Open Access
Table 1. Cyberattack case study
| Attack name | Year | Threat actor/group | Initial access method | Key techniques used | Target sector/system | Impact | Notable features |
|---|---|---|---|---|---|---|---|
| BlackEnergy [11] | 2015 | Sandworm (Russia) | Phishing emails w/ Office docs | Macro exploitation, plugins | Energy / Power Distribution Systems | Outage for 230,000+ customers in Ukraine | Use of Modbus & IEC 104; plugins for recon, credential theft, persistence |
| Industroyer [12] | 2016 | Unknown (suspected Russian) | Unknown | ICS protocol manipulation | Energy / Power Grid (Ukraine) | Cascading power outages | Modular design targeting IEC 60870-5-104, IEC 61850, OPC DA; included wiper module |
| TRITON (Trisis) [3] | 2017 | Unknown | Spear-phishing | Lateral movement, SIS control | Oil & Gas (Safety Instrumented Systems) | Potential physical harm by disabling safety systems | Targeted Triconex SIS; could reprogram safety logic; used Mimikatz, RDP |
| NotPetya [1] | 2017 | Sandworm (Russia) | Compromised software updater | EternalBlue, PsExec, WMI | Multinational corporations (Maersk, etc.) | USD 10+ billion damages; destroyed IT infrastructure | Wiper disguised as ransomware; exploited SMB vulnerability |
| LockerGoga [2] | 2019 | Unknown | Spear-phishing | Privilege escalation | Manufacturing / OT Systems (Norsk Hydro) | Forced manual operations; encrypted both IT & OT systems | Exploited poor segmentation; weak patch management |
| DarkSide [2] | 2021 | DarkSide group (Russia) | Unpatched VPN | Reconnaissance, extortion | Energy / Colonial Pipeline (USA) | Major fuel supply disruption; ransom demand | Double extortion; admin access through advanced recon |
| WhisperGate [13] | 2022 | Ember Bear (Russia) | Stolen credentials, RMM exploits | MBR overwrite, file wiper | Government (Ukraine) | 70+ gov websites affected; systems rendered unbootable | Two-stage wiper; used Discord CDN; political destabilization intent |
| AcidRain [2] | 2022 | Suspected pro-Russian | Exploited modem admin interfaces | Firmware wipe | Satellite communications | Ukrainian military + EU users disconnected | Targeted Linux-based devices; disabled satellite modems |
| Industroyer2 [16] | 2022 | Sandworm (Russia) | Phishing + lateral movement | ICS protocol commands, wiper | Energy / Power Grid (Ukraine) | Grid outages; increased sophistication vs 2016 attack | Upgraded malware with protocol interactions and destructive module |
| Volt Typhoon [2] | 2023 | China (state-sponsored) | Router/firewall vulnerabilities | “Living off the land” | U.S. infrastructure (Energy, Transport) | Long-term covert access | PowerShell/WMI; no malware used; evaded detection through legitimate tools |
| Fancy Bear (APT28) [15] | 2023 | Fancy Bear (Russia) | Phishing | Malware delivery, ICS access | Ukrainian energy facility | Attempted ICS manipulation thwarted | CERT-UA detected in real time; emergency patching deployed |
| Denmark Energy Attack [8] | 2023 | Unknown | Spear-phishing, software exploits | OT-IT bridging disruption | National Energy Infrastructure (Denmark) | Minor outages, communication delays | Highlighted IT-OT segmentation failure; manual overrides helped recovery |
| Kyivstar Attack [13] | 2023 | Sandworm (Russia) | Unknown | Malware on network systems | Telecommunications (Ukraine) | Disruption of mobile comms, no full outage | Targeted wartime communication; revealed telco infrastructure weaknesses |
| Port of Seattle [2] | 2024 | Unknown | Unpatched software, weak security | Ransomware + DDoS | Maritime / Shipping | Cargo delays; comms blackout; financial loss | Combined attack vectors; overwhelmed logistics coordination |
| CERT-UA Spring Campaign [16] | 2025 | Sandworm, UAC-0099 | Phishing (PowerShell, Excel), infected USBs | Wrecksteel, GIFTEDCROOK, GammaSteel | Government, Military (Ukraine) | Data exfiltration, surveillance, system infiltration | Sophisticated multi-tool attack; USB vectors and APT targeting law enforcement |
| Nobitex Crypto Hack [17, 46] | 2025 | Predatory Sparrow (Israel-linked) | Exploited network & crypto vulnerabilities | Destructive cyberattack | Financial sector (Iran) | Loss of over USD 90 million in assets | Politically motivated; targeted blockchain infrastructure and bank Sepah |
| EU Diplomatic Targets [17] | 2025 | APT29 (Russia) | Spear-phishing with malicious attachments | Cyberespionage | Foreign Ministries (EU) | Breach of sensitive diplomatic communications | Recurring operation; highlighted ongoing Russian cyberespionage activity |
| US Critical Infrastructure Warning [18] | 2025 | Suspected Iranian actors | Potential nation-state escalation | Anticipated cyberattacks | Energy, Water, Transport | Raised threat level; increased preemptive cyber defense measures | Linked to geopolitical escalation in Middle East; no major incident yet confirmed |
| Ivanti Zero-Day Exploitation Campaign [2] | 2024 | UNC5221 (suspected China-linked) | Zero-day vulnerabilities in Ivanti Connect Secure & Policy Secure VPN appliances | Webshell deployment (GLASSTOKEN, WIREFIRE), credential harvesting, lateral movement | Government, Energy, Telecommunications (global) | Widespread compromise of secure gateways; persistent access to national-level infrastructure | Rapid exploitation before disclosure; bypassed MFA; used custom malware designed for stealth and long-term persistence |
| Change Healthcare Ransomware Attack [2] | 2024 | BlackCat/ALPHV RaaS | Compromised credentials + VPN access (no MFA) | Data exfiltration, ransomware encryption, extortion | Healthcare infrastructure (U.S. medical payment network) | Nationwide disruption of hospital billing systems; delays in drug prescriptions; billions in economic losses | Largest healthcare cyber disruption in U.S. history; double extortion; exposed vulnerability of medical financial systems |
| Viasat KA-SAT Modem Attack [13] | 2022 | Sandworm (Russia) | Remote exploitation of satellite-modem management interface | Unauthorized command injection, modem firmware corruption | Satellite communications (Europe, Ukraine) | Thousands of modems disabled; Ukrainian military communications disrupted; EU wind turbines temporarily offline | Coordinated with first day of Russia’s invasion; destructive OTA firmware push; one of the first major satellite cyberattacks |
| London Water Utility ICS Intrusion [20] | 2024 | Cyber Av3ngers (Iran-linked) | Compromised VPN credentials + exposed OT interface | ICS reconnaissance, attempted manipulation of chemical dosing systems | Water treatment facilities (United Kingdom) | No physical harm; temporary shutdown of treatment processes; emergency manual override required | Attackers attempted to alter chemical mix ratios; confirmed targeting of public health infrastructure; highlighted OT-IT segmentation flaws |