 2021

Simultaneous compromise of 13 global telecom providers (CrowdStrike 2021)

Transportation and healthcare campaigns (Trend Micro disclosure 2021)

US critical infrastructure pre-positioning (2021-present)

US state government systems compromise (2021)

$625M Ronin Network crypto theft (2022)

0ktapus campaign - 130+ orgs via Okta credential phishing (2022)

CISA advisory on Iran MOIS operations (2022)

CISA advisory specifically warning education sector (2022)

Decade-long surveillance of Southeast Asian governments (SentinelOne disclosure 2022)

F5 BIG-IP exploitation including CVE-2022-1388

FBI infiltration of Hive - decryption keys provided to 300+ victims (2022)

Internal chat logs leaked by Ukrainian researcher (2022)

Iranian steel plant cyberattack causing physical fire (2022)

Israeli critical infrastructure targeting (2022)

Log4Shell exploitation against US municipalities (2022)

Los Angeles Unified School District attack - student mental health records leaked (2022)

Mexican military leak - 6TB of SEDENA emails (2022)

Most prolific ransomware group 2022-2024

Nvidia source code theft - 1TB including DLSS (2022)

Post-invasion surge: thousands of phishing attacks per week (2022)

Romanian and Lithuanian government DDoS (2022)

Ronin bridge $625M theft (March 2022, attributed)

Russia leaks following Ukraine invasion (2022)

Russian banking system DDoS campaigns (2022–present)

Secureworks and Microsoft public attribution (2022)

Twilio and Cloudflare phishing campaign (2022)

Ukrainian military credential harvesting operations (2022)

US airport websites DDoS (2022)

WhisperGate wiper attack (January 2022, days before Russian invasion)

WhisperGate wiper deployment against Ukraine (January 2022)

Aliquippa, PA water authority - Unitronics PLC compromise (Nov 2023)

Boeing data leak (2023)

British Library attack (2023, months-long disruption to national services)

ChatGPT outages (2023)

CISA emergency alert for water sector (Dec 2023)

Citrix Bleed (CVE-2023-4966) opportunistic exploitation

City of Dallas attack disrupting municipal services (May 2023)

City of Oakland ransomware attack (2023, state of emergency declared)

DOJ and Europol operation dismantled infrastructure (Jan 2023)

ESET public disclosure (August 2023)

Five Eyes joint advisory (2023)

Forged Microsoft authentication tokens to access US government email (2023)

GhostLocker ransomware deployment (2023 pivot)

GoAnywhere MFT zero-day - 130+ organizations (2023)

Idaho National Laboratory employee data leak (November 2023)

Israel water facility SCADA system claims (2023)

JumpCloud supply chain breach (2023, 1 million+ businesses exposed)

Lehigh Valley Health Network patient data leak (2023)

Mandiant APT43 disclosure (March 2023)

Microsoft 365, Outlook, Teams DDoS - 30,000+ customers impacted (June 2023)

Minneapolis Public Schools breach and data leak (2023)

MOVEit zero-day exploitation - 2,000+ organizations, 62M+ individuals (2023)

NATO unclassified portal data dump (2023)

Post-October-2023 emergence with Israel-focused intrusions

Qlik Sense vulnerability exploitation as initial access (2023)

Rapid victim disclosure cadence beginning mid-2023

Rebrand from Royal to BlackSuit (mid-2023)

Router firmware backdoor campaign (NSA/CISA advisory 2023)

Royal Mail UK attack (2023)

Telecom backbone intrusions across 2023-2024 (Trend Micro disclosure)

Toyota Financial Services intrusion (2023)

UK Conservative Party donors and MPs credential harvest (2023)

US DoJ charges against IcedID operators (2023)

US DoJ indictments of FSB officers (2023)

US Treasury and congressional websites targeting (2023)

Yamaha Motor Philippines breach (2023)

$42M+ ransom collected (FBI 2024 advisory)

210+ victims in first 6 months (FBI advisory August 2024)

260,000-device SOHO botnet (FBI disruption 2024)

Ascension Health attack (2024, 140 hospitals disrupted nationwide)

AT&T breach (2024, 73 million customer records)

Breach of AT&T, Verizon, T-Mobile CALEA wiretap systems (2024)

Change Healthcare attack - disrupted US pharmacy systems nationwide (2024)

Change Healthcare attack (2024, $22M ransom paid, national prescription disruption)

Cisco Nexus 0-day exploitation (CVE-2024-20399)

Continued public-sector targeting through 2024-2025

CrowdStrike public disclosure at Fal.Con 2024

Free decryptor released after public pressure (July 2024)

Group disbandment announcement (July 2024)

Indonesia National Data Center attack (June 2024) — 282 government services impacted

Lurie Children's Hospital Chicago (2024, pediatric care disrupted)

Lynx rebrand and code reuse (mid-2024)

Malicious npm packages deployed via GitHub (2024)

Microsoft senior leadership email access (2024)

Muleshoe Texas water facility manipulation (2024)

NHS Scotland (Dumfries and Galloway) breach (2024)

Operation Cronos law enforcement takedown (2024)

Pivot to data-extortion-only branding as 'World Leaks' (2024)

Re-emergence with refined toolkit (Sygnia tracking 2024)

Schneider Electric Sustainability Business division breach (January 2024)

Synnovis pathology services attack causing NHS surgery cancellations (June 2024)

Targeting of US 2024 presidential campaigns

Three-year stealth intrusion of large Asian enterprise (Sygnia 2024 disclosure)

Transition to ransomware-as-a-service operations (late 2024)

US DoJ indictment of Sudanese national (2024)

US Treasury Department breach (2024, SilkTyphoon)

US Treasury sanctions on IRGC Cyberspace Battalion officers (2024)

CISA #StopRansomware joint advisory (AA25-071A, 2025)

Operator arrests in Thailand (February 2025)

Tata Technologies breach (early 2025)