CYBER POLICY INSTITUTE
for the Tallinn University of Technology
with the support of Microsoft NV

ENEKEN TIKK
KRISTINE HOVHANNISYAN
MIKA KERTTUNEN
MIRVA SALMINEN

CYBER CONFLICT FACTBOOK:
EFFECT-CREATING STATE-ON-STATE CYBER OPERATIONS

Tartu-Tallinn-Jyväskylä-Rovaniemi
2019

Acknowledgments
The authors of the Factbook are indebted to Louis Léonet, Vias Lustig and Christopher Spirito for their comments and feedback on draft versions. Any omissions and errors are ours.

ISBN 978-952-69341-0-5 (nid.)
ISBN 978-952-69341-1-2 (PDF)

Table of Contents
Introduction
1 Cyber-attacks against Estonia
2 Cyber-attacks accompanying the Russo-Georgian War
3 Fourth of July cyber-attacks
4 Defacement of Baidu search engine
5 Burma
6 Stuxnet
7 Operation Cupcake
8 Ten Days of Rain
9 DDoS attacks against the US financial institutions (operation Ababil)
10 Flame
11 Cyber-attacks against Saudi Aramco
12 DarkSeoul
13 German Steel Mills
14 Sands Casino
15 Sony Pictures Entertainment
16 TV5Monde
17 Power Outage in Ukraine
19 Bangladesh Bank Heist
20 Democratic National Committee e-mail leak (DNC Hack)
21 Shamoon 2.0
22 Montenegro election hack
23 Qatar News Agency
24 Left of the Launch
25 NotPetya
26 Trisis/Triton
27 WannaCry (WannaCrypt, WanaCrypt0r, WCrypt, or WCRY)
28 Disruption of Daesh activities
29 Olympics Destroyer
30 Disruption of the activities of the Internet Research Agency
31 Cryptocurrency Exchange Raids
32 US Cyber Command Operation against Iran’s Paramilitary/Intelligence networks
Additional Readings

Introduction
The Cyber Conflict Factbook aims to provide students, scholars and policymakers with objective information on attacks and operations in which states have been observed to project power by intentionally using ICT/cyber means. In academic education, governmental policy-making and cyber diplomacy, we have noticed a lack of systematic, methodologically justified and non-biased analysis. Instead, politically motivated argumentation and hasty, generalized illustrations occupy the space. The arguments of "cyber conflict", "cyber warfare" and "cyber war" too rarely come with truthful evidence, and too often risk becoming self-fulfilling propositions. The Factbook 0.5 is our first step to fill that lacuna.
This first edition of the Factbook focuses on effect-creating cyber-attacks. Effect generally refers to a "result of a cause or agent".1 In this version of the Factbook, we have examined known state cyber operations which have resulted in changes in the condition or behaviour2 of the targeted system or environment. This approach aligns with US policy documents and military doctrines.3 Consequently, this stage of our work excludes known instances of espionage and intelligence operations as well as some reported attempts of cyber-attacks where the effect did not materialize and thus remains speculative (such as the case of the OPCW in 2018).
Despite the usual claims of the invisibility of cyber capabilities and operations, we claim that effect-creating attacks can be detected and documented. On the one hand, the very purpose of creating effects entails some observability. On the other hand, defacements of government websites, denial of online services and data access as well as the physical effects of cyber-attacks can be observed and have been reported. Even if incidents are not disclosed by the governments or organizations involved, the private sector, the public and the media have done their share to bring these events to light. We hope the Factbook will spark further exchange and transparency on the state of international cyber affairs.

1 Longman Webster English College Dictionary (1984). Harlow, Longman.
2 Department of Defense (2019) Dictionary of Military and Associated Terms. Joint Publication JP 1-02 (as of June 2019).
3 Joint Chiefs of Staff (2018) JP 3-12 Cyberspace Operations, p. II-7.

The first iteration of the Factbook presents eight elements of those cyber operations that the Council on Foreign Relations (CFR) has classified as denial-of-service, defacement, sabotage or data destruction in the CFR Cyber Operations Tracker4: (1) name, (2) year(s) during which the incident occurred, (3) context and background, (4) timeline5, (5) target, (6) effects, (7) attribution and (8) private sector involvement in the discovery, mitigation, analysis or consequences of the operation. The methodology, terminology and entries of the CSIS Significant Cyber Incident List6 and the Dyadic Cyber Incident and Dispute Dataset7 have been consulted. The Factbook team has conducted independent research on all included incidents and built factual descriptions of the events. The Factbook is accompanied by extensive references for further research and analysis.
The main sources used to identify the facts of each incident were news outlets, expert research, official statements and legal documents. Where possible, priority was given to the facts and circumstances identified and established in indictments and other legal documents. Second priority was assigned to official and/or government statements on the issue. Next, first-hand comments (from the target/victim and from experts involved in detection, mitigation or investigation) were considered, followed by focused research papers and professional blogs. Finally, media reports were used to enhance the information or fill in gaps on aspects not covered by any other source.

4 Available at www.cfr.org.
5 All references are given in local time.
6 Available at www.csis.org.
7 Available at https://drryanmaness.wixsite.com/cyberconflict/cyber-conflict-dataset.

1 Cyber-attacks against Estonia
2007

Background and context: On April 26 and 27, 2007, street riots8 occurred in the Estonian capital, Tallinn, in connection with the government’s decision to relocate a Soviet-era World War II/Great Patriotic War memorial. These riots were accompanied by cyber-attacks, with an initial "emotionally motivated" phase9 between April 27 and 29, followed by coordinated cyber-attacks between April 30 and May 18, targeting both public and private sector websites.

Timeline10: On April 27, Estonian government institutions and news portals were targeted by denial-of-service (DoS), defacement and spam attacks that continued until April 29.
On April 30, cyber-attacks against a private sector electronic communications provider took place, affecting Domain Name Servers (DNS) and routers. On May 4, denial-of-service attacks continued intensively against websites and DNS.
On May 8, at 11 PM (00:00 on May 9, World War II Victory Day, in Moscow), a distributed denial-of-service (DDoS) attack started against Estonian government websites. It continued throughout May 9 and 10, and then ended abruptly.
On May 15, government websites and several Estonian banks experienced a strong DDoS attack, which started at noon and continued until midnight.
On May 18, another wave of DDoS attacks against governmental websites occurred.11

8 http://www.washingtonpost.com/wp-dyn/content/article/2007/05/18/AR2007051802122.html
9 E. Tikk, K. Kaska, L. Vihul. (2010) International Cyber Incidents: Legal Considerations. Tallinn, Cooperative Cyber Defence Centre of Excellence, p. 18. Online Source: https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf
10 The timeline is based on https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf, p. 18.

Target: Private and public sectors, including governmental institutions’ websites, media platforms and private sector websites.

Effects: Effects on both the private and public sectors. About 58 sites were down, particularly on May 9. Estonian banking services suffered disruptions.12

Attribution: The cyber-attacks were politically motivated.13 The Estonian Minister of Defence pointed out at a government press conference that the cyber-attacks "originate from outside Estonia, mainly from Russia".14 According to a Radio Free Europe/Radio Liberty article published in March 2009, Sergei Markov, a State Duma Deputy from the pro-Kremlin Unified Russia party, stated that the Estonian attacks had been carried out by his assistant as part of "a reaction from civil society".15

Involved private sector actors: Arbor Networks16, F-Secure17

11 https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf
12 https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf
13 R. Ottis (2008) Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective. Tallinn, Cooperative Cyber Defence Centre of Excellence. Online Source: https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf
14 https://www.valitsus.ee/et/uudised/valitsuse-pressikonverentsi-stenogramm-10052007
15 https://www.rferl.org/a/Behind_The_Estonia_Cyberattacks/1505613.html; https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf
16 J. Nazario (2018) Politically Motivated Denial of Service Attacks. Arbor Networks, United States. Online Source: https://ccdcoe.org/uploads/2018/10/12_NAZARIO-Politically-Motivated-DDoS.pdf
17 https://www.f-secure.com/weblog/archives/00001183.html

2 Cyber-attacks accompanying the Russo-Georgian War
2008

Background and context: South Ossetia and Abkhazia have been parts of an unresolved internal conflict within Georgia for years. Over the years, Russia has demonstrated an interest in supporting the separation of these two regions from Georgia.
In 2008, the tensions in South Ossetia escalated to the point that the Georgian army was sent to take control of the situation. In support of South Ossetia, Russian troops then crossed the Russian-Georgian border.
In parallel to the military tensions, Georgia’s information infrastructure was experiencing DDoS attacks, defacements and rerouting of Internet traffic. The President’s official website was defaced; the central government’s website and the websites of the Ministry of Foreign Affairs and the Ministry of Defence were down; and some private sector websites were hijacked.18

Timeline: The initial signs of cyber-attacks were identified on July 19, 2008, affecting the website of the President, Mikheil Saakashvili.19
On August 8, 2008, the website of the Georgian President was down for 24 hours because of a DDoS attack.20
Later on, "the homepages for the Ministry of Foreign Affairs and Ministry of Defence, the Georgian news portals such as Georgia Online (apsny.ge), News.ge, but also non-Georgian, but Georgia-sympathetic news sites and online discussion forums were also attacked".21 In the early morning of August 9, the largest commercial bank of Georgia, TBC, experienced a cyber-attack.22
On August 10, the non-profit security organization ShadowServer reported new attacks against .ge sites: "the website of the Georgian Parliament and the President were hit with http-flood attacks", as were various non-governmental websites.23
The President’s website was restored by August 11, "but the central government[‘s] site as well as ministries’ websites mentioned above still remained down and some commercial websites were also hijacked".24 On the same day, the President’s website was defaced.
By August 12, the attack model had changed towards a Microsoft Windows batch file designed to attack Georgian websites. It was distributed on Russian forums, blogs and websites, where users were encouraged to run it.25
On August 13, large-scale Internet Control Message Protocol (ICMP) traffic from numerous Russian computers continued.
On August 27, the scale of the cyber-attacks increased.
By August 28, most of the attacks had been successfully mitigated.26

18 https://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html
19 Stephen W. Korns and Joshua E. Kastenberg (2009) Georgia’s Cyber Left Hook, p. 64. Online Source: https://apps.dtic.mil/dtic/tr/fulltext/u2/a636632.pdf
20 https://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html; https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf, p. 69.

21 https://www.gfsis.org/blog/view/970
22 https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf, p. 70.
23 https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf, p. 70.
24 https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf, p. 70.
25 https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf, p. 71.
26 https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf, p. 71.

Target: Georgian Government websites (President, Parliament, ministries, local government of Abkhazia), news and media sites, online discussion forums and financial institutions.27

Effects: The availability of information systems was vital at the time, because military activities were on-going. There was a need to keep the public informed about the status of the conflict, but due to the disruption caused by the cyber-attacks the use of those platforms was nearly impossible.28

Attribution: The Georgian Ministry of Foreign Affairs reported that a cyber warfare campaign by Russia was "seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs".29

Involved private sector actors: Arbor Networks30, Renesys31

27 https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf, p. 89.
28 http://www.ismlab.usf.edu/isec/files/Georgia-Cyber-Attack-NATO-Aug-2008.pdf
29 https://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war.html
30 J. Nazario, Politically Motivated Denial of Service Attacks, Arbor Networks, United States. Online Source: https://ccdcoe.org/uploads/2018/10/12_NAZARIO-Politically-Motivated-DDoS.pdf
31 https://dyn.com/blog/georgia-clings-to-the-net/; https://dyn.com/blog/internet-year-in-review-2008/

3 Fourth of July cyber-attacks
2009

Background and context: A botnet of more than 150,000 machines, predominantly concentrated in South Korea, launched a DDoS attack against almost four dozen targets in South Korea and the United States.32 The attacks have later been associated with the cyber espionage campaign "Operation Troy", a series of cyber-espionage operations conducted between 2009 and 2013 by North Korea-affiliated hackers.33

Timeline: July 4, 2009: US websites targeted.
July 7 and 8: South Korean websites targeted.
July 10: the second phase of the attack started, in which the botnet encrypted files and then started deleting them.

Target: US and South Korean governments.

Effects: Files with the extensions .xml, .xls, .ppt, .doc, .pdf, .c and .cpp were encrypted and then deleted. The malware was programmed to overwrite the first 512 bytes of each attached storage device with a string beginning with "Memory of Independence Day", wiping out the master boot records (MBR) and volume boot records on infected botnet machines, essentially leaving the data non-recoverable and preventing the infected devices from re-booting.34

32 https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf
33 https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf
34 https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf

Attribution: Attributed to Lazarus Group, a threat group that has been associated with the North Korean government.35

Involved private sector actors: McAfee36

35 https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
36 https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf; on attribution see
https://www.us-cert.gov/ncas/alerts/TA17-164A.

4 Defacement of Baidu search engine
2010

Timeline: On January 12, 2010, Baidu, China’s search engine, became unavailable. Baidu users were redirected to a site displaying an Iranian flag and a political message in Farsi: "This site has been hacked by Iranian Cyber Army".37 According to the BBC, citing Chinese media, the site was down for at least four hours. "This morning, Baidu’s domain name registration in the United States was tampered with, leading to inaccessibility," Baidu said in a statement.38

Target: The most popular Chinese search engine.

Effects: Unavailability of the search engine for a short period of time.

Attribution: The Iranian Cyber Army, associated with Iran’s Islamic Revolutionary Guard Corps, a branch of the country’s military forces39, claimed responsibility.

Involved private sector actors: Renesys40

37 http://news.bbc.co.uk/2/hi/technology/8453718.stm
38 http://news.bbc.co.uk/2/hi/technology/8453718.stm
39 https://theconversation.com/following-the-developing-iranian-cyberthreat-85162
40 https://dyn.com/blog/baidu/

5 Burma
2010

Background and context: The Burmese opposition had experienced several targeted cyber-attacks on its websites since 2007. Additionally, there had been an Internet shutdown in Burma.41 In 2010, DDoS attacks ahead of the General Elections targeted opposition websites again.

Timeline: In September 2010, Burmese opposition media websites were under DDoS attack.42
On October 25, a massive DDoS attack targeted Burma’s main Internet provider, just before the General Elections that were due to take place on November 7, 2010.43
DDoS attacks continued throughout November. The intensity of the attack varied from 0.5 to 10-15 Gbit/s.44

Target: The Mizzima News website, the Democratic Voice of Burma website, the Irrawaddy website, and the Internet provider.

41 N.Villeneuve & M.Crete-Nishihata (2011) Control and Resistance: Attacks on Burmese Opposition Media, p.157.
Online Source: http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-chapter-08.pdf
42 http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-chapter-08.pdf
43 https://www.bbc.com/news/technology-11693214
44 https://www.npr.org/sections/thetwo-way/2010/11/04/131070830/myanmar-s-internet-under-cyberattack

Effects: The unavailability of specific online media outlets and agencies, and the Internet blockage, made it difficult for the private sector to provide services to customers.45 An official from the only telecommunications operator, the MPT, stated that distributed denial-of-service (DDoS) attacks on the local servers, originating from different sources, were overloading the network.46

Attribution: It is not certain who was behind the cyber-attacks, although it is believed that the military or the government itself could have been involved.47

Involved private sector actors: Arbor Networks48

45 https://web.archive.org/web/20101105211505/http://www.mmtimes.com/2010/news/547/news54716.html
46 https://web.archive.org/web/20101105211505/http://www.mmtimes.com/2010/news/547/news54716.html
47 N.Villeneuve & M.Crete-Nishihata (2011) Op.cit., p.158, p.170.
48 https://www.theregister.co.uk/2010/11/03/myanmar_ddos_attacks/

6 Stuxnet
2010

Background and context: Iran has been pressured in various ways to shut down its nuclear program. Stuxnet may have served to buy time ahead of the 2015 negotiations on limiting nuclear activities and allowing international inspectors to visit the plant.49 Stuxnet is a malicious computer worm that was discovered at the Natanz Nuclear Plant in Iran. The worm had been active for at least one year prior to its discovery in 2010. Its first five targets were Iranian companies related to the Iranian nuclear development facilities.50

Timeline: On June 17, 2010, Sergey Ulasen, the head of the anti-virus division of a Belarusian computer security firm called VirusBlokAda, discovered that one of his clients’ computers located in Iran was caught in a reboot loop.51 The investigation showed that an exploit was using a zero-day vulnerability in Windows Explorer.
On July 12, VirusBlokAda went public with the discovery as Microsoft was preparing the patch.
On July 15, cyber security blogger Brian Krebs released information about Stuxnet on his website.52

49 https://www.bbc.com/news/world-middle-east-33521655
50 https://www.kaspersky.com/resource-center/infographics/stuxnet
51 https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/s
52 https://www.reuters.com/article/us-cyberattack-iran-idUSTRE7B10AV20111202

Timeline (continued): In October, Iran’s Intelligence Minister mentioned that a number of "nuclear spies" connected to Stuxnet had been arrested.53
In November, Iran’s President Mahmoud Ahmadinejad disclosed publicly that the plant’s centrifuges had been damaged by a cyber-attack.

Target: The Natanz Nuclear Plant in Isfahan, Iran.

Effects: The SCADA systems of the plant were affected, causing damage to about 1,000 centrifuges.54

Attribution: Evidence suggests that nation-states, specifically Israel and the United States of America, were behind the attack, given the scale of resources required to build code of such complexity and the choice of targets.55
In June 2012, two sources revealed the role of the US and Israel in Stuxnet: "Confront and Conceal"56, a book on Obama’s foreign policy, and a New York Times article.57
In October 2016, Yahoo published an article revealing General James Cartwright’s (ret.) testimony in Federal Court on disclosing government covert actions against Iran.58
On September 2, 2019, Yahoo broke the news that the Dutch had assisted in delivering the exploit to the Natanz plant.59

Involved private sector actors: Symantec60, McAfee61, ESET62, Kaspersky63, Ralph Langner64, VirusBlokAda65

53 https://isssource.com/stuxnet-loaded-by-iran-double-agents/
54 https://www.bbc.com/timelines/zc6fbk7#z32pycw
55 Kim Zetter (2014) Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.
56 David E. Sanger (2012) Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. New York, Random House.
57 David E. Sanger (2012) Obama Order Sped Up Wave of Cyberattacks Against Iran. The New York Times (1 June). https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
58 https://www.yahoo.com/news/obamas-favorite-general-pleads-guilty-in-leak-probe-002646501.html; https://dailycaller.com/2016/10/18/obamas-favorite-general-charged-for-leaking-cia-op/; "Obama’s General" Pleads Guilty to Leaking Stuxnet Operation, https://foreignpolicy.com/2016/10/17/obamas-general-pleads-guilty-to-leaking-stuxnet-operation/
59 https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html
60 https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
61 https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-stuxnet.html
62 https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf
63 https://securelist.com/the-echo-of-stuxnet-surprising-findings-in-the-windows-exploits-landscape/65367/; https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080805/Kaspersky_Lab_KSN_report_windows_usage_eng.pdf
64 https://www.langner.com/stuxnet/
65 https://www.f-secure.com/weblog/archives/new_rootkit_en.pdf

7 Operation Cupcake
2010

Background and context: According to an unnamed UK government source, officers of the UK’s Government Communications Headquarters (GCHQ) replaced content of an online jihadist magazine, Inspire, reportedly bomb-making instructions, with a cupcake recipe, as "part of cyber war against terrorists".66 The British Secret Intelligence Service and GCHQ launched this operation as an attempt to disrupt efforts by al-Qaeda in the Arabian Peninsula to recruit "lone-wolf" terrorists with a new English-language magazine.67

Timeline: 2010 – the actual incident.
2011 – reporting by the Telegraph.

Target: Al-Qaeda, a broad-based militant Islamist organization founded in the late 1980s.

Effects: Content of the website changed.

Attribution: UK self-attribution through a government leak.

66 https://www.theguardian.com/uk/2011/jun/02/british-intelligence-ruins-al-qaida-website
67 https://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html

8 Ten Days of Rain
2011

Background and context: Starting on March 4, 2011, DDoS attacks targeted South Korean government websites as well as the network of U.S. Forces Korea.68 The DDoS attacks had clearly defined targets and a finite window of operation preconfigured to 10 days.69 McAfee noted that the incident "very closely" resembled the 4th of July attacks of 200970 and later concluded that the attacks were part of a bigger cyber espionage campaign, dubbed "Operation Troy".71

Target: South Korean Government.

Attribution: Attributed to Lazarus Group.72

Involved private sector actors: McAfee73

68 https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf
69 https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf
70 https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf
71 https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf
72 https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
73 https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf

9 DDoS attacks against the US financial institutions (operation Ababil)
2011-2013

Background and context: From December 2011 to May 2013, DDoS attacks were directed against 46 major US financial institutions and financial-sector corporations on at least 176 days.74 The US Attorney General stated that the US "will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market".75

Target: US financial sector.

Effects: Hundreds of thousands of customers were unable to access their accounts online, and victim institutions incurred tens of millions of dollars in remediation costs.

Attribution: On September 18, 2012, an Iran-affiliated hacker group called Izz ad-Din al-Qassam Cyber Fighters claimed responsibility.76
The US Government attributed the campaign to individuals and organizations working for the Iranian Government.77

74 https://www.justice.gov/opa/file/834996/download, page 4.
75 https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
76 https://pastebin.com/mCHia4W5
77 https://www.justice.gov/opa/file/834996/download

10 Flame
2012

Background and context The malware was discovered after the International Telecommunication Union (ITU) asked
Kaspersky Lab to "analyse data on malicious software across the Middle East in search of the
data-wiping virus reported by Iran".78 Iran's National Computer Emergency Response Team
(CERT) posted a security alert stating that it believed Flame was responsible for "recent
incidents of mass data loss" in the country.79

Target This malware was found in the Middle East, including Iran, Lebanon, Syria, and Israel.

Effects Primarily an espionage toolkit; Iran's CERT associated it with data loss at thousands of victims across private companies and academia.

Attribution Kaspersky Lab linked Flame to the Equation Group, which has in turn been linked to the US National Security Agency (NSA).80

Involved private sector actors Kaspersky Lab81

78 https://www.reuters.com/article/net-us-cyberwar-flame/powerful-flame-cyber-weapon-found-in-iran-idUSBRE84R0E420120528
79 https://www.bbc.com/news/technology-18238326
80 https://www.kaspersky.com/about/press-releases/2015_equation-group-the-crown-creator-of-cyber-espionage;
https://www.forbes.com/sites/thomasbrewster/2015/02/16/nsa-equation-cyber-tool-treasure-chest/#572b427e417f;
https://www.reuters.com/article/us-usa-cyberspying/russian-researchers-expose-breakthrough-u-s-spying-program-idUSKBN0LK1QV20150216
81 https://securelist.com/the-flame-questions-and-answers-51/34344/

11 Cyber-attacks against Saudi Aramco
2012

Background and context Saudi Arabia's national oil company was hit by the Shamoon82 malware, which affected around 30,000
workstations.83 A hacker group styling itself as fighting oppression was reported to have claimed responsibility.84 The group
justified the attack as revenge for the "crimes and atrocities taking place in various countries around
the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon [and] Egypt"
committed by the Al-Saud regime.85

Timeline On August 15, 2012 Saudi Arabia's national oil company was hit by the malware. The company's network and
services were inoperative for 10 days after the incident.86

Target Saudi Aramco, the Saudi Arabian Oil Company, which is "Saudi Arabia's national petroleum concern, a producer,
manufacturer, marketer and refiner of crude oil, natural gas, and petroleum products".87

82 "The virus acquired the name Shamoon in the malware analysis community due to a string of a folder name within the malware executable", C.Bronk
& E.Tikk-Ringas (2013) The Cyber Attack on Saudi Aramco. Survival, Global Politics and Strategy, 81-96, DOI: 10.1080/00396338.2013.784468,
https://www.tandfonline.com/doi/abs/10.1080/00396338.2013.784468 Online Source for the working paper: https://scholarship.rice.edu/bit-
stream/handle/1911/92672/ITP-pub-WorkingPaper-ShamoonCyberConflict-020113.pdf?sequence=1&isAllowed=y; https://cyber-peace.org/wp-con-
tent/uploads/2013/06/Shamoon-the-Wiper-Copycats-at-Work-Securelist.pdf
83 https://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/
84 Bronk & Tikk-Ringas (2013) Op.cit.
85 https://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/
86 https://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/
87 Bronk & Tikk-Ringas (2013) Op.cit.

Effects About 30,000 workstations infected and inoperable for several days.

Attribution Cutting Sword of Justice, a hacktivist group, claimed responsibility for the attack.88 This case drew
attention as the tools and the scalability of the incident surpassed "ordinary" hacktivist actions.89

Involved private sector actors Symantec90, Imperva91, Naked Security by SOPHOS92

88 https://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/
89 https://www.imperva.com/blog/the-significance-of-the-aramco-hack/
90 The Shamoon Attacks, 2012. Online Source: https://www.symantec.com/connect/blogs/shamoon-attacks
91 https://www.imperva.com/blog/the-significance-of-the-aramco-hack/
92 https://nakedsecurity.sophos.com/2012/08/17/targeted-destructive-malware-explained-trojmdrop-eld/

12 DarkSeoul93
2013

Background and context On March 20, 2013, at approximately 2 PM local time, South Korea suffered a cyber-attack that disrupted the services
of several major banks and broadcasters.94 The attack took place while American and South Korean military
forces were conducting joint exercises on the Korean Peninsula. Only weeks before, North Korea had accused
South Korea and its US ally of attacking its networks and causing an internet outage of several days
that affected the country's estimated few thousand internet users, believed to be mostly government
officials.95
The DarkSeoul incident is attributed to North Korea on the basis of circumstantial evidence.96

Timeline The remote-access Trojan was compiled on January 26, 2013.


The component to wipe the master boot record (MBR) of numerous systems was compiled on January 31.
The initial victim within the organization was spear-phished with a remote-access Trojan. This likely occurred
before March 20 and possibly weeks prior to the attack.

93 https://www.helpnetsecurity.com/2013/07/08/dissecting-operation-troy-cyberespionage-in-south-korea/
94 https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Dark_Seoul_Cyberattack.pdf
95 https://www.theguardian.com/world/2013/mar/20/south-korea-under-cyber-attack
96 https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war; Kong Ji
Young, Lim Jong In and Kim Kyoung Gon(2019) The All-Purpose Sword: North Korea’s Cyber Operations and Strategies. In: T. Minárik, S. Alatalu, S.
Biondi, M. Signoretti, I. Tolga and G. Visky (eds.) 2019 11th International Conference on Cyber Conflict: Silent Battle. Tallinn, NATO CCD COE Publica-
tions.

The dropper was compiled on March 20, hours before the attack occurred.
The dropper was distributed to systems across the victim organizations and, within minutes of execution, the
MBRs were wiped. This occurred around 2 PM Seoul time on March 20.97

Target South Korea

Effects About 48,000 computers were affected, rendering services inaccessible. The victim organizations needed weeks
to fully restore all functions.98

Attribution Shortly after the attack was discovered, the "NewRomanic Cyber Army Team" and the "Whois Crew", two
different, previously unknown hacker groups, took responsibility.99
Investigators in Seoul reported that their initial findings suggested that North Korea's military-run Reconnaissance
General Bureau was responsible.100 Researchers later established that the attack was "the outgrowth of a
multi-year cyber-espionage campaign waged by the North Korean government".101
South Korean officials initially pointed to a Chinese IP address, but later retracted this attribution.102 In April
2013, a spokesman for the Korea Internet & Security Agency announced that 22 of the addresses used in the
attack had been utilized by North Korean hackers since 2009.103
The US has attributed the DarkSeoul incident to the Lazarus Group (see 4th of July attacks).104 McAfee
concluded that a single group has been behind a series of threats targeting South Korea since October 2009.105

97 https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf
98 https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Dark_Seoul_Cyberattack.pdf
99 https://www.sans.org/reading-room/whitepapers/warfare/tracing-lineage-darkseoul-36787, page 6, ref. to Dell SecureWorks
100 https://www.bbc.com/news/technology-22092051
101 https://www.sans.org/reading-room/whitepapers/warfare/tracing-lineage-darkseoul-36787
102 https://www.darkreading.com/attacks-and-breaches/south-korea-changes-story-on-bank-hacks/d/d-id/1109211;
https://www.bbc.com/news/world-asia-21873017

Involved private sector actors Symantec106, McAfee107, Avast108

103 https://en.yna.co.kr/view/AEN20130410007352320
104 https://www.justice.gov/opa/press-release/file/1092091/download
105 https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf , page 17.
106 https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war
107 https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/examining-code-reuse-reveals-undiscovered-links-among-north-koreas-mal-
ware-families/;
https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf
108 https://blog.avast.com/2013/03/19/analysis-of-chinese-attack-against-korean-banks/

13 German Steel Mills
2014

Timeline The 2014 situation report of the German Federal Office for Information Security (Bundesamt für Sicherheit in der
Informationstechnik, BSI) made reference to a deliberate attack against a German steel manufacturing
company.109 The story broke on December 17, 2014 when the report was published.

Target An unidentified steel mill.

Effects The BSI report noted that failures of individual control components left a blast furnace unable to be shut down in a
regulated manner, resulting in massive damage to the plant.110 SANS Institute, a globally known research and education
organization, concluded that the combined impact may have resulted in a Loss of Control for plant operators and
possible malicious control leading to physical destruction.111

Attribution No official or other attribution has been made. According to SANS, BSI has referred to the attackers as an
advanced persistent threat (APT) with know-how of both IT security and industrial control systems.112

Involved private sector actors SANS Institute113, Sentryo114

109 https://www.bsi.bund.de/DE/Publikationen/Lageberichte/bsi-lageberichte.html, page 31.
110 https://www.bsi.bund.de/DE/Publikationen/Lageberichte/bsi-lageberichte.html, page 31.
111 https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf
112 https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf
113 https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf
114 https://www.sentryo.net/cyberattack-on-a-german-steel-mill/

14 Sands Casino
2014

Background and context A central person in this case is Sheldon Adelson, a person close to Israeli Prime Minister Benjamin
Netanyahu and a major Republican donor, who, on October 22, 2013 at Yeshiva University in New York
City, suggested that the US should use nuclear weapons on Iran to impose its demands from a position
of strength.115 Adelson is one of the owners of the Las Vegas Sands casino corporation, which had close to
USD 14 billion in revenue in 2013.

Timeline From November 2013, Iranian hackers had been probing the systems of Adelson's Las Vegas Sands casino.116
By February 9, 2014, they had acquired the login credentials of a senior computer systems engineer.
On February 10, thousands of computers on Sands networks were wiped clean of files.
The incident was exposed by Bloomberg Businessweek in a story published on December 11, 2014.117

Target Las Vegas Sands Casino, a US corporation.

Effects Bloomberg estimated that recovering data and fixing and replacing equipment cost $40 million.118

115 https://www.jpost.com/Diplomacy-and-Politics/Adelson-US-should-drop-atomic-bomb-on-Iran-329641
116 https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas#p1
117 https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas
118 https://www.bloomberg.com/news/articles/2015-02-26/iran-behind-cyber-attack-on-adelson-s-sands-corp-clapper-says

Attribution In a statement on worldwide cyber threats, US Director of National Intelligence James Clapper attributed the incident
to Iran.119

Involved private sector actors Dell SecureWorks120

119 https://fas.org/irp/congress/2015_hr/091015clapper.pdf, page 4
120 https://securityaffairs.co/wordpress/31039/malware/iranian-hackers-wiped-sands-corp-casino.html

15 Sony Pictures Entertainment
2014

Background and context Sony Pictures Entertainment (SPE) produced and distributed The Interview, a
Hollywood comedy ridiculing North Korea's leader and regime.

Timeline Sony Pictures Entertainment computers were infiltrated in October 2014, and in the following weeks
personal and sensitive information was posted online. On November 24, Sony Pictures Entertainment
personnel could not log in to their workstations because of the hack. On December 16, Sony cancelled the
film premiere, and on December 17 major US theater chains pulled the film. Sony cancelled the film's
Christmas Day release and announced that it did not have "further release plans for the film".

Target Sony Pictures Entertainment

Effects The FBI determined that the intrusion into SPE’s network consisted of the deployment of destructive
malware and the theft of proprietary information as well as employees’ personally identifiable
information and confidential communications. The attack also rendered thousands of SPE’s computers
inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the
company’s business operations.121

121 https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation?utm_campaign=email-Immediate&utm_medium=email&utm_
source=national-press-releases&utm_content=386194

Attribution A group calling itself the "Guardians of Peace", later associated with North Korea, claimed
responsibility for the attack.122
On December 9, 2014 an assistant director of the FBI's cyber division said that the investigation had so far
made no attribution to North Korea.123
On December 19, the Federal Bureau of Investigation (FBI) attributed the incident to North Korea.124
In a statement on worldwide cyber threats on September 10, 2015, the US Director of National
Intelligence attributed the incident to North Korea.125 On June 8, 2018, the Department of Justice filed
a criminal complaint against a North Korean citizen.126

Involved private sector actors Mandiant, CrowdStrike, Novetta127

122 Andrea Peterson (2018) The Sony Pictures hack, explained. The Washington Post (18 December)
https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/
123 https://www.reuters.com/article/us-sony-cybersecurity-fbi/fbi-official-says-no-attribution-to-north-korea-in-sony-hack-probe-idUSKBN-
0JN1MF20141209
124 https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation?utm_campaign=email-Immediate&utm_medium=email&utm_
source=national-press-releases&utm_content=386194
125 https://fas.org/irp/congress/2015_hr/091015clapper.pdf, page 4
126 https://www.justice.gov/usao-cdca/press-release/file/1091951/download
127 https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

16 TV5Monde
2015

Background and context On April 8, 2015 the French television network TV5Monde was hit by a sabotage operation that took its
channels off air. The attack was initially claimed by a persona styling itself the "CyberCaliphate"; additionally, the attackers
compromised multiple TV5Monde social media accounts.128

Timeline129 Reconnaissance between January 23 and February 6, 2015
Active Directory compromise between February 7 and 11, 2015
Data collection from February 16 through March 16, 2015
Compromise of social media platforms April 7-8, 2015
Sabotage of the 12 TV5Monde channels on April 8, 2015

Target TV5Monde, a French television network broadcasting worldwide.

Effects The attack caused a disruption of 12 channels for over 18 hours.130 "Any substantial delay would
have led satellite distribution channels to cancel their contracts, placing the entire company in
jeopardy".131

Attribution FireEye assessed that the attack was likely the work of APT28 (Fancy Bear), a Russian group, despite the "CyberCaliphate" claim;132 French officials later described the intrusion as the work of the same group.130

Involved private sector actors FireEye133

128 https://www.bankinfosecurity.com/french-officials-detail-fancy-bear-hack-tv5monde-a-9983
129 Timeline of attack: https://blog.comae.io/lessons-from-tv5monde-2015-hack-c4d62f07849d
130 https://www.bankinfosecurity.com/french-officials-detail-fancy-bear-hack-tv5monde-a-9983
131 https://www.bbc.com/news/technology-37590375
132 http://securityaffairs.co/wordpress/37710/hacking/apt28-hacked-tv5monde.html
133 https://www.fireeye.com/blog/threat-research/2015/05/hacking_the_newsgl.html

17 Power Outage in Ukraine
2015

Background and context The cyber-attack on three regional power distribution companies in Ukraine on December 23, 2015 is the first
publicly known instance of a cyber-attack disrupting electric grid operations.

Timeline "On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company,
reported service outages to customers. […] Starting at approx. 3:35 PM local time, seven 110 kV
and 23 35 kV substations were disconnected for three hours".134 The incident was caused by a third
party’s entry into computer and SCADA systems, which escalated to "additional portions of the
distribution grid and forced operators to switch to manual mode".135
Cyber-attacks against three companies occurred within 30 minutes of each other. During them,
malicious remote operation of the breakers was carried out by using either existing remote
administration tools at the operating system level or remote industrial control system (ICS) client
software via virtual private network (VPN) connections. The perpetrators "wiped some systems by
executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases
selected files on target systems and corrupts the master boot record (MBR), rendering systems
inoperable".136
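Both this entry and the DarkSeoul entry above describe wipers that overwrite the master boot record (MBR) so that machines no longer boot. The following Python is an added illustration by the editor, not code from the cited E-ISAC/SANS, ICS-CERT or McAfee reports: it parses a 512-byte MBR as a responder would from a disk image, checks the 0x55AA boot signature and the four partition entries, and flags a sector that has been zeroed or overwritten with filler. The two sample sectors are constructed in the code; nothing here is recovered from a real victim system, and the filler pattern is an assumption, not the bytes any named malware wrote.

```python
"""Check a 512-byte Master Boot Record for the signs of a wiper (added example).

The sample sectors built below are constructed for illustration; they are not
forensic data from any incident in this factbook.
"""
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55            # bytes 0x55 0xAA at offset 510, read little-endian
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries at 446..509
PARTITION_ENTRY_SIZE = 16


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrReport:
    signature_ok: bool
    boot_code_all_zero: bool
    partitions: List[Partition]
    verdict: str                   # "intact", "suspicious" or "overwritten"


def parse_partitions(sector: bytes) -> List[Partition]:
    """Return the non-empty entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, type_id = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if type_id == 0 and sectors == 0:
            continue               # empty slot
        parts.append(Partition(status == 0x80, type_id, lba_start, sectors))
    return parts


def analyse_mbr(sector: bytes) -> MbrReport:
    """Classify the first sector of a disk image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    signature_ok = struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE
    boot_code_all_zero = not any(sector[:PARTITION_TABLE_OFFSET])
    partitions = parse_partitions(sector)
    if not signature_ok:
        verdict = "overwritten"    # firmware will not boot this disk at all
    elif boot_code_all_zero or not partitions:
        verdict = "suspicious"     # signature present but boot code or table gone
    else:
        verdict = "intact"
    return MbrReport(signature_ok, boot_code_all_zero, partitions, verdict)


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: placeholder boot code, one bootable NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x63\x90"                          # jmp over the data area
    sector[3:PARTITION_TABLE_OFFSET] = b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])  # bootable, type 0x07
    entry += struct.pack("<II", 2048, 204800)              # start LBA, sector count
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


def overwrite_sector(pattern: bytes) -> bytes:
    """Constructed wiped sector: the whole MBR replaced by a repeated filler pattern."""
    return (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]


if __name__ == "__main__":
    for label, sector in [("healthy", build_sample_mbr()),
                          ("zeroed", overwrite_sector(b"\x00")),
                          ("text filler", overwrite_sector(b"WIPED..."))]:
        report = analyse_mbr(sector)
        print(f"{label:12s} signature_ok={report.signature_ok} "
              f"partitions={len(report.partitions)} verdict={report.verdict}")
```

In practice the first sector comes from a forensic image (or `dd` against the raw device from a boot medium). The partition-table check matters because a wiper can corrupt the table while leaving the 0x55AA signature in place; the signature alone therefore proves nothing about integrity, which is why the code reports "suspicious" rather than "intact" in that case.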

Target Ukraine's power grid, specifically three regional distribution companies, including Prykarpattyaoblenergo in the western region and Kyivoblenergo.

134 https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
135 ibid.
136 https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01

Effects Over 225,000 customers without power for up to 6 hours.137 The attack caused power outages and
blackouts in 103 cities and towns across Ukraine.138 The Ukrainian grid operators lost the ability for
automated control, for up to a year in some locations.139

Attribution The attack was attributed to the Sandworm team, also tracked as Voodoo Bear, BlackEnergy APT Group and
Telebots.140 The group is assessed to be Russian.141 Elizabeth Sherwood-Randall, US Deputy Secretary of Energy,
was reported to have attributed the attacks to Russia, speaking
at a gathering of electric power grid industry executives.142 There is also speculation that this was
a warning against Ukraine's moves towards possible nationalization of private energy companies,
some of which belong to a Russian oligarch close to Putin. In addition, the telephone denial-of-service
calls that flooded the utilities' customer call centers appeared to originate in Moscow, which could be an attempt
"to stoke the ire of Ukrainian customers and weaken their trust in the Ukrainian power companies and government."143

Involved private sector actors Dragos144, E-ISAC and SANS Institute145

137 https://dragos.com/wp-content/uploads/CrashOverride-01.pdf
138 http://www.homelandsecuritynewswire.com/dr20160216-russian-govt-behind-attack-on-ukraine-power-grid-u-s-officials
139 https://dragos.com/wp-content/uploads/CrashOverride-01.pdf
140 https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html;
https://dragos.com/wp-content/uploads/Crash Override-01.pdf, p. 10
141 https://attack.mitre.org/groups/G0034/
142 http://www.homelandsecuritynewswire.com/dr20160216-russian-govt-behind-attack-on-ukraine-power-grid-u-s-officials;
https://edition.cnn.com/2016/02/11/politics/ukraine-power-grid-attack-russia-us/index.html.
143 https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
144 https://dragos.com/wp-content/uploads/CrashOverride-01.pdf
145 https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

18 Industroyer/CRASHOVERRIDE
2016

Background and context The CRASHOVERRIDE (Industroyer) malware affected a single transmission-level substation in Ukraine. Close
to midnight on December 17, 2016, power went out in part of the Kyiv region. The timing, target
and method strongly suggest that it was part of a wider campaign targeting Ukraine's infrastructure,
suspected to originate with Russian intelligence services, following the annexation of Crimea and the
start of an armed conflict in Eastern Ukraine; the campaign began with the December 2015 outage (see
supra).146

Timeline Hackers are thought to have hidden in Ukrenergo’s IT network undetected for six months,
acquiring privileges to access systems and figuring out their workings, before taking methodical
steps to take the power offline.147

Target Ukraine's power grid, specifically a Ukrenergo transmission-level substation serving the Kyiv region.

Effects The attack cut about one fifth of the Ukrainian capital's power consumption for roughly an hour.

146 https://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/?fbclid=IwAR2YvS7Cq6zrcObPELejDyWBsJtF3MAXxy3PzgwI0Z-
cbDW9SGkEtC5vZyas; https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html;
147 https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA

Attribution Dragos attributes the malware to a group it tracks as ELECTRUM, assessing "with high
confidence" that it has direct ties to the Sandworm team, which is associated with Russia.148 A representative of
Honeywell's industrial cyber security lab for plants and critical infrastructure concluded that it
was an intentional cyber incident that was not meant to be large-scale.149

Involved private sector actors Dragos150, ESET151

148 https://www.zdnet.com/article/security-researchers-find-solid-evidence-linking-industroyer-to-notpetya/
149 https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA
150 https://dragos.com/wp-content/uploads/CrashOverride-01.pdf
151 https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

19 Bangladesh Bank Heist
2016

Background and context Fraudulent instructions issued via the SWIFT network led to the transfer of $20 million from a Federal
Reserve Bank of New York account belonging to the central bank of Bangladesh to Sri Lanka and $81
million to the Philippines. The Federal Reserve Bank of New York blocked further scheduled fraudulent
transactions after a misspelled instruction raised suspicions.152 The events coincided with the
Chinese New Year, which complicated the processing of related requests and slowed information
exchange between the entities involved.

Timeline The four US dollar accounts involved in the scheme were opened on May 15, 2015. The fraudulent
instructions were filed between February 4-5, 2016 when the bank was closed. Some transfers were
implemented on February 5 and several conversions of the stolen funds followed from February 5 to 13,
2016.153

Target Bangladesh Bank

Effects Loss of monetary assets, close to $81 million not recovered.

152 https://www.dhakatribune.com/opinion/op-ed/2019/02/03/the-bangladesh-bank-heist-and-beyond
153 https://web.archive.org/web/20160312145208/http://www.asianews.network/content/hackers-bugged-bangladesh-bank-system-jan-11271

Attribution In May 2016 the FBI reported suspicions of an inside job.154 In parallel, allegations were made that the
culprit was North Korea.155 In March 2017, an NSA official suggested that North Korea was behind the attack.156
In September 2018 the US Government charged a North Korean national for the heist.157 On January 10,
2019 a Philippine court found former bank manager Maia Santos-Deguito guilty of money laundering
offenses, the first criminal conviction related to the 2016 heist of Bangladesh's central
bank.
In January 2019 the Bangladesh Bank sued the Philippine bank RCBC and some of its staff over the heist in a
US court.

154 https://blogs.wsj.com/indiarealtime/2016/05/10/fbi-suspects-insider-involvement-in-81-million-bangladesh-bank-heist/
155 https://fortune.com/2016/05/27/north-korea-swift-hack/
156 https://foreignpolicy.com/2017/03/21/nsa-official-suggests-north-korea-was-culprit-in-bangladesh-bank-heist/
157 https://news.abs-cbn.com/business/09/07/18/us-charges-north-korean-in-bangladesh-central-bank-sony-hacks

20 Democratic National Committee e-mail leak (DNC Hack)
2016

Background and context The Democratic National Committee (DNC) is the formal governing body of the United States
Democratic Party. It provides strategic support to Democratic Party candidates.
Before the 2016 Democratic National Committee Convention, DCLeaks and WikiLeaks released a large
amount of DNC internal e-mails obtained from a persona named Guccifer 2.0.158

Timeline According to the indictment, the attack preparations started no later than March 2016.
July 22, 2016: WikiLeaks released 19,252 e-mails and 8,034 attachments.159
November 6, 2016: WikiLeaks released an additional 8,263 DNC e-mails.
October 7, 2016: official US attribution.162
July 13, 2018: indictment.160

Effects Plausible indirect behavioral effects.

158 https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/
159 https://www.washingtonpost.com/news/post-politics/wp/2016/07/22/on-eve-of-democratic-convention-wikileaks-releases-thousands-of-docu-
ments-about-clinton-the-campaign-and-internal-deliberations/
160 https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf

Attribution CrowdStrike, Fidelis Cybersecurity, Mandiant, SecureWorks and Ars Technica have associated the attacks
with Russia. ThreatConnect assessed that Fancy Bear (see also Montenegro election hack) carried out the intrusion and
then used the Guccifer 2.0 and DCLeaks personas as proxies to leak the stolen information.161
The U.S. Intelligence Community concluded that the Russian Government directed the
compromises of e-mails from US persons and institutions, including US political organizations.162
In announcing the indictment, the deputy attorney general said all 12 defendants worked for the Russian military
intelligence service, the GRU.163 Later reporting revealed that Dutch intelligence services provided evidence.164

Involved private sector actors CrowdStrike165, Fidelis Cybersecurity166

161 https://www.nbcnews.com/storyline/2016-rio-summer-olympics/experts-same-russians-hacked-olympic-whistleblower-democrats-n637871
162 https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national
163 https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf
164 https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/;
https://www.bloomberg.com/opinion/articles/2018-01-26/release-the-dutch-evidence-of-the-dnc-hack;
https://techcrunch.com/2019/04/18/read-the-mueller-report/;
https://www.nytimes.com/interactive/2019/04/18/us/politics/mueller-report-document.html?mtrref=www.google.com&gwh=94155A699F752B4B-
6B19665A8B70AC77&gwt=pay&assetType=REGIWALL.
165 https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
166 https://www.fidelissecurity.com/threatgeek/archive/findings-analysis-dnc-intrusion-malware/;
https://www.fidelissecurity.com/threatgeek/archive/podcast-how-experts-traced-dnc-hack-russian-spies/

21 Shamoon 2.0
2016-2017

Background and context Between November 2016 and January 2017, a wave of wiper cyber-attacks was directed at organizations in
various critical and economic sectors in Saudi Arabia. The malware used in the attacks was a variant of the
Shamoon wiper that hit Saudi Aramco and RasGas in 2012.167 A further Shamoon sample analysed by Anomali Labs in
December 2018 used an image of a burning US dollar as part of its attack. The image includes
the text "WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN", which is displayed in tandem
with the overwriting of files on a victim's system.168

Target Saudi Arabia

Effects Saudi Arabian TV reported 15 private and government entities affected.

Attribution Some have pointed the finger at Iran and APT33/Elfin. The argument from timing, that the attacks followed the US decision
to withdraw from the Iran nuclear deal, applies to the December 2018 wave rather than to the 2016-2017 attacks, since that
withdrawal came in May 2018. Elements from the Quran in the malware were taken to indicate a Middle Eastern origin.169

Involved private sector actors Anomali Labs170

167 https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
168 https://www.anomali.com/blog/destructive-shamoon-malware-continues-its-return-with-a-new-anti-american-message
169 https://www.zdnet.com/article/shamoons-data-wiping-malware-believed-to-be-the-work-of-iranian-hackers/;
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
170 https://www.anomali.com/blog/destructive-shamoon-malware-continues-its-return-with-a-new-anti-american-message

22 Montenegro election hack
2017

Background and context In 2017, Montenegro was preparing to join NATO.
The Balkan Investigative Reporting Network's (BIRN) investigation pointed out that the rise in cyber-attacks
can be associated with the final phase of the country's NATO accession negotiations in late 2016.171

Timeline Several cyber-attacks:
The Ministry of Information Society and Telecommunications released a communication to the public to
inform about the DDoS attacks of October 17 and 18, 2016.172
On October 20, 2016 a phishing attack was launched against the parliament of Montenegro.
Cyber-attacks on February 15, 2017 peaked over the following days, affecting the websites of the government
and state institutions, as well as some pro-government media, officials in Podgorica told the Center for
Investigative Journalism of Montenegro (CIN-CG) / BIRN.173

Target The parliament of Montenegro.

171 https://balkaninsight.com/2018/03/05/russia-s-fancy-bear-hacks-its-way-into-montenegro-03-01-2018/
172 http://www.mid.gov.me/en/news/166902/Web-portal-of-the-Government-of-Montenegro-exposed-to-DDoS-attacks.html
173 https://balkaninsight.com/2018/03/05/russia-s-fancy-bear-hacks-its-way-into-montenegro-03-01-2018/

Effects The websites of the Government of Montenegro (www.gov.me), the radio station "Antena M" (www.antenam.net), the Centre
for Democratic Transition (www.cdtmn.org) and the Democratic Party of Socialists of Montenegro
(www.sigurnimkorakom.me) were affected, as were communication services such as Facebook, WhatsApp and
Viber.174

Attribution Three prominent international security companies, FireEye175, Trend Micro and ESET, agree that Fancy Bear, a
Russian hacker group, staged at least three separate attacks in January, February and June 2017.176
ESET also confirmed to CIN-CG/BIRN that Fancy Bear was on active maneuvers in the
Balkans during the summer of 2017.177
Montenegro's leaders accused Russia of meddling in the election, which Moscow denied.178
The EU's Agency for Network and Information Security (ENISA) has said that Montenegrin infrastructure has been
targeted by Fancy Bear.179

Involved private sector actors Trend Micro180, ESET and FireEye181

174 http://www.cin-cg.me/demo/wp-content/uploads/2018/03/CIN-BIRN-eng.pdf
175 https://www.theregister.co.uk/2017/06/06/russian_hackers_target_montenegro/
176 https://balkaninsight.com/2018/03/05/russia-s-fancy-bear-hacks-its-way-into-montenegro-03-01-2018/
177 https://balkaninsight.com/2018/03/05/russia-s-fancy-bear-hacks-its-way-into-montenegro-03-01-2018/
178 https://balkaninsight.com/2017/02/22/montenegro-govt-on-alert-over-new-cyber-attacks-02-21-2017/
179 https://www.rferl.org/a/montenegro-seeks-stare-down-fancy-bear-ahead-election/29105869.html
180 https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/
181 https://balkaninsight.com/2018/03/05/russia-s-fancy-bear-hacks-its-way-into-montenegro-03-01-2018/

23 Qatar News Agency
2017

Background and context Starting on April 19, 2017, hackers successfully used VPNs, exploits and malware to penetrate the website, Twitter and YouTube pages of the Qatar News Agency (QNA). Fabricated quotes from His Highness Sheikh Tamim bin Hamad al-Thani, Emir of Qatar, and Mohammed bin Abdulrahman bin Jassim al-Thani, Qatari Minister of Foreign Affairs, were posted on the hacked Twitter page and website of QNA at 12:13AM on Wednesday, May 24, 2017. Immediately after publication, the fabricated quotes became major news in other Gulf Cooperation Council (GCC) countries. This incident was a key event in the broader geopolitical timeline that led to the June 5, 2017 fallout with nine previously allied governments (including Saudi Arabia, the United Arab Emirates, Bahrain and Egypt), resulting in an air and land embargo on Qatar, the cessation of trade, and the suspension of all diplomatic relations.

Target Twitter and YouTube pages of the Qatar News Agency.

Effects Official Website and Twitter Feed of Qatar News Agency were compromised.

Attribution Qatar has attributed the attacks to the United Arab Emirates.182 Traffic logs indicated a spike in
visits – anomalous for the late hour – from certain IP addresses in a fellow GCC country in the hour
preceding the publication of the fabricated quotes. Immediately after the publication, the fabricated
quotes became major news in other GCC countries. Over 20 political figures and senior guests were
promptly available between 1AM and 5:30AM to discuss the fabricated quotes and criticize the Qatari
government on live television.

182 https://www.aljazeera.com/news/2017/07/qatar-sheds-light-cyberattack-official-media-170720151344996.html

Attribution (Continues) A week and a half later, certain Arab countries began severing diplomatic relations with Qatar. Their airspace was closed to Qatari flights, borders were closed, restricting food shipments, and access to Qatari news sources was blocked in these countries. Other sources implicated Saudi Arabia.183 However, it is believed that the UAE and Saudi Arabia used Russian hackers for hire as their intermediary to conduct the cyber-attack in order to mask their identity.184

183 https://www.alaraby.co.uk/english/news/2018/6/4/saudi-based-agents-hacked-qatar-state-news-website-documentary-reveals
184 https://www.reuters.com/article/us-gulf-qatar-cybercrime/qatar-investigation-finds-state-news-agency-hacked-foreign-ministry-idUSKBN18Y2X4;
https://www.bbc.com/news/blogs-trending-44294826

24 Left of the Launch
2017

Background and context On April 15, 2017, the North Korean leader Kim Jong-un ordered a nuclear test missile launch. The missile exploded a few seconds after launch.

Timeline January 1, 2017: Kim Jong-un announces plans for a launch.185
January 2, 2017: President-elect Donald Trump tweets about the North Korean plans.
April 15, 2017: the missile launch fails.

Target North Korea’s nuclear missile.

Effects Destruction of the missile.

Attribution Speculation about US involvement was based on President-elect Donald Trump’s tweet of January 2, 2017186: "North Korea just stated that it is in the final stages of developing a nuclear weapon capable of reaching parts of the U.S. It won’t happen!"

185 https://www.nytimes.com/2017/01/01/world/asia/north-korea-intercontinental-ballistic-missile-test-kim-jong-un.html
186 https://twitter.com/realdonaldtrump/status/816057920223846400

25 NotPetya
2017

Background and context On June 27, 2017, a ransomware attack affected companies in Ukraine, Russia, France, Germany, Italy, Poland, the United Kingdom, and the United States.187 The malware took advantage of the same weaknesses used by the WannaCry attack a month earlier.188
The incident has been associated with the 2015 power outage in Ukraine and the 2016 Crash Override/Industroyer attack (all took place in Ukraine and are attributed to the Sandworm group).189

Timeline Between 05:00 and 06:00 AM: Kyiv’s electricity provider Kyivenergo and Ukrenergo, Ukraine’s national energy company, report that they have been hacked. They are followed by many others: the Danish conglomerate Maersk, the French Saint-Gobain, Spanish multinationals and the UK advertiser WPP.
08:00 AM: Symantec identifies Petya and EternalBlue in the series of attacks.
10:00 AM: Kaspersky clarifies that it is actually a new malware, dubbing it "NotPetya", and adds that the threat has already affected some 2,000 organisations. Later on, they identify the EternalRomance exploit and Mimikatz, as well as other tools used by the malware.
12:00: Ukraine’s police confirm M.E.Doc as the initial infection vector.

187 https://www.bbc.com/news/technology-40416611
188 https://www.bbc.com/news/technology-40416611
189 https://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/?fbclid=IwAR2YvS7Cq6zrcObPELejDyWBsJtF3MAXxy3PzgwI0Z-cbDW9SGkEtC5vZyas

Timeline (Continues) 13:00: Security researchers share information and provide preventive measures to stop the execution of the program.
June 28, 05:00 AM: it is observed that paying the ransom does not restore access to the encrypted files.190

Target Private sector entities globally, including banks, airports, transport firms, power companies and the healthcare sector.

Effects Among the companies affected were the aircraft manufacturer Antonov, Russia’s biggest oil producer Rosneft, and the Danish shipping company Maersk, including its container shipping, oil, gas and drilling operations. A port in Mumbai was among those that halted operations.191 "NotPetya" interrupted the normal operation of banking, power, airports and metro services in Ukraine. While the brunt of the impact was felt in Ukraine, the malware spread globally, affecting a number of major international businesses and causing hundreds of millions of dollars in damage.192

Attribution The United States, the United Kingdom, Australia, New Zealand and Canada have attributed the attack to
Russia.193 The governments of the US, the UK, Denmark, Lithuania, Estonia, Canada, and Australia called out
Russia in official statements. Official statements came also from Norway, Latvia, Sweden, and Finland.194

190 https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/notpetya-timeline-of-a-ransomworm/;
see also: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
191 https://www.bbc.com/news/technology-40416611
192 https://dfat.gov.au/international-relations/themes/cyber-affairs/Documents/australia-attributes-notpetya-malware-to-russia.pdf
193 https://dfat.gov.au/international-relations/themes/cyber-affairs/Documents/australia-attributes-notpetya-malware-to-russia.pdf; https://www.gcsb.govt.nz/news/new-zealand-joins-international-condemnation-of-notpetya-cyber-attack/; https://www.cse-cst.gc.ca/en/media/2018-02-15; https://www.berlingske.dk/virksomheder/claus-hjort-rusland-stod-bag-cyberangreb-mod-maersk
194 https://www.zdnet.com/article/blaming-russia-for-notpetya-was-coordinated-diplomatic-action/

Attribution (Continues) The UK Government judged that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack.195 The White House concluded that "the Russian military launched the most destructive and costly cyber-attack in history".196 Ukraine accused the Russian military services days after the attack.197
Recent analyses have provided strong evidence that NotPetya is linked to previous attacks on the Ukrainian power grid (in particular the 2015 BlackEnergy3 and 2016 Crash Override/Industroyer attacks), pointing at the Sandworm group (in this case dubbed TeleBots due to their evolved modus operandi).198

Involved private sector actors CrowdStrike199, LogRhythm Labs200, Microsoft Security Team201, Cynet202, Fortinet203, Carbon Black204

195 https://www.gov.uk/government/news/foreign-office-minister-condemns-russia-for-notpetya-attacks
196 https://web.archive.org/web/20180215220405/https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/#main-content
197 https://ssu.gov.ua/en/news/1/category/21/view/3660#.C2HJKnpy.dpbs
198 https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
199 https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/,
https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/
200 https://logrhythm.com/blog/notpetya-technical-analysis/
201 https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc; https://msrc-blog.microsoft.com/2017/06/28/update-on-petya-malware-attacks/; https://www.microsoft.com/security/blog/2017/10/03/advanced-threat-analytics-security-research-network-technical-analysis-notpetya/
202 https://www.cynet.com/blog/technical-analysis-notpetya/
203 https://www.fortinet.com/blog/threat-research/new-ransomware-follows-wannacry-exploits.html; https://www.fortinet.com/blog/threat-research/a-technical-analysis-of-the-petya-ransomworm.html
204 https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

Involved private sector actors (Continues) Kaspersky Lab205, Anomali206, Symantec207

205 https://securelist.com/schroedingers-petya/78870/; https://www.kaspersky.com/blog/new-ransomware-epidemics/17314/
206 https://dsimg.ubm-us.net/envelope/402623/584083/Anomali-NotPeya_One_Year_Later-Whitepaper.pdf
207 https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-executive-summary-en.pdf

26 Trisis/Triton
2017

Background and context In mid-November 2017, malware tailored to industrial control systems was deployed against a particular, unnamed petrochemical plant in Saudi Arabia. The malware targeted Schneider Electric’s Triconex safety instrumented system (SIS), enabling the replacement of logic in final control elements.208
In December 2017, FireEye reported209 that it had recently worked with an industrial operator whose facility had been attacked by a new type of industrial control system malware, which it named TRITON (other organizations have named it TRISIS or HatMan).210

Timeline June 2017: an emergency plant-process shutdown system is knocked offline by the attackers. This incident was "insufficiently" investigated.
August 7, 2017: shutdown of the Saudi Arabian firm’s Triconex ESD system.
November 2017: discovery by Dragos.

Target An unnamed petrochemical plant in Saudi Arabia.

208 https://dragos.com/wp-content/uploads/TRISIS-01.pdf; https://www.nozominetworks.com/labs/projects/triton/
209 https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
210 https://www.nozominetworks.com/downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf, page 2.

Attribution FireEye has concluded that a Russian government-owned lab most likely built the custom intrusion tools.211

Involved private sector actors Dragos212, FireEye/Mandiant213

211 https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
212 https://dragos.com/wp-content/uploads/TRISIS-01.pdf
213 https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

27 WannaCry (WannaCrypt, WanaCrypt0r, WCrypt, or WCRY)
2017

Background and context It is believed that the US National Security Agency (NSA) originally discovered the vulnerability in Microsoft software that became key to the widespread effects of the ransomware. Rather than reporting the vulnerability to the infosec community, the NSA developed code to exploit it, called EternalBlue.214 This exploit was stolen by a hacking group known as the Shadow Brokers, who released it on April 8, 2017.215

Timeline On March 14, 2017, Microsoft released a security update to patch the vulnerability exploited by EternalBlue.
On April 8, 2017, the Shadow Brokers released the exploit.
On May 12, 2017, the ransomware started spreading.
June 8, 2018: criminal complaint by the US Department of Justice (DOJ).
September 6, 2018: sanctions by the US Treasury.

Target A particular target has not been identified. The ransomware differed from most other ransomware attacks in that it did not appear to target any particular victim(s). Instead, it was designed to self-propagate and continually infect additional vulnerable computers.216

214 https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html
215 https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
216 https://www.justice.gov/usao-cdca/press-release/file/1091951/download, p 108.

Effects Hundreds of thousands of computers in more than 150 countries were affected by the WannaCry Version 2 ransomware.217
The UK was one of the most severely affected countries, as at least 80 of the 236 National Health Service (NHS) trusts were temporarily disconnected.218 Almost 7,000 appointments were cancelled between May 12 and 18, 2017.219 603 primary care or other NHS organizations were infected.220 Affected files remain encrypted and inaccessible.221

Attribution BAE Systems has attributed this attack to the Lazarus Group (see 4th of July attacks).222 The Department of
Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have linked the Lazarus Group (also
known as Hidden Cobra or Guardians of Peace)223 to the North Korean government.224
In a White House press briefing, the Trump Administration attributed the attack to North Korea: "After careful
investigation, the United States is publicly attributing the massive WannaCry cyberattack to North Korea. /…/
The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in
denouncing North Korea for WannaCry."225

217 https://www.reuters.com/article/us-cyber-attack-europol/cyber-attack-hits-200000-in-at-least-150-countries-europol-idUSKCN18A0FX
218 https://www.justice.gov/usao-cdca/press-release/file/1091951/download, p 107.
219 https://www.justice.gov/usao-cdca/press-release/file/1091951/download, p 107.
220 https://www.justice.gov/usao-cdca/press-release/file/1091951/download, p 107.
221 https://www.justice.gov/usao-cdca/press-release/file/1091951/download, p 108.
222 https://baesystemsai.blogspot.com/2017/05/wanacrypt0r-ransomworm.html
223 https://attack.mitre.org/groups/G0032/
224 https://www.us-cert.gov/ncas/alerts/TA17-164A
225 https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/

Attribution (Continues) Statements from Australia226, Canada227, Japan228, New Zealand229 and the UK230 followed.

Involved private sector actors BAE Systems, Symantec, Kaspersky, Microsoft

226 https://foreignminister.gov.au/releases/Pages/2017/jb_mr_171220.aspx
227 https://www.cse-cst.gc.ca/en/media/2017-12-19
228 https://www.mofa.go.jp/press/release/press4e_001850.html
229 https://www.gcsb.govt.nz/news/opening-statement-by-the-director-general-government-communications-security-bureau-to-the-intelligence-and-security-committee/
230 https://www.gov.uk/government/news/foreign-office-minister-condemns-north-korean-actor-for-wannacry-attacks

28 Disruption of Daesh activities
2017

Background and context In April 2018, the director of the UK Government Communications Headquarters (GCHQ) revealed that the UK had conducted a "major offensive cyber-campaign" against the Islamic State group.231
The attacks are in line with the British Government’s conclusion that a price must be imposed on malicious cyber-activity, sufficient to deter authoritarian states and non-state actors. The Foreign and Commonwealth Office has also announced that it is considering further steps, consistent with international law, to ensure that current cyber-attacks are not merely managed but that future ones are deterred as well.232

Timeline The campaign was conducted during 2017 and revealed in the speech of the GCHQ director on April 18,
2018.233

Target Daesh, an Arabic-language acronym for the Islamic State, a jihadist militant group (also known as the Islamic State of Iraq and the Levant (ISIL) and the Islamic State of Iraq and Syria (ISIS)).

231 https://www.gchq.gov.uk/speech/jeremy-fleming-fullerton-speech-singapore-2019
232 https://www.scmagazineuk.com/uk-sanctions-cyber-offensives-deter-cyber-attacks-undermining-democracy/article/1578587
233 https://www.gchq.gov.uk/speech/director-cyber-uk-speech-2018

Effects According to GCHQ, the operations have made a significant contribution to the coalition efforts to suppress Daesh propaganda, hindered its ability to coordinate attacks, and protected coalition forces on the battlefield.234 GCHQ noted: "2017 there were times when Daesh found it almost impossible to spread their hate online, to use their normal channels to spread their rhetoric, or trust their publications".235

Attribution UK self-attributed the campaign to GCHQ in partnership with the Ministry of Defence.

234 https://www.gchq.gov.uk/speech/director-cyber-uk-speech-2018
235 https://www.gchq.gov.uk/speech/director-cyber-uk-speech-2018

29 Olympics Destroyer
2018

Background and context Internet disruption occurred during the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, in February 2018. The disruption affected telecasts, grounded broadcasters’ drones and took down the Pyeongchang 2018 website. In addition, it caused problems with printing out reservations for the ceremony.

Timeline In December 2017, spear-phishing attempts were discovered ahead of the official opening event of the Winter Games.236
The technical disruption occurred on February 9, 2018.
The Guardian reported on February 10, 2018 that the Winter Olympics organizers were investigating the incident.237
On February 11, 2018, Olympic officials confirmed that the games had been targeted by a cyber-attack.238

Target Winter Olympics’ opening ceremony in Pyeongchang.

Effects Disruption of the network, affecting telecasts and drones and taking the website offline.

236 https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/malicious-document-targets-pyeongchang-olympics/; https://www.crowdstrike.com/blog/malicious-spear-phishing-campaign-targets-upcoming-winter-olympics-in-south-korea/; https://www.cyberscoop.com/atos-olympics-hack-olympic-destroyer-malware-peyongchang/
237 https://www.theguardian.com/sport/2018/feb/10/winter-olympics-investigating-if-technical-problems-were-cyber-attack
238 https://www.theguardian.com/sport/2018/feb/11/winter-olympics-was-hit-by-cyber-attack-officials-confirm

Attribution CrowdStrike Falcon Intelligence analyzed the initial spear-phishing campaign and attributed it to Russia and North Korea.239 Intezer attributed it to Chinese threat actors.240
Recorded Future attributed the incident to the Lazarus Group of North Korea (see 4th of July attacks).241
Kaspersky Lab concluded that the traces pointing to the Lazarus threat actor were a false flag.242 The Winter Olympics organizers refused to confirm any source of the attack.243
The Russian Foreign Ministry anticipated allegations that Russia was involved in hacking the Winter Olympic Games, stating that they "/…/ know that Western media are planning pseudo-investigations on the theme of "Russian fingerprints" /…/, of course, no evidence will be presented to the world".244

Involved private sector actors Cisco’s Talos245, McAfee246, Intezer247, Kaspersky248, Recorded Future249

239 https://www.crowdstrike.com/blog/malicious-spear-phishing-campaign-targets-upcoming-winter-olympics-in-south-korea/
240 http://www.intezer.com/2018-winter-cyber-olympics-code-similarities-cyber-attacks-pyeongchang/
241 https://www.recordedfuture.com/olympic-destroyer-malware/
242 https://securelist.com/the-devils-in-the-rich-header/84348/
243 https://globalnews.ca/news/4018850/pyeongchang-winter-olympics-cyberattack/
244 https://www.reuters.com/article/us-olympics-2018-cyber/games-organizers-confirm-cyber-attack-wont-reveal-source-idUSKBN1FV036
245 https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
246 Malicious Document Targets Pyeongchang Olympics: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/malicious-document-targets-pyeongchang-olympics/; Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
247 http://www.intezer.com/2018-winter-cyber-olympics-code-similarities-cyber-attacks-pyeongchang/
248 https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/
249 https://www.recordedfuture.com/olympic-destroyer-malware/

30 Disruption of the activities of the Internet Research Agency
2018

Background and context In February 2018, the Internet Research Agency (IRA), a Russian organization, was charged with interfering in the 2016 US election. The US Department of the Treasury has tied the IRA to the Federal News Agency (FNA), a Russian online media outlet (publisher).250
In June 2018, the mandate of US Cyber Command was extended to offensive operations.251

Timeline The disruption commenced on November 5, 2018, the day preceding the US midterm elections, at about 10 pm.
On February 26, 2019, the Washington Post first revealed the incident, based on input from unidentified US officials.252
On February 27, the Federal News Agency confirmed and further commented on the incident.

Target The US Government has framed the IRA as an organization engaged in operations to interfere with elections and political processes. The IRA is also widely referred to in the media as "a Russian troll factory".

250 US Department of Treasury (2018) Treasury Targets Russian Operatives over Election Interference, World Anti-Doping Agency Hacking, and Other
Malign Activities. (December) https://home.treasury.gov/news/press-releases/sm577
251 https://www.cfr.org/blog/what-do-trump-administrations-changes-ppd-20-mean-us-offensive-cyber-operations
252 https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html?noredirect=on

Effects US sources have described the operation as taking the IRA offline. According to a representative of the IRA, the failed parts of the server were quickly replaced, new mirrors were created for USAReally, a Moscow-based media outlet, and the work of the IRA and USAReally did not stop.253

Attribution US self-attribution.

253 https://riafan.ru/1155441-kiberataka-ssha-na-fan-podrobnosti-neudachnoi-operacii-us-cyber-command

31 Cryptocurrency Exchange Raids
2017-2018

Background and context North Korea has been under various economic sanctions, including bans on the export of coal, wood and minerals, as well as sanctions blocking the import of luxury goods and placing restrictions on fishing rights, intended to force it to abandon its nuclear weapons program.254
These sanctions have affected the country’s economy and, in response to the economic crisis, as the United Nations Security Council report states, there has been a "trend in the Democratic People’s Republic of Korea’s evasion of financial sanctions of using cyberattacks to illegally force the transfer of funds from financial institutions and cryptocurrency exchanges".255

Timeline According to the UN Security Council Panel of Experts report, the timeline of the cyber-attacks launched against financial institutions is the following:
The theft of $81 million from Bangladesh Bank in 2016.256
The theft of $571 million from five cryptocurrency exchanges in Asia between January 2017 and September 2018.257
The theft of $400 million worth of bitcoin as a result of the penetration of Coincheck258, a Japan-based

254 https://www.wired.co.uk/article/north-korea-hackers-apt38-cryptocurrency
255 https://www.securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C-8CD3-CF6E4FF96FF9%7D/s_2019_171.pdf
256 https://www.securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C-8CD3-CF6E4FF96FF9%7D/s_2019_171.pdf, p. 50, (112).
257 https://home.treasury.gov/news/press-releases/sm774
258 https://www.reuters.com/article/uk-southkorea-northkorea-cryptocurrency/south-korean-intelligence-says-n-korean-hackers-possibly-behind-coincheck-heist-sources-idUSKBN1FP2XX

Timeline (Continues) exchange,259 in January 2018.

Target Cryptocurrency exchanges such as Yapizon, Coinis, YouBit260, Bithumb and Coincheck261 in South Korea, Japan, and potentially other countries.262

Effects An increase in cyber-attacks and security breaches of crypto exchanges and markets caused very large financial losses.

Attribution The US indictment263 and the UN Security Council Panel of Experts attributed these cyber-attacks on crypto exchanges to North Korea. The UN panel also attributed the 2016 theft of $81 million from Bangladesh Bank to a North Korean-sponsored cyberattack; in that case, the panel cited a US indictment.264

Involved private sector actors Group-IB265

259 https://www.forbes.com/sites/adelsteinjake/2018/01/30/japan-cracks-down-on-cryptocurrency-exchanges-after-534m-heist-police-begin-investigation/
260 http://www.theinvestor.co.kr/view.php?ud=20171220000397&ACE_MAIN=2
261 https://www.group-ib.com/media/gib-crypto-summary/
262 https://www.group-ib.com/media/gib-crypto-summary/
263 https://www.justice.gov/usao-cdca/press-release/file/1091951/download
264 https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and,
https://www.justice.gov/usao-cdca/press-release/file/1091951/download
265 https://www.group-ib.com/media/gib-crypto-summary/

32 US Cyber Command Operation against Iran’s Paramilitary/Intelligence networks
2019

Background and context This incident is related to tensions between Iran and the Trump administration. The US has accused Iran of a series of attacks against oil tankers in the Strait of Hormuz.266 A US airstrike in retaliation for Iran’s downing of a US drone was initiated, then called off.267

Timeline June 20, 2019: Drone downed and US retaliatory airstrike approved, then called off.
Replaced by a cyber-attack on the same day (allegedly planned in advance).

Target The Iranian Revolutionary Guards’ intelligence group (allegedly)

Effects The attack "wiped out a critical database used by Iran’s paramilitary arm to plot attacks against oil
tankers and degraded Tehran’s ability to covertly target shipping traffic in the Persian Gulf, at least
temporarily".

Attribution US Cyber Command (admitted)

266 https://www.nytimes.com/2019/06/19/world/middleeast/navy-tanker-iran-evidence.html?module=inline
267 https://www.nytimes.com/2019/06/20/world/middleeast/iran-us-drone.html?module=inline

Additional Readings

1 RadioFreeEurope/RadioLiberty (2019) Behind the Estonia Cyberattacks. (March)
https://www.rferl.org/a/Behind_The_Estonia_Cyberattacks/1505613.html

2 John Markoff (2008) Before the Gunfire, Cyberattacks. The New York Times (13 August)
https://www.nytimes.com/2008/08/13/technology/13cyber.html?mtrref=www.google.com&gwh=9C4485D9BCF9B252F0269DA44DA387DD&gwt=pay&assetType=REGIWALL

Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul (2008) Cyber Attacks Against Georgia:
Legal Lessons Identified. http://www.ismlab.usf.edu/isec/files/Georgia-Cyber-Attack-NATO-Aug-2008.pdf

Dancho Danchev (2008) Georgia President’s web site under DDoS attack from Russian hackers. ZD Net (July)
https://www.zdnet.com/article/georgia-presidents-web-site-under-ddos-attack-from-russian-hackers/

Jon Swaine (2008) Russia continues cyber war on Georgia. The Telegraph (August)
https://www.telegraph.co.uk/news/worldnews/europe/georgia/2553058/Russia-continues-cyber-war-on-Georgia.html

Jim Nichol (2009) Russia-Georgia Conflict in August 2008: Context and Implications for U.S. Interests. Federation of American
Scientists (March). https://fas.org/sgp/crs/row/RL34618.pdf

Paulo Shakarian (2008) The 2008 Russian Cyber Campaign Against Georgia (November-December 2011)
https://www.academia.edu/1110559/The_2008_Russian_Cyber_Campaign_Against_Georgia

3 Ji Min Park (2015) Finding Effective Responses Against Cyber Attacks for Divided Nations. (December)
https://faculty.nps.edu/ncrowe/oldstudents/15Dec_Park_JiMin_final.htm

4 Rob Welham (2010) Baidu taken offline by hackers. SCI & TECH (January)
https://web.archive.org/web/20150909180441/http://news.xinhuanet.com/english/2010-01/12/content_12797829.htm

Robert Mackey (2010) "Iranian Cyber Army" Strikes Chinese Site. The New York Times (January)
https://thelede.blogs.nytimes.com/2010/01/12/iranian-cyber-army-strikes-chinese-site/?_r=0&mtrref=undefined&gwh=4C57CC8000877B70049D079EF1A4F14A&gwt=pay&assetType=REGIWALL

5 Committee to Protect Journalists (2010) Burma’s exile media hit by cyber-attacks. (September)
https://cpj.org/2010/09/burmas-exile-media-hit-by-cyber-attacks.php

InfoSecurity (2010) Massive DDoS attack knocks Burma offline. (November)
https://www.infosecurity-magazine.com/news/massive-ddos-attack-knocks-burma-offline/

6 Fred Kaplan (2019) The Dutch Connection. (September)
https://slate.com/news-and-politics/2019/09/stuxnet-netherlands-allies-trump-cyberattack.html

MehrNews (2010) Identifying the origin of Stuxnet virus / virus control status in the country (non-official translation)
(August). https://web.archive.org/web/20101103235349/https://www.mehrnews.com/fa/newsdetail.aspx?NewsID=1182559

Kim Zetter (2014) An unprecedented look at Stuxnet, the World’s First Digital Weapon. Wired

Eugene Kaspersky (2011) The Man Who Found Stuxnet – Sergey Ulasen in the Spotlight. (November)
https://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/

Science Direct. https://www.sciencedirect.com/topics/computer-science/stuxnet

Julian Borger (2019) Iran to develop nuclear centrifuges as US dismisses French plan to ease tension. (September)
https://www.theguardian.com/world/2019/sep/04/us-iran-french-initiative-economic-pressure-brian-hook

Brandon Vigliarolo (2017) Stuxnet: The smart person’s guide. (August)
https://www.techrepublic.com/article/stuxnet-the-smart-persons-guide/

David Kushner (2013) The Real Story of Stuxnet. (March)
https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

See also Alex Gibney (2016) Zero Days, a documentary film268

7 Elizabeth Flock (2011) Operation Cupcake: MI6 replaces Al-Qaeda bomb-making instructions with cupcake recipes. (June)
https://www.washingtonpost.com/blogs/blogpost/post/operation-cupcake-mi6-replaces-al-qaeda-bomb-making-
instructions-with-cupcake-recipes/2011/06/03/AGFUP2HH_blog.html

8 Ji Min Park (2015) Finding Effective Responses Against Cyber Attacks for Divided Nations. (December)
https://faculty.nps.edu/ncrowe/oldstudents/15Dec_Park_JiMin_final.htm

DongJoo Ha, SangMyung Choi, TaeHyung Kim, SeungYoun Han (2011) Check Your Zombie Devices!
https://media.blackhat.com/bh-ad-11/Ha/bh-ad-11-Ha-Check_Your_Zombie_Devices_Slides.pdf

9 Annie Fixler and Frank Cilluffo (2018) Evolving Menace: Iran’s Use of Cyber-Enabled Economic Warfare (November)
https://www.fdd.org/analysis/2018/11/06/evolving-menace/

Collin Anderson and Karim Sadjadpour (2018) Iran’s Cyber Threat. Carnegie Endowment for International Peace.
https://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf

268 https://www.imdb.com/title/tt5446858/

10 Laboratory of Cryptography and System Security (CrySyS Lab) (2012) sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex
malware for targeted attacks. (May). https://www.crysys.hu/publications/files/skywiper.pdf

Dave Lee (2012) Flame: Massive cyber-attack discovered, researchers say. (May)
https://www.bbc.com/news/technology-18238326

Kim Zetter (2012) Meet "Flame", the Massive Spy Malware Infiltrating Iranian Computers. Wired (May)
https://www.wired.com/2012/05/flame/

Kim Zetter (2019) Researchers Uncover New Version of the Infamous Flame Malware. Vice (April)
https://www.vice.com/en_us/article/d3maw7/researchers-uncover-new-version-of-the-infamous-flame-malware

11 Nicole Perlroth (2012) Among Digital Crumbs from Saudi Aramco Cyberattack, Image of Burning U.S. Flag. The New York Times (August)
https://bits.blogs.nytimes.com/2012/08/24/among-digital-crumbs-from-saudi-aramco-cyberattack-image-of-burning-u-s-flag

Nicole Perlroth (2012) In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back. The New York Times (October)
https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html

Paul Roberts (2012) Oil giant Saudi Aramco back online after 30,000 workstations hit by malware. Naked Security (August)
https://nakedsecurity.sophos.com/2012/08/27/saudi-aramco-malware/

Pastebin (2012). https://pastebin.com/HqAgaQRj

Elisabeth Bumiller and Tom Shanker (2012) Panetta Warns of Dire Threat of Cyberattack on U.S. The New York Times (11
October) https://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all.

12 Jonathan A. P. Marpaung and HoonJae Lee (2013) Dark Seoul Cyber Attack: Could it be worse?
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Dark_Seoul_Cyberattack.pdf

McAfee (2011) Ten Days of Rain. Expert analysis of distributed denial-of-service attacks targeting South Korea. (July)
https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf

13 Richard Sale (2015) German Steel Mill: Insider Job. ISSSource. https://isssource.com/german-steel-mill-attack-inside-job/

14 Sean Gallagher (2014) Iranian hackers used Visual Basic malware to wipe Vegas casino's network. Ars Technica (December)
https://arstechnica.com/information-technology/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network

Reuters (2014) Las Vegas Sands' network hit by destructive malware in Feb: Bloomberg. (December)
https://www.reuters.com/article/us-lasvegassands-cybersecurity/las-vegas-sands-network-hit-by-destructive-malware-in-feb-bloomberg-idUSKBN0JQ04520141212

15 TrendMicro (2014) An Analysis of the "Destructive" Malware Behind FBI Warnings (December)
https://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-the-destructive-malware-behind-fbi-warnings/

16 Doug Drinkwater (2015) TV5Monde in chaos as data breach costs roll into the millions. (July)
https://www.scmagazineuk.com/tv5monde-chaos-data-breach-costs-roll-millions/article/1479048

Infocyte (2016) TV5 Monde Malware Attack – A Cautionary Tale and Lessons Learned. (October)
https://www.infocyte.com/blog/2016/10/26/tv5-monde-malware-attack-a-cautionary-tale-of-lessons-learned/

17 Donghui Park, Julia Summers and Michael Walstrom (2017) Cyberattack on Critical Infrastructure: Russia and the Ukrainian Power Grid Attacks. The Henry M. Jackson School of International Studies (October)
https://jsis.washington.edu/news/cyberattack-critical-infrastructure-russia-ukrainian-power-grid-attacks/

Robert M. Lee, Michael J. Assante and Tim Conway (2016) Analysis of the Cyber Attack on the Ukrainian Power Grid Defense
Use Case. SANS-ICS, E-ISAC. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Evan Perez (2016) U.S. official blames Russia for power grid attack in Ukraine. CNN (February)
https://edition.cnn.com/2016/02/11/politics/ukraine-power-grid-attack-russia-us/index.htm

Kim Zetter (2016) Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid. Wired. (March)
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

Kyle Wilhoit (2016) KillDisk and BlackEnergy Are Not Just Energy Sector Threats. (February)
https://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/

18 Andy Greenberg (2017) "Crash Override": The Malware That Took Down a Power Grid. Wired (December)
https://www.wired.com/story/crash-override-malware/

Catalin Cimpanu (2018) Security researchers find solid evidence linking Industroyer to NotPetya. ZDNet (October)
https://www.zdnet.com/article/security-researchers-find-solid-evidence-linking-industroyer-to-notpetya/

19 Mamun Rashid (2019) The Bangladesh Bank heist and beyond. Dhaka Tribune (February).
https://www.dhakatribune.com/opinion/op-ed/2019/02/03/the-bangladesh-bank-heist-and-beyond

Cliff Venzon (2019) Philippine court finds banker guilty over Bangladesh Bank heist. Nikkei Asian Review (January).
https://asia.nikkei.com/Business/Banking-Finance/Philippine-court-finds-banker-guilty-over-Bangladesh-Bank-heist

Tracy Kitten (2016) Bangladesh Bank Heist: Lessons Learned. BankInfoSecurity.
https://www.bankinfosecurity.com/bangladesh-bank-heist-lessons-learned-a-9064

Chelsea Allison (2019) Anatomy of a bank heist. Fin (March). https://fin.plaid.com/articles/anatomy-of-a-bank-heist/

20 Spencer Ackerman and Sam Thielman (2016) US officially accuses Russia of hacking DNC and interfering with election. The
Guardian (October)
https://www.theguardian.com/technology/2016/oct/07/us-russia-dnc-hack-interfering-presidential-election

21 Eduard Kovacs (2017) Ransomware Module Found in Shamoon 2.0. SecurityWeek (March)
https://www.securityweek.com/ransomware-module-found-shamoon-20

Salem Alelyani and Harish Kumar G R (2018) Overview of Cyberattack on Saudi Organizations. Naif Arab University for
Security Sciences. (June). https://journals.nauss.edu.sa/index.php/JISCR/article/viewFile/455/464

22 InfoSec (2017) Russian APT Groups Continue Their Stealthy Operations. (September)
https://resources.infosecinstitute.com/russian-apt-groups-continue-stealthy-operations/#gref.

Eduard Kovacs (2017) Russian Hackers Target Montenegro as Country Joins NATO. (June)
https://www.securityweek.com/russian-hackers-target-montenegro-country-joins-nato

Ben Farmer (2017) Russia plotted to overthrow Montenegro’s government by assassinating Prime Minister Milo Djukanovic
last year, according to senior Whitehall sources. (February)
https://www.telegraph.co.uk/news/2017/02/18/russias-deadly-plot-overthrow-montenegros-government-assassinating/

23 Mike Sexton (2018) Cyber Attack on the Qatar News Agency: Fake News, Cyber War and an Attack on International Norms of Sovereignty.
https://synqxzpkn61kbbx049lp881e-wpengine.netdna-ssl.com/wp-content/uploads/2016/12/365881322-Cyber-Attack-on-the-Qatar-News-Agency-Fake-News-Cyber-War-and-an-Attack-on-International-Norms-of-Sovereignty-1.pdf

Kapil Bhatia (2018) Political Warfare With Other Means: 2017 Cyber Attacks On Qatar. (December)
https://www.eurasiareview.com/03122018-political-warfare-with-other-means-2017-cyber-attacks-on-qatar-oped/

Bethan McKernan (2017) UAE denies launching cyber attack on Qatari news agency that sparked diplomatic crisis. The Independent (July)
https://www.independent.co.uk/news/world/middle-east/uae-qatar-cyber-attack-deny-hacking-news-agency-united-arab-emirates-gulf-diplomatic-crisis-a7845306.html

24 David E. Sanger and William J. Broad (2017) Trump Inherits a Secret Cyberwar Against North Korean Missiles. The New York
Times (4 March). https://www.nytimes.com/2017/03/04/world/asia/north-korea-missile-program-sabotage.html

25 R Lakshmi Prasanna Sai and T. Pavan Kumar (2019) Reverse Engineering the Behaviour of NotPetya Ransomware. (March)
https://www.ijrte.org/wp-content/uploads/papers/v7i6s/F03120376S19.pdf

Josh Fruhlinger (2017) Petya ransomware and NotPetya malware: What you need to know now. (October)
https://www.csoonline.com/article/3233210/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html

Andy Greenberg (2018) The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Wired (August)
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

26 Kelly Jackson Higgins (2019) Triton/Trisis Attack Was More Widespread Than Publicly Known. Dark Reading (January)
https://www.darkreading.com/attacks-breaches/triton-trisis-attack-was-more-widespread-than-publicly-known/d/d-id/1333661

Alessandro Di Pinto, Younes Dragoni and Andrea Carcano (2018) TRITON: The First ICS Cyber Attack on Safety Instrument Systems. Nozomi Networks.
https://www.nozominetworks.com/downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf

27 Sergei Shevchenko and Adrian Nish (2017) Wannacryptor Ransomworm. BAE Systems Threat Research (May).
https://baesystemsai.blogspot.com/2017/05/wanacrypt0r-ransomworm.html

Tanmay Ganacharya (2017) WannaCrypt ransomware worm targets out-of-date systems. Microsoft Defender ATP Research Team (May).
https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc

National Cyber Security Centre (2017) The NCSC’s latest statement regarding the international cyber incident. (May)
https://www.ncsc.gov.uk/news/latest-statement-international-ransomware-cyber-attack-0

Matthew Field (2018) WannaCry cyber attack cost the NHS £92m as 19,000 appointments cancelled. (October)
https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/

Jack Goldsmith (2017) The Strange WannaCry Attribution. Lawfare (December)
https://www.lawfareblog.com/strange-wannacry-attribution

The White House (2017) Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea. (December)
https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/

The Foreign & Commonwealth Office and Lord Ahmad of Wimbledon (2017) Foreign Office Minister condemns North Korean actor for WannaCry attacks. (December)
https://www.gov.uk/government/news/foreign-office-minister-condemns-north-korean-actor-for-wannacry-attacks

William Smart (2018) Lessons learned review of the WannaCry Ransomware Cyber Attack. Health and Social Care. (February)
https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf

The Government Communications Security Bureau (2018) Opening statement to the Intelligence and Security Committee. (March)
https://www.gcsb.govt.nz/news/opening-statement-by-the-director-general-government-communications-security-bureau-to-the-intelligence-and-security-committee/

Ellen Nakashima (2017) The NSA has linked the WannaCry computer worm to North Korea. The Washington Post. (June)
https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html

Office of the Secretary of Defense (2017) Military and Security Developments Involving the Democratic People’s Republic of
Korea. (December). https://fas.org/irp/world/dprk/dod-2017.pdf

28 Jeremy Hunt (2019) Deterrence in the cyber age: Foreign Secretary’s speech. (March)
https://www.gov.uk/government/speeches/deterrence-in-the-cyber-age-speech-by-the-foreign-secretary

Andrea Manciulli (2017) ISIL/DAESH and Al-Qaeda Threat to Europe. NATO Parliamentary Assembly Report. (November)
https://www.nato-pa.int/download-file?filename=sites/default/files/2018-02/091%20GSM%2017%20E%20rev.2%20fin%20-%20ISIS%20DAESH%20THREAT%20TO%20EUROPE%20-%20MANCIULLI%20REPORT.pdf

29 Yonhap News Agency (2018) (Olympics) PyeongChang organizers cyber-attacked during opening ceremony. (February)
https://en.yna.co.kr/view/AEN20180210000551320

30 Jacqueline Thomsen (2019) US cyber operation blocked internet for Russian troll farm on Election Day 2018: report. The Hill (February).
https://thehill.com/policy/cybersecurity/431614-us-cyber-operation-blocked-internet-for-russian-troll-farm-on-election

Federal News Agency (Федеральное агентство новостей) (2019) US cyber-attack on FAN: details of the failed US Cyber Command operation (original title: Кибератака США на ФАН: подробности неудачной операции US Cyber Command). (February)
https://riafan.ru/1155441-kiberataka-ssha-na-fan-podrobnosti-neudachnoi-operacii-us-cyber-command

Leonid Bershidsky (2019) U.S. Cyberattacks May Be Doing Putin a Favor. The Kremlin is going to spin the alleged cyberattack for its own purposes. The Moscow Times (February).
https://www.themoscowtimes.com/2019/02/28/us-cyberattacks-may-be-doing-putin-a-favor-a64667

Meduza (2019) News agency tied to Russia's "troll factory" says it was targeted in last November's "failed" cyberattack by the U.S. military. (February).
https://meduza.io/en/news/2019/02/27/news-agency-tied-to-russia-s-troll-factory-says-it-was-targeted-in-last-november-s-failed-cyberattack-by-the-u-s-military

Robert Morgus and Justin Sherman (2019) When To Use the "Nuclear Option?" Why Knocking Russia Offline Is a Bad Idea. Just Security (February).
https://www.justsecurity.org/64094/when-to-use-the-nuclear-option-why-knocking-russia-offline-is-a-bad-idea/

Department of Justice, Office of Public Affairs (2018) Grand Jury Indicts Thirteen Russian Individuals and Three Russian Companies for Scheme to Interfere in the United States Political System. (February).
https://www.justice.gov/opa/pr/grand-jury-indicts-thirteen-russian-individuals-and-three-russian-companies-scheme-interfere

The United States District Court for the District of Columbia (2018) United States of America v. Internet Research Agency LLC
et al. Case 1:18-cr-00032-DLF, filed on 16 February. https://www.justice.gov/file/1035477/download

Nicu Popescu and Stanislav Secrieru (eds.) (2018) Hacks, leaks and disruptions: Russian cyber strategies. Chaillot Paper no. 148 (October).
https://www.iss.europa.eu/sites/default/files/EUISSFiles/CP_148.pdf

Aric Toler (2018) Anatomy of a Russian "Troll Factory" News Site. Bellingcat (June).
https://www.bellingcat.com/resources/case-studies/2018/06/08/anatomy-russian-troll-factory-news-site/

Erica D. Borghard and Shawn Lonergan (2018) What Do the Trump Administration's Changes to PPD-20 Mean for U.S. Offensive Cyber Operations? Council on Foreign Relations.
https://www.cfr.org/blog/what-do-trump-administrations-changes-ppd-20-mean-us-offensive-cyber-operations

31 The White House (2017) Press Briefing on the Attribution of the WannaCry Malware Attack to North Korea. (December)
https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/

CipherTrace (2019) Cryptocurrency Anti-Money Laundering Report, 2019 Q1. (April).
https://ciphertrace.com/wp-content/uploads/2019/05/ciphertrace-q1-2019-cryptocurrency-anti-money-laundering-report.pdf

Tim Alper (2019) S Korean Crypto Community Must "Get House in Order" after Bithumb Hack. (April)
https://cryptonews.com/news/s-korean-crypto-community-must-get-house-in-order-after-bith-3613.htm

Joseph Young (2019) Round-Up of Crypto Exchange Hacks So Far in 2019 — How Can They Be Stopped? (June)
https://cointelegraph.com/news/round-up-of-crypto-exchanges-hack-so-far-in-2019-how-can-it-be-stopped

32 Red Button (2016) Dyn (DynDNS) DDoS Attack. https://www.red-button.net/blog/dyn-dyndns-ddos-attack/

Kyle York (2016) Dyn's Statement on the 10/21/2016 DNS DDoS Attack. Dyn (October)
https://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/

Flashpoint (2016) An After-Action Analysis of the Mirai Botnet Attacks on Dyn (October)
https://www.flashpoint-intel.com/blog/cybercrime/action-analysis-mirai-botnet-attacks-dyn/

KrebsOnSecurity (2016) DDoS on Dyn Impacts Twitter, Spotify, Reddit (October)
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/

Nick Statt (2016) How an army of vulnerable gadgets took down the web today (October)
https://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained

Dan Goodin (2019) US hack attack hobbles Iran's ability to target oil tankers, NYT says. Ars Technica (August)
https://arstechnica.com/tech-policy/2019/08/us-hack-attack-hobbles-irans-ability-to-target-oil-tankers-nyt-says/

Robert Chesney (2019) The Legal Context for CYBERCOM's Reported Operations Against Iran. Lawfare (June)
https://www.lawfareblog.com/legal-context-cybercoms-reported-operations-against-iran

Vishnu Kannan (2019) What Really Happened in the Cyber Command Action Against Iran? Lawfare (July)
https://www.lawfareblog.com/what-really-happened-cyber-command-action-against-iran

Marc Schack (2019) Did the US Stay "Well Below the Threshold of War" With its June Cyberattack on Iran? EJIL: Talk! (September)
https://www.ejiltalk.org/did-the-us-stay-well-below-the-threshold-of-war-with-its-june-cyberattack-on-iran/
