• United States



Josh Fruhlinger
Contributing writer

What is a cyber attack? Recent examples show disturbing trends

Feb 27, 202018 mins
CybercrimeData BreachPhishing

From virtual bank heists to semi-open attacks from nation-states, the last couple of years has been rough on IT security. Here are some of the major recent cyber attacks and what we can learn from them.

Cybersecurity  >  Attack warning / danger / security threat
Credit: Matejmo / Getty Images

Cyber attack definition

Simply put, a cyber attack is an attack launched from one or more computers against another computer, multiple computers or networks. Cyber attacks can be broken down into two broad types: attacks where the goal is to disable the target computer or knock it offline, or attacks where the goal is to get access to the target computer’s data and perhaps gain admin privileges on it.

8 types of cyber attack

To achieve those goals of gaining access or disabling operations, a number of different technical methods are deployed by cybercriminals. There are always new methods proliferating, and some of these categories overlap, but these are the terms that you’re most likely to hear discussed.

  1. Malware
  2. Phishing
  3. Ransomware
  4. Denial of service
  5. Man in the middle
  6. Cryptojacking
  7. SQL injection
  8. Zero-day exploits

Malware -- Short for malicious software, malware can refer to any kind of software, no matter how it’s structured or operated, that “is a designed to cause damage to a single computer, server, or computer network,” as Microsoft puts it. Worms, viruses, and trojans are all varieties of malware, distinguished from one another by the means by which they reproduce and spread. These attacks may render the computer or network inoperable, or grant the attacker root access so they can control the system remotely.

Phishing -- Phishing is a technique by which cybercriminals craft emails to fool a target into taking some harmful action. The recipient might be tricked into downloading malware that’s disguised as an important document, for instance, or urged to click on a link that takes them to a fake website where they’ll be asked for sensitive information like bank usernames and passwords. Many phishing emails are relatively crude and emailed to thousands of potential victims, but some are specifically crafted for valuable target individuals to try to get them to part with useful information.

Denial of service -- A denial of service attack is a brute force method to try stop some online service from working properly. For instance, attackers might send so much traffic to a website or so many requests to a database that it overwhelms those systems ability to function, making them unavailable to anybody. A distributed denial of service (DDoS) attack uses an army of computers, usually compromised by malware and under the control of cybercriminals, to funnel the traffic towards the targets.

Man in the middle -- A man in the middle attack (MITM) is a method by which attackers manage to interpose themselves secretly between the user and a web service they’re trying to access. For instance, an attacker might set up a Wi-Fi network with a login screen designed to mimic a hotel network; once a user logs in, the attacker can harvest any information that user sends, including banking passwords.

Cryptojacking -- Cryptojacking is a specialized attack that involves getting someone else’s computer to do the work of generating cryptocurrency for you (a process called mining in crypto lingo). The attackers will either install malware on the victim’s computer to perform the necessary calculations, or sometimes run the code in JavaScript that executes in the victim’s browser. 

SQL injection -- SQL injection is a means by which an attacker can exploit a vulnerability to take control of a victim’s database. Many databases are designed to obey commands written in the Structured Query Language (SQL), and many websites that take information from users send that data to SQL databases. In a SQL injection attack, a hacker will, for instance, write some SQL commands into a web form that’s asking for name and address information; if the web site and database aren’t programmed correctly, the database might try to execute those commands.

Zero-day exploits -- Zero-days are vulnerabilities in software that have yet to be fixed. The name arises because once a patch is released, each day represents fewer and fewer computers open to attack as users download their security updates.  Techniques for exploiting such vulnerabilites are often bought and sold on the dark web -- and are sometimes discovered by government agencies that controversially may use them for their own hacking purposes, rather than releasing information about them for the common benefit.

Recent cyber attacks

Deciding which cyber attacks were the worst is, arguably, somewhat subjective. Those that made our list did so because they got a lot of notice for various reasons -- because they were widespread, perhaps, or because they were signals of a larger, scary trend.

Without further ado, here are some of the most notable cyber attacks in recent history and what we can learn from them:

  1. Capitol One breach
  2. The Weather Channel ransomware
  3. U.S. Customs and Border Protection/Perceptics
  4. Citrix breach
  5. Texas ransomware attacks
  6. WannaCry
  7. NotPetya
  8. Ethereum
  9. Equifax
  10. Yahoo
  11. GitHub

Capitol One breach

In July of 2019, online banking giant Capitol One realized that its data had been hacked. Hundreds of thousands of credit card applications, which included personally identifying information like birthdates and Social Security numbers, were exposed. No bank account numbers were stolen, but the sheer scale was extremely worrying. Things followed the usual script, with Capitol One making shamefaced amends and offering credit monitoring to those affected.

But then things took a turn for the unusual. The stolen data never appeared on the dark web, nor did the hack look like a Chinese espionage operation like the Equifax and Marriott breaches. In fact, the attack was perpetrated by an American named Paige Thompson, aka Erratic. Thompson had previously worked for Amazon, which gave her the background necessary to recognize that Capitol One’s AWS server had been badly misconfigured in such a way to leave it quite vulnerable. It initially seemed that Thompson’s theft of the data was in the tradition of freelance white-hat hacking and security research: she made little attempt to hide what she was doing, never tried to profit from the data, and in fact was caught because she posted a list of Capitol One’s breached directories -- but no actual data -- on her GitHub page. But attempts to understand her motivation in the wake of her arrest were increasingly difficult, and it’s possible that she was, true to her chosen nickname, erratic, if not undergoing a serious mental health crisis.

The Weather Channel ransomware

The Weather Channel may not seem like a crucial piece of infrastructure, but for many people it’s a lifeline -- and in April 2019, during a stretch of tornado strikes across the American south, many people were tuning in. But one Thursday morning the channel ceased live broadcasting for nearly 90 minutes, something almost unheard of in the world of broadcast television.

It turns out The Weather Channel had fallen victim to a ransomware attack, and while there’s been no confirmation of the attack vector, rumors are that it was via phishing attack, one of the most common causes of ransomware infection. The attack demonstrated that the boundary between “television” and “the internet” has more or less been erased, as any TV operation like The Weather Channel would be entirely reliant on internet-based services to operate. It also demonstrated one way to beat ransomware. The Weather Channel didn’t fork over any bitcoin; rather, they had good backups of the affected servers and were able to get back online in less than two hours.

U.S. Customs and Border Protection/Perceptics

The sequence was sadly not that unusual: a hacker breaches a company’s servers, gets access to sensitive data, and then demands a ransom. When the executives fail to pay up, the material begins to find its way to the dark web for sale, where the scope of its importance become recognized.

The data turned out to be very important indeed: it was stolen from the U.S. Customs and Border Protection agency (CBP), and the irony that the agency dedicated to protecting the U.S. borders couldn’t protect its own data wasn’t lost on anyone. In fact, much of the blame lay on Perceptics, a contractor that provides all the license plate scanners for the border agency, as well as to a host of other U.S. and Canadian government departments. The stolen photos of cars and drivers had actually been copied from CBP’s computers to Perceptics’ own servers, in violation of government policy; Perceptics was then hacked, and the data publicized by the attacker “Boris Bullet-Dodger” when ransom negotiations with execs broke down. The case brought up questions about government-contractor relations and the wisdom of allowing the collection of biometric data. While Perceptics’ relationship with CBP was suspended in the wake of the attack, the government eventually agreed to keep doing business with the company.

Citrix breach

When an organization being breached is itself in the cybersecurity business, that’s enough to make everyone nervous -- but it’s also a cautionary tale about how even security vendors can have a hard time establishing a security mindset internally.

Take Citrix, for example. The company makes VPNs, which help secure millions of internet connections, and has extensive dealings with the U.S. government. But it still fell victim to a “password spraying” attack in March of 2019 -- essentially, an attack where a hacker attempts to gain access to a system via brute force, by rapidly attempting to login with simple and frequently used passwords (think “password123” and the like). In all likelihood, the attack came from a group associated with the Iranian government. Fortunately, the attackers didn’t get very far into Citrix’s systems -- but the company still promised a revamp of its internal security culture.

Texas ransomware attacks

In August of 2019, computer systems in 22 small Texas towns were rendered useless by ransomware, leaving their governments unable to provide basic services like issuing birth or death certificates. How did a single attacker, using the REvil/Sodinokibi ransomware, manage to hit so many different towns? There was a single point of weakness: an IT vendor who provided services to all of these municipalities, all of which were too small to support a full-time IT staff.

But if that sort of collective action opened a weakness, there was a power in collaboration as well. Rather than giving in and paying the $2.5 million ransom demanded, the towns teamed up with the Texas state government’s Department of Information Resources. The agency led a remediation effort that had the cities back on their feet within weeks, in contrast with places like Baltimore, where systems were offline for months.


WannaCry was a ransomware attack that spread rapidly in May of 2017. Like all ransomware, it took over infected computers and encrypted the contents of their hard drives, then demanded a payment in Bitcoin in order to decrypt them. The malware took particular root in computers at facilities run by the United Kingdom’s NHS.

Malware isn’t anything new, though. What made WannaCry significant and scary was the means it used to propagate: it exploited a vulnerability in Microsoft Windows using code that had been secretly developed by the United States National Security Agency. Called EternalBlue, the exploit had been stolen and leaked by a hacking group called the Shadow Brokers. Microsoft had already patched the vulnerability a few weeks before, but many systems hadn’t upgraded. Microsoft was furious that the U.S. government had built a weapon to exploit the vulnerability rather than share information about the hole with the infosec community.


Petya was just another piece of ransomware when it started circulating via phishing spam in 2016; its main claim to fame was that it encrypted the master boot record of infected machines, making it devilishly difficult for users to get access to their files.

Then, abruptly in June of 2017, a much more virulent version of the malware started spreading. It was different enough from the original that it was dubbed NotPetyait originally propagated via compromised Ukrainian accounting software and spread via the same EternalBlue exploit that WannaCry used. NotPetya is widely believed to be a cyberattack from Russia against Ukraine, though Russia denies it, opening up a possible era of states using weaponized malware.


While this one might not have been as high-profile as some of the others on this list, it deserves a spot here due to the sheer amount of money involved. Ether is a Bitcoin-style cryptocurrency, and $7.4 million in Ether was stolen from the Ethereum app platform in a manner of minutes in July. Then, just weeks later came a $32 million heist. The whole incident raised questions about the security of blockchain-based currencies.


The massive credit rating agency announced in July of 2017 that “criminals exploited a U.S. website application vulnerability to gain access to certain files,” getting personal information for nearly 150 million people. The subsequent fallout enraged people further, especially when the site Equifax set up where people could see if their information had been compromised seemed primarily designed to sell Equifax services.

Ed Szofer, CEO of SenecaGlobal, says the Equifax breach is particularly bad “because they had already been told about the fix -- it needed to be implemented in a tool called Apache Struts that they use -- well before the breach even happened. And yet they failed to do so fully in a timely manner. To prevent such breaches from happening requires a shift in culture and resources; this was not a technical issue, as the technical fix was already known. Equifax certainly had the resources, but it clearly did not have the right culture to ensure the right processes were in place and followed.”

Yahoo (revised)

This massive hack of Yahoo’s email system gets an honorable mention because it actually happened way back in 2013 -- but the severity of it, with all 3 billion Yahoo email addresses affected, only became clear in October 2017. Stolen information included passwords and backup email addresses, encrypted using outdated, easy-to-crack techniques, which is the sort of information attackers can use to breach other accounts. In addition to the effect on the account owners, the breach could spawn a revisiting of the deal by which Verizon bought Yahoo, even though that deal had already closed.

The truly scary thing about this breach is that the culture of secrecy that kept it under wraps means that there’s more like it out there. “No one is excited to share a breach, for obvious PR reasons,” says Mitch Lieberman, director of research at G2 Crowd. “But the truth eventually comes out. What else do we not know?”


On February 28, 2018, the version control hosting service GitHub was hit with a massive denial of service attack, with 1.35 TB per second of traffic hitting the popular site. Although GitHub was only knocked offline intermittently and managed to beat the attack back entirely after less than 20 minutes, the sheer scale of the assault was worrying; it outpaced the huge attack on Dyn in late 2016, which peaked at 1.2 TB per second.

More troubling still was the infrastructure that drove the attack. While the Dyn attack was the product of the Mirai botnet, which required malware to infest thousands of IoT devices, the GitHub attack exploited servers running the Memcached memory caching system, which can return very large chunks of data in response to simple requests.

Memcached is meant to be used only on protected servers running on internal networks, and generally has little by way of security to prevent malicious attackers from spoofing IP addresses and sending huge amounts of data at unsuspecting victims. Unfortunately, thousands of Memcached servers are sitting on the open internet, and there has been a huge upsurge in their use in DDoS attacks. Saying that the servers are “hijacked” is barely fair, as they’ll cheerfully send packets wherever they’re told without asking questions.

Just days after the GitHub attack, another Memecached-based DDoS assault slammed into an unnamed U.S. service provider with 1.7 TB per second of data.

Cyber attack statistics

If you want to understand just what’s going on in the murky world of cybercrime, diving into the numbers can give you a real sense of what’s going on out there. For instance, we’ve grown rather numb to constant tales of breaches of personally identifying information, but in the aggregate the amounts are truly staggering: in the first half of 2019 alone, 4.1 billion records were exposed.

Verizon, which issues a detailed report on data breaches every year, helped break down who the victims and perpetrators were in 2019. By their estimation, a full 34 percent of breaches were inside jobs, 39 percent were perpetrated by organized crime, and 23 percent by state actors. And when it came to the victims, by far the biggest category were small businesses, who bore the brunt of 43 percent of attacks.

The costs are staggering as well. Ransomware alone cost $8 billion dollars in 2018; interestingly, only $1 billion of that consists of ransom payments, while the rest takes the form of lost revenue and damages to company reputation from downtime. Other types of cybercrimes also take their toll. Radware estimated that a cyberattack on a large enterprise would end up costing $1.7 million in 2019. For small businesses the cost is lower -- just $86,000 -- but that can still be devastating to a company without much by way of reserves.

Cyber attack maps

It can take a lot of effort to comb through all those numbers (and really, we’re just scratching the surface and providing a few nuggets here--by all means follow the links for more details). So you can see the why someone might prefer all that info presented in an easy-to-grasp visual medium like a cyber attack map. These futuristic displays show what attacks are emerging from what countries and focusing on what targets, and give the impression of offering a bird’s-eye view of the current internet threat landscape.

The problem is that an impression is all they really have to offer. Most of the data they display isn’t live, and it certainly isn’t comprehensive. But they can be useful in starting conversations about security, getting students interested in cyber security, and serving as sales tools for cyber security tool companies. (Many security experts dismissively refer to them as “pew pew” maps.)

Cyber attack prevention

Looking for tips on how to prevent falling prey to cyber attacks like these? CSO has you covered: