Cybersecurity: Selected Cyberattacks, 2012-2022
August 9, 2023
Chris Jaikaran
Specialist in Cybersecurity Policy
Many Members of Congress have raised concerns over the frequency, types, and impacts of cyber incidents during hearings, speeches, and in legislation. Cyber incidents affect nearly every national entity, from federal and state government agencies to private companies and individuals. One course of action to stymie attacks has been to investigate who the adversaries are that conduct cyberattacks, what types of activities they conduct online, and how the U.S. government can identify them. To assist with Congress’s understanding of cyberattacks, this report describes attribution in cyberspace, confidence of attribution, and common types of cyberattack. Listed in this report are two categories of cyberattacks by foreign adversaries against entities in the United States: 30 cyberattack campaigns that the federal government has attributed to actors operating on behalf of other nation-states, and 30 cyberattacks the government has attributed to criminal actors seeking personal gain.
In investigating cyber incidents, the U.S. government attempts to unmask those behind the incident and attribute it as an attack. Attributing cyberattacks is difficult, but not impossible. Officials seek to develop a comprehensive understanding of the cyber incident not just from the victim, but also by corroborating that information with other government and private sector evidence to make a claim of attribution. While a process exists to repeatedly and consistently develop a claim of attribution and a confidence level in it, adversaries take steps to complicate these efforts by obfuscating and removing any trace of their activity, and using new infrastructure to make it difficult to track attack campaigns.
Nation-states are some of the most sophisticated actors that conduct cyberattacks. The Director of National Intelligence is required annually to deliver to Congress an assessment from the intelligence community on worldwide threats. Recent assessments have highlighted cyberspace as an area of strategic concern, with China, Russia, North Korea and Iran as the leading threat actors. Attacks from these countries include spying on government agencies by accessing agency computers, stealing sensitive information from public and private sector entities in the United States, stealing intellectual property, and destroying or potentially destroying computer equipment.
Cyber criminals are less resourced than nation-state actors and are less likely to employ novel and cutting-edge techniques in campaigns, yet their attacks are often highly effective. Most criminals are financially motivated and use cyberspace as a medium for conducting profit-bearing schemes. However, gaining money is not a requirement for illicit activity. Cyberattacks against victims in the United States from actors located abroad include compromising computers to create and maintain botnets, business email compromise schemes, hack and release campaigns, and ransomware attacks.
Congressional Research Service
Contents
Introduction
Attribution
Common Cyberattack Terms
Methodology
Nation-State Cyberattacks
Foreign Criminal Cyberattacks
Tables
Table 1. Selected Cyberattack Campaigns Attributed to Nation States
Table 2. Selected Criminal Cyberattacks
Contacts
Author Information
Introduction
The frequency, type, and impact of cyber incidents against and in the United States continue to grow.1 In an effort to address this challenge, policymakers are considering a variety of solutions, such as denying opportunities for successful attacks by improving defenses and deterring adversaries from engaging in disruptive activities in cyberspace. As Congress considers options for deterrence, knowledge of known adversaries, the types of activities they conduct online, and how they are identified by the U.S. government may inform the debate. With this information, policymakers may gain a greater understanding of the risks that the nation and specific sectors face.
This report describes selected cyberattacks against entities in the United States which were discovered or ended within the past decade (even if the activity was observed earlier) and includes information on claims of attribution in cyberspace, confidence of attribution, and common types of cyberattack. Listed in this report are two categories of cyberattacks: 30 cyberattack campaigns that the government has attributed to actors operating on behalf of a nation-state, and 30 cyberattacks the government has attributed to criminal actors seeking personal gain.
Attribution
Attributing a cyberattack is difficult, but not impossible. Government investigators seek to develop a comprehensive understanding of cyber incidents from not just the victim but also by corroborating information in order to make claims of attribution.
First, investigators look at the attributes of the event itself, such as the tradecraft employed by the adversary (i.e., techniques, tactics, and procedures used to carry out the attack), any malware used (i.e., the type of the software that exploited a vulnerability for access), and the features of the attack (e.g., logging keystrokes or encrypting data). Then investigators seek to discover the infrastructure used to carry out the attack (e.g., the command and control servers communicating with the malware). They will combine this information with government and industry analysis on an attacker’s intent (e.g., reasons for targeting a particular victim) and information from external sources (e.g., cybersecurity firm reports, think tank analysis, and news media).2 In analyzing this information, investigators will seek to minimize human error, substantiate hypotheses among various sources, and entertain competing theories of attribution. Finally, investigators typically provide their assessment and a confidence level.
• High confidence reflects an assessment that investigators believe beyond a reasonable doubt and without a viable alternative that the attributed party is responsible for the attack.
• Moderate confidence means that investigators believe that the evidence is clear and convincing, but alternatives are possible.
• Low confidence is used when evidence points to a particular actor, but there are significant information gaps.3
1 Statista, U.S. Companies and Cyber Crime, June 20, 2023, https://www.statista.com/study/12881/smb-and-cyber-crime-in-the-united-states-statista-dossier/.
2 Office of the Director of National Intelligence, A Guide to Cyber Attribution, report, September 14, 2018, at https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf.
3 Ibid.
Developing a claim of attribution remains difficult despite having a process to determine attribution and a system for articulating confidence in a claim. For example, sophisticated actors continue to develop and deploy novel techniques and establish new infrastructure for different attacks, which may make it difficult to track known activity from one attack to another. Additionally, they will seek to obfuscate their activity as legitimate and remove records of their actions on a network.
Claims of attribution appear in a variety of sources. The authoritativeness of these sources exists on a spectrum. At the highest level of authority are primary sources, followed by secondary sources, supposed sources, and, finally, conjecture being the least authoritative. With regard to cyberattack attribution:
• Primary sources include statements by a U.S. government entity. A court finding that a party was guilty of committing the attack—usually by violating the Computer Fraud and Abuse Act4 or the Economic Espionage Act5—is the most authoritative. A grand jury indictment is slightly less authoritative. An official statement by a government official (e.g., a press briefing by the National Security Advisor) providing attribution to a party is the least authoritative of the primary sources. Evidence of why a primary source believes a party is responsible for an attack is usually included in public documentation along with the claim and can be further examined (e.g., an unsealed indictment).
• Secondary sources include claims by non-governmental entities. These attributions frequently come from a cybersecurity firm releasing research on an adversary or attack campaign. These claims usually include research into the tradecraft, malware, infrastructure, and intent of a campaign or attack. Secondary sources usually include evidence to support their claims. However, private entities usually do not have access to classified government information (e.g., signals intelligence), which can further corroborate a claim of attribution. Cybersecurity firms have generally avoided attributing attacks to nation-states. Instead, a firm will attribute an attack to an actor set that the firm is tracking. These actor sets are sometimes referred to as an Advanced Persistent Threat (APT) or by a codename used for that company’s research.
• Supposed sources are predominantly composed of statements reported by mainstream news media. These statements are frequently attributed to unidentified government officials and corroborated with other primary or secondary sources. However, these statements cannot otherwise be independently examined.
• Conjecture includes claims by victims that a certain party is responsible for an attack, or claims on social media platforms of attribution. These statements rarely include evidence or provide analysis.
4 18 U.S.C. §1030. For more information on the Computer Fraud and Abuse Act, see CRS Report R46536, Cybercrime and the Law: Computer Fraud and Abuse Act (CFAA) and the 116th Congress, by Peter G. Berris.
5 18 U.S.C. §§1831-1832. For more information on the Economic Espionage Act, see CRS Report R42681, Stealing Trade Secrets and Economic Espionage: An Overview of the Economic Espionage Act, by Charles Doyle.
Common Cyberattack Terms
“Cyberattack” is a broad term for a variety of malicious actions against information and communications technologies. Below is a selection of common cyberattacks (in alphabetical order).
Botnet: A portmanteau of “robot” and “network” which refers to a collection of computers for which control has been seized by one or more unauthorized parties. Once an unauthorized party controls an individual computer, they may then connect it to other computers in their control to create a pool of computing resources (e.g., network bandwidth or processing power). Botnets are used to further illicit activity online, such as distributing malware and surreptitiously mining cryptocurrencies.
Business Email Compromise: A scam in which an attacker creates an email address (usually of a high ranking official in an organization) and alters the identifying information of that email to make it appear to come from the organization (e.g., changing the name associated with the email address). Typically, scammers then email members of that organization with urgent needs for funds to be transferred. These are sometimes under the guise of paying past due invoices. However, the invoices are fraudulent and the accounts where the funds are to be transferred belong to the scammers.
Denial of Service (DOS) or Distributed Denial of Service (DDOS): A DOS attack inhibits an authorized user’s ability to access a resource (e.g., a website) by overwhelming that resource with unauthorized requests (e.g., more requests to load a webpage than it was built to support). DDOS attacks are more common and use many hosts to attack a single resource (e.g., a network of malware-infected computers—a botnet—sending junk web traffic to a single service provider).
Hack and Leak: An attack in which an unauthorized party gains access to a sensitive data store and exfiltrates (steals) the data. Once the sensitive data is in their control, the attacker either releases the data in an effort to expose or embarrass the victim or contacts the victim and demands a ransom in order to not release the data.
Phishing: An attack which attempts to gain access to a system by tricking authorized users into engaging with malicious computer code. Frequently, this attack is carried out by combining an email which uses social-engineering (i.e., an attempt to manipulate someone into revealing information or taking some action) with a malicious web link or attachment. When the web link is clicked or attachment opened, the device downloads and executes malware.
Malware: A portmanteau of “malicious” and “software” which refers to software and firmware intentionally added to an information technology (IT) product and designed to cause harm to the IT product or its data. There are many ways malware can be added to a product, such as from an inserted USB drive or downloaded from the internet. Data may be harmed by making it no longer private (i.e., compromising its confidentiality), manipulating it (i.e., compromising its integrity), or deleting it (i.e., compromising its availability).
Malvertising: A portmanteau of “malicious” and “advertising.” This attack uses online advertising networks to spread malware and compromise computer systems. Malvertisers buy ad-space and inject malware into those ads in an effort to easily spread it online. When a user visits a website, they may be presented with the ad and download the malicious code via a legitimate advertising network. If the code downloads and successfully executes, then the computer succumbs to malware. Generally, neither the website delivering the ad nor the advertising networks are aware of the malicious code being delivered.
Man-in-the-Middle (MitM): An attack where a malicious actor seeks to insert itself between two computers in an effort to access the communications between those computers, usually in an effort to eavesdrop between the users of those computers (either directly, or by intercepting encryption keys so that encrypted text may be decrypted).
Ransomware: A portmanteau of “ransom” and “malware.” Ransomware attacks seek to deny users access to data and IT systems by encrypting files and systems—thus, locking out users. Perpetrators usually extort victims for payment, typically in cryptocurrency, to decrypt the system. Recently, such attacks have been coupled with data breaches in which perpetrators also steal data from their victims. In addition to locking the computer systems, the perpetrators typically notify victims that they have copies of their data and will release sensitive information unless a ransom is paid, potentially extorting them twice. A triple extortion may occur if the perpetrators contact a company’s clients to tell them about the attack in an effort to pressure the victim to pay the ransom or risk harming their future business prospects.
Supply Chain Attack: An attack in which an adversary inserts an unauthorized physical or software component into a product in order to surreptitiously access data or manipulate a system. These attacks can occur during any phase of a product lifecycle (e.g., development, shipping, or updating).6
Zero-Day: An attack that exploits a previously unknown vulnerability in an IT product. This type of attack is particularly dangerous because until it is noticed, there is usually no defense against it. This attack is sometimes written as “0-Day” and sometimes pronounced “oh-day.”
These attacks may be used alone or in conjunction to conduct a variety of computer network operations (CNO), such as computer network exploitation (CNE) for the purposes of espionage or computer network attack (CNA) to disrupt a targeted victim.
Methodology
To develop the list of attacks, CRS considered only primary sources (explained further in the “Attribution” section). CRS searched for public statements on U.S. government websites belonging to the Department of Defense (DOD), the Department of Homeland Security (DHS), the Department of Justice (DOJ), the Office of the Director of National Intelligence (ODNI), and the Cybersecurity and Infrastructure Security Agency (CISA). Search terms (e.g., “cyber” and “state-sponsored”) and topic filters (e.g., “national security” and “cybersecurity”) were used to refine search results.
The results reflect the cybersecurity and legal communities’ broad public understanding of responsible parties, but should not be considered comprehensive. DOJ’s website only publishes press releases from 2009 onward, limiting the number of press releases and indictments available for the search. There may be additional indictments that are not publicized but unsealed and available in court proceeding databases. Those documents are not searchable and accessible via the public internet, and are therefore not included in these results. Additionally, government officials may attribute a particular campaign to a nation-state actor or criminal group, but have not made evidence or corroborating information available (e.g., a list of victims or naming a specific actor in country). Such instances are not included in this list.
Tables are organized by attack and campaign year. The country of origin and entity responsible for a particular attack or campaign are listed next to it, followed by a short description. Colloquial country names and abbreviations for the perpetrating entity are used in the tables. Full names are provided in the table notes. Further information is available in the citation provided for each row. In some cases, many individual attacks were combined in a single indictment against actors working in a single campaign. Nation-state campaigns are identified by their Advanced Persistent Threat (APT) identifier, as those are commonly used monikers in the cybersecurity community.

Other inventories of cyberattacks have many more incidents.7 These inventories use different methodologies which have different criteria for attribution confidence and include unidentified victims and victims outside the United States.

6 For more information, see CRS In Focus IF10920, Cyber Supply Chain Risk Management: An Introduction, by Chris Jaikaran.
Nation-State Cyberattacks
The Director of National Intelligence is required annually to deliver to Congress an assessment from the intelligence community on worldwide threats.8 Recent assessments have highlighted cyberspace as an area of strategic concern, with Russia,9 China,10 Iran,11 and North Korea12 as the leading threat actors.13 Table 1 lists 30 selected cyberattack campaigns against the United States attributed to nation-state actors operating on behalf of a country. These attacks include spying on government agencies by accessing agency computers, stealing sensitive information from public and private sector entities in the United States to undermine confidence in those entities, stealing intellectual property to bolster national companies, and destroying or potentially destroying computer equipment.
7 For examples, see Center for Strategic and International Studies, “Significant Cyber Incidents,” website, 2021, at https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents; and Council on Foreign Relations, “Cyber Operations Tracker,” website, 2021, at https://www.cfr.org/cyber-operations/.
8 50 U.S.C. §3043b.
9 For more information, see CRS In Focus IF11718, Russian Cyber Units, by Andrew S. Bowen. For technical information, see Cybersecurity and Infrastructure Security Agency, “Russia Cyber Threat Overview and Advisories,” website, at https://us-cert.cisa.gov/russia.
10 For more information, see CRS In Focus IF11284, U.S.-China Trade Relations, by Karen M. Sutter. For technical information, see Cybersecurity and Infrastructure Security Agency, “China Cyber Threat Overview and Advisories,” website, at https://us-cert.cisa.gov/china.
11 For more information, see CRS In Focus IF11406, Iranian Offensive Cyberattack Capabilities, by Catherine A. Theohary. For technical information, see Cybersecurity and Infrastructure Security Agency, “Iran Cyber Threat Overview and Advisories,” website, at https://us-cert.cisa.gov/iran.
12 For more information, see CRS Report R44912, North Korean Cyber Capabilities: In Brief, by Emma Chanlett-Avery et al. For technical information, see Cybersecurity and Infrastructure Security Agency, “North Korea Cyber Threat Overview and Advisories,” website, at https://us-cert.cisa.gov/northkorea.
13 For examples, see Avril Haines, Annual Threat Assessment, remarks as prepared, April 14, 2021, at https://www.dni.gov/files/documents/Newsroom/Testimonies/2021-04-14-ATA-Opening-Statement-FINAL.pdf; and James R. Clapper, Worldwide Threat Assessment of the U.S. Intelligence Community, statement for the record, February 25, 2016, at https://www.dni.gov/files/documents/Newsroom/Testimonies/HPSCI_Unclassified_2016_ATA_SFR-25Feb16.pdf.
Table 1. Selected Cyberattack Campaigns Attributed to Nation States
In Descending Order by Campaign Year:
In Descending Order by Campaign Year:
20212023-2012 -2012
Incident/
Campaign,
Campaign Attributed
Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2021
Iran
N/A
N/A
Government-sponsored actors
Federal Bureau of Investigation, Cybersecurity and Infrastructure
exploiting vulnerabilities in email
Security Agency, Australian Cyber Security Centre, and National
and security appliances to gain
Cyber Security Centre, “Iranian Government-Sponsored APT Cyber
access to U.S. critical
Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in
infrastructure. Once they have
Furtherance of Malicious Activities,” AA21-321A, November 17,
access, they conduct fol ow on
2021, at https://us-cert.cisa.gov/sites/default/files/publications/AA21-
theft, encryption, ransomware
321A-Iranian%20Government-
and extortion operations.
Sponsored%20APT%20Actors%20Exploiting%20Vulnerabilities_1.pdf.
2020-2021 China
MSS
Hafnium
Exploited previously unknown
The White House, “The United States, Joined by Al ies and Partners,
vulnerabilities in on-premise
Attributes Malicious Cyber Activity and Irresponsible State Behavior
Microsoft Exchange servers to
to the People’s Republic of China,” press release, July 19, 2021, at
gain access to sensitive data.
https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-al ies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/.
2020-2021 Russia
SVR
SolarWinds
Conducted a supply-chain attack
Joint Statement by the Federal Bureau of Investigation (FBI), the
against a widely used software
Cybersecurity and Infrastructure Security Agency (CISA), the Office
management company to gain
of the Director of National Intel igence (ODNI), and the National
access to government and private
Security Agency (NSA), press release, January 5, 2021, at
sector networks.
https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure.
2020
Iran
Kazemi and
2020 U.S.
Hacked into state election
Department of Justice, “Two Iranian Nationals Charged for Cyber-
Kashiana
Presidential
websites and accessed voter
Enabled Disinformation and Threat Campaign Designed to Influence
Election
information on over 100,000
the 2020 U.S. Presidential Election” press release, November 18,
Disinformation
citizens. Sent disinformation to
2021, at https://www.justice.gov/opa/pr/two-iranian-nationals-
and Election
politicians and the media claiming
charged-cyber-enabled-disinformation-and-threat-campaign-designed.
Infrastructure
to be from voters. Intimidated
Hacking
voters online. Attempted to hack into a media company to spread further disinformation.
CRS-6
Incident/
Campaign,
Campaign Attributed
Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2020
Iran
MOIS & IRGC
APT-39
Stole data pertaining to national
Department of Justice, “Department of Justice and Partner
security, foreign policy
Departments and Agencies Conduct Coordinated Actions to
intel igence, non-military nuclear
Disrupt and Deter Iranian Malicious Cyber Activities Targeting the
information, aerospace data,
United States and the Broader International Community,” press
human rights activist information,
release, September 17, 2020, at https://www.justice.gov/opa/pr/
individual financial information
department-justice-and-partner-departments-and-agencies-conduct-
and PII, and intel ectual property,
coordinated-actions-disrupt.
including unpublished scientific research.
2014-2020 China
MSS
APT-41
Targeted IT companies,
Department of Justice, “Seven International Cyber Defendants,
telecommunications companies,
Including ‘Apt41’ Actors, Charged In Connection with Computer
academic institutions, NGOs, and Intrusion Campaigns Against More Than 100 Victims Global y,” press pro-democracy activists to steal
release, September 16, 2020, at https://www.justice.gov/opa/pr/
intel ectual property; deployed
seven-international-cyber-defendants-including-apt41-actors-
ransomware; and used il egal y
charged-connection-computer.
Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2020-2023
North Korea RGB
N/A
Targeted companies using
Cybersecurity and Infrastructure Security Agency, “TraderTraitor:
blockchain technologies (e.g.,
North Korean State-Sponsored APT Targets Blockchain
cryptocurrencies and non-
Companies,” April 20, 2022, at https://www.cisa.gov/news-events/
fungible tokens) to steal money.
cybersecurity-advisories/aa22-108a.
2022
Russia
N/A
N/A
State-sponsored actors exploited Cybersecurity and Infrastructure Security Agency, “Russian State-multi-factor authentication
Sponsored Cyber Actors Gain Network Access by Exploiting
misconfigurations to steal data.
Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability,” May 2, 2022, at https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a.
2020-2022
Russia
N/A
N/A
State-sponsored actors targeted
Cybersecurity and Infrastructure Security Agency, “Russian State-
cleared defense contractors to
Sponsored Cyber Actors Target Cleared Defense Contractor
steal weapons and vehicle
Networks to Obtain Sensitive U.S. Defense Information and
research, and spy on
Technology,” February 16, 2022, at https://www.cisa.gov/news-
communications.
events/cybersecurity-advisories/aa22-047a.
2018-2022
Iran
MOIS
N/A
Government actors spied on and Cybersecurity and Infrastructure Security Agency, “Iranian stole data from private sector
Government-Sponsored Actors Conduct Cyber Operations Against
organizations in the
Global Government and Commercial Networks,” February 24,
telecommunications, defense,
2022, at https://www.cisa.gov/news-events/cybersecurity-advisories/
and energy sectors, as well as
aa22-055a.
governmental entities.
2021-2022
North Korea N/A
Maui
Government-sponsored actors
Cybersecurity and Infrastructure Security Agency, “North Korean
Ransomware
targeted healthcare companies
State-Sponsored Cyber Actors Use Maui Ransomware to Target the
with ransomware.
Healthcare and Public Health Sector,” July 7, 2022, at https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-187a.
CRS-6
Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2022
Iran
N/A
Log4Shell
Government-sponsored actors
Cybersecurity and Infrastructure Security Agency, “Iranian
exploited open-source
Government-Sponsored APT Actors Compromise Federal
vulnerabilities in network
Network, Deploy Crypto Miner, Credential Harvester,”
connection software to install
cybersecurity advisory, November 25, 2022, at https://www.cisa.gov/
crypto-mining software and steal
news-events/cybersecurity-advisories/aa22-320a.
credentials.
2021
Russia
GRU
Cisco Router
Russian military intelligence
Cybersecurity and Infrastructure Security Agency, “APT28 Exploits
Malware
compromised widely used
Known Vulnerability to Carry Out Reconnaissance and Deploy
internet network equipment to
Malware on Cisco Routers,” cybersecurity advisory, April 18, 2023,
spy on victims and spread
at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-
malware.
108.
2021
Iran
N/A
N/A
Government-sponsored actors
Federal Bureau of Investigation, Cybersecurity and Infrastructure
exploited vulnerabilities in email
Security Agency, Australian Cyber Security Centre, and National
and security appliances to gain
Cyber Security Centre, “Iranian Government-Sponsored APT Cyber
access to U.S. critical
Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in
infrastructure. Once they had
Furtherance of Malicious Activities,” AA21-321A, November 17,
access, they conducted fol ow-on 2021, at https://us-cert.cisa.gov/sites/default/files/publications/AA21-
theft, encryption, ransomware
321A-Iranian%20Government-
and extortion operations.
Sponsored%20APT%20Actors%20Exploiting%20Vulnerabilities_1.pdf.
2020-2021
China
MSS
Hafnium
Exploited previously unknown
The White House, “The United States, Joined by Allies and Partners,
vulnerabilities in on-premise
Attributes Malicious Cyber Activity and Irresponsible State Behavior
Microsoft Exchange servers to
to the People’s Republic of China,” press release, July 19, 2021, at
gain access to sensitive data.
https://www.whitehouse.gov/briefing-room/statements-releases/
2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/.
2020-2021
Russia
SVR
SolarWinds
Conducted a supply-chain attack
Joint Statement by the Federal Bureau of Investigation (FBI), the
against a widely used software
Cybersecurity and Infrastructure Security Agency (CISA), the Office
management company to gain
of the Director of National Intelligence (ODNI), and the National
access to government and
Security Agency (NSA), press release, January 5, 2021, at
private sector networks.
https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure.
CRS-7
Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2020
Iran
Kazemi and
2020 U.S.
Hacked into state election
Department of Justice, “Two Iranian Nationals Charged for Cyber-
Kashiana
Presidential
websites and accessed voter
Enabled Disinformation and Threat Campaign Designed to Influence
Election
information on over 100,000
the 2020 U.S. Presidential Election” press release, November 18,
Disinformation citizens. Sent disinformation to
2021, at https://www.justice.gov/opa/pr/two-iranian-nationals-
and Election
politicians and the media claiming charged-cyber-enabled-disinformation-and-threat-campaign-designed.
Infrastructure
to be from voters. Intimidated
Hacking
voters online. Attempted to hack into a media company to spread further disinformation.
2020
Iran
MOIS & IRGC APT-39
Stole data pertaining to national
Department of Justice, “Department of Justice and Partner
security, foreign policy
Departments and Agencies Conduct Coordinated Actions to
intelligence, non-military nuclear
Disrupt and Deter Iranian Malicious Cyber Activities Targeting the
information, aerospace data,
United States and the Broader International Community,” press
human rights activist information, release, September 17, 2020, at https://www.justice.gov/opa/pr/individual financial information
department-justice-and-partner-departments-and-agencies-conduct-
and PII, and intellectual property, coordinated-actions-disrupt. including unpublished scientific research.
2014-2020
China
MSS
APT-41
Targeted IT companies,
Department of Justice, “Seven International Cyber Defendants,
telecommunications companies,
Including ‘Apt41’ Actors, Charged In Connection with Computer
academic institutions, NGOs,
Intrusion Campaigns Against More Than 100 Victims Globally,” press
and pro-democracy activists to
release, September 16, 2020, at https://www.justice.gov/opa/pr/
steal intellectual property;
seven-international-cyber-defendants-including-apt41-actors-
deployed ransomware; and used
charged-connection-computer.
il egal y accessed computers to mine accessed computers to mine
cryptocurrency. cryptocurrency.
CRS-
CRS-
78
Incident/
Campaign,
Campaign Attributed
Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2014-2020
2014-2020
North
North Korea RGB RGB
APT-38
APT-38
Destroyed
Destroyed
computers of Sony computers of Sony
Department of Justice, “Three North Korean Military Hackers
Department of Justice, “Three North Korean Military Hackers
Korea
Pictures Entertainment over the Pictures Entertainment over the
Indicted in Wide-Ranging Scheme to Commit
Indicted in Wide-Ranging Scheme to Commit
Cyberattacks and Cyberattacks and
release
release
of of
The Interview; ;
Financial Crimes
Financial Crimes
Across Across the Globe," pressthe Globe," press
release,release,
February 17, February 17,
compromised
compromised
the Society for the Society for
2021, at https://www.justice.gov/opa/pr/three-north-korean-military-
2021, at https://www.justice.gov/opa/pr/three-north-korean-military-
Worldwide
Worldwide
Interbank Financial Interbank Financial
hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and.
hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and.
Telecommunications
Telecommunications
(SWIFT) (SWIFT)
network to steal money from network to steal money from
banks; created and deployed the banks; created and deployed the
WannaCry 2.0 ransomware; WannaCry 2.0 ransomware;
created maliciouscreated malicious
cryptocurrency wal ets; cryptocurrency wallets; compromised compromised
cryptocurrency cryptocurrency
companies to companies to steal cryptocurrencies; and steal cryptocurrencies; and
conducted spear phishing conducted spear phishing
campaigns against defense campaigns against defense
contractors, energy companies, contractors, energy companies,
aerospace companies,aerospace companies,
technology technology
companies,companies,
the U.S. Department the U.S. Department
of State, and the U.S. Department of State, and the U.S. Department
of Defense.of Defense.
2013-2020
2013-2020
Iran Iran
Criminal
Criminal
N/A
N/A
Targeted universities,
Targeted universities,
think tanks, think
Department of Justice, “Two Iranian Nationals Charged in Cyber
Department of Justice, “Two Iranian Nationals Charged in Cyber
group
group
tanks, defense contractors, and defense contractors, and
Theft Campaign Targeting Computer Systems
Theft Campaign Targeting Computer Systems
in United States, in United States,
operating on
operating on
aerospace companies to steal
aerospace companies to steal
Europe, and the Middle East,” press
Europe, and the Middle East,” press
release,release,
September September 16, 2020, at 16, 2020, at
behalf of the
behalf of the
sensitive
sensitive
data. data.
https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-
https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-
state
state
theft-campaign-targeting-computer-systems-united-states.
theft-campaign-targeting-computer-systems-united-states.
2009-2020
2009-2020
China China
MSS
MSS
N/A
N/A
Targeted technology
Targeted technology
Department of Justice, “Two Chinese Hackers
Department of Justice, “Two Chinese Hackers
Working with the Working with the
manufacturing, healthcare,
manufacturing, healthcare,
energy,
Ministry of State Security Charged with Global Computer Intrusion Ministry of State Security Charged with Global Computer Intrusion
energy, defense, business,defense, business,
educational,
Campaign Targeting
Campaign Targeting
Intel ectualIntellectual Property and Confidential Business Property and Confidential Business
educational, and gaming and gaming companies to steal
Information, Including COVID-19 Research,” press release,
Information, Including COVID-19 Research,” press release,
July 21, July 21,
intel ectual property andcompanies to steal intellectual
2020, at https://www.justice.gov/opa/pr/two-chinese-hackers-
2020, at https://www.justice.gov/opa/pr/two-chinese-hackers-
confidential business information,property and confidential
working-ministry-state-security-charged-global-computer-intrusion.
working-ministry-state-security-charged-global-computer-intrusion.
business information, including COVID-19 research.including COVID-19 research.
CRS-
CRS-
89
Incident/
Campaign,
Campaign Attributed
Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2015-2019
2015-2019
Iran Iran
IRGC
IRGC
APT-33
APT-33
Conducted spear phishing
Conducted spear phishing
attacks
Department of Justice, “State-Sponsored Iranian Hackers Indicted
Department of Justice, “State-Sponsored Iranian Hackers Indicted
against satel ite and aerospaceattacks against satellite and
for Computer Intrusions at U.S.
for Computer Intrusions at U.S.
Satel ite Satellite Companies,” Companies,”
press release, press release,
aerospace company employeescompany employees
to gain
September
September
17, 2020, at https://www.justice.gov/opa/pr/state-17, 2020, at https://www.justice.gov/opa/pr/state-
to gain access to companyaccess to company
networks,
sponsored-iranian-hackers-indicted-computer-intrusions-us-
sponsored-iranian-hackers-indicted-computer-intrusions-us-
satel ite-
steal identities, and use malware
companies.
to steal intel ectual satellite-
networks, steal identities, and
companies.
use malware to steal intellectual property and sensitive data.
2015-2018
property and sensitive data.
2015-2018 Russia Russia
GRU
GRU
Sandworm
Sandworm
Attacked the Ukrainian
Attacked the Ukrainian
Department of Justice, “Six Russian GRU Officers Charged in
Department of Justice, “Six Russian GRU Officers Charged in
government and critical
government and critical
Connection with Worldwide
Connection with Worldwide
Deployment Deployment of Destructiveof Destructive
Malware Malware
infrastructure (BlackEnergy);
infrastructure (BlackEnergy);
and Other Disruptive Actions in Cyberspace,” press
and Other Disruptive Actions in Cyberspace,” press
release, release,
sought to interfere in the French
sought to interfere in the French
October 19, 2020, at https://www.justice.gov/opa/pr/six-russian-gru-
October 19, 2020, at https://www.justice.gov/opa/pr/six-russian-gru-
national elections; conducted the
national elections; conducted the
officers-charged-connection-worldwide-deployment-destructive-officers-charged-connection-worldwide-deployment-destructive-
NotPetya attacks against U.S.-NotPetya attacks against U.S.-
malware-and.
malware-and.
based hospitals, shipping
based hospitals, shipping
companies,companies,
and pharmaceutical and pharmaceutical
companies; sought to undermine companies; sought to undermine
the PyeongChang Winter the PyeongChang Winter
Olympics; spear phished Olympics; spear phished
investigators of the Novichok investigators of the Novichok
poisoning to gain sensitivepoisoning to gain sensitive
data; data;
and sought to compromise and sought to compromise
Georgian government entities. Georgian government entities.
CRS-
CRS-
910
Incident/
Campaign,
Campaign Attributed
Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2014-2018
2014-2018
Russia Russia
GRU
GRU
N/A
N/A
Conducted disinformation
Conducted disinformation
Department of Justice, “U.S. Charges Russian GRU Officers with
Department of Justice, “U.S. Charges Russian GRU Officers with
operations. Hacked into
operations. Hacked into
International Hacking and Related Influence and Disinformation
International Hacking and Related Influence and Disinformation
computers belonging to the
computers belonging to the
Operations,” press
Operations,” press
release,release,
October 4, 2018, at October 4, 2018, at
World
World
Anti-Doping Agency Anti-Doping Agency
https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-
https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-
(WADA),
(WADA),
United States Anti-United States Anti-
international-hacking-and-related-influence-and.
international-hacking-and-related-influence-and.
Doping Agency (USADA), Rio de
Doping Agency (USADA), Rio de
Janeiro Olympic and Paralympic Janeiro Olympic and Paralympic
games,games,
Fédération Internationale Fédération Internationale
de de
Footbal Association Football Association (FIFA), (FIFA),
Westinghouse ElectricWestinghouse Electric
Company’s Company’s
(WEC), and the [Organization] (WEC), and the [Organization]
for the Prohibition of Chemical for the Prohibition of Chemical
Weapons (OPCW). Published Weapons (OPCW). Published
stolen and altered information stolen and altered information
from these entities to retaliatefrom these entities to retaliate
for for
and delegitimizeand delegitimize
doping charges doping charges
against Russia’s sporting against Russia’s sporting
organizations. organizations.
2013-2018
2013-2018
Iran Iran
IRGC
IRGC
Mabna
Mabna
Stole academic data and
Stole academic data and
Department of Justice, “Nine Iranians Charged with Conducting
Department of Justice, “Nine Iranians Charged with Conducting
Institute
Institute
intel ectualintellectual property from property from
Massive Cyber Theft Campaign on Behalf of the Islamic
Massive Cyber Theft Campaign on Behalf of the Islamic
universities,
universities,
companies, and companies, and
Revolutionary Guard Corps,” press release,
Revolutionary Guard Corps,” press release,
March 23, 2018, at March 23, 2018, at
government agencies.
government agencies.
https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-
https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-
massive-cyber-theft-campaign-behalf-islamic-revolutionary.massive-cyber-theft-campaign-behalf-islamic-revolutionary.
Campaign Year(s): 2011-2018
Attributed Country: China
Perpetrating Entity: MSS
Identifier: APT-40
Description: Stole the intellectual property of companies dealing with submersibles, autonomous vehicles, chemicals, aircraft, genetics, transportation, and infectious disease research.
Citation: Department of Justice, “Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research,” press release, July 10, 2021, at https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion.

Campaign Year(s): 2006-2018
Attributed Country: China
Perpetrating Entity: MSS
Identifier: APT-10
Description: Targeted and stole intellectual property and confidential business information from transportation, technology, shipping, consulting, healthcare, and energy companies through cloud and managed service providers.
Citation: Department of Justice, “Two Chinese Hackers Associated with the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information,” press release, December 20, 2018, at https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion.

Campaign Year(s): 2017
Attributed Country: China
Perpetrating Entity: PLA
Identifier: Equifax Hack
Description: Theft of the PII of nearly 150 million Americans.
Citation: Department of Justice, “Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax,” press release, February 10, 2020, at https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking.

Campaign Year(s): 2016
Attributed Country: Russia
Perpetrating Entity: GRU
Identifier: DCLeaks and Guccifer 2.0
Description: Targeted political campaigns, state boards of elections, state secretaries of state, and companies providing technology for elections to steal and leak their sensitive data.
Citation: Department of Justice, “Grand Jury Indicts 12 Russian Intelligence Officers for Hacking Offenses Related to the 2016 Election,” press release, July 13, 2018, at https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-election.

Campaign Year(s): 2014-2016
Attributed Country: Russia
Perpetrating Entity: FSB
Identifier: Yahoo Breach
Description: Breach of 500 million accounts and other webmail account compromises targeted journalists, government officials, cybersecurity company employees, financial services companies, and transportation companies to steal sensitive information.
Citation: Department of Justice, “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts,” press release, March 15, 2017, at https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions.

Campaign Year(s): 2015
Attributed Country: China
Perpetrating Entity: Fujie Wang, and others (see note b)
Identifier: Anthem Hack
Description: Stole massive amounts of PII held by the health insurance company Anthem Inc., as well as other companies.
Citation: Department of Justice, “Member of Sophisticated China-Based Hacking Group Indicted for Series of Computer Intrusions, Including 2015 Data Breach of Health Insurer Anthem Inc. Affecting Over 78 Million People,” press release, May 9, 2019, at https://www.justice.gov/opa/pr/member-sophisticated-china-based-hacking-group-indicted-series-computer-intrusions-including.

Campaign Year(s): 2014-2015
Attributed Country: Iran
Perpetrating Entity: IRGC
Identifier: N/A
Description: Targeted intelligence community (IC) employees as part of an intelligence campaign with fake accounts used to deploy malware.
Citation: Department of Justice, “Former U.S. Counterintelligence Agent Charged with Espionage on Behalf of Iran; Four Iranians Charged with a Cyber Campaign Targeting Her Former Colleagues,” press release, February 13, 2019, at https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber.

Campaign Year(s): 2010-2015
Attributed Country: China
Perpetrating Entity: MSS
Identifier: N/A
Description: Targeted aerospace companies to steal intellectual property related to turbofan engine technology.
Citation: Department of Justice, “Chinese Intelligence Officers and Their Recruited Hackers and Insiders Conspired to Steal Sensitive Commercial Aviation and Technological Data for Years,” press release, October 30, 2018, at https://www.justice.gov/opa/pr/chinese-intelligence-officers-and-their-recruited-hackers-and-insiders-conspired-steal.

Campaign Year(s): 2006-2014
Attributed Country: China
Perpetrating Entity: PLA
Identifier: N/A
Description: Hacked into computers of U.S. manufacturers in order to steal sensitive information to benefit Chinese state enterprises.
Citation: Department of Justice, “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” press release, May 19, 2014, at https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor.

Campaign Year(s): 2011-2013
Attributed Country: Iran
Perpetrating Entity: ITSecTeam & Mersad Company
Identifier: N/A
Description: Waged DDOS attacks against financial services companies, and hacked into networks of a municipal dam in Rye Brook, N.Y.
Citation: Department of Justice, “Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector,” press release, March 24, 2016, at https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged.

Source: CRS analysis.
Notes: Abbreviations used in the table include: Advanced Persistent Threat (APT); Democratic People’s Republic of North Korea (North Korea); Distributed Denial of Service (DDOS); Federal Security Service (FSB); Islamic Republic of Iran (Iran); Islamic Revolutionary Guard Corps (IRGC); The People’s Republic of China (China); Main Intelligence Directorate, Military (GRU); Intelligence Community (IC); Ministry of Intelligence and Security (MOIS); Ministry of State Security (MSS); People’s Liberation Army (PLA); Personal Identifiable Information (PII); The Russian Federation (Russia); Reconnaissance General Bureau (RGB); and Russia’s Foreign Intelligence Service (SVR).
a. Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian are the two Iranian nationals charged. The indictment claims that they work for an Iranian company now known as Emennet Pasargad. The company is known to have provided services to the Iranian government and the Guardian Council.
b. The indictment does not attribute this attack as being for the benefit of the state. However, government officials have since speculated that this was under the direction of the Chinese government—see, Christopher Wray, “The Threat Posed by the Chinese Government and the Chinese Communist Party to the Economic and National Security of the United States,” remarks to the Hudson Institute as delivered, July 7, 2020, at https://www.fbi.gov/news/speeches/the-threat-posed-by-the-chinese-government-and-the-chinese-communist-party-to-the-economic-and-national-security-of-the-united-states.
Foreign Criminal Cyberattacks
Most criminals are financially motivated and use cyberspace as a medium for conducting profit-bearing schemes. However, financial gain is not a requirement for illicit activity. Some malicious actors also victimize entities online without desires for payment, such as in hack and leak operations intended to embarrass the victim. Table 2 lists a selection of 30 cyberattacks against victims in the United States from actors located abroad. The country of residence for the perpetrator is included for each cyberattack campaign to highlight the geographic diversity from where attacks originate. Some campaigns were part of criminal groups and others are conducted by individuals, as indicated for each entry in the table. The U.S. government has determined that these actors were not operating to benefit the state, but were acting for personal gain—thus distinguishing these attacks from those listed in Table 1. Criminal cyberattacks also originate from U.S. individuals but are not included in this table as those individuals may face both state and federal criminal charges, which the search methodology does not take into account. These attacks include the compromise of computers to create and maintain botnets, business email compromise schemes, hack and release campaigns, and ransomware attacks.
Table 2. Selected Criminal Cyberattacks
In Descending Order by Campaign Year: 2021-2012
Columns: Campaign Year(s); Perpetrator Country of Residence; Single or Multiple Perpetrators; Campaign, Incident, or Identifier; Description; Citation

Campaign Year(s): 2021
Perpetrator Country of Residence: Ukraine and Russia
Single or Multiple Perpetrators: Multiple
Identifier: REvil ransomware and Kaseya attack
Description: Hackers built and distributed the Sodinokibi and REvil ransomware attacks. They conducted a supply chain attack against an IT management company to distribute ransomware to new victims.
Citation: Department of Justice, “Ukrainian Arrested and Charged with Ransomware Attack on Kaseya,” press release, November 8, 2021, at https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya.

Campaign Year(s): 2019-2021
Perpetrator Country of Residence: Switzerland
Single or Multiple Perpetrators: Single
Identifier: Hack & Leak
Description: Hacked into U.S. companies and posted sensitive data.
Citation: Department of Justice, “Swiss Hacker Indicted for Conspiracy, Wire Fraud, and Aggravated Identity Theft,” press release, March 18, 2021, at https://www.justice.gov/usao-wdwa/pr/swiss-hacker-indicted-conspiracy-wire-fraud-and-aggravated-identity-theft.

Campaign Year(s): 2011-2021
Perpetrator Country of Residence: Moldova
Single or Multiple Perpetrators: Multiple
Identifier: Bugat Botnet
Description: Targeted school districts, banks, and energy companies to wire funds illicitly.
Citation: Department of Justice, “Bugat Botnet Administrator Arrested and Malware Disabled,” press release, October 13, 2015, at https://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled.

Campaign Year(s): 2016-2020
Perpetrator Country of Residence: Iran
Single or Multiple Perpetrators: Multiple
Identifier: N/A
Description: Defaced websites by changing them to protest U.S. government policies and actions. Stole credit card information and distributed spam emails.
Citation: Department of Justice, “Two Alleged Hackers Charged with Defacing Websites Following Killing of Qasem Soleimani,” press release, September 15, 2020, at https://www.justice.gov/opa/pr/two-alleged-hackers-charged-defacing-websites-following-killing-qasem-soleimani.

Campaign Year(s): 2016-2020
Perpetrator Country of Residence: Ukraine
Single or Multiple Perpetrators: Multiple
Identifier: N/A
Description: Hacked into computers, stole user credentials, managed a botnet of hacked computers and sold access online.
Citation: Department of Justice, “Ukrainian Cyber Criminal Extradited For Decrypting The Credentials Of Thousands Of Computers Across The World And Selling Them On A Dark Web Website,” press release, September 8, 2021, at https://www.justice.gov/usao-mdfl/pr/ukrainian-cyber-criminal-extradited-decrypting-credentials-thousands-computers-across.

Campaign Year(s): 2015-2020
Perpetrator Country of Residence: Latvia
Single or Multiple Perpetrators: Multiple
Identifier: Trickbot
Description: Targeted hospitals, schools, utilities, and governments to steal financial information.
Citation: Department of Justice, “Latvian National Charged for Alleged Role in Transnational Cybercrime Organization,” press release, June 4, 2021, at https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization.

Campaign Year(s): 2019
Perpetrator Country of Residence: Nigeria
Single or Multiple Perpetrators: Multiple
Identifier: Hushpuppi
Description: Conducted business email compromise and money laundering campaigns.
Citation: Department of Justice, “Six Indicted in International Scheme to Defraud Qatari School Founder and Then Launder over $1 Million in Illicit Proceeds,” press release, July 29, 2021, at https://www.justice.gov/usao-cdca/pr/six-indicted-international-scheme-defraud-qatari-school-founder-and-then-launder-over-1.

Campaign Year(s): 2013-2019
Perpetrator Country of Residence: Romania, Bulgaria, U.S.A.
Single or Multiple Perpetrators: Multiple
Identifier: Fraud
Description: Sold nonexistent goods online and attacked credentials for web services.
Citation: Department of Justice, “United States and International Law Enforcement Dismantle Online Organized Crime Ring Operating out of Romania that Victimized Thousands of U.S. Residents,” press release, February 7, 2019, at https://www.justice.gov/opa/pr/united-states-and-international-law-enforcement-dismantle-online-organized-crime-ring.

Campaign Year(s): 2015-2018
Perpetrator Country of Residence: Ukraine
Single or Multiple Perpetrators: Multiple
Identifier: Fin7
Description: Targeted retailers and point-of-sale terminals to steal credit card information.
Citation: Department of Justice, “Three Members of Notorious International Cybercrime Group “Fin7” in Custody for Role in Attacking over 100 U.S. companies,” press release, August 1, 2018, at https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100.

Campaign Year(s): 2015-2018
Perpetrator Country of Residence: Iran
Single or Multiple Perpetrators: Multiple
Identifier: SamSam Ransomware
Description: Conducted ransomware attacks against state and city government agencies, hospitals, and other victims.
Citation: Department of Justice, “Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses,” press release, November 28, 2018, at https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public.

Campaign Year(s): 2013-2018
Perpetrator Country of Residence: Ukraine
Single or Multiple Perpetrators: Single
Identifier: Malvertising campaign
Description: Delivered online advertisements embedded with malware.
Citation: Department of Justice, “International ‘Malvertiser’ Extradited from the Netherlands to Face Hacking Charges in New Jersey,” press release, May 3, 2019, at https://www.justice.gov/opa/pr/international-malvertiser-extradited-netherlands-face-hacking-charges-new-jersey.

Campaign Year(s): 2007-2018
Perpetrator Country of Residence: Romania
Single or Multiple Perpetrators: Single
Identifier: N/A
Description: Targeted customers of the Better Business Bureau, the Internal Revenue Service, the U.S. Tax Court, the National Payroll Records Center, and others with phishing and fraudulent online auctions.
Citation: Department of Justice, “Leader of International Cyber Fraud Ring Returned to United States to Face Federal Racketeering Charges,” press release, October 9, 2018, at https://www.justice.gov/opa/pr/leader-international-cyber-fraud-ring-returned-united-states-face-federal-racketeering.

Campaign Year(s): 2017
Perpetrator Country of Residence: Romania
Single or Multiple Perpetrators: Multiple
Identifier: Ransomware
Description: Targeted Metropolitan Police Department surveillance cameras and compromised those devices to distribute ransomware.
Citation: Department of Justice, “Two Romanian Suspects Charged with Hacking of Metropolitan Police Department Surveillance Cameras in Connection with Ransomware Scheme,” press release, December 28, 2017, at https://www.justice.gov/usao-dc/pr/two-romanian-suspects-charged-hacking-metropolitan-police-department-surveillance-cameras.

Campaign Year(s): 2017
Perpetrator Country of Residence: Turkey
Single or Multiple Perpetrators: Single
Identifier: WireX Botnet
Description: Used the WireX Botnet in a DDOS attack against a hospitality company.
Citation: Department of Justice, “Federal Indictment in Chicago Charges Turkish National with Directing Cyber Attack on Multinational Hospitality Company,” press release, September 29, 2021, at https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack.

Campaign Year(s): 2016-2017
Perpetrator Country of Residence: United Kingdom
Single or Multiple Perpetrators: Single
Identifier: Dark Overlord
Description: Breached the network of a business in St. Louis, MO, stole sensitive data, and threatened to release it unless a ransom was paid.
Citation: Department of Justice, “Member of ‘The Dark Overlord’ Hacking Group Extradited from United Kingdom to Face Charges in St. Louis,” press release, December 18, 2019, at https://www.justice.gov/opa/pr/member-dark-overlord-hacking-group-extradited-united-kingdom-face-charges-st-louis.

Campaign Year(s): 2014-2017
Perpetrator Country of Residence: Cyprus
Single or Multiple Perpetrators: Single
Identifier: N/A
Description: Hacked into a company’s data store, stole sensitive information, then extorted the company for a fee to not release information. With persistent access, charged clients to remove unfavorable information from the company’s records.
Citation: Department of Justice, “Two Alleged Criminals – A Hezbollah Associated Narco-Money Launderer and a Computer Hacker – Extradited from Cyprus to the United States,” press release, July 18, 2020, at https://www.justice.gov/opa/pr/two-alleged-criminals-hezbollah-associated-narco-money-launderer-and-computer-hacker.

Campaign Year(s): 2014-2017
Perpetrator Country of Residence: Russia, Ukraine, and Kazakhstan
Single or Multiple Perpetrators: Multiple
Identifier: MethBot
Description: Built a botnet and maintained infrastructure to operate a malvertising campaign.
Citation: Department of Justice, “Two International Cybercriminal Rings Dismantled and Eight Defendants Indicted for Causing Tens of Millions of Dollars in Losses in Digital Advertising Fraud,” press release, November 27, 2018, at https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing.

Campaign Year(s): 2011-2017
Perpetrator Country of Residence: China
Single or Multiple Perpetrators: Multiple
Identifier: Economic Espionage
Description: Targeted firms working on satellite, energy, technology, transportation, and economic analysis to steal credentials and access sensitive data.
Citation: Department of Justice, “U.S. Charges Three Chinese Hackers Who Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage,” press release, November 27, 2017, at https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations.

2010-2017
2010-2017
Russia Russia
Single
Single
Kelihos
Kelihos
Botnet Botnet
Stole PII and credentials,
Stole PII and credentials,
Department of Justice, “Russian National Indicted with Multiple
Department of Justice, “Russian National Indicted with Multiple
distributed spam and
distributed spam and
Offenses in Connection with Kelihos
Offenses in Connection with Kelihos
Botnet,” press release,Botnet,” press release,
April April
malware,
malware,
engaged in pump-engaged in pump-
21, 2017, at https://www.justice.gov/opa/pr/russian-national-
21, 2017, at https://www.justice.gov/opa/pr/russian-national-
and-dump stock schemes.
and-dump stock schemes.
indicted-multiple-offenses-connection-kelihos-botnet.
indicted-multiple-offenses-connection-kelihos-botnet.
2010-2017
2010-2017
Russia Russia
Multiple
Multiple
InFraud
InFraud
Targeted financial
Targeted financial
Department of Justice, “Russian National Pleads Guilty for Role in
Department of Justice, “Russian National Pleads Guilty for Role in
Organization
Organization
institutions, merchants, and
institutions, merchants, and
Transnational Cybercrime
Transnational Cybercrime
Organization ResponsibleOrganization Responsible
for More for More
individuals to steal credit
individuals to steal credit
Than $568 Mil ion
Than $568 Mil ion
in Losses,”in Losses,”
press press release,release,
June 26, 2020, at June 26, 2020, at
cards, PII, identities and
cards, PII, identities and
https://www.justice.gov/opa/pr/russian-national-pleads-guilty-role-
https://www.justice.gov/opa/pr/russian-national-pleads-guilty-role-
engage in other crimes.
engage in other crimes.
transnational-cybercrime-organization-responsible-more.
transnational-cybercrime-organization-responsible-more.
2015-2016
2015-2016
Russia, Russia,
Multiple
Multiple
GozNym
GozNym
Stole banking information
Stole banking information
Department of Justice, “GozNym Cyber-Criminal
Department of Justice, “GozNym Cyber-Criminal
Network Network
Georgia,
Georgia,
Malware
Malware
from a paving company, law
from a paving company, law
Operating out of Europe Targeting American
Operating out of Europe Targeting American
Entities Dismantled Entities Dismantled
Ukraine,
Ukraine,
firms,
firms,
churches, companies churches, companies
in International Operation,” press release,
in International Operation,” press release,
May 16, 2019, at May 16, 2019, at
Moldova, and
Moldova, and
providing services
providing services
to to
https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-
https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-
Bulgaria
Bulgaria
disabled individuals, medical
disabled individuals, medical
operating-out-europe-targeting-american-entities-dismantled.
operating-out-europe-targeting-american-entities-dismantled.
equipment distributers,
equipment distributers,
casinos, and furniture stores.casinos, and furniture stores.
CRS-
CRS-
1819
Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2007-2016
2007-2016
Romania Romania
Multiple
Multiple
Botnet
Botnet
Developed
Developed
malware that malware that
Department of Justice, “Three Romanian Nationals Indicted in $4
Department of Justice, “Three Romanian Nationals Indicted in $4
spread to more than 60,000
spread to more than 60,000
Mil ion
Mil ion
Cyber Fraud Scheme That Infected at Least 60,000 Cyber Fraud Scheme That Infected at Least 60,000
computers,
computers,
creating a botnet Computers and Sent 11 Mil ion Maliciouscreating a botnet Computers and Sent 11 Mil ion Malicious
Emails,” pressEmails,” press
release, release,
used to mine used to mine
December
December
16, 2016, at https://www.justice.gov/opa/pr/three-16, 2016, at https://www.justice.gov/opa/pr/three-
cryptocurrency, send spam
cryptocurrency, send spam
romanian-nationals-indicted-4-mil ion-cyber-fraud-scheme-
romanian-nationals-indicted-4-mil ion-cyber-fraud-scheme-
email,
email,
and steal credentials and steal credentials
infected-least-60000-computers.
infected-least-60000-computers.
and financial information.
and financial information.
2016
2016
Ukraine
Ukraine
Multiple
Multiple
SEC EDGAR
SEC EDGAR
Infiltrated the SEC EDGAR
Infiltrated the SEC EDGAR
Department of Justice, “Two Ukrainian Nationals Indicted in
Department of Justice, “Two Ukrainian Nationals Indicted in
Compromise
Compromise
filing system to glean
filing system to glean
non-
Computer Hacking and Securities
Computer Hacking and Securities
Fraud Scheme Targeting U.S. Fraud Scheme Targeting U.S.
public company informationnonpublic company
Securities
Securities
and Exchange Commission,”and Exchange Commission,”
press release,press release,
January 15, January 15,
information in orderin order
to trade in to
2019, at https://www.justice.gov/opa/pr/two-ukrainian-nationals-
2019, at https://www.justice.gov/opa/pr/two-ukrainian-nationals-
company stock based ontrade in company stock
indicted-computer-hacking-and-securities-fraud-scheme-targeting-
indicted-computer-hacking-and-securities-fraud-scheme-targeting-
private information.
us.
based on private
us.
information.
2015 2015
Kosovo
Kosovo
Single
Single
Kosova Hacker’s
Kosova Hacker’s
Targeted PII of U.S.
Targeted PII of U.S.
service
Department of Justice, “ISIL-Linked Hacker Arrested
Department of Justice, “ISIL-Linked Hacker Arrested
in Malaysia in Malaysia
Security
Security
members and governmentservicemembers and
on U.S. Charges,” press release,
on U.S. Charges,” press release,
October 15, 2015, at October 15, 2015, at
government employees.employees.
https://www.justice.gov/opa/pr/isil-linked-hacker-arrested-malaysia-
https://www.justice.gov/opa/pr/isil-linked-hacker-arrested-malaysia-
us-charges. us-charges.
2007-2015
2007-2015
Ukraine Ukraine
Single
Single
Money
Money
Spammed victims,
Spammed victims,
Department of Justice, “Ukrainian National Extradited from Poland
Department of Justice, “Ukrainian National Extradited from Poland
Laundering
Laundering
maintained infrastructure to
maintained infrastructure to
to Face Charges Related to $10 Mil ion
to Face Charges Related to $10 Mil ion
Cyber Money Laundering Cyber Money Laundering
perpetuate cybercrimes,
perpetuate cybercrimes,
and Operation,” press release,and Operation,” press release,
December December 23, 2015, at 23, 2015, at
stole money from company stole money from company
https://www.justice.gov/opa/pr/ukrainian-national-extradited-
https://www.justice.gov/opa/pr/ukrainian-national-extradited-
bank accounts.
bank accounts.
poland-face-charges-related-10-mil ion-cyber-money-laundering.
poland-face-charges-related-10-mil ion-cyber-money-laundering.
2012-2014
2012-2014
Romania Romania
Single
Single
Guccifer
Guccifer
Hacked the personal email
Hacked the personal email
Department of Justice, “Romanian National “Guccifer” Extradited
Department of Justice, “Romanian National “Guccifer” Extradited
and social
and social
media accounts ofmedia accounts of
to Face Hacking Charges,” press release,to Face Hacking Charges,” press release,
April 1, 2016, at April 1, 2016, at
high profile individuals and high profile individuals and
https://www.justice.gov/opa/pr/romanian-national-guccifer-
https://www.justice.gov/opa/pr/romanian-national-guccifer-
released
released
sensitive sensitive
extradited-face-hacking-charges.
extradited-face-hacking-charges.
information.
information.
2010-2012 CRS-20
Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2010-2012
Ukraine/Italy Ukraine/Italy
Single
Single
Zeus Malware
Zeus Malware
Targeted banks and banking
Targeted banks and banking
Department of Justice, “Ukrainian Citizen Sentenced to 41 Months
Department of Justice, “Ukrainian Citizen Sentenced to 41 Months
information for financial
information for financial
in Prison for Using Army
in Prison for Using Army
of 13,000 Infected Computers to Loot of 13,000 Infected Computers to Loot
theft.
theft.
Log-In Credentials,
Log-In Credentials,
Payment Card Data,” press release,Payment Card Data,” press release,
February February
16, 2017, at https://www.justice.gov/usao-nj/pr/ukrainian-citizen-16, 2017, at https://www.justice.gov/usao-nj/pr/ukrainian-citizen-
sentenced-41-months-prison-using-army-13000-infected-sentenced-41-months-prison-using-army-13000-infected-
computers-loot-log. computers-loot-log.
CRS-19
Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2009-2012 2009-2012
China China
Single
Single
N/A
N/A
Targeted U.S. defense
Targeted U.S. defense
Department of Justice, “Chinese National Pleads Guilty to
Department of Justice, “Chinese National Pleads Guilty to
contractors to steal sensitive
contractors to steal sensitive
Conspiring to Hack into U.S.Conspiring to Hack into U.S.
Defense Contractors’ SystemsDefense Contractors’ Systems
to
military to military transport design transport design
Steal Sensitive Military
Steal Sensitive Military
Information,” pressInformation,” press
release,release,
March 23, March 23,
data and send the data to
data and send the data to
2016, at https://www.justice.gov/opa/pr/chinese-national-pleads-
2016, at https://www.justice.gov/opa/pr/chinese-national-pleads-
China.
China.
guilty-conspiring-hack-us-defense-contractors-systems-steal-
guilty-conspiring-hack-us-defense-contractors-systems-steal-
sensitive.sensitive.
2003-2012
2003-2012
Russia Russia
Multiple
Multiple
N/A
N/A
Theft of credit card
Theft of credit card
Department of Justice, “Russian National Admits
Department of Justice, “Russian National Admits
Role in Largest Role in Largest
information from payment
information from payment
Known Data Breach Conspiracy Ever Prosecuted,” press release,
Known Data Breach Conspiracy Ever Prosecuted,” press release,
processors,
processors,
financial financial
September
September
15, 2015, at https://www.justice.gov/opa/pr/russian-15, 2015, at https://www.justice.gov/opa/pr/russian-
institutions, and retailers.
institutions, and retailers.
national-admits-role-largest-known-data-breach-conspiracy-ever-
national-admits-role-largest-known-data-breach-conspiracy-ever-
prosecuted. prosecuted.
2012
2012
Iran/Turkey
Iran/Turkey
Single
Single
N/A
N/A
Stole
Stole
intel ectualintellectual property property
Department of Justice, “Man Pleads Guilty to Facilitating
Department of Justice, “Man Pleads Guilty to Facilitating
from a Vermont-based
from a Vermont-based
Computer Hacking of Vermont Company,” press release,
Computer Hacking of Vermont Company,” press release,
defense contractor and
defense contractor and
December
December
2, 2015, at https://www.justice.gov/opa/pr/man-pleads-2, 2015, at https://www.justice.gov/opa/pr/man-pleads-
engineering firm.
engineering firm.
guilty-facilitating-computer-hacking-vermont-company.
guilty-facilitating-computer-hacking-vermont-company.
Source: CRS analysis.
Notes: Abbreviations and colloquialisms used in this table: the Republic of Bulgaria (Bulgaria); the People’s Republic of China (China); the Republic of Cyprus (Cyprus); the Electronic Data Gathering, Analysis, and Retrieval system (EDGAR); the Federal Republic of Nigeria (Nigeria); the Islamic Republic of Iran (Iran); the Italian Republic (Italy); the Republic of Kazakhstan (Kazakhstan); the Republic of Kosovo (Kosovo); the Republic of Moldova (Moldova); personally identifiable information (PII); the Russian Federation (Russia); the U.S. Securities and Exchange Commission (SEC); the Swiss Confederation (Switzerland); the Republic of Turkey (Turkey); the United States of America (U.S.A.); and the United Kingdom of Great Britain and Northern Ireland (United Kingdom).
Cybersecurity: Selected Cyberattacks, 2012-2022
Author Information
Chris Jaikaran
Specialist in Cybersecurity Policy
Acknowledgments
Jared Nagel (a former Information Research Specialist with CRS) and Alexandra Kosmidis (a Research Librarian with CRS) provided research support in identifying cyberattacks.
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.
Congressional Research Service
R46974 · VERSION 3 · UPDATED