Cybersecurity: Selected Cyberattacks, 2012-2022

November 22, 2021 – August 9, 2023 R46974

Cybersecurity: Selected Cyberattacks,
August 9, 2023
2012-2022
Chris Jaikaran
Many Members of Congress have raised concerns over the frequency, types, and impacts of
Specialist in Cybersecurity
cyber incidents during hearings, speeches, and in legislation. Cyber incidents affect nearly every
Policy
national entity, from federal and state government agencies to private companies and individuals.

One course of action to stymie attacks has been to investigate the adversaries that conduct
cyberattacks, what types of activities they conduct online, and how the U.S. government can

identify them.
To assist with Congress’s understanding of cyberattacks, this report describes attribution in cyberspace, confidence of
attribution, and common types of cyberattack. Listed in this report are two categories of cyberattacks by foreign adversaries
against entities in the United States: 30 cyberattack campaigns that the federal government has attributed to actors operating
on behalf of other nation-states, and 30 cyberattacks the government has attributed to criminal actors seeking personal gain.
In investigating cyber incidents, the U.S. government attempts to unmask those behind the incident and attribute it as an
attack. Attributing cyberattacks is difficult, but not impossible. Officials seek to develop a comprehensive understanding of
the cyber incident not just from the victim, but also by corroborating that information with other government and private
sector evidence to make a claim of attribution. While a process exists to repeatedly and consistently develop a claim of
attribution and a confidence level in it, adversaries take steps to complicate these efforts by obfuscating and removing any
trace of their activity, and using new infrastructure to make it difficult to track attack campaigns.
Nation-states are some of the most sophisticated actors that conduct cyberattacks. The Director of National Intelligence is
required annually to deliver to Congress an assessment from the intelligence community on worldwide threats. Recent
assessments have highlighted cyberspace as an area of strategic concern, with China, Russia, North Korea and Iran as the
leading threat actors. Attacks from these countries include spying on government agencies by accessing agency computers,
stealing sensitive information from public and private sector entities in the United States, stealing intellectual property, and
destroying or potentially destroying computer equipment.
Cyber criminals are less resourced than nation-state actors and are less likely to employ novel and cutting-edge techniques in
campaigns, yet their attacks are often highly effective. Most criminals are financially motivated and use cyberspace as a
medium for conducting profit-bearing schemes. However, gaining money is not a requirement for illicit activity.
Cyberattacks against victims in the United States from actors located abroad include compromising computers to create and
maintain botnets, business email compromise schemes, hack and release campaigns, and ransomware attacks.
Congressional Research Service

Cybersecurity: Selected Cyberattacks, 2012-2022

Introduction
The frequency, type, and impact of cyber incidents against and in the United States continues to
grow.1 In an effort to address this challenge, policymakers are considering a variety of solutions,
such as denying opportunities for successful attacks by improving defenses and deterring
adversaries from engaging in disruptive activities in cyberspace. As Congress considers options
for deterrence, knowledge of known adversaries, the types of activities they conduct online, and
how they are identified by the U.S. government may inform the debate. With this information,
policymakers may gain a greater understanding of the risks that the nation and specific sectors
face.
This report describes selected cyberattacks against entities in the United States which were
discovered or ended within the past decade (even if the activity was observed earlier) and
includes information on claims of attribution in cyberspace, confidence of attribution, and
common types of cyberattack. Listed in this report are two categories of cyberattacks: 30
cyberattack campaigns that the government has attributed to actors operating on behalf of a
nation-state, and 30 cyberattacks the government has attributed to criminal actors seeking
personal gain.
Attribution
Attributing a cyberattack is difficult, but not impossible. Government investigators seek to
develop a comprehensive understanding of cyber incidents from not just the victim but also by
corroborating information in order to make claims of attribution.
First, investigators look at the attributes of the event itself, such as the tradecraft employed by the
adversary (i.e., techniques, tactics, and procedures used to carry out the attack), any malware used
(i.e., the type of the software that exploited a vulnerability for access), and the features of the
attack (e.g., logging key stokes or encrypting data). Then investigators seek to discover the
infrastructure used to carry out the attack (e.g., the command and control servers communicating
with the malware). They will combine this information with government and industry analysis on
an attacker’s intent (e.g., reasons for targeting a particular victim) and information from external
sources (e.g., cybersecurity firm reports, think tank analysis, and news media).2 In analyzing this
information, investigators will seek to minimize human error, substantiate hypotheses among
various sources, and entertain competing theories of attribution. Finally, investigators typically
provide their assessment and a confidence level.
• High confidence reflects an assessment that investigators believe beyond a
reasonable doubt and without a viable alternative that the attributed party is
responsible for the attack.
• Moderate confidence means that investigators believe that the evidence is clear
and convincing, but alternatives are possible.
• Low confidence is used when evidence points to a particular actor, but there are
significant information gaps.3

1 Statista, U.S. Companies and Cyber Crime, June 20, 2023, https://www.statista.com/study/12881/smb-and-cyber-
crime-in-the-united-states-statista-dossier/.
2 Office of the Director of National Intelligence, A Guide to Cyber Attribution, report, September 14, 2018, at
https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf.
3 Ibid.
Congressional Research Service

1

Cybersecurity: Selected Cyberattacks, 2012-2022

Developing a claim of attribution remains difficult despite having a process to determine
attribution and a system for articulating confidence in a claim. For example, sophisticated actors
continue to develop and deploy novel techniques and establish new infrastructure for different
attacks, which may make it difficult to track known activity from one attack to another.
Additionally, they will seek to obfuscate their activity as legitimate and remove records of their
actions on a network.
Claims of attribution appear in a variety of sources. The authoritativeness of these sources exist
on a spectrum. At the highest level of authority are primary sources, followed by secondary
sources, supposed sources, and, finally, conjecture being the least authoritative. With regards to
cyberattack attribution:
• Primary sources include statements by a U.S. government entity. A court finding
that a party was guilty of committing the attack—usually by violating the
Computer Fraud and Abuse Act4 or the Economic Espionage Act5—is the most
authoritative. A grand jury indictment is slightly less authoritative. An official
statement by a government official (e.g., a press briefing by the National Security
Advisor) providing attribution to a party is the least authoritative of the primary
sources. Evidence of why a primary source believes a party is responsible for an
attack is usually included in public documentation along with the claim and can
be further examined (e.g., an unsealed indictment).
• Secondary sources include claims by non-governmental entities. These
attributions frequently come from a cybersecurity firm releasing research on an
adversary or attack campaign. These claims usually include research into the
tradecraft, malware, infrastructure, and intent of a campaign or attack. Secondary
sources usually include evidence to support their claims. However, private
entities usually do not have access to classified government information (e.g.,
signals intelligence), which can further corroborate a claim of attribution.
Cybersecurity firms have generally avoided attributing attacks to nation-states.
Instead, a firm will attribute an attack to an actor set that the firm is tracking.
These actor sets are sometimes referred to as an Advanced Persistent Threat
(APT) or by a codename used for that company’s research.
• Supposed sources are predominantly composed of statements reported by
mainstream news media. These statements are frequently attributed to
unidentified government officials and corroborated with other primary or
secondary sources. However, these statements cannot otherwise be independently
examined.
• Conjecture includes claims by victims that a certain party is responsible for an
attack, or claims on social media platforms of attribution. These statements rarely
include evidence or provide analysis.

4 18 U.S.C. §1030. For more information on the Computer Fraud and Abuse Act, see CRS Report R46536, Cybercrime
and the Law: Computer Fraud and Abuse Act (CFAA) and the 116th Congress, by Peter G. Berris.
5 18 U.S.C. §§1831-1832. For more information on the Economic Espionage Act, see CRS Report R42681, Stealing
Trade Secrets and Economic Espionage: An Overview of the Economic Espionage Act, by Charles Doyle.
Congressional Research Service

2

Cybersecurity: Selected Cyberattacks, 2012-2022

Common Cyberattack Terms
“Cyberattack” is a broad term for a variety of malicious actions against information and
communications technologies. Below are a selection of common cyberattacks (in alphabetical
order).
Botnet: A portmanteau of “robot” and “network” which refers to a collection of computers for
which control has been seized by one or more unauthorized parties. Once an unauthorized party
controls an individual computer, they may then connect it to other computers in their control to
create a pool of computing resources (e.g., network bandwidth or processing power). Botnets are
used to further illicit activity online, such as distributing malware and surreptitiously mining
cryptocurrencies.
Business Email Compromise: A scam in which an attacker creates an email address (usually of a
high ranking official in an organization) and alters the identifying information of that email to make
it appear to come from the organization (e.g., changing the name associated with the email address).
Typically, scammers then email members of that organization with urgent needs for funds to be
transferred. These are sometimes under the guise of paying past due invoices. However, the
invoices are fraudulent and the accounts where the funds are to be transferred belong to the
scammers.
Denial of Service (DOS) or Distributed Denial of Service (DDOS): A DOS attack inhibits an
authorized user’s ability to access a resource (e.g., a website) by overwhelming that resource with
unauthorized requests (e.g., more requests to load a webpage than it was built to support). DDOS
attacks are more common and use many hosts to attack a single resource (e.g., a network of
malware-infected computers—a botnet—sending junk web traffic to a single service provider).
Hack and Leak: An attack in which an unauthorized party gains access to a sensitive data store
and exfiltrates (steals) the data. Once the sensitive data is in their control, the attacker either
releases the data in an effort to expose or embarrass the victim or contacts the victim and
demands a ransom in order to not release the data.
Phishing: An attack which attempts to gain access to a system by tricking authorized users into
engaging with malicious computer code. Frequently, this attack is carried out by combining an
email which uses social-engineering (i.e., an attempt to manipulate someone into revealing
information or taking some action) with a malicious web link or attachment. When the web link is
clicked or attachment opened, the device downloads and executes malware.
Malware: A portmanteau of “malicious” and “software” which refers to software and firmware
intentionally added to an information technology (IT) product and designed to cause harm to the
IT product or its data. There are many ways malware can be added to a product, such as from an
inserted USB drive or downloaded from the internet. Data may be harmed by making it no longer
private (i.e., compromising its confidentiality), manipulating it (i.e., compromising its integrity),
or deleting it (i.e., compromising its availability).
Malvertising: A portmanteau of “malicious” and “advertising.” This attack uses online
advertising networks to spread malware and compromise computer systems. Malvertisers buy ad-
space and inject malware into those ads in an effort to easily spread it online. When a user visits a
website, they may be presented with the ad and download the malicious code via a legitimate
advertising network. If the code downloads and successfully executes, then the computer
succumbs to malware. Generally, neither the website delivering the ad nor the advertising
networks are aware of the malicious code being delivered.
Congressional Research Service

3

link to page 4 Cybersecurity: Selected Cyberattacks, 2012-2022

Man-in-the-Middle (MitM): An attack where a malicious actor seeks to insert itself between
two computers in an effort to access the communications between those computers, usually in an
effort to eavesdrop between the users of those computers (either directly, or by intercepting
encryption keys so that encrypted text may be decrypted).
Ransomware: A portmanteau of “ransom” and “malware.” Ransomware attacks seek to deny
users access to data and IT systems by encrypting files and systems—thus, locking out users.
Perpetrators usually extort victims for payment, typically in cryptocurrency, to decrypt the
system. Recently, such attacks have been coupled with data breaches in which perpetrators also
steal data from their victims. In addition to locking the computer systems, the perpetrators
typically notify victims that they have copies of their data and will release sensitive information
unless a ransom is paid, potentially extorting them twice. A triple extortion may occur if the
perpetrators contact a company’s clients to tell them about the attack in an effort to pressure the
victim to pay the ransom or risk harming their future business prospects.
Supply Chain Attack: An attack in which an adversary inserts an unauthorized physical or
software component into a product in order to surreptitiously access data or manipulate a system.
These attacks can occur during any phase of a product lifecycle (e.g., development, shipping, or
updating).6
Zero-Day: An attack that exploits a previously unknown vulnerability in an IT product. This type
of attack is particularly dangerous because until it is noticed, there is usually no defense against it.
This attack is sometimes written as “0-Day” and sometimes pronounced “oh-day.”
These attacks may be used alone or in conjunction to conduct a variety of computer network
operations (CNO), such as computer network exploitation (CNE) for the purposes of espionage or
computer network attack (CNA) to disrupt a targeted victim.
Methodology
To develop the list of attacks, CRS considered only primary sources (explained further in the
“Attribution” section). CRS searched for public statements on U.S. government websites
belonging to the Department of Defense (DOD), the Department of Homeland Security (DHS),
the Department of Justice (DOJ), the Office of the Director of National Intelligence (ODNI), and
the Cybersecurity and Infrastructure Security Agency (CISA). Search terms (e.g., “cyber” and
“state-sponsored”) and topic filters (e.g., “national security” and “cybersecurity”) were used to
refine search results.
The results reflect the cybersecurity and legal communities’ broad public understanding of
responsible parties, but should not be considered comprehensive. DOJ’s website only publishes
press releases from 2009 onward, limiting the number of available press releases and indictments
available for the search. There may be additional indictments that are not publicized but unsealed
and available in court proceeding databases. Those documents are not searchable and accessible
via the public internet, and are therefore not included in these results. Additionally, government
officials may attribute a particular campaign to a nation-state actor or criminal group, but have
not made evidence or corroborating information available (e.g., a list of victims or naming a
specific actor in country). Such instances are not included in this list.
Tables are organized by attack and campaign year. The country of origin and entity responsible
for a particular attack or campaign are listed next to it, followed by a short description. Colloquial

6 For more information, see CRS In Focus IF10920, Cyber Supply Chain Risk Management: An Introduction, by Chris
Jaikaran.
Congressional Research Service

4

link to page 9 Cybersecurity: Selected Cyberattacks, 2012-2022

country names and abbreviations for the perpetrating entity are used in the tables. Full names are
provided in the table notes. Further information is available in the citation provided for each row.
In some cases, many individual attacks were combined in a single indictment against actors
working in a single campaign. Nation-state campaigns are identified by their Advanced Persistent
Threat (APT) identifier, as those are commonly used monikers in the cybersecurity community.
Other inventories of cyberattacks have many more incidents.7 These inventories use different
methodologies which have different criteria for attribution confidence and include unidentified
victims and victims outside the United States.
Nation-State Cyberattacks
The Director of National Intelligence is required annually to deliver to Congress an assessment
from the intelligence community on worldwide threats.8 Recent assessments have highlighted
cyberspace as an area of strategic concern, with Russia,9 China,10 Iran,11 and North Korea12 as the
leading threat actors.13 Table 1 lists 30 selected cyberattack campaigns against the United States
attributed to nation-state actors operating on behalf of a country. These attacks include spying on
government agencies by accessing agency computers, stealing sensitive information from public
and private sector entities in the United States to undermine confidence in those entities, stealing
intellectual property to bolster national companies, and destroying or potentially destroying
computer equipment.

7 For examples, see Center for Strategic and International Studies, “Significant Cyber Incidents,” website, 2021, at
https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents; and Council on Foreign
Relations, “Cyber Operations Tracker,” website, 2021, at https://www.cfr.org/cyber-operations/.
8 50 U.S.C. §3043b.
9 For more information, see CRS In Focus IF11718, Russian Cyber Units, by Andrew S. Bowen. For technical
information, see Cybersecurity and Infrastructure Security Agency, “Russia Cyber Threat Overview and Advisories,”
website, at https://us-cert.cisa.gov/russia.
10 For more information, see CRS In Focus IF11284, U.S.-China Trade Relations, by Karen M. Sutter. For technical
information, see Cybersecurity and Infrastructure Security Agency, “China Cyber Threat Overview and Advisories,”
website, at https://us-cert.cisa.gov/china.
11 For more information, see CRS In Focus IF11406, Iranian Offensive Cyberattack Capabilities, by Catherine A.
Theohary. For technical information, see Cybersecurity and Infrastructure Security Agency, “Iran Cyber Threat
Overview and Advisories,” website, at https://us-cert.cisa.gov/iran.
12 For more information, see CRS Report R44912, North Korean Cyber Capabilities: In Brief, by Emma Chanlett-
Avery et al. For technical information, see Cybersecurity and Infrastructure Security Agency, “North Korea Cyber
Threat Overview and Advisories,” website, at https://us-cert.cisa.gov/northkorea.
13 For examples, see Avril Haines, Annual Threat Assessment, remarks as prepared, April 14, 2021, at
https://www.dni.gov/files/documents/Newsroom/Testimonies/2021-04-14-ATA-Opening-Statement-FINAL.pdf; and
James R. Clapper, Worldwide Threat Assessment of the U.S. Intelligence Community, statement for the record,
February 25, 2016, at https://www.dni.gov/files/documents/Newsroom/Testimonies/
HPSCI_Unclassified_2016_ATA_SFR-25Feb16.pdf.
Congressional Research Service

5

Table 1. Selected Cyberattack Campaigns Attributed to Nation States
In Descending Order by Campaign Year: 2023-2012
Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2020-2023
North Korea RGB
N/A
Targeted companies using
Cybersecurity and Infrastructure Security Agency, “TraderTraitor:
blockchain technologies (e.g.,
North Korean State-Sponsored APT Targets Blockchain
cryptocurrencies and non-
Companies,” April 20, 2022, at https://www.cisa.gov/news-events/
fungible tokens) to steal money.
cybersecurity-advisories/aa22-108a.
2022
Russia
N/A
N/A
State-sponsored actors exploited Cybersecurity and Infrastructure Security Agency, “Russian State-
multi-factor authentication
Sponsored Cyber Actors Gain Network Access by Exploiting
misconfigurations to steal data.
Default Multifactor Authentication Protocols and ‘PrintNightmare’
Vulnerability,” May 2, 2022, at https://www.cisa.gov/news-events/
cybersecurity-advisories/aa22-074a.
2020-2022
Russia
N/A
N/A
State-sponsored actors targeted
Cybersecurity and Infrastructure Security Agency, “Russian State-
cleared defense contractors to
Sponsored Cyber Actors Target Cleared Defense Contractor
steal weapons and vehicle
Networks to Obtain Sensitive U.S. Defense Information and
research, and spy on
Technology,” February 16, 2022, at https://www.cisa.gov/news-
communications.
events/cybersecurity-advisories/aa22-047a.
2018-2022
Iran
MOIS
N/A
Government actors spied on and Cybersecurity and Infrastructure Security Agency, “Iranian
stole data from private sector
Government-Sponsored Actors Conduct Cyber Operations Against
organizations in the
Global Government and Commercial Networks,” February 24,
telecommunications, defense,
2022, at https://www.cisa.gov/news-events/cybersecurity-advisories/
and energy sectors, as well as
aa22-055a.
governmental entities.
2021-2022
North Korea N/A
Maui
Government-sponsored actors
Cybersecurity and Infrastructure Security Agency, “North Korean
Ransomware
targeted healthcare companies
State-Sponsored Cyber Actors Use Maui Ransomware to Target the
with ransomware.
Healthcare and Public Health Sector,” July 7, 2022, at
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-
187a.
CRS-6

Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2022
Iran
N/A
Log4Shell
Government-sponsored actors
Cybersecurity and Infrastructure Security Agency, “Iranian
exploited open-source
Government-Sponsored APT Actors Compromise Federal
vulnerabilities in network
Network, Deploy Crypto Miner, Credential Harvester,”
connection software to install
cybersecurity advisory, November 25, 2022, at https://www.cisa.gov/
crypto-mining software and steal
news-events/cybersecurity-advisories/aa22-320a.
credentials.
2021
Russia
GRU
Cisco Router
Russian military intelligence
Cybersecurity and Infrastructure Security Agency, “APT28 Exploits
Malware
compromised widely used
Known Vulnerability to Carry Out Reconnaissance and Deploy
internet network equipment to
Malware on Cisco Routers,” cybersecurity advisory, April 18, 2023,
spy on victims and spread
at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-
malware.
108.
2021
Iran
N/A
N/A
Government-sponsored actors
Federal Bureau of Investigation, Cybersecurity and Infrastructure
exploited vulnerabilities in email
Security Agency, Australian Cyber Security Centre, and National
and security appliances to gain
Cyber Security Centre, “Iranian Government-Sponsored APT Cyber
access to U.S. critical
Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in
infrastructure. Once they had
Furtherance of Malicious Activities,” AA21-321A, November 17,
access, they conducted fol ow-on 2021, at https://us-cert.cisa.gov/sites/default/files/publications/AA21-
theft, encryption, ransomware
321A-Iranian%20Government-
and extortion operations.
Sponsored%20APT%20Actors%20Exploiting%20Vulnerabilities_1.pdf.
2020-2021
China
MSS
Hafnium
Exploited previously unknown
The White House, “The United States, Joined by Allies and Partners,
vulnerabilities in on-premise
Attributes Malicious Cyber Activity and Irresponsible State Behavior
Microsoft Exchange servers to
to the People’s Republic of China,” press release, July 19, 2021, at
gain access to sensitive data.
https://www.whitehouse.gov/briefing-room/statements-releases/
2021/07/19/the-united-states-joined-by-allies-and-partners-
attributes-malicious-cyber-activity-and-irresponsible-state-behavior-
to-the-peoples-republic-of-china/.
2020-2021
Russia
SVR
SolarWinds
Conducted a supply-chain attack
Joint Statement by the Federal Bureau of Investigation (FBI), the
against a widely used software
Cybersecurity and Infrastructure Security Agency (CISA), the Office
management company to gain
of the Director of National Intelligence (ODNI), and the National
access to government and
Security Agency (NSA), press release, January 5, 2021, at
private sector networks.
https://www.cisa.gov/news/2021/01/05/joint-statement-federal-
bureau-investigation-fbi-cybersecurity-and-infrastructure.
CRS-7

Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2020
Iran
Kazemi and
2020 U.S.
Hacked into state election
Department of Justice, “Two Iranian Nationals Charged for Cyber-
Kashiana
Presidential
websites and accessed voter
Enabled Disinformation and Threat Campaign Designed to Influence
Election
information on over 100,000
the 2020 U.S. Presidential Election” press release, November 18,
Disinformation citizens. Sent disinformation to
2021, at https://www.justice.gov/opa/pr/two-iranian-nationals-
and Election
politicians and the media claiming charged-cyber-enabled-disinformation-and-threat-campaign-designed.
Infrastructure
to be from voters. Intimidated
Hacking
voters online. Attempted to hack
into a media company to spread
further disinformation.
2020
Iran
MOIS & IRGC APT-39
Stole data pertaining to national
Department of Justice, “Department of Justice and Partner
security, foreign policy
Departments and Agencies Conduct Coordinated Actions to
intelligence, non-military nuclear
Disrupt and Deter Iranian Malicious Cyber Activities Targeting the
information, aerospace data,
United States and the Broader International Community,” press
human rights activist information, release, September 17, 2020, at https://www.justice.gov/opa/pr/
individual financial information
department-justice-and-partner-departments-and-agencies-conduct-
and PII, and intellectual property, coordinated-actions-disrupt.
including unpublished scientific
research.
2014-2020
China
MSS
APT-41
Targeted IT companies,
Department of Justice, “Seven International Cyber Defendants,
telecommunications companies,
Including ‘Apt41’ Actors, Charged In Connection with Computer
academic institutions, NGOs,
Intrusion Campaigns Against More Than 100 Victims Globally,” press
and pro-democracy activists to
release, September 16, 2020, at https://www.justice.gov/opa/pr/
steal intellectual property;
seven-international-cyber-defendants-including-apt41-actors-
deployed ransomware; and used
charged-connection-computer.
il egal y accessed computers to
mine cryptocurrency.
CRS-8

Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2014-2020
North Korea RGB
APT-38
Destroyed computers of Sony
Department of Justice, “Three North Korean Military Hackers
Pictures Entertainment over the
Indicted in Wide-Ranging Scheme to Commit Cyberattacks and
release of The Interview;
Financial Crimes Across the Globe," press release, February 17,
compromised the Society for
2021, at https://www.justice.gov/opa/pr/three-north-korean-military-
Worldwide Interbank Financial
hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and.
Telecommunications (SWIFT)
network to steal money from
banks; created and deployed the
WannaCry 2.0 ransomware;
created malicious
cryptocurrency wallets;
compromised cryptocurrency
companies to steal
cryptocurrencies; and conducted
spear phishing campaigns against
defense contractors, energy
companies, aerospace
companies, technology
companies, the U.S. Department
of State, and the U.S.
Department of Defense.
2013-2020
Iran
Criminal
N/A
Targeted universities, think
Department of Justice, “Two Iranian Nationals Charged in Cyber
group
tanks, defense contractors, and
Theft Campaign Targeting Computer Systems in United States,
operating on
aerospace companies to steal
Europe, and the Middle East,” press release, September 16, 2020, at
behalf of the
sensitive data.
https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-
state
theft-campaign-targeting-computer-systems-united-states.
2009-2020
China
MSS
N/A
Targeted technology
Department of Justice, “Two Chinese Hackers Working with the
manufacturing, healthcare,
Ministry of State Security Charged with Global Computer Intrusion
energy, defense, business,
Campaign Targeting Intellectual Property and Confidential Business
educational, and gaming
Information, Including COVID-19 Research,” press release, July 21,
companies to steal intellectual
2020, at https://www.justice.gov/opa/pr/two-chinese-hackers-
property and confidential
working-ministry-state-security-charged-global-computer-intrusion.
business information, including
COVID-19 research.
CRS-9

Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2015-2019
Iran
IRGC
APT-33
Conducted spear phishing
Department of Justice, “State-Sponsored Iranian Hackers Indicted
attacks against satellite and
for Computer Intrusions at U.S. Satellite Companies,” press release,
aerospace company employees
September 17, 2020, at https://www.justice.gov/opa/pr/state-
to gain access to company
sponsored-iranian-hackers-indicted-computer-intrusions-us-satellite-
networks, steal identities, and
companies.
use malware to steal intellectual
property and sensitive data.
2015-2018
Russia
GRU
Sandworm
Attacked the Ukrainian
Department of Justice, “Six Russian GRU Officers Charged in
government and critical
Connection with Worldwide Deployment of Destructive Malware
infrastructure (BlackEnergy);
and Other Disruptive Actions in Cyberspace,” press release,
sought to interfere in the French
October 19, 2020, at https://www.justice.gov/opa/pr/six-russian-gru-
national elections; conducted the officers-charged-connection-worldwide-deployment-destructive-
NotPetya attacks against U.S.-
malware-and.
based hospitals, shipping
companies, and pharmaceutical
companies; sought to undermine
the PyeongChang Winter
Olympics; spear phished
investigators of the Novichok
poisoning to gain sensitive data;
and sought to compromise
Georgian government entities.
CRS-10

Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2014-2018
Russia
GRU
N/A
Conducted disinformation
Department of Justice, “U.S. Charges Russian GRU Officers with
operations. Hacked into
International Hacking and Related Influence and Disinformation
computers belonging to the
Operations,” press release, October 4, 2018, at
World Anti-Doping Agency
https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-
(WADA), United States Anti-
international-hacking-and-related-influence-and.
Doping Agency (USADA), Rio de
Janeiro Olympic and Paralympic
games, Fédération Internationale
de Football Association (FIFA),
Westinghouse Electric
Company’s (WEC), and the
[Organization] for the
Prohibition of Chemical
Weapons (OPCW). Published
stolen and altered information
from these entities to retaliate
for and delegitimize doping
charges against Russia’s sporting
organizations.
2013-2018
Iran
IRGC
Mabna
Stole academic data and
Department of Justice, “Nine Iranians Charged with Conducting
Institute
intellectual property from
Massive Cyber Theft Campaign on Behalf of the Islamic
universities, companies, and
Revolutionary Guard Corps,” press release, March 23, 2018, at
government agencies.
https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-
massive-cyber-theft-campaign-behalf-islamic-revolutionary.
2011-2018
China
MSS
APT-40
Stole the intellectual property of
Department of Justice, “Four Chinese Nationals Working with the
companies dealing with
Ministry of State Security Charged with Global Computer Intrusion
submersibles, autonomous
Campaign Targeting Intellectual Property and Confidential Business
vehicles, chemicals, aircraft,
Information, Including Infectious Disease Research,” press release,
genetics, transportation, and
July 10, 2021, at https://www.justice.gov/opa/pr/four-chinese-
infectious disease research.
nationals-working-ministry-state-security-charged-global-computer-
intrusion.
CRS-11

Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2006-2018
China
MSS
APT-10
Targeted and stole intellectual
Department of Justice, “Two Chinese Hackers Associated with the
property and confidential
Ministry of State Security Charged with Global Computer Intrusion
business information from
Campaigns Targeting Intellectual Property and Confidential Business
transportation, technology,
Information,” press release, December 20, 2018, at
shipping, consulting, healthcare,
https://www.justice.gov/opa/pr/two-chinese-hackers-associated-
and energy companies through
ministry-state-security-charged-global-computer-intrusion.
cloud and managed service
providers.
2017
China
PLA
Equifax Hack
Theft of the PII of nearly 150
Department of Justice, “Chinese Military Personnel Charged with
mil ion Americans.
Computer Fraud, Economic Espionage and Wire Fraud for Hacking
into Credit Reporting Agency Equifax,” press release, February 10,
2020, at https://www.justice.gov/opa/pr/chinese-military-personnel-
charged-computer-fraud-economic-espionage-and-wire-fraud-
hacking.
2016
Russia
GRU
DCLeaks and
Targeted political campaigns,
Department of Justice, “Grand Jury Indicts 12 Russian Intelligence
Guccifer 2.0
state boards of elections, state
Officers for Hacking Offenses Related to the 2016 Election,” press
secretaries of state, and
release, July 13, 2018, at https://www.justice.gov/opa/pr/grand-jury-
companies providing technology
indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-
for elections to steal and leak
election.
their sensitive data.
2014-2016
Russia
FSB
Yahoo Breach Breach of 500 mil ion accounts
Department of Justice, “U.S. Charges Russian FSB Officers and Their
and other webmail account
Criminal Conspirators for Hacking Yahoo and Mil ions of Email
compromises targeted
Accounts,” press release, March 15, 2017, at
journalists, government officials,
https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-
cybersecurity company
their-criminal-conspirators-hacking-yahoo-and-mil ions.
employees, financial services
companies, and transportation
companies to steal sensitive
information.
CRS-12

Incident/
Campaign,
Campaign Attributed Perpetrating
Incident, or
Year(s)
Country
Entity
Identifier
Description
Citation
2015
China
Fujie Wang,
Anthem Hack
Stole massive amounts of PII held Department of Justice, “Member of Sophisticated China-Based
and othersb
by the health insurance company
Hacking Group Indicted for Series of Computer Intrusions, Including
Anthem Inc., as well as other
2015 Data Breach of Health Insurer Anthem Inc. Affecting Over 78
companies.
Mil ion People,” press release, May 9, 2019, at
https://www.justice.gov/opa/pr/member-sophisticated-china-based-
hacking-group-indicted-series-computer-intrusions-including.
2014-2015
Iran
IRGC
N/A
Targeted intelligence community
Department of Justice, “Former U.S. Counterintelligence Agent
(IC) employees as part of an
Charged with Espionage on Behalf of Iran; Four Iranians Charged
intelligence campaign with fake
with a Cyber Campaign Targeting Her Former Col eagues,” press
accounts used to deploy
release, February 13, 2019, at https://www.justice.gov/opa/pr/
malware.
former-us-counterintelligence-agent-charged-espionage-behalf-iran-
four-iranians-charged-cyber.
2010-2015
China
MSS
N/A
Targeted aerospace companies
Department of Justice, “Chinese Intelligence Officers and Their
to steal intellectual property
Recruited Hackers and Insiders Conspired to Steal Sensitive
related to turbofan engine
Commercial Aviation and Technological Data for Years,” press
technology.
release, October 30, 2018, at https://www.justice.gov/opa/pr/
chinese-intelligence-officers-and-their-recruited-hackers-and-
insiders-conspired-steal.
2006-2014
China
PLA
N/A
Hacked into computers of U.S.
Department of Justice, “U.S. Charges Five Chinese Military Hackers
manufacturers in order to steal
for Cyber Espionage Against U.S. Corporations and a Labor
sensitive information to benefit
Organization for Commercial Advantage,” press release, May 19,
Chinese state enterprises.
2014, at https://www.justice.gov/opa/pr/us-charges-five-chinese-
military-hackers-cyber-espionage-against-us-corporations-and-labor.
2011-2013
Iran
ITSecTeam &
N/A
Waged DDOS attacks against
Department of Justice, “Seven Iranians Working for Islamic
Mersad
financial services companies, and
Revolutionary Guard Corps-Affiliated Entities Charged for
Company
hacked into networks of a
Conducting Coordinated Campaign of Cyber Attacks Against U.S.
municipal dam in Rye Brook,
Financial Sector,” press release, March 24, 2016, at
N.Y.
https://www.justice.gov/opa/pr/seven-iranians-working-islamic-
revolutionary-guard-corps-affiliated-entities-charged.
Source: CRS analysis.
Notes: Abbreviations used in the table include Advanced Persistent Threat (APT); Democratic People’s Republic of North Korea (North Korea); Distributed Denial of
Service (DDOS); Federal Security Service (FSB); Islamic Republic of Iran (Iran); Islamic Revolutionary Guard Corps (IRGC); The People’s Republic of China (China); Main
Intelligence Directorate, Military (GRU); Intelligence Community (IC); Ministry of Intelligence and Security (MOIS); Ministry of State Security (MSS); People’s Liberation
CRS-13

Army (PLA); Personal Identifiable Information (PII); The Russian Federation (Russia); Reconnaissance General Bureau (RGB); and Russia’s Foreign Intelligence Service
(SVR).
a. Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian are the two Iranian nationals charged. The indictment claims that they work for an Iranian company now
known as Emennet Pasargad. The company is known to have provided services to the Iranian government and the Guardian Council.
b. The indictment does not attribute this attack as being for the benefit of the state. However, government officials have since speculated that this was under the
direction of the Chinese government—see, Christopher Wray, “The Threat Posed by the Chinese Government and the Chinese Communist Party to the Economic
and National Security of the United States,” remarks to the Hudson Institute as delivered, July 7, 2020, at https://www.fbi.gov/news/speeches/the-threat-posed-by-
the-chinese-government-and-the-chinese-communist-party-to-the-economic-and-national-security-of-the-united-states.

CRS-14

link to page 19 link to page 9 Cybersecurity: Selected Cyberattacks, 2012-2022

Foreign Criminal Cyberattacks
Most criminals are financially motivated and use cyberspace as a medium for conducting profit-
bearing schemes. However, financial gain is not a requirement for illicit activity. Some malicious
actors also victimize entities online without desires for payment, such as in hack and leak
operations intended to embarrass the victim. Table 2 lists a selection of 30 cyberattacks against
victims in the United States from actors located abroad. The country of residence for the
perpetrator is included for each cyberattack campaign to highlight the geographic diversity from
where attacks originate. Some campaigns were part of criminal groups and others are conducted
by individuals, as indicated for each entry in the table. The U.S. government has determined that
these actors were not operating to benefit the state, but were acting for personal gain—thus
distinguishing these attacks from those listed in Table 1. Criminal cyberattacks also originate
from U.S. individuals but are not included in this table as those individuals may face both state
and federal criminal charges, which the search methodology does not take into account. These
attacks include the compromise of computers to create and maintain botnets, business email
compromise schemes, hack and release campaigns, and ransomware attacks.

Congressional Research Service

15

Table 2. Selected Criminal Cyberattacks
In Descending Order by Campaign Year: 2021-2012
Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2021
Ukraine and
Multiple
REvil
Hackers built and distributed Department of Justice, “Ukrainian Arrested and Charged with
Russia
ransomware and
the Sodinokibi and REvil
Ransomware Attack on Kaseya,” press release, November 8, 2021,
Kaseya attack
ransomware attacks. They
at https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-
conducted a supply chain
ransomware-attack-kaseya.
attack against an IT
management company to
distribute ransomware to
new victims.
2019-2021
Switzerland
Single
Hack & Leak
Hacked into U.S. companies
Department of Justice, “Swiss Hacker Indicted for Conspiracy,
and posted sensitive data.
Wire Fraud, and Aggravated Identity Theft,” press release, March
18, 2021, at https://www.justice.gov/usao-wdwa/pr/swiss-hacker-
indicted-conspiracy-wire-fraud-and-aggravated-identity-theft.
2011-2021
Moldova
Multiple
Bugat Botnet
Targeted school districts,
Department of Justice, “Bugat Botnet Administrator Arrested and
banks, and energy companies Malware Disabled,” press release, October 13, 2015, at
to wire funds il icitly.
https://www.justice.gov/opa/pr/bugat-botnet-administrator-
arrested-and-malware-disabled.
2016-2020
Iran
Multiple
N/A
Defaced websites by
Department of Justice, “Two Alleged Hackers Charged with
changing them to protest
Defacing Websites Fol owing Kil ing of Qasem Soleimani,” press
U.S. government policies and release, September 15, 2020, at https://www.justice.gov/opa/pr/
actions. Stole credit card
two-alleged-hackers-charged-defacing-websites-fol owing-kil ing-
information and distributed
qasem-soleimani.
spam emails.
2016-2020
Ukraine
Multiple
N/A
Hacked into computers,
Department of Justice, “Ukrainian Cyber Criminal Extradited For
stole user credentials,
Decrypting The Credentials Of Thousands Of Computers Across
managed a botnet of hacked
The World And Selling Them On A Dark Web Website,” press
computers and sold access
release, September 8, 2021, at https://www.justice.gov/usao-mdfl/
online.
pr/ukrainian-cyber-criminal-extradited-decrypting-credentials-
thousands-computers-across.
CRS-16

Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2015-2020
Latvia
Multiple
Trickbot
Targeted hospitals, schools,
Department of Justice, “Latvian National Charged for Alleged Role
utilities, and governments to
in Transnational Cybercrime Organization,” press release, June 4,
steal financial information.
2021, at https://www.justice.gov/opa/pr/latvian-national-charged-
alleged-role-transnational-cybercrime-organization.
2019
Nigeria
Multiple
Hushpuppi
Conducted business email
Department of Justice, “Six Indicted in International Scheme to
compromise and money
Defraud Qatari School Founder and Then Launder over $1 Mil ion
laundering campaigns.
in Il icit Proceeds,” press release, July 29, 2021, at
https://www.justice.gov/usao-cdca/pr/six-indicted-international-
scheme-defraud-qatari-school-founder-and-then-launder-over-1.
2013-2019
Romania,
Multiple
Fraud
Sold nonexistent goods
Department of Justice, “United States and International Law
Bulgaria,
online and attacked
Enforcement Dismantle Online Organized Crime Ring Operating
U.S.A.
credentials for web services.
out of Romania that Victimized Thousands of U.S. Residents,”
press release, February 7, 2019, at https://www.justice.gov/opa/pr/
united-states-and-international-law-enforcement-dismantle-online-
organized-crime-ring.
2015-2018
Ukraine
Multiple
Fin7
Targeted retailers and point-
Department of Justice, “Three Members of Notorious
of-sale terminals to steal
International Cybercrime Group “Fin7” in Custody for Role in
credit card information.
Attacking over 100 U.S. companies,” press release, August 1, 2018,
at https://www.justice.gov/opa/pr/three-members-notorious-
international-cybercrime-group-fin7-custody-role-attacking-over-
100.
2015-2018
Iran
Multiple
SamSam
Conducted ransomware
Department of Justice, “Two Iranian Men Indicted for Deploying
Ransomware
attacks against state and city
Ransomware to Extort Hospitals, Municipalities, and Public
government agencies,
Institutions, Causing Over $30 Mil ion in Losses,” press release,
hospitals, and other victims. November 28, 2018, at https://www.justice.gov/opa/pr/two-
iranian-men-indicted-deploying-ransomware-extort-hospitals-
municipalities-and-public.
2013-2018
Ukraine
Single
Malvertising
Delivered online
Department of Justice, “International ‘Malvertiser’ Extradited from
campaign
advertisements embedded
the Netherlands to Face Hacking Charges in New Jersey,” press
with malware.
release, May 3, 2019, at https://www.justice.gov/opa/pr/
international-malvertiser-extradited-netherlands-face-hacking-
charges-new-jersey.
CRS-17

Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2007-2018
Romania
Single
N/A
Targeted customers of the
Department of Justice, “Leader of International Cyber Fraud Ring
Better Business Bureau, the
Returned to United States to Face Federal Racketeering Charges,”
Internal Revenue Service,
press release, October 9, 2018, at https://www.justice.gov/opa/pr/
the U.S. Tax Court, the
leader-international-cyber-fraud-ring-returned-united-states-face-
National Payrol Records
federal-racketeering.
Center, and others with
phishing and fraudulent
online auctions.
2017
Romania
Multiple
Ransomware
Targeted Metropolitan
Department of Justice, “Two Romanian Suspects Charged with
Police Department
Hacking of Metropolitan Police Department Surveillance Cameras
surveillance cameras and
in Connection with Ransomware Scheme,” press release,
compromised those devices
December 28 2017, at https://www.justice.gov/usao-dc/pr/two-
to distribute ransomware.
romanian-suspects-charged-hacking-metropolitan-police-
department-surveillance-cameras.
2017
Turkey
Single
WireX Botnet
Used the WireX Botnet in a
Department of Justice, “Federal Indictment in Chicago Charges
DDOS attack against a
Turkish National with Directing Cyber Attack on Multinational
hospitality company.
Hospitality Company,” press release, September 29, 2021, at
https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-
charges-turkish-national-directing-cyber-attack.
2016-2017
United
Single
Dark Overlord
Breached the network of a
Department of Justice, “Member of ‘The Dark Overlord’ Hacking
Kingdom
business in St. Louis, MO,
Group Extradited from United Kingdom to Face Charges in St.
stole sensitive data, and
Louis,” press release, December 18, 2019, at
threatened to release it
https://www.justice.gov/opa/pr/member-dark-overlord-hacking-
unless a ransom was paid.
group-extradited-united-kingdom-face-charges-st-louis.
2014-2017
Cyprus
Single
N/A
Hacked into a company’s
Department of Justice, “Two Alleged Criminals – A Hezbol ah
data store, stole sensitive
Associated Narco-Money Launderer and a Computer Hacker –
information, then extorted
Extradited from Cyprus to the United States,” press release, July
the company for a fee to not 18, 2020, at https://www.justice.gov/opa/pr/two-alleged-criminals-
release information. With
hezbol ah-associated-narco-money-launderer-and-computer-
persistent access, charged
hacker.
clients to remove
unfavorable information
from the company’s records.
CRS-18

Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2014-2017
Russia,
Multiple
MethBot
Built a botnet and
Department of Justice, “Two International Cybercriminal Rings
Ukraine, and
maintained infrastructure to
Dismantled and Eight Defendants Indicted for Causing Tens of
Kazakhstan
operate a malvertising
Mil ions of Dol ars in Losses in Digital Advertising Fraud,” press
campaign.
release, November 27, 2018, at https://www.justice.gov/usao-edny/
pr/two-international-cybercriminal-rings-dismantled-and-eight-
defendants-indicted-causing.
2011-2017
China
Multiple
Economic
Targeted firms working on
Department of Justice, “U.S. Charges Three Chinese Hackers
Espionage
satellite, energy, technology,
Who Work at Internet Security Firm for Hacking Three
transportation, and
Corporations for Commercial Advantage,” press release,
economic analysis to steal
November 27, 2017, at https://www.justice.gov/opa/pr/us-charges-
credentials and access
three-chinese-hackers-who-work-internet-security-firm-hacking-
sensitive data.
three-corporations.
2010-2017
Russia
Single
Kelihos Botnet
Stole PII and credentials,
Department of Justice, “Russian National Indicted with Multiple
distributed spam and
Offenses in Connection with Kelihos Botnet,” press release, April
malware, engaged in pump-
21, 2017, at https://www.justice.gov/opa/pr/russian-national-
and-dump stock schemes.
indicted-multiple-offenses-connection-kelihos-botnet.
2010-2017
Russia
Multiple
InFraud
Targeted financial
Department of Justice, “Russian National Pleads Guilty for Role in
Organization
institutions, merchants, and
Transnational Cybercrime Organization Responsible for More
individuals to steal credit
Than $568 Mil ion in Losses,” press release, June 26, 2020, at
cards, PII, identities and
https://www.justice.gov/opa/pr/russian-national-pleads-guilty-role-
engage in other crimes.
transnational-cybercrime-organization-responsible-more.
2015-2016
Russia,
Multiple
GozNym
Stole banking information
Department of Justice, “GozNym Cyber-Criminal Network
Georgia,
Malware
from a paving company, law
Operating out of Europe Targeting American Entities Dismantled
Ukraine,
firms, churches, companies
in International Operation,” press release, May 16, 2019, at
Moldova, and
providing services to
https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-
Bulgaria
disabled individuals, medical
operating-out-europe-targeting-american-entities-dismantled.
equipment distributers,
casinos, and furniture stores.
CRS-19

Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2007-2016
Romania
Multiple
Botnet
Developed malware that
Department of Justice, “Three Romanian Nationals Indicted in $4
spread to more than 60,000
Mil ion Cyber Fraud Scheme That Infected at Least 60,000
computers, creating a botnet Computers and Sent 11 Mil ion Malicious Emails,” press release,
used to mine
December 16, 2016, at https://www.justice.gov/opa/pr/three-
cryptocurrency, send spam
romanian-nationals-indicted-4-mil ion-cyber-fraud-scheme-
email, and steal credentials
infected-least-60000-computers.
and financial information.
2016
Ukraine
Multiple
SEC EDGAR
Infiltrated the SEC EDGAR
Department of Justice, “Two Ukrainian Nationals Indicted in
Compromise
filing system to glean
Computer Hacking and Securities Fraud Scheme Targeting U.S.
nonpublic company
Securities and Exchange Commission,” press release, January 15,
information in order to
2019, at https://www.justice.gov/opa/pr/two-ukrainian-nationals-
trade in company stock
indicted-computer-hacking-and-securities-fraud-scheme-targeting-
based on private
us.
information.
2015
Kosovo
Single
Kosova Hacker’s
Targeted PII of U.S.
Department of Justice, “ISIL-Linked Hacker Arrested in Malaysia
Security
servicemembers and
on U.S. Charges,” press release, October 15, 2015, at
government employees.
https://www.justice.gov/opa/pr/isil-linked-hacker-arrested-malaysia-
us-charges.
2007-2015
Ukraine
Single
Money
Spammed victims,
Department of Justice, “Ukrainian National Extradited from Poland
Laundering
maintained infrastructure to
to Face Charges Related to $10 Mil ion Cyber Money Laundering
perpetuate cybercrimes, and Operation,” press release, December 23, 2015, at
stole money from company
https://www.justice.gov/opa/pr/ukrainian-national-extradited-
bank accounts.
poland-face-charges-related-10-mil ion-cyber-money-laundering.
2012-2014
Romania
Single
Guccifer
Hacked the personal email
Department of Justice, “Romanian National “Guccifer” Extradited
and social media accounts of to Face Hacking Charges,” press release, April 1, 2016, at
high profile individuals and
https://www.justice.gov/opa/pr/romanian-national-guccifer-
released sensitive
extradited-face-hacking-charges.
information.
CRS-20

Incident/
Perpetrator
Single or
Campaign,
Campaign
Country of
Multiple
Incident, or
Year(s)
Residence
Perpetrators
Identifier
Description
Citation
2010-2012
Ukraine/Italy
Single
Zeus Malware
Targeted banks and banking
Department of Justice, “Ukrainian Citizen Sentenced to 41 Months
information for financial
in Prison for Using Army of 13,000 Infected Computers to Loot
theft.
Log-In Credentials, Payment Card Data,” press release, February
16, 2017, at https://www.justice.gov/usao-nj/pr/ukrainian-citizen-
sentenced-41-months-prison-using-army-13000-infected-
computers-loot-log.
2009-2012
China
Single
N/A
Targeted U.S. defense
Department of Justice, “Chinese National Pleads Guilty to
contractors to steal sensitive Conspiring to Hack into U.S. Defense Contractors’ Systems to
military transport design
Steal Sensitive Military Information,” press release, March 23,
data and send the data to
2016, at https://www.justice.gov/opa/pr/chinese-national-pleads-
China.
guilty-conspiring-hack-us-defense-contractors-systems-steal-
sensitive.
2003-2012
Russia
Multiple
N/A
Theft of credit card
Department of Justice, “Russian National Admits Role in Largest
information from payment
Known Data Breach Conspiracy Ever Prosecuted,” press release,
processors, financial
September 15, 2015, at https://www.justice.gov/opa/pr/russian-
institutions, and retailers.
national-admits-role-largest-known-data-breach-conspiracy-ever-
prosecuted.
2012
Iran/Turkey
Single
N/A
Stole intellectual property
Department of Justice, “Man Pleads Guilty to Facilitating
from a Vermont-based
Computer Hacking of Vermont Company,” press release,
defense contractor and
December 2, 2015, at https://www.justice.gov/opa/pr/man-pleads-
engineering firm.
guilty-facilitating-computer-hacking-vermont-company.
Source: CRS analysis.
Notes: Abbreviations and col oquialisms used in this table: the Republic of Bulgaria (Bulgaria); the People’s Republic of China (China); the Republic of Cyprus (Cyprus);
the Electronic Data Gathering, Analysis, and Retrieval system (EDGAR); the Federal Republic of Nigeria (Nigeria); the Islamic Republic of Iran (Iran); the Italian Republic
(Italy); the Republic of Kazakhstan (Kazakhstan); the Republic of Kosovo (Kosovo); the Republic of Moldova (Moldova); personally identifiable information (PII); the
Russian Federation (Russia); the U.S. Securities and Exchange Commission (SEC); the Swiss Confederation (Switzerland); the Republic of Turkey (Turkey); the United
States of America (U.S.A.); and the United Kingdom of Great Britain and Northern Ireland (United Kingdom).

CRS-21

Cybersecurity: Selected Cyberattacks, 2012-2022

Author Information

Chris Jaikaran

Specialist in Cybersecurity Policy

Acknowledgments
Jared Nagel (a former Information Research Specialist with CRS) and Alexandra Kosmidis (a Research Librarian with
CRS) provided research support in identifying cyberattacks.

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material.

Congressional Research Service
R46974 · VERSION 3 · UPDATED
22

Download PDF

Download EPUB

Revision History

Aug. 9, 2023

HTML · PDF

3% changed

Nov. 22, 2021

HTML · PDF

Metadata

Report Type: CRS Report

Source: CRSReports.Congress.gov

Raw Metadata: JSON