Disguised as ransomware but built to destroy, NotPetya was not a criminal operation — it was an act of war. Deployed by Russia's GRU Sandworm unit against Ukraine in June 2017, it used the NSA-developed EternalBlue exploit to propagate across networks at machine speed, encrypting and permanently destroying data with no mechanism for recovery. There was no way to pay a ransom. There was no decryption key. The goal was pure destruction.
What made NotPetya catastrophic was how far it spread beyond its intended target. Within hours, it had escaped Ukraine's borders and was tearing through the networks of global corporations — shipping giants, pharmaceutical companies, advertising conglomerates, and logistics firms — all connected to Ukrainian suppliers or subsidiaries. The world's largest shipping company, Maersk, had to reinstall 45,000 PCs and 4,000 servers in 10 days. FedEx subsidiary TNT lost $400 million. The pharmaceutical company Merck lost $870 million. All of it was collateral damage from a weapon aimed at a single country.
The most sophisticated espionage operation in cyber history. Russian intelligence (SVR) compromised the build environment of SolarWinds — a company that makes network management software used by 33,000 organizations worldwide. They injected malicious code called SUNBURST into a routine software update. When customers installed the update, they installed the backdoor. Quietly. Automatically. Trusting the software they paid for.
For nine months, Russian intelligence had access to the internal networks of the US Treasury Department, Department of Homeland Security, State Department, Pentagon, and dozens of Fortune 500 companies. The breach was only discovered when cybersecurity firm FireEye noticed its own red team tools had been stolen — and traced the theft back to the SolarWinds update. The full extent of what was accessed remains classified.
On May 12, 2017, a self-propagating ransomware worm erupted across the internet. Within 24 hours, WannaCry had infected 230,000 computers across 150 countries. It exploited EternalBlue — the same NSA-developed Windows exploit used in NotPetya — to spread automatically without any user interaction. If your Windows system was unpatched and connected to a network, it was infected. Period.
The human cost was immediate and visible. The UK's National Health Service was devastated — hospitals canceled 19,000 appointments, diverted ambulances, and locked surgeons out of patient records mid-operation. Factories stopped production. Telecom companies went dark. A 22-year-old British security researcher named Marcus Hutchins accidentally stopped the global spread by registering a domain he found in the malware's code that no one had yet registered — a kill switch the attackers had built in but never expected anyone to find.
Stuxnet was not designed to steal data or demand ransom. It was designed to destroy physical machinery — specifically, the uranium enrichment centrifuges at Iran's Natanz nuclear facility. It is the first known piece of malware ever created to cause real-world physical damage, and it changed the definition of warfare forever.
Stuxnet spread via infected USB drives, exploited four previously unknown Windows zero-days simultaneously (an almost unheard-of level of sophistication), and searched specifically for Siemens industrial control systems managing centrifuges. When found, it altered the centrifuges' operating speeds to cause physical stress and destruction — while simultaneously sending fake "all normal" readings to operators so nothing appeared wrong. An estimated 1,000 centrifuges were destroyed. Iran's nuclear program was set back by two years.
The largest data breach in history by sheer volume — every single Yahoo account that ever existed was compromised. 3 billion accounts. Names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions were stolen across two separate breaches in 2013 and 2014. Yahoo didn't disclose either breach until 2016, and even then dramatically underestimated the scope.
The timing was catastrophic. Yahoo was in the middle of a $4.83 billion acquisition by Verizon when the breaches became public. Verizon immediately renegotiated, ultimately paying $350 million less than originally agreed. Yahoo's CEO resigned. The company was renamed Altaba and essentially ceased to exist as an independent entity. The breach also exposed a fundamental industry failure: Yahoo was still storing passwords using MD5, a hashing algorithm considered dangerously weak since the early 2000s.
Equifax is one of the three largest credit reporting agencies in the United States — a company that holds the most sensitive financial data on hundreds of millions of Americans. In 2017, Chinese military hackers exploited a known vulnerability in Apache Struts (a patch had been available for two months) and spent 78 days inside Equifax's network, methodically exfiltrating the crown jewels of personal financial data.
147 million Americans had their Social Security numbers, birth dates, addresses, driver's license numbers, and credit card information stolen. This is the data that defines financial identity — once it's gone, it's gone forever. Unlike a password, you cannot change your Social Security number. The four Chinese military officers indicted for the breach were never extradited, and the stolen data has never appeared publicly — suggesting it was used for intelligence purposes rather than financial fraud.
In late 2009, Google's security team discovered something alarming: sophisticated attackers had been inside their infrastructure for months. The attackers had accessed source code repositories, attempted to access the Gmail accounts of Chinese human rights activists, and stolen intellectual property of incalculable value. Google went public — an almost unprecedented move for a tech company — and triggered one of the first major public confrontations between a private corporation and a nation-state over cyber espionage.
Google wasn't alone. Operation Aurora targeted at least 34 major companies including Adobe, Intel, Juniper Networks, Northrop Grumman, and Morgan Stanley. All were breached through the same zero-day vulnerability in Internet Explorer. The attackers' primary targets appeared to be source code — the most valuable intellectual property these companies possessed. The operation marked the moment Silicon Valley understood it was a permanent target of state-sponsored espionage.
North Korea doesn't accept insults quietly. When Sony Pictures announced "The Interview" — a comedy depicting the assassination of Kim Jong Un — Pyongyang issued warnings. Sony proceeded anyway. The response was devastating and unprecedented: a complete network destruction attack that left Sony Pictures unable to function as a company for weeks.
Attackers spent months inside Sony's network before detonating their payload. They stole 100 terabytes of data — unreleased films, salary information for every employee, private emails between executives, Social Security numbers, medical records, and years of confidential business communications. They then leaked it all publicly in waves, maximizing embarrassment. Finally, they deployed a wiper that destroyed the data on Sony's systems. The attack cost Sony over $100 million and the careers of several senior executives whose private emails revealed extremely poor judgment.
The most audacious bank robbery in history never involved a single gun. North Korean hackers spent months inside Bangladesh Bank's network, studying how the SWIFT international payment system worked. Then, on a Friday evening in February 2016, they submitted 35 fraudulent transfer requests worth nearly $1 billion to the Federal Reserve Bank of New York — where Bangladesh Bank holds its foreign currency reserves.
Five transfers totaling $101 million were processed before anyone noticed something was wrong. $20 million was flagged and reversed due to a typo. $81 million reached accounts in the Philippines and was laundered through casinos within days — effectively untraceable. The remaining $850 million in requests was blocked partly by luck: one transfer was flagged because the destination bank name contained the word "fandisha," which a Fed employee looked up and found meant "foundation" in Farsi — triggering a fraud check.
Colonial Pipeline operates the largest fuel pipeline in the United States, supplying 45% of all fuel consumed on the East Coast. In May 2021, a ransomware group called DarkSide gained access through a single compromised VPN password — an account that wasn't protected by multi-factor authentication. Within hours, they had encrypted Colonial's billing systems and stolen 100GB of data. Colonial's response was to shut down the entire pipeline preemptively.
The shutdown lasted six days and triggered the first federal state of emergency declaration caused by a cyberattack. Fuel prices spiked. Gas stations ran dry across the Southeast. Panic buying spread. Airlines scrambled to reroute flights. Colonial ultimately paid $4.4 million in Bitcoin ransom — a decision the CEO described as "the hardest decision I've ever made." The FBI later recovered $2.3 million of the ransom by seizing the attackers' Bitcoin wallet. The entire crisis began with one unprotected password.