Chapter 19 Β· Examples

Real-World Examples

Threat actor cases and exam scenarios.

Example 1: Nation-State β€” SolarWinds Supply Chain Attack (2020)

Cozy Bear (APT29), attributed to Russia's SVR foreign intelligence service, compromised SolarWinds' software build pipeline in 2019. They injected a sophisticated backdoor called SUNBURST into the Orion IT monitoring platform's build process, so that legitimate, digitally-signed software updates distributed SUNBURST to customers.

Approximately 18,000 organizations downloaded the trojanized update, including US Treasury, Department of Homeland Security, the Justice Department, and numerous Fortune 500 companies. The attackers then selectively activated SUNBURST at roughly 100 high-value targets for further exploitation.

The operation went undetected for nine or more months. The attackers used living-off-the-land techniques throughout β€” using legitimate network management traffic as their command-and-control channel, blending their activity into the normal behavior of a network monitoring tool. The intrusion was finally discovered by cybersecurity firm FireEye, which noticed the same techniques being used against its own network.

Lesson: Supply chain attacks let APTs bypass perimeter defenses entirely by entering through trusted, pre-approved, digitally-signed software. Once inside via a trusted vendor, traditional perimeter controls provide no protection. Every third-party software update is a potential attack vector against well-defended targets.

Example 2: Organized Crime β€” Conti Ransomware Operation

Conti was a ransomware-as-a-service operation that ran from approximately 2020 to 2022, earning hundreds of millions of dollars before internal conflicts fractured the group. What distinguished Conti was its organizational structure β€” it operated like a legitimate technology company with an internal org chart, HR functions, developer teams, quality assurance testers, pentesters who conducted actual intrusions, and dedicated negotiators who handled ransom communications.

Conti targeted hospitals during COVID-19 (including Ireland's national health service in 2021, demanding $20 million), local governments, schools, and enterprises. Their double extortion model encrypted data AND threatened to publish sensitive data on their leak site if the ransom wasn't paid β€” giving victims with good backups a second reason to pay.

In 2022, following Conti's public support for Russia's invasion of Ukraine, a member leaked the group's internal chat logs and source code β€” providing an unprecedented view into the internal operations of a major criminal enterprise.

Lesson: Modern criminal groups are professionalized organizations with specialized roles, management hierarchies, and business development strategies. This is not lone hackers β€” it is an industry. Defenses must account for adversaries with professional-grade operational capabilities.

Example 3: Hacktivist β€” Anonymous and Operation Payback (2010)

In December 2010, PayPal, Visa, Mastercard, and other financial institutions froze WikiLeaks' accounts and stopped processing donations after WikiLeaks released classified US diplomatic cables. Anonymous, a loosely organized hacktivist collective, launched Operation Payback in response β€” coordinated distributed denial-of-service attacks that temporarily took down the public websites of PayPal, Visa, and Mastercard.

The operation involved thousands of participants using the Low Orbit Ion Cannon (LOIC) tool to flood targets with traffic. No data was stolen, no systems were permanently compromised, no financial fraud occurred. The goal was pure disruption to make a political point about censorship and free information access. The attacks succeeded in getting global news coverage and demonstrating that digital activism could have real economic impact on major corporations.

Earlier in 2010, during the Arab Spring, Anonymous' Operation Tunisia targeted Tunisian government internet infrastructure to support pro-democracy protesters, defacing government websites and disrupting official online communications.

Lesson: Hacktivists choose targets based on ideology and current political events, not business value or profitable data. Disruption IS the goal, not theft. An organization that becomes politically controversial β€” for any reason β€” can find itself targeted by hacktivist groups regardless of its security posture. DDoS mitigation and public communications planning are the primary defenses.

Example 4: Insider Threat β€” Edward Snowden (2013)

Edward Snowden was an NSA contractor employed by Booz Allen Hamilton with authorized access to highly classified intelligence systems. Over several months in 2013, using his legitimate credentials and trusted position, he exfiltrated an estimated 1.5 million classified documents describing NSA surveillance programs. He then provided this material to journalists, resulting in global reporting on mass surveillance capabilities.

Snowden did not breach any perimeter. He did not exploit vulnerabilities. He did not use malware. He used the credentials and access he legitimately possessed for his job β€” and copied documents that he had authorization to access. Traditional security controls β€” firewalls, intrusion detection, vulnerability scanning β€” were entirely irrelevant.

Post-incident reviews identified multiple detection failures: Snowden requested access to systems outside his normal work scope, made unusual queries for documents about surveillance programs he had no operational need to access, and transferred large volumes of files to removable media. These behavioral anomalies were not detected by automated systems or noticed by supervisors.

Lesson: Insider threats require behavioral monitoring, least-privilege access enforcement, and data loss prevention β€” not perimeter defenses. Authorized access to one system does not justify access to all systems. User and Entity Behavior Analytics (UEBA) that can detect anomalous data access patterns is the primary detection mechanism.

Example 5: Script Kiddie β€” Opportunistic Web Defacement

A teenager using Shodan (a search engine for internet-connected devices) discovered 200 Apache web servers running a version vulnerable to a well-known CVE. The CVE had a public Metasploit module available β€” no custom exploitation required. In an afternoon, using a downloaded tool with minimal configuration, all 200 servers had their home pages replaced with a defacement message.

The attacker had no specific targets in mind β€” they searched for "vulnerable Apache version X" and got 200 results. The victims included a small nonprofit, a local government website, a regional newspaper, and a university project page. None of them were interesting or valuable to the attacker. They were just vulnerable and exposed.

Lesson: Technical skill of the attacker does not determine the impact β€” vulnerability of the target does. Unpatched systems exposed to the internet are at risk from the lowest-skill actors, not just sophisticated ones. Automated scanning tools do not discriminate by industry, size, or importance. Patching and reducing attack surface is the primary defense against opportunistic script kiddie attacks.

Exam Scenario 1

Question: An attacker has been inside a defense contractor's network for 9 months, stealing classified weapons design documents. They use PowerShell for all commands and only exfiltrate data during business hours to blend in with normal traffic. What type of threat actor is this, and what two characteristics identify them?

Answer: Nation-state APT. Characteristics: (1) Long persistence β€” 9 months of undetected access is the defining characteristic of an Advanced Persistent Threat; a criminal ransomware group would have deployed their payload weeks ago. (2) Living-off-the-land with PowerShell β€” using built-in Windows tools to evade signature-based detection is a core APT technique. The targeted data (classified weapons designs, not credit card numbers) and the methodology (staying quiet, not disrupting operations) confirm espionage motivation typical of nation-state actors. This requires a different response than criminal ransomware: longer forensic investigation, FBI involvement, and government coordination.

Exam Scenario 2

Question: A company discovers its website was defaced overnight with political slogans protesting the company's environmental record. Logs show the attack used a known, public exploit against an unpatched CMS plugin. What type of threat actor, and what is the most likely motivation?

Answer: Likely hacktivist β€” ideological motivation (environmental protest). The use of a public, known exploit suggests low-to-medium sophistication β€” not custom tooling, consistent with hacktivist capability. The goal was visibility and embarrassment, not data theft or financial gain; the defacement itself was the attack. The environmental focus confirms ideological motivation. Recommended response: patch the CMS vulnerability immediately, restore the website, review other public-facing systems for similar unpatched vulnerabilities, and assess whether the company is likely to face continued targeting from this group based on its public profile.

Exam Scenario 3

Question: A bank discovers an employee in the wire transfer department has been approving fraudulent transfers to accounts controlled by a criminal syndicate. The employee has no technical hacking skills β€” they just used their normal system access. What threat actor category applies and what control would have been most effective?

Answer: Malicious insider β€” intentional misuse of authorized access for financial gain (whether under coercion or voluntarily participating in fraud). Most effective control: dual-control (four-eyes) authorization requiring two separate employees to independently review and approve large wire transfers. This single control would have prevented or detected the fraud regardless of the employee's authorized access, because no single person could unilaterally approve a fraudulent transfer. Secondary controls: transaction monitoring with alerts for unusual transfer patterns, mandatory vacation policies (which force someone else to cover a role and can expose ongoing fraud), and regular audit of wire transfer activity against business justification.