Cybersecurity is not a new frontier—it's become the frontline of modern warfare. Every day, billions of devices communicate across networks, and every day, attackers probe for weaknesses. This encyclopedia documents the methodologies, tools, and infamous operations that have shaped the landscape of digital security.
Whether you're defending a small business or a critical infrastructure, understanding how attacks work is the foundation of proper defense. This guide covers the full spectrum: from common phishing tactics that fool everyday users, to sophisticated zero-day exploits wielded by nation-state hackers.
The most dangerous attacks are rarely the ones you see on the news. The ones that succeed are the ones you never hear about—attacks that go undetected for months or years, stealing data silently.
The easiest way into a system is often not through firewalls or encryption—it's through human beings. These attacks require minimal technical skill but have an enormous success rate because they exploit psychology, not code.
How it works: An attacker sends a seemingly legitimate email pretending to be from a trusted source (bank, IT department, popular service). The email contains a link to a fake website designed to look identical to the real one. When the victim enters their credentials, the attacker captures them.
Why it's effective: Most people receive hundreds of emails daily and trust the sender without verifying. A well-crafted phishing email can fool even tech-savvy users.
How it works: Attackers take username/password pairs leaked in earlier breaches and replay them, usually with automated tooling, against unrelated services. If you reused a password across accounts, the first matching pair gives them access with no guessing at all.
Technical approach (pseudocode; try_login and record_compromised are stand-ins for the target's login endpoint and the attacker's bookkeeping, not real functions):
    for username, password in leaked_database:
        if try_login(target_service, username, password):
            record_compromised(username, password)   # keep going: every hit is valuable
Brute force is similar but less targeted: the attacker simply tries many password combinations against one account until one works. Modern systems rate-limit this, making it slower but still viable against weak passwords. Credential stuffing is harder to rate-limit, because each account sees only one or two attempts; the tell-tale sign is one source hitting many different usernames, not one username many times.
The art of manipulating people into divulging confidential information. A common tactic: calling a company's IT department and claiming to be a new employee who "forgot their password." If the attacker knows enough details (company structure, employee names from LinkedIn), they'll sound legitimate enough to get access.
Attackers didn't break through Target's own perimeter. In late 2013 they first stole the credentials of an HVAC contractor (Fazio Mechanical) using credential-stealing malware delivered by phishing, then used that vendor access to get into Target's network and, from there, onto the point-of-sale systems, where memory-scraping malware captured roughly 40 million payment card numbers (plus personal data on about 70 million customers). Target's 2017 multistate settlement was $18.5 million; its total breach-related costs were far higher, with the company reporting over $200 million in cumulative expenses.
Malware that runs silently on a victim's computer, recording every keystroke and screenshot. When the victim logs into their bank, the keylogger captures their username and password. Simple, effective, and invisible to the user.
Once an attacker gains initial access (via phishing, weak credentials, or exploited vulnerability), they move to the next phase: expanding that foothold and stealing valuable data.
How it works: Many web applications take user input and construct database queries from it. A careless developer might build a login form like this:
query = "SELECT * FROM users WHERE username='" + username + "'"
An attacker enters: ' OR '1'='1 as the username. The query becomes:
SELECT * FROM users WHERE username='' OR '1'='1'
Since '1'='1' is always true, the query returns every row in the table. If the application treats a non-empty result as a successful login, as many did, the attacker is in without knowing any password; if the query also checks a password column, the attacker adjusts the payload (for example with a SQL comment to discard the rest of the WHERE clause), but the root cause is the same: user input has become part of the SQL text.
Real-world impact: SQL injection has compromised millions of user records in major breaches. It is one of the oldest attack types, still sits in the OWASP Top 10 under "Injection", and still works against applications that build queries by string concatenation instead of using parameterised queries.
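The following is an added example, not code from the original article: the string-built lookup from the text beside its parameterised replacement, run against an in-memory SQLite table seeded with constructed rows. It goes one step beyond the text by also showing the more common two-column login check, where the text's payload alone fails (AND binds tighter than OR) and the attacker appends a SQL comment instead; the table, the rows and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Added example (not from the original article). Constructed data only.
PAYLOAD = "' OR '1'='1"          # the injection string from the text
COMMENT_PAYLOAD = "' OR 1=1 --"  # variant that also defeats an AND password='...' clause


def make_db():
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "s3cret")])
    return conn


def lookup_vulnerable(conn, username):
    # Concatenation: the input becomes part of the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    query = "SELECT username FROM users WHERE username='" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, username):
    # Placeholder: the value travels separately from the SQL text. A quote
    # in the input is just a character inside the value being compared.
    query = "SELECT username FROM users WHERE username=?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def login_vulnerable(conn, username, password):
    # Same flaw in a two-column check. PAYLOAD alone returns nothing here,
    # because the query parses as username='' OR ('1'='1' AND password='x').
    # COMMENT_PAYLOAD turns the tail into a comment, so the password clause
    # disappears and every row comes back.
    query = ("SELECT username FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    """Run every case once; returns {case: rows} so the results can be checked."""
    conn = make_db()
    return {
        "lookup honest (vulnerable)": lookup_vulnerable(conn, "alice"),
        "lookup injected (vulnerable)": lookup_vulnerable(conn, PAYLOAD),
        "lookup injected (safe)": lookup_safe(conn, PAYLOAD),
        "login injected, text payload (vulnerable)": login_vulnerable(conn, PAYLOAD, "x"),
        "login injected, comment payload (vulnerable)": login_vulnerable(conn, COMMENT_PAYLOAD, "x"),
        "login injected, comment payload (safe)": login_safe(conn, COMMENT_PAYLOAD, "x"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:45s} -> {rows}")
```

The safe versions never build SQL from input; the database driver sends the value out of band, so no payload can change the query's structure. That is the fix to look for in code review, not input filtering.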
The holy grail of exploits. An attacker finds a vulnerability that allows them to execute arbitrary code on the target system. This could be:
With RCE, the attacker essentially becomes the application—they can read files, delete data, install malware, or create backdoors for persistent access.
An exploit for a vulnerability unknown to the vendor, who has therefore had "zero days" to fix it: no patch exists for anyone to apply. These are rare and valuable. Nation-states and criminal groups pay large sums to find and weaponize them precisely because every target is unpatched by definition. Once a zero-day is used widely it tends to be noticed and patched, so the most capable actors use them sparingly and against carefully chosen targets.
An attacker positions themselves between two communicating parties, intercepting and potentially modifying data in transit. On a shared network such as public WiFi this takes little skill: the attacker first routes the victim's traffic through their own machine (ARP spoofing, a rogue access point, or a poisoned DNS setting), then captures it with Wireshark or proxies it with a tool like mitmproxy. Anything sent over plain HTTP, including a password typed into a login form, is visible in clear text.
HTTPS encrypts the session and authenticates the server, which makes interception far harder but not impossible. SSL stripping downgrades the victim to plain HTTP before TLS ever starts (HSTS, and especially the browser preload list, defeats this), and an attacker who can plant a rogue root certificate on the victim's device, or finds a user willing to click through certificate warnings, can terminate TLS themselves and read the traffic.
Once inside, attackers deploy malware tailored to their objectives:
Emotet was one of the most dangerous malware families of the 2010s. It started in 2014 as a banking trojan that stole credentials, evolved into a modular loader spread through malicious email attachments, and ultimately became a botnet rented out to other criminal groups as a delivery service for their own malware (TrickBot and the Ryuk ransomware among them). More than a million infected computers were identified worldwide, and U.S. authorities put cleanup costs at up to $1 million per incident. It was dismantled by a Europol-coordinated law-enforcement operation in January 2021.
At this level, attackers have significant resources, patience, and sophistication. They're often state-sponsored or well-funded criminal organizations. Their goal isn't quick cash—it's long-term access, espionage, or critical infrastructure disruption.
An APT is not a single attack; it's a campaign. The attacker gains initial access, then spends weeks or months quietly moving through the network, escalating privileges, identifying high-value targets, and stealing data—all while evading detection.
Typical APT timeline:
The entire operation might take 6-18 months, and the target might not detect it until data appears for sale on the dark web.
Instead of attacking a large target directly (heavily defended), attack a smaller supplier or partner. Once inside the supplier's network, inject malware into software updates or products. When the supplier pushes the update to thousands of customers, the malware spreads to all of them.
SolarWinds Orion is network management software used by tens of thousands of organizations, including U.S. government agencies. A sophisticated attacker, attributed by the U.S. government to Russia's SVR, compromised SolarWinds' build environment and inserted a backdoor (later named SUNBURST) into legitimately signed Orion updates released between March and June 2020. Roughly 18,000 customers installed the trojanized update; the attacker then hand-picked a far smaller set of high-value victims for follow-on intrusion, including the Treasury, Commerce and Homeland Security departments and several Fortune 500 companies. The campaign was discovered in December 2020, about nine months after the first poisoned update shipped, when FireEye investigated the theft of its own red-team tools. The full impact is still unknown; investigation and remediation costs across victims run into the billions.
Attackers breach a network, exfiltrate sensitive data, then encrypt critical files and demand payment to restore them. The threat is double (hence "double extortion"): pay for the decryption key, and pay again or the stolen data is leaked or sold. Major targets: hospitals, local governments, utilities and manufacturers, anywhere downtime is intolerable. A single attack can cost victims millions in ransom and recovery.
Ransomware-as-a-Service (RaaS): Criminal organizations now rent out ransomware tools to lesser criminals, taking a percentage of the ransom. It's industrialized cybercrime.
A botnet is a network of compromised computers (often millions) controlled remotely by an attacker. The individual computer owners don't know their machines are infected. The attacker uses them for:
After initial access, the attacker moves sideways through the network (lateral movement), reusing stolen credentials and exploiting other machines. They escalate from a regular user to local administrator, then to domain administrator, at which point they control every machine in the domain. Each step gives them more access and more ways to blend in with legitimate administration, which is exactly what makes this phase hard to detect.
Attribution: Widely believed to be a joint U.S.-Israeli operation (NSA & Israeli intelligence).
Target: Iran's Natanz nuclear facility.
How it worked: Stuxnet was a masterpiece of cyber-warfare. It targeted the Siemens industrial control systems (Step7/WinCC software and S7 programmable logic controllers) that ran the uranium enrichment centrifuges, and it spread initially via USB drives because the control network was air-gapped from the internet. The worm:
Impact: Destroyed approximately 1,000 centrifuges; estimates of the delay to Iran's enrichment program range from months to about two years. First known cyberweapon to cause physical destruction of infrastructure.
Attribution: Russia's GRU (military intelligence).
Target: Ukraine, where the initial infection came through a trojanized update of the M.E.Doc accounting software used by most Ukrainian businesses; from there it spread into networks in more than 60 countries.
Method: Disguised as ransomware, NotPetya spread inside networks using the EternalBlue SMBv1 exploit (developed by the NSA, leaked by the Shadow Brokers in April 2017, and patched by Microsoft as MS17-010 in March 2017, so not a zero-day by June 2017) together with stolen credentials passed to standard Windows administration tools. Unlike real ransomware, it offered no working recovery: the payment email address was shut down within hours and the encryption was built so that files could not be decrypted. It was purely destructive.
Impact: Caused an estimated $10 billion in damages, the figure cited in the U.S. government's 2018 attribution. It disrupted shipping and logistics (Maersk alone lost about $300 million), pharmaceutical manufacturing, hospitals, and major corporations worldwide, and is widely considered the most costly cyberattack in history.
Attribution: North Korea's Lazarus Group.
Delivery: Spread through the same EternalBlue SMBv1 exploit that NotPetya used a month later, paired with the DoublePulsar backdoor, both from the NSA toolset leaked by the Shadow Brokers in April 2017.
Mechanism: Encrypted files and demanded $300-600 in Bitcoin for decryption. It spread exponentially because it replicated to other unpatched systems automatically, worm-style, with no user interaction. The outbreak was halted when a researcher registered an unregistered domain the malware checked before running, an accidental kill switch.
Impact: Infected over 200,000 computers across 150 countries in 72 hours. Hit hospitals (disrupting patient care), manufacturing plants, and transportation. Estimated damage: $4+ billion.
Why it worked: Microsoft had released the patch (MS17-010) two months earlier, in March 2017, but many organizations had not applied it, and others were still running Windows XP and other unsupported versions for which no patch existed until Microsoft issued an emergency one during the outbreak.
Developer: NSO Group (Israeli cyber weapons firm).
What it is: Pegasus isn't a ransomware or worm—it's spyware that infiltrates a target's smartphone and silently exfiltrates all data: messages, emails, photos, location history, call recordings, and even activates the camera and microphone remotely.
How infection happens: Early versions (2016) needed the target to tap a malicious link sent by SMS. Later versions were zero-click, meaning the target does nothing at all: in 2019 a missed WhatsApp voice call was enough (CVE-2019-3568, on both iOS and Android), and by 2021 NSO was using iMessage exploits such as FORCEDENTRY that required no interaction. Both iPhones and Android devices are targeted.
Impact & Controversy: Pegasus has been used by governments to spy on journalists, human rights activists, and political opponents. The 2021 Pegasus Project (Forbidden Stories and Amnesty International) identified at least 10 government clients, including several elected governments, whose targeting lists included activists, journalists and heads of state.
Price: NSO sold Pegasus licenses for $500,000 to several million dollars per contract, making it one of the most expensive cyber weapons.
Attribution: China's Ministry of State Security (MSS).
What happened: Attackers (tracked by Microsoft as HAFNIUM) exploited a chain of zero-day vulnerabilities in on-premises Microsoft Exchange Server (known as ProxyLogon, led by CVE-2021-26855) to take over email servers. For roughly two months from January 2021 they used it quietly and selectively, planting web shells and stealing mail from government agencies, law firms, defense contractors and research institutions.
Timeline: Exploitation began in early January 2021; Microsoft shipped an out-of-band patch on March 2, 2021. In the days around the patch the attackers switched to indiscriminate mass scanning, and once the vulnerabilities were public, criminal groups, ransomware operators included, piled on against servers that had not yet been patched.
Impact: Estimated 30,000+ U.S. organizations breached, with many more worldwide, most of them small businesses and local governments running their own Exchange servers alongside larger enterprises.
Attribution: North Korea.
Target: Sony Pictures Entertainment (in retaliation for the film "The Interview," a comedy about assassination of Kim Jong Un).
Attack chain:
Impact: Sony's network was crippled by wiper malware that destroyed data on thousands of machines. Unreleased films and employee personal data leaked online, and embarrassing executive emails were made public. Sony put investigation and remediation costs at $15 million in the following quarter; outside estimates of the total damage run to $75 million or more.
Nation-states and wealthy organizations spend billions developing and acquiring tools to conduct cyber operations. Here are some of the most significant known cyber weapons and toolkits:
Already covered above. The most notorious commercial spyware. Works on iPhones and Android.
Similar to Pegasus but older. A surveillance suite sold to governments worldwide. Captures keystrokes, webcam feeds, and all communications.
Italian company that sold cyberespionage tools to governments. Exposed in 2015 when hackers breached their own systems and released 400GB of documents. Found to have sold to authoritarian regimes including Sudan, Egypt, and Uzbekistan—countries known for human rights violations.
An Abu Dhabi-based company that developed sophisticated spyware used by UAE authorities to target activists and journalists. Details emerged after several former employees went public.
An American company that discovered and sold zero-day vulnerabilities to the U.S. government and allied nations. A single zero-day for a popular software can be worth $250K to $5 million depending on its impact and the target.
China's Unit 61398 (a known military hacking unit) developed toolkits including:
These tools are refined and updated regularly, with estimated development costs in the tens of millions.
Russia's military (GRU) and intelligence (FSB) services develop custom frameworks like:
The profitability of cyber weapons is immense. A single zero-day can be sold multiple times to different buyers for millions. Some exploits are believed to have been used in intelligence operations worth billions in espionage value.
Network monitors that analyze traffic for suspicious patterns. An IDS alerts when an attack is detected; an IPS can block it in real-time. However, sophisticated attackers use obfuscation and encryption to avoid detection.
Software installed on individual computers that monitors for suspicious behavior: unusual process execution, network connections, file system modifications, registry changes. When triggered, EDR can isolate the compromised machine automatically.
Aggregates logs from thousands of sources (firewalls, servers, applications) and correlates them to identify attack patterns. A skilled analyst using SIEM can detect an APT by recognizing unusual login patterns or data movements.
Organizations subscribe to intelligence feeds that provide information about known malware, command-and-control servers, and attacker tactics. If your IDS sees traffic to a known malicious IP, it can block it immediately.
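Three of the patterns described on this page (one source failing against many different usernames in the credential-stuffing section, one account logging on to many hosts in quick succession in the lateral-movement section, and an outbound connection to an address on a threat feed here) can be expressed as correlation rules of the kind a SIEM runs. The block below is an added example, not code from the original article or from any SIEM product: it parses constructed log lines in an assumed key=value format, applies a generic "distinct values inside a time window" rule, and matches destinations against a one-entry threat list; the log format, thresholds, hostnames and IP addresses are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original article). All data below is constructed.
# One source IP fails against several different usernames in seconds, gets in
# as "dave", and later "dave" logs on to three internal hosts within minutes.
AUTH_LOG = """\
2024-05-01T09:00:01Z host=web01 user=alice src=203.0.113.7 result=FAIL
2024-05-01T09:00:02Z host=web01 user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:00:03Z host=web01 user=carol src=203.0.113.7 result=FAIL
2024-05-01T09:00:04Z host=web01 user=dave src=203.0.113.7 result=OK
2024-05-01T09:05:00Z host=web01 user=alice src=192.0.2.10 result=FAIL
2024-05-01T09:06:00Z host=web01 user=alice src=192.0.2.10 result=OK
2024-05-01T11:00:00Z host=ws-042 user=dave src=10.0.0.42 result=OK
2024-05-01T11:02:00Z host=fileserver user=dave src=10.0.0.42 result=OK
2024-05-01T11:04:00Z host=dc01 user=dave src=10.0.0.42 result=OK
2024-05-01T11:30:00Z host=ws-017 user=erin src=10.0.0.17 result=OK
"""

# Constructed outbound-connection log and a one-entry "threat feed".
NET_LOG = """\
2024-05-01T11:05:00Z src=10.0.0.42 dst=198.51.100.23
2024-05-01T11:05:01Z src=10.0.0.17 dst=192.0.2.55
"""
KNOWN_BAD_IPS = {"198.51.100.23"}

AUTH_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")
NET_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def parse_auth(text):
    """Parse auth lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def distinct_within_window(events, group_by, count_field, keep, window, threshold):
    """Generic rule: for each group_by value, alert when the events passing
    `keep` contain >= threshold distinct count_field values inside any
    interval of length `window`. Returns {group_value: distinct_count}."""
    groups = defaultdict(list)
    for ev in events:
        if keep(ev):
            groups[ev[group_by]].append(ev)
    alerts = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide the window start
            seen = {e[count_field] for e in evs[i:]
                    if e["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                alerts[key] = len(seen)
                break
    return alerts


def credential_stuffing(events, window=timedelta(minutes=5), threshold=3):
    """One source IP, failed logins against many *different* usernames."""
    return distinct_within_window(events, "src", "user",
                                  lambda e: e["result"] == "FAIL",
                                  window, threshold)


def lateral_movement(events, window=timedelta(minutes=10), threshold=3):
    """One account successfully logging on to many different hosts quickly."""
    return distinct_within_window(events, "user", "host",
                                  lambda e: e["result"] == "OK",
                                  window, threshold)


def ioc_matches(text, bad_ips=KNOWN_BAD_IPS):
    """Threat-intel match: outbound connections to known-bad destinations."""
    hits = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m and m.group("dst") in bad_ips:
            hits.append((m.group("src"), m.group("dst")))
    return hits


def correlate():
    """Run all three rules over the sample logs and return their alerts."""
    events = parse_auth(AUTH_LOG)
    return {
        "credential_stuffing": credential_stuffing(events),
        "lateral_movement": lateral_movement(events),
        "c2_beacons": ioc_matches(NET_LOG),
    }


if __name__ == "__main__":
    for rule, result in correlate().items():
        print(f"{rule}: {result}")
```

The same rule function serves both login-pattern detections; only the grouping key, the counted field and the filter change, which is how most SIEM correlation searches are built. Thresholds and windows are the tuning knobs: too low and legitimate help-desk or batch activity fires alerts, too high and a slow attacker slips under them.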
When a breach is detected, specialized teams must:
Attackers need to find just one vulnerability. Defenders must protect against thousands of known vulnerabilities plus unknown zero-days. It's an asymmetrical war: attackers only need one success; defenders need to succeed 100% of the time.
Machine learning is being integrated into cyber weapons to:
Today's public-key cryptography (RSA, Diffie-Hellman, elliptic curves) relies on mathematical problems that are hard for classical computers. A sufficiently large, fault-tolerant quantum computer running Shor's algorithm would solve those problems efficiently, breaking the key exchange and signatures that protect internet traffic; symmetric ciphers such as AES are only weakened (Grover's algorithm), so larger keys suffice there. No such machine exists yet, but intelligence agencies are already harvesting encrypted traffic now, betting they can decrypt it once one does ("harvest now, decrypt later"), which is why migration to post-quantum algorithms has already begun.
As we've seen with SolarWinds, the supply chain is becoming the primary attack vector. Software updates, hardware components, and cloud services are all potential infection vectors.
Attacks on power grids, water systems, hospitals, and transportation networks are increasing. A successful attack could cause physical harm and economic damage on a national scale.
The cybersecurity field is rapidly expanding. Defenders are in high demand:
Cybersecurity is a constant evolutionary battle. As defenders implement new protections, attackers develop new techniques. The adversaries range from individual script kiddies trying to steal game accounts, to nation-states conducting espionage and sabotage operations worth billions.
Understanding how attacks work—their methods, motivations, and impact—is the first step toward defending against them. The best security professionals are those who think like attackers, anticipate their next moves, and build defenses accordingly.
The frontier is vast. The challenge is real. And the defenders are desperately needed.