The 20 Biggest Hacking Attacks of All Time
- Citibank / Vladimir Levin
- Melissa Virus
- Delta Airlines / Sven Jaschan
- Operation Get Rich
- Operation Shady RAT
- Estonia DDoS
- Playstation Network
- Saudi Aramco
- Global Bank Spear Phishing
- Mt Gox Bitcoin Exchange
- Bangladesh Bank Heist
Hacking, whether with dire implications or for "lulz", has a colorful history. Join us as we explore the top 20 of cyberattacks that changed the Internet. Share
There’s little doubt that the internet has transformed the modern world as we know it, and mostly in a positive way. From the ability to access information from anywhere we like, to instantaneous global communication, the worldwide web has helped to shape a more connected world where ideas, culture and commerce flow freely.
But, like the universe George Lucas imagined in Star Wars, the forces of good brought about by the internet have a dark side too. The freedom and opportunity the web provides is constantly exploited by criminals, gangsters, and terrorists which operate in the dark web, making online security and cybercrime one of the biggest social concerns of the 21st century.
Hacking occupies a prominent position in the pantheon of cybercrime. Occupying a shady digital underworld of government spies, political dissidents, delinquent teens and mercenary crooks, the ability to break into, infect, infiltrate, take over or destroy computer networks from afar is often romanticised as much as vilified in the public imagination. With a begrudging admiration for their mysterious skills, the work of hackers makes global headlines and is the subject matter of films, television dramas and books.
Despite the occasionally romantic portrayal, hacking poses a real threat. From identity theft to bringing down the IT systems of major corporations, stealing credit card details to compromising state security, hacking can and does cause enormous amounts of disruption with huge financial consequences. Here, then, is a timeline of the 20 biggest hacking attacks yet seen, how they were carried out, and what impact they had.
Before the internet even arrived, early hackers worked out a technique called phreaking for gaining access to high tariff international calls which could be sold at a profit. In one of the earliest high-profile internet hacking cases, a gang calling themselves the Phonemasters updated this technique by stealing international calling card codes online and selling them at $2 apiece.
Realising the scope for increasing their profits, the gang went on to hack, steal and sell everything from personal credit reports to FBI crime records, even at one point hacking the White House. Their activities were estimated to have raised around $1.85 million, until three of the gang were eventually snared and jailed five years later in an FBI data tap sting.
Citibank / Vladimir Levin
Demonstrating the global reach of cybercrime even when the world wide web was still in its infancy, Russian software engineer Vladimir Levin managed to hack into Citibank’s New York IT system from the comfort of his apartment in St Petersburg. Once in, he set about authorising a series of fraudulent transactions, eventually wiring an estimated $10 million to accounts worldwide. Fortunately, Citibank had clocked on that some of the activity looked suspicious, and many of the transactions were tracked by the FBI. In 1998, following extradition to the US, Levin was jailed for three years. Most of the stolen cash was recovered, but the case marked an early shot across the bows warning of the vulnerabilities of electronic banking transactions.
Nowadays, most of us are aware of the threat of so-called phishing attacks which use SPAM email to distribute viruses. But in 1999 the world was blissfully unaware of this possibility, which made the spread of Melissa all the more devastating. The work of an American programmer called David L. Smith, the Melissa Virus was carried in a Word document attached to an email. When the attachment was opened, not only would the virus infect the host system, it would automatically forward the email to the first 50 people in the victim’s address book. The result was a virus which spread so quickly that some email providers had to suspend services until a fix was found.
MafiaBoy was the online handle of a precocious teenage hacker from Quebec, Canada called Michael Calce. The archetypal troubled boy genius who used his computer as his escape from the world, in February 2000 Calce launched Project Rivolta – a series of massive Distributed Denial of Service (DDoS) attacks against companies including Yahoo!, Fifa.com, Amazon, Dell, eBay and CNN. By overloading the companies’ servers with traffic to the point that they shut down, Calce managed to freeze operations at several multinational corporations, losing them an estimated $1.2 billion. After receiving just 8 months detention for the offence because he was still a minor, Calce would later claim he had no idea what the impact of the attack would be, having simply inputted email addresses into a security tool he downloaded out of curiosity.
Delta Airlines / Sven Jaschan
Another in the category of lone wolf teenager wreaking havoc from his own bedroom, in the case of German college student Sven Jaschan, that havoc included bringing down the entire IT system of American airline Delta. Aged 18 and living with his parents, Jaschan is credited with writing the Sasser worm, a self-replicating, self-distributing virus which attacked vulnerable Microsoft Windows operating systems. Estimated to have infected tens of millions of computers worldwide, causing up to $500 million in damage, its highest profile victim was Delta, which was forced to cancel several transatlantic flights. Jaschan was eventually caught via a tip off after Microsoft put a $250,000 bounty on the head of the Sasser author.
Operation Get Rich
Over a three-year period, several big name retailers in the US were targeted in a series of major hacks aimed at stealing customer credit and debit card details so they could be sold for profit. All of these attacks were the work of Alberto Gonzalez and his gang, who used SQL injections to exploit weaknesses in unsecured company WiFi.
Considered one of the largest examples of identity theft in history, Gonzalez is believed to have stolen more than 140 million card numbers from retailers including TJX, Barnes & Noble, Heartland Payment Systems and Hannaford Bros. The TJX and Hannaford Bros attacks alone are estimated to have caused $250 million worth of damages each. Gonzalez was eventually caught and jailed for 20 years.
Operation Shady RAT
Next to hacking for financial gain, the world of online espionage gains most attention in the mainstream news. But given the involvement of national governments and the diplomatic / intelligence sensitivities that raises, getting the true stories behind this brand of hacking is often very difficult. Operation Shady RAT is the name given to a series of attacks targeting a variety of organisations across 14 different countries. The finger of blame is pointed at China, mainly on the basis that the IOC and World Anti-Doping Agency were hacked in the run up to the 2008 Olympic Games. But no one can be certain, and all anyone really knows is that the attacks used the same Remote Access approach to gain control of victims’ computers, and that the information stolen was unlikely to be for financial motives.
A classic example of the cyber double agent, Max Ray Butler worked a respectable job as an IT security consultant by day, and was so well respected in the field that he was even consulted by the FBI. But by night, Butler was the ‘Iceman’, a prolific hacker and lynchpin figure in the shady digital underworld. Butler was eventually arrested in 2007 and subsequently found guilty of stealing two million credit card numbers, using them to make purchases worth $86 million. He was also suspected of running the co-called ‘Carders Market’, a digital forum where online contraband could be bought and sold.
There have not been too many occasions to date when digital espionage has spilled over into open cyber warfare, but that is a fair description of what happened to Estonia in April and May 2007. Over a three week period, wave after wave of DDoS attacks hit the servers which ran the country’s government, media, education and banking infrastructure, crippling the economy, public services and daily life. The finger of blame was pointed at Russia as the two countries had become embroiled in a diplomatic row over the removal of a Soviet war memorial from the Baltic state’s capital, Tallinn. But as is so often the case in these events, no concrete proof was ever found.
The Conficker virus is one of the most famous and strange pieces of malware of all time. Discovered in 2008, no one is quite sure where it came from, who programmed it or how long it had been in existence. It also proved to be incredibly difficult to eliminate, and was still infecting systems worldwide many years later. What made Conficker so clever was the fact that, as it spread, it tied infected systems together to form an ever growing botnet, which at its peak probably contained some 9 million devices worldwide. Botnets are usually used by hackers to launch DDoS attacks, steal data and give remote access to individual nodes. But what made Conficker so mysterious was, despite creating a sleeping giant capable of wreaking untold havoc on the internet, it was never used to do anything other than keep spreading itself. Perhaps in the end it was just a demonstration of what was possible.
There are a number of documented cases of malware being used by governments to achieve quite specific military objectives. One was the ‘logic bomb’ allegedly used by the CIA in 1982 to cause safety valves on a Siberian gas line to fail, causing an enormous explosion. Another example linked to the US is the Stuxnet worm discovered in 2010. Stuxnet was precision engineered to infect and attack Siemens industrial controllers, and was responsible for destroying 1000 nuclear centrifuges in Iran – wiping out a fifth of the country’s nuclear capabilities. Although no one has ever admitted responsibility, it does not take much imagination to understand why the origins of the virus were linked to the US and Israel.
Kicking off what became a black year for hacking attacks against major corporations, in March 2011 the world’s biggest email marketing firm, Epsilon, was hacked. Epsilon runs campaigns for more than 2000 brands worldwide, including the likes of Marks & Spencer and JP Morgan Chase, handling some 40 billion emails every year. Having apparently ignored the risk of previous attacks, Epsilon finally fell victim to a spear phishing attack – a piece of malware which entered the system via malicious email masquerading as an authentic communication. Once the breach was made, the attackers were able to make off with the names and email addresses of some five million people – not just one of the biggest data breaches of all time, but enough to cost the firm anywhere between $225m to $4bn.
In April 2011 the Sony Playstation Network was breached by members of the LulzSec hacker syndicate. Gamers trying to log on to play online with friends were met with message saying that the system was temporarily closed for maintenance. But what was actually happening was that hackers were systematically hacking their way through Sony’s security protocols, gaining access to the personally identifiable information of 77 million user accounts.
In the end, Sony had to admit it had a serious problem, and was forced to close the network down for 20 days at an estimated cost of $171 million.
Security certificates are an important part of the verification process which confirms that the sites you are viewing online are what they say they are. They are bits of code attached to a site URL, and are generated by third party providers to assure authenticity. One such provider is Comodo. In 2011, however, a hacker got into the Comodo system and was able to generate bogus certificates for email providers like Yahoo, Google Gmail and Microsoft Hotmail. Using these codes, he could trick users into thinking they were on the genuine email platform, when instead they were sending emails straight to him. Responsibility was claimed by a lone wolf hacker from Iran, but the attack stands as one of the biggest breaches of online communications security.
Rounding off the massive cyber attacks which made the headlines in 2011, the attack on financial services provider CitiGroup was notable for the lax security it exposed in the company’s online platforms. By repeating the way the URL changed when credit card customers entered a valid username and password, the hackers were able to access the accounts of more than 200,000 people, stealing names, addresses and account numbers, and making off with $2.7 million. Widely considered a catastrophic failure of basic security, this attack underlined how most attacks result from weaknesses in online infrastructure.
Because of the commercial sensitivities involved, it is well known that many major hacking attacks go unreported, as big businesses close the lid on facts getting out to protect their reputation. One example of this is a massive attack against oil firm Saudi Aramco in 2012, which went completely unreported until details began to leak out several years later. Apparently launched via a phishing or spear phishing attack, it gave unknown hackers complete access to the company’s IT systems, wreaking havoc on an organisation which controls supply of 10 per cent of the world’s oil. With an entire network completely frozen, the company had to resort to managing its enormous global distribution by hand, while a mad scramble saw company reps sent to east Asia to buy up 50,000 new servers – pushing up server prices worldwide.
The history of cybercrime is full of examples of industrial sabotage, although most other examples on this list involve angry or rebellious young hackers venting their frustrations on what they see as the evils of big corporations. The Spamhaus case is a little different. Spamhaus is one of the world’s biggest anti-spam services, maintaining blocklists of servers known to be the source of untrustworthy content, which email providers can use to help filter what goes into inboxes. When Spamhaus added Dutch hosting service Cyberbunker to the list, all hell broke loose. Accusing Spamhaus of unjustified censorship, Cyberbunker retaliated with a massive DDoS attack – so big, it didn’t just freeze Spamhaus operations, it slowed down internet connections across Europe.
Global Bank Spear Phishing
Spear phishing attacks plant malware on a system using spam email in the same way an ordinary phishing attack does. The difference is, spear phishing attacks go to much greater lengths to make their email seem genuine and harmless by imitating recognised, trusted sources. Starting in 2013, a wave of spear phishing attacks targeting some of the world’s biggest banks and financial institutions is estimated to have stolen up to $1 billion. After two years, the attack was eventually detected, and was traced to organised crime syndicates operating from Russia. The malware used in the attack, which allowed the hackers to impersonate bank staff to transfer funds, sat in IT systems for months on end sending sensitive data to the criminals, and was so sophisticated it even allowed the gang to watch what was going on in the bank offices via web cams.
Mt Gox Bitcoin Exchange
So-called cryptocurrency Bitcoin bills itself as a payment system which cannot be blocked, frozen or censored. However, that does not mean it is immune to the unwanted attentions of cyber criminals. Bitcoin operates a series of exchanges, which are web sites where people can swap ordinary currency into Bitcoin. In February 2014, the Mt Gox exchange, at the time the biggest in the world, just suddenly ceased trading.
It turned out that the exchange had been bankrupted by the theft of some $460 million worth of Bitcoin currency, probably over a period of several years. Following an investigation, it was discovered that hackers had broken into the Mt Gox customer database, stealing the usernames and passwords of 60,000 people, and using them to get into the system to steal currency.
Bangladesh Bank Heist
What would have been the single biggest case of bank robbery in history, online or otherwise, was ultimately brought down in the most mundane of ways – a strange typo on a fraudulent transaction raised the suspicions of a vigilant employee. But the Bangladesh Bank heist was noteworthy for how the attackers got into the bank’s IT systems. The story caused huge concern because the attackers had managed to hack the SWIFT global monetary transfer system, giving them free rein to make withdrawals under the protection of the supposedly hyper-secure SWIFT system. The gang responsible had planned to remove $950 million, before a simple error blew their cover. They ended up making off with $81 million anyway, and have been linked to other attacks on banks across Asia.
The profile of so-called ransomware has increased significantly in recent years. Mainly distributed through phishing attacks, ransomware will usually freeze or take control of a computer while the perpetrators demand money for returning everything back to normal.
The WannaCry attack in May 2017 was different, however. It was the first known example of ransomware operating via a worm, i.e. a piece of viral software which replicates and distributes itself. WannaCry spread like wildfire by targeting a vulnerability in older versions of Windows OS which had apparently been identified by the NSA (and kept quiet) years ago. Within days, tens of thousands of businesses and organisations across 150 countries, including the UK’s National Health Service (NHS), were locked out of their own systems by WannaCry’s encryption. The attackers demanded $300 per computer to unlock the code.
Even big social media platforms can get hacked. On September 27th, Facebook was breached when hackers exploited three bugs that put at least 50 million users’ data at risk. While private messages or credit cards were not taken, Facebook made a statement that the hackers obtained personal information like your name and hometown from your profile page. It turns out that the vulnerabilities were first introduced back in July, which allowed hackers to gain access tokens (the ability to log in without a password) to many accounts, but Facebook didn’t notice it until September. While users are unsure if hackers also gained access to accounts linked to Facebook, like Instagram, it’s really unclear why the hackers decided to exploit these vulnerabilities instead of disclosing them for a bug bounty payment.
From mischievous youths with talent to waste, to organised criminal syndicates out to make a fortune, over the past two decades hacking has caused enormous disruption and damage to business, government and daily life the world over. And although the biggest attacks inevitably grab all the attention, really they are just the tip of the iceberg. Hacking and cybercrime are now everyday realities of our world, creating a billion-dollar black market industry.
So is there any way to stay safe from the hackers? Given the highly sophisticated and ever-evolving nature of their methods, it is very difficult. In response to the cybercrime threat, the online security industry has grown equally large and equally sophisticated, and will have to keep growing and adapting. For ordinary users, the message is this – keep on top of your system updates, make sure your firewalls and anti-virus are fit for purpose and in date, watch out for spam email, and be vigilant for anything odd happening with your computer.