Cyber Campaigns
Documented cyber campaigns and operations attributed to threat actors, including timeline data, targeted sectors, and associated techniques.
Campaign Timeline (53 results)
Operation MidnightEclipse
Operation MidnightEclipse was a campaign exploiting vulnerabilities in Palo Alto Networks GlobalProtect to deploy backdoors on targeted systems.
Change Healthcare Attack
The Change Healthcare attack was a ransomware incident that disrupted healthcare payment processing across the United States. The attack affected pharmacies, hospitals, and healthcare providers nationwide.
Pikabot Distribution February 2024
Pikabot Distribution February 2024 was a campaign distributing Pikabot malware through malicious email campaigns following the disruption of Qakbot infrastructure.
FrostyGoop Incident
The FrostyGoop Incident was a campaign targeting Ukrainian heating infrastructure using ICS-specific malware. The attack disrupted heating services during winter months.
Cutting Edge
Cutting Edge was a campaign targeting Ivanti Connect Secure and Ivanti Policy Secure gateways using zero-day vulnerabilities. The campaign was attributed to suspected China-nexus threat actors.
ArcaneDoor
ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.
MOVEit Transfer Attacks
The MOVEit Transfer attacks exploited a zero-day vulnerability in Progress Software's MOVEit Transfer application. The Cl0p ransomware group used this vulnerability to steal data from hundreds of organizations worldwide.
Juicy Mix
Juicy Mix was a campaign conducted by OilRig targeting Israeli organizations using updated versions of their custom malware.
APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP.
FLORAHOX Activity
FLORAHOX Activity was a campaign targeting government and diplomatic entities using spearphishing and custom malware.
J-magic Campaign
The J-magic Campaign targeted Juniper routers using a passive backdoor that could be activated by sending specially crafted packets.
3CX Supply Chain Attack
The 3CX Supply Chain Attack was the first publicly reported case of one supply chain compromise triggering another, leading to a cascading, two-stage intrusion. The initial supply chain attack began when a 3CX employee downloaded and executed a trojanized version of the X_Trader trading software. This provided UNC4736 access to the 3CX environment, from where they compromised the Windows and macOS build environments used to distribute the 3CX desktop application to their customers.
2022 Ukraine Electric Power Attack
The 2022 Ukraine Electric Power Attack was a Sandworm Team campaign that used a combination of GOGETTER, Neo-REGEORG, CaddyWiper, and living off the land (LotL) techniques to gain access to a Ukrainian electric utility and send unauthorized commands from its SCADA system.
C0027
C0027 was a campaign conducted by Scattered Spider that targeted telecommunications and technology companies using social engineering and SIM swapping techniques.
HomeLand Justice
HomeLand Justice was a campaign targeting Albanian government organizations using ransomware and wiper malware. The campaign was attributed to Iranian threat actors.
C0026
C0026 was a campaign conducted by Scattered Spider targeting telecommunications and business process outsourcing companies.
C0021
C0021 was a campaign conducted by Mustang Panda that targeted government and non-governmental organizations in Southeast Asia and Europe.
APT28 Nearest Neighbor Campaign
APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 relied primarily on living-off-the-land techniques, combined with zero-day exploitation of CVE-2022-38028. Notably, APT28 used Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment.
C0018
C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools.
KV Botnet Activity
KV Botnet Activity was a campaign using compromised SOHO routers and VPN devices to create a botnet for proxying malicious traffic. The campaign was attributed to Volt Typhoon.
C0011
C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from Transparent Tribe's historic targeting of Indian government, military, and think tank personnel.
C0033
C0033 was a campaign in which targeted organizations were attacked using Poseidon Group's custom malware and social engineering techniques.
Leviathan Australian Intrusions
Leviathan Australian Intrusions was a campaign targeting Australian organizations in the defense, government, and maritime sectors.
C0032
C0032 was a campaign conducted by LAPSUS$ targeting major technology companies through social engineering and credential theft.
C0015
C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5-day period. Security researchers assessed the actors likely used the widely circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.
Kaseya VSA Attack
The Kaseya VSA attack was a supply chain ransomware attack that exploited vulnerabilities in Kaseya's VSA remote management software. The attack affected up to 1,500 organizations worldwide.
JBS Foods Attack
The JBS Foods attack was a ransomware incident targeting the world's largest meat processing company. The attack disrupted operations in the United States, Canada, and Australia.
Colonial Pipeline
The Colonial Pipeline attack was a ransomware incident that forced the shutdown of the largest fuel pipeline in the United States. The attack was conducted by DarkSide ransomware operators and led to fuel shortages across the southeastern United States.
C0017
C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During C0017, APT41 was quick to adapt and use publicly disclosed as well as zero-day vulnerabilities for initial access.
Outer Space
Outer Space was a campaign conducted by OilRig targeting Israeli organizations using updated versions of their Solar backdoor.
Volt Typhoon
Volt Typhoon is a campaign attributed to a China-nexus threat actor that has been targeting U.S. critical infrastructure organizations. The campaign uses living-off-the-land techniques and focuses on pre-positioning for potential disruptive operations.
C0010
C0010 was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess UNC3890 conducts operations in support of Iranian interests.
Operation Dream Job
Operation Dream Job was a campaign conducted by Lazarus Group targeting defense and aerospace employees with fake job offers. The campaign used LinkedIn and other platforms to deliver malware.
SolarWinds Compromise
The SolarWinds Compromise was a sophisticated supply chain attack attributed to APT29 (NOBELIUM) that compromised the SolarWinds Orion software build process. The attack affected approximately 18,000 organizations including U.S. government agencies and major corporations.
Indian Critical Infrastructure Intrusions
Indian Critical Infrastructure Intrusions was a campaign targeting Indian power grid organizations. The campaign used sophisticated techniques to maintain persistent access to critical systems.
Operation Spalax
Operation Spalax was a campaign targeting Colombian government and private companies using commodity RATs and spearphishing.
CostaRicto
CostaRicto is a suspected hack-for-hire campaign that has targeted multiple industries worldwide since at least 2019. The campaign uses custom malware and sophisticated techniques to maintain persistence.
Frankenstein
Frankenstein was a campaign that leveraged four different open-source techniques to create a sophisticated attack chain. The campaign targeted various organizations using a combination of publicly available tools.
Operation CuckooBees
Operation CuckooBees was a campaign conducted by APT41 targeting technology and manufacturing companies to steal intellectual property and sensitive data.
Operation Ghost
Operation Ghost was a campaign conducted by APT29 targeting European diplomatic entities using sophisticated malware and steganography techniques.
Operation Triangulation
Operation Triangulation was a sophisticated campaign targeting iOS devices using zero-click exploits delivered via iMessage. The campaign was discovered by Kaspersky researchers on their own corporate network.
FunnyDream
FunnyDream was a campaign that targeted Southeast Asian governments using custom backdoors and sophisticated persistence mechanisms.
Operation Sharpshooter
Operation Sharpshooter was a campaign targeting defense, energy, and financial organizations using sophisticated malware and techniques associated with Lazarus Group.
Operation Honeybee
Operation Honeybee was a campaign targeting humanitarian aid organizations using spearphishing and custom malware.
Triton Safety Instrumented System Attack
The Triton attack targeted a petrochemical facility in Saudi Arabia, attempting to disable safety instrumented systems (SIS) that protect against catastrophic failures. This was one of the first known attacks specifically designed to cause physical damage to industrial facilities.
NotPetya
NotPetya was a destructive wiper malware campaign disguised as ransomware that primarily targeted Ukrainian organizations but spread globally. The attack caused over $10 billion in damages worldwide and is considered one of the most destructive cyberattacks in history.
WannaCry
WannaCry was a global ransomware campaign that exploited the EternalBlue vulnerability to spread rapidly across networks. The attack affected over 200,000 computers in 150 countries and caused billions of dollars in damages.
Operation Wocao
Operation Wocao was a campaign conducted by APT20 targeting government and managed service providers to steal sensitive data and maintain persistent access.
2016 Ukraine Electric Power Attack
The 2016 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by Sandworm Team and demonstrated advanced capabilities to manipulate industrial control systems.
2015 Ukraine Electric Power Attack
The 2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team, resulting in power outages affecting approximately 225,000 customers.
Operation Dust Storm
Operation Dust Storm was a campaign targeting Japanese organizations in the defense, utilities, and financial sectors. The campaign used sophisticated malware and persistence techniques.
Night Dragon
Night Dragon was a campaign targeting global oil, gas, and petrochemical companies. The campaign used social engineering, spearphishing, and exploitation of Windows systems to steal sensitive data.
Maroochy Water Breach
The Maroochy Water Breach was one of the first publicly known cyberattacks on critical infrastructure. A disgruntled former employee used stolen equipment and insider knowledge to release millions of liters of raw sewage into local waterways in Queensland, Australia.