China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, Windstream), including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.
- Victim
- U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)
China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations, including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.
- Victim
- Microsoft customers (US State Department, Department of Commerce, ~25 organisations)
Chinese state-attributed operators sat undetected on Starwood's guest reservation database from 2014, surviving Marriott's 2016 acquisition. Disclosed in 2018: 500 million guest records exposed, including 5.25 million unencrypted passport numbers.
- Victim
- Marriott International / Starwood Hotels & Resorts
- Loss
- $200.0M
- Records
- 500.0M
Chinese state-attributed actors exfiltrated personal and outpatient medication records on 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, in Singapore's most serious cyber incident.
- Victim
- Singapore Health Services (SingHealth)
- Loss
- $7.5M
- Records
- 1.5M
Russian GRU Units 26165 (APT28) and 31165 (APT29) compromised the Democratic National Committee, Hillary Clinton campaign, and DCCC. Stolen emails were selectively released via 'DCLeaks', 'Guccifer 2.0', and WikiLeaks to influence the 2016 U.S. presidential election.
- Victim
- Democratic National Committee + Clinton campaign + DCCC
- Loss
- $50.0M
- Records
- 50.0K
Lazarus operators sent fraudulent SWIFT instructions through the New York Fed to wire $951 million out of Bangladesh Bank's reserve account. A typo on one transfer stopped $850M; $81M still escaped to Philippine casinos.
- Victim
- Bangladesh Bank
- Loss
- $81.0M
The Russia-linked Sandworm group used spear-phishing, BlackEnergy3, and KillDisk to remotely flip breakers at three Ukrainian regional electricity distribution companies, cutting power to approximately 230,000 customers for 1 to 6 hours. It is the first publicly acknowledged successful cyberattack on an electric power grid in history.
- Victim
- Ukrainian regional electricity distribution companies (Oblenergos)
Chinese state operators exfiltrated background-investigation forms (SF-86s) for 21.5 million U.S. federal employees and contractors, the most damaging intelligence-loss cyber incident in U.S. government history.
- Victim
- U.S. Office of Personnel Management (OPM)
- Loss
- $350.0M
- Records
- 21.5M
Russian GRU Unit 26165 (APT28 / Fancy Bear) compromised the Bundestag's parliamentary network, exfiltrating ~16 GB of data including emails from Chancellor Merkel's parliamentary office. The breach forced a full rebuild of the Bundestag IT estate.
- Victim
- Deutscher Bundestag (German federal parliament)
- Loss
- $22.0M
Chinese state-attributed actors exfiltrated personal data on 78.8 million current and former Anthem health insurance customers, at the time the largest healthcare-sector breach in U.S. history.
- Victim
- Anthem Inc.
- Loss
- $260.0M
- Records
- 78.8M