From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber
As part of its 20th anniversary celebration, Dark Reading looks back on 20 of the biggest newsmaking events from the past two decades that influenced the risk landscape for today's cybersecurity teams.
Since 2006, Dark Reading has been at the forefront of covering cybersecurity, providing deep insights and analysis beyond the headlines. All those major news events? We were there. Shifts in technology trends? We wrote about them. Enjoy this special anniversary coverage celebrating where we've been and what's next.
Dark Reading Editorial Team
May 6, 2026
31 Min Read
Over the past two decades, cyber has evolved into a board-level business risk, with early Internet worms and endpoint viruses giving way to industrial-grade operations that can disrupt hospitals, utilities, and supply chains, erode public trust, and rattle markets. The lesson for security leaders is straightforward: in a hyperconnected enterprise, the blast radius is no longer just digital, it’s operational and strategic.
As part of Dark Reading's 20th anniversary celebration, our staff takes a look back at the biggest cyber moments in the past two decades that have rewritten the playbook for security teams and changed the face of how we perceive cybersecurity threats and defense strategies. We revisit the impact of WannaCry and NotPetya, the SolarWinds compromise, Colonial Pipeline, the rise of Anonymous, the birth of ChatGPT, and much more.
As we examine these 20 defining moments, we also consider their present-day ramifications, and their legacy can’t be overstated. Liability concerns now abound, with disclosure rules, critical infrastructure directives, and sector-specific obligations raising the stakes for chief information security officers (CISOs) and boards. Attacker automation (including with AI) and supercharged exploit pipelines are compressing defenders' response windows. There's also been a steady rise of intrusions that degrade operations and safety, not just data; and ransomware has become a core operations risk. And meanwhile, supply chain vectors and identity abuse now challenge the limits of how attackers can reach their victims, especially in the age of agentic AI and non-human identities.
Join us as we revisit a few major catalysts for these evolutions, gleaned from Dark Reading's 20 years of comprehensive industry coverage.
Click here for all of our DR20 content, which will be rolling out across the month of May. Keep checking back for new items!
Stuxnet Sabotages Centrifuges and the 'Air Gap'
The discovery in July 2010 of what was believed to be the first known kinetic cyberattack on industrial systems and processes served as a massive klaxon of warning to critical infrastructure and operational-technology (OT) network operators worldwide.
Stuxnet targeted the secretive Natanz nuclear facility in Iran, forcing thousands of centrifuges used to enrich uranium to spin wildly out of control and fail. The attack also shattered the illusion that logically separating IT and OT networks — known as air gapping — kept industrial plants and their processes immune from cyberattacks.
The complex worm malware carried four zero-day exploits and traveled to the plant's Windows-based machines via USB devices that were somehow plugged into plant machines. Stuxnet infected machines running Siemens SIMATIC Step 7 or Siemens SIMATIC WinCC industrial control system (ICS) software, which communicated with the programmable logic controllers (PLCs) that operated the centrifuges used for enriching uranium. The attack, reportedly the handiwork of US and Israeli nation-state hackers, demonstrated next-level cyber capabilities.
Ralph Logan, an ICS security expert who studied Stuxnet while at The Honeynet Project, says it was Stuxnet's stunning "precision" that gave him and his team pause. "This wasn't crude destruction; it was engineered sabotage designed to appear as mechanical failure," Logan recalls. "That precision signaled something we understood immediately: this represented a doctrine shift, not just an attack. A nation-state had demonstrated that critical infrastructure could be targeted with surgical accuracy and … it worked."
Stuxnet's story didn't end there. Three years later, researchers at Symantec found what they described as a precursor to Stuxnet, aka Stuxnet 0.5, malware dating back to 2005 that targeted Siemens 417 PLCs to sabotage the valves that fed uranium hexafluoride gas into the uranium enrichment centrifuges. And just last month, SentinelOne researchers cited a cyber weapon that predates Stuxnet's discovery. The malware framework, tracked as fast16, could sabotage systems by injecting stealthy errors into their mathematical computations.
Anonymous, LulzSec Hacking Sprees Put Cybersecurity Teams on Notice
When Anonymous and LulzSec emerged in the mid-2000s to usher in the era of "hacktivist" and nuisance-related messaging campaigns, they lit a fire under security teams in both the private and public sectors and represented an important new wrinkle in the cyber-risk landscape. While their exploits now seem like quaint relics of a bygone era, given they've been largely replaced by ransomware gangs, extortion groups, and nation-state advanced persistent threat (APT) actors, it's important to remember that the likes of Scattered Spider and ShinyHunters probably wouldn't exist without these two pioneering the idea of a hacking collective.
Anonymous emerged in the mid-2000s and members, with their notorious Guy Fawkes masks, began their hacking activity in earnest in 2008 with simple distributed denial of service (DDoS) attacks against the controversial Church of Scientology. Later, they mounted attacks in support of WikiLeaks, the Pirate Bay, and other causes before graduating to data breaches and leaks, where they breached San Francisco's Bay Area Rapid Transit (BART) system as well as government websites and agencies in China and Syria, among others. As the 2010s progressed, the group shifted to more politically motivated hacks before its activity waned.
LulzSec, on the other hand, was short-lived by comparison. The rival group launched in 2011, ostensibly to spotlight porous cybersecurity defenses of major organizations. However, the group would admit from time to time that the hacking was largely for members' own amusement or "the lulz." Its exploits include hack-and-leak attacks against Fox News, PBS, and Sony Pictures (no, not that one). The group also compromised senate.gov, the website for the US Senate, leaking usernames and passwords. The group, which disbanded later that year, was viewed as a "grey hat" hacktivist operation, but US authorities didn't see it that way. The FBI labeled LulzSec as an "international cyber criminal group" and arrested several members, including Hector "Sabu" Monsegur.
And instead of website hacks and DDoS attacks, today's hacker collectives, like "The Com," are conducting devastating, financially motivated cyberattacks against a wide range of organizations. But it all started with Anonymous and LulzSec.
Theft of RSA's SecurID Seed Changes 2-Factor Authentication
Attackers, widely believed to be a Chinese advanced persistent threat (APT) group, launched a multipronged campaign in 2011 against RSA Security that included spear-phishing emails, malicious Flash code embedded in Excel spreadsheets, and multistage malware. The attackers successfully stole the seed information for RSA SecurID tokens, essentially rendering all existing tokens useless.
Up until this incident, RSA SecurID was considered the gold standard for two-factor authentication (2FA). The tokens generated one-time passwords (OTPs) that expired after 30 to 60 seconds (depending on their configuration), making it difficult for attackers to log in even if they had valid credentials. By stealing the seed information — the cryptographic keys used to generate the OTPs — the attackers could predict future codes for compromised tokens, requiring organizations to replace them all. The threat was not theoretical: stolen seed data was used in an attack against Lockheed Martin a few months later.
This incident was one of the earliest supply chain attacks involving security vendors, in which compromising a single vendor made it possible to compromise downstream customers. Targeting security vendors to compromise downstream customers is an attack method that is still successful, as amply illustrated by the Okta breach in 2023, or Salesforce customers being compromised after attackers stole OAuth tokens.
In this case, the US defense contractor successfully blocked the attack and later shared its Cyber Kill Chain framework, a process that tracks an intruder's movements and throws up barriers each time the attacker attempts to siphon data from the network. The Kill Chain was one of the earliest examples of a cybersecurity playbook that focuses on stopping attackers who get inside from taking anything with them on the way out, rather than on keeping attackers out.
The incident also accelerated significant shifts in authentication, such as a growing focus on risk-based authentication, the adoption of FIDO standards and hardware security keys, and the development of mobile-based authenticators such as Google Authenticator and Microsoft Authenticator. That shift is still ongoing, especially with the push for passwordless authentication.
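To make concrete the point above that the seed is the whole secret behind a hardware token, here is an added example (not code from the article, from RSA, or from Lockheed Martin; SecurID's own algorithm is proprietary, so the standard RFC 4226/6238 HOTP/TOTP construction stands in for it). The seed bytes, the 60-second step and the timestamps are constructed for the demonstration.

```python
"""Why a stolen OTP seed is a full token compromise (RFC 4226 HOTP / RFC 6238 TOTP).

Added illustration, not the article's or RSA's code: SecurID's algorithm is
proprietary, so the open HOTP/TOTP construction is used to show the same
principle, namely that the only secret in the scheme is the seed.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the clock divided into `step`-second slots
    (60 s here, matching the token lifetime the article describes)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 60, digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` slots of clock drift.

    Every slot in the window is compared (no early return) with a
    constant-time comparison, so timing does not reveal which slot matched.
    """
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        ok |= hmac.compare_digest(hotp(seed, counter + delta, digits), candidate)
    return ok


def seed_compromise_demo(now: int = 1_700_000_000) -> dict:
    """Walk through the article's scenario with a constructed seed.

    1. token and server share a seed, so their codes agree;
    2. a copy of that seed (the stolen seed records) yields identical codes for
       any future time, so the second factor no longer adds anything;
    3. re-issuing a fresh seed, i.e. replacing the tokens, makes the copy worthless.
    """
    # constructed 20-byte seed for illustration only (ASCII "12345678901234567890")
    token_seed = bytes.fromhex("3132333435363738393031323334353637383930")
    server_seed = token_seed   # copy provisioned on the authentication server
    stolen_copy = token_seed   # what whoever holds the seed database also holds

    future = now + 30 * 24 * 3600   # a month ahead: the seed alone is enough
    results = {
        "token_and_server_agree": verify_totp(server_seed, totp(token_seed, now), now),
        "stolen_seed_predicts_future": totp(stolen_copy, future) == totp(token_seed, future),
    }

    # The mitigation the article describes: replace every affected token,
    # which in cryptographic terms means every seed.
    new_seed = secrets.token_bytes(20)
    results["old_seed_rejected_after_rotation"] = not verify_totp(
        new_seed, totp(stolen_copy, future), future)
    return results
```

The constructed seed is the RFC 4226/6238 test-vector key, so the codes it produces can be checked against the published vectors (counter 0 gives 755224; 8-digit TOTP at T=59 with a 30-second step gives 94287082).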
Shamoon's Digital Scorched-Earth Attack on Saudi Aramco
The Shamoon wiper attack on Saudi Aramco in August 2012, which destroyed more than 30,000 computers, was one of the most destructive cyberattacks ever seen at that time. The malware wiped the hard drives and corrupted the master boot record, rendering three-quarters of the oil giant’s corporate PCs unusable. This was one of the first major uses of wiper malware.
Similar to what happened with Colonial Pipeline's 2021 ransomware incident, Shamoon did not hit Saudi Aramco’s production systems or pipeline operations; the damage was entirely to business systems, but the impact was still widespread.
The actors behind the Shamoon attack weren't interested in espionage or data theft — they wanted pure digital destruction. And like the modern scourge of ransomware, the Shamoon attack crossed from the digital realm to impact the physical world. The machines were physically destroyed, and employees had to switch to typewriters and fax machines to keep working. A consultant who worked on the company’s recovery said buying up 50,000 hard drives all at once temporarily drove up prices and halted shipments to other buyers around the world. And also like ransomware, the malware used in the Shamoon attacks was not designed to evade detection or to stay stealthy in order to maintain persistence. It was designed for maximum disruption.
While less sophisticated than Stuxnet, it had a bigger blast radius because it affected business operations. The Shamoon attack underscored the importance of cybersecurity in maintaining business continuity. Afterward, there was a focus on resiliency planning and on improving backup and recovery capabilities so that, even under attack, the organization can continue to function. It also drove massive investments in cybersecurity across the energy sector and the development of sector-specific cybersecurity frameworks and regulations. Energy companies also established information-sharing networks to exchange threat intelligence. And a good thing too: the later Shamoon 2 and Shamoon 3 attacks demonstrated that these types of attacks are not one-off incidents; threat actors continually evolve and return with improved capabilities.
Twitter Hoax Triggers Stock Market Crash
In April 2013, US stock markets took a sudden, massive plunge that erased hundreds of billions in value. Thankfully, the crash was only temporary, but it was notably caused by a single tweet from the Associated Press's verified Twitter account: "Breaking: Two Explosions in the White House and Barack Obama is injured."
What was quickly revealed just minutes later through follow-up tweets from the AP was that the report was a hoax, and the news outlet's Twitter account had been compromised. The "Hack Crash," as some called it, didn't last long, but the high-profile incident did provide some important insights about the future of cybersecurity and technology at large.
First, the market crash was largely driven by "so-called algorithms," according to The Wall Street Journal, which powered high-frequency trading platforms that make automated trades based on news headlines. The attack offered a glimpse of what was to come about a decade later with the advent of large-language models (LLMs) and agentic AI, and risks of giving such technology autonomy.
Second, the attack sparked an urgent call to offer and implement multifactor authentication, which would become a very familiar pattern in the intervening years. At the time of the attack, Twitter did not offer two-factor authentication (2FA) protection for accounts, but the social media company added it about a month later.
And finally, the attack showed how a small amount of disinformation or "fake news" could have a major impact. The Twitter hack was executed by the Syrian Electronic Army (SEA), a hacktivist organization that first emerged in 2011 to support former Syrian president Bashar al-Assad. The group would commit several notable hacks, including the defacement of the US Marine Corps website as well as The New York Times and Huffington Post sites. The group's activity declined in later years, and al-Assad was pushed out of power in 2024, but the AP hoax tweet had a long-lasting impact on cybersecurity.
Target, Home Depot Breaches Spark Retail Industry Focus on Supply Chain Security
Target suffered a monumental data breach in December 2013 that affected more than 110 million individuals. Threat actors initially compromised a small Pennsylvania-based third-party HVAC vendor, and stole the credentials the provider used to access Target's network. The attackers then moved laterally through Target’s network and breached point-of-sale (PoS) systems to steal payment card information. While the initial breach disclosure focused on stolen payment card data, Target said further investigation found that names, mailing addresses, phone numbers, and email addresses had also been stolen.
In a moment of cybersecurity déjà vu, attackers successfully stole credentials from another third-party vendor and reached Home Depot’s network less than one year later. Both incidents used BlackPOS malware to harvest and exfiltrate payment card information, suggesting that the same group was behind both attacks. With 2014 informally dubbed The Year Of The Retailer Data Breach (Neiman Marcus and Michaels were among the many, many retailers compromised that year), there was a push across the industry to bolster security protocols for payment card data.
The Payment Card Industry Data Security Standard (PCI DSS) was released in the wake of it all, with updated requirements regarding education and awareness, weak passwords and authentication, third-party security challenges, slow self-detection and malware, and inconsistent assessments in the retail sector. The industry also prioritized the shift to EMV, or chip-based cards.
The Target breach was the first major incident caused by a supplier compromise. The idea that attackers would piggyback on third-party partners and vendors to compromise larger companies is now a well-recognized risk, but it wasn't widely acknowledged back in 2014. Among many other impacts, the spate of retail breaches underscored the importance of focusing on the supply chain ecosystem and using vendor questionnaires and assessments to ensure third-party partners are implementing strong security measures to protect data and networks.
North Korea's Sony Pictures Hack Offers Real-World Consequences
One of the most infamous cybersecurity incidents of the past 20 years is also one of the most absurd. Nation-state hackers infiltrated the network of a major Hollywood studio to protest — and eventually impede — the release of an upcoming film.
On Nov. 24, 2014, Sony Pictures Entertainment's network suddenly went down. A threat group calling itself "Guardians of Peace" had deployed wiper malware across the studio's infrastructure — but not before exfiltrating reams of confidential data, including corporate emails, salary information, screenplays, and copies of unreleased films.
Over the next two weeks, as Sony Pictures attempted to rebuild its network and authorities investigated the attack, the Guardians of Peace published several batches of stolen data, most notably the private communications of several executive team members and Hollywood stars. In fact, the leaked emails led to the resignation of Amy Pascal, famed Sony Pictures executive and Hollywood producer.
Then, the situation became even more serious when the Guardians of Peace threatened terrorist attacks against theaters showing the soon-to-be-released comedy The Interview, starring James Franco and Seth Rogen. The movie is about two journalists who score an interview with North Korean leader Kim Jong Un and are tasked by the CIA to assassinate him (which they eventually do in a controversial scene).
Sony Pictures opted to cancel the film's theatrical release, moving it to streaming platforms such as YouTube. Several cybersecurity firms attributed the attack to nation-state actors tied to the Democratic People's Republic of Korea (DPRK), specifically those aligned with the notorious APT known as Lazarus Group. Years later, the US government charged North Korean national Park Jin Hyok, who was also tied to infamous WannaCry ransomware attacks, with participating in the Sony hack.
While some are still skeptical that the DPRK was behind it, there's no question the attack changed the threat landscape and showed how malicious activity in cyberspace could have potentially terrifying, real-world impacts.
Yahoo: World’s Largest Data Breach Also Derails a Major M&A Plan
Nearly 10 years ago, Yahoo discovered a series of data breaches that impacted roughly 3.5 billion people. Between 2013 and 2014, attackers exposed personally identifiable information (PII) such as names, email addresses, phone numbers, security questions, hashed passwords, and dates of birth for the tech pioneer's user base.
The threat actors, identified as Russian state-sponsored groups, were able to exploit avoidable vulnerabilities in Yahoo's systems such as weak encryption methods, and used forged cookies and malicious scripts to gain unauthorized access.
The breaches ultimately had a catastrophic impact on the company and its users once they came to light in 2015. The company faced criticism from regulatory bodies like the SEC and was fined $35 million for failing to inform its users sooner. It also dealt with a damaged reputation and a diminished acquisition valuation of just $4.48 billion when it was picked off by Verizon in 2017 — just 10 years earlier, in 2008, the company had rejected Microsoft's $44.6 billion offer.
And, perhaps because of the delay in informing its users, individuals found themselves facing phishing attacks and identity theft risks from attackers because of their compromised information.
Even today, the breach takes first place as the largest in history and underscores the importance of maintaining a basic security posture, proper disclosure practices, and routine cybersecurity checkups, leaving a stark reminder of the real-world business fallout that can happen when the worst does actually happen.
When Nation-States Come Knocking: The OPM Breach
The 2015 data breach at the Office of Personnel Management (OPM), in which personal data of approximately 21.5 million current and former US government employees was stolen, ushered in a golden age of nation-state actors conducting cyber-espionage operations. Along with federal employees across virtually every government agency and individuals with security clearances, the victim pool included family members and colleagues who had been listed in background checks.
The stolen data included complete life histories; detailed financial information (including debt and bankruptcy filings); mental health records (including information about substance abuse); information about family members, friends, neighbors, associates, and references; full employment history; and current and past addresses. The breach also included 5.6 million fingerprints, making it one of the first major thefts of biometric data.
Because the breach was widely attributed to Chinese state-sponsored actors, the prevailing theory was that the Chinese government could create comprehensive psychological and personal profiles of individuals with access to classified information within the US government, and perhaps identify people in sensitive roles who may be vulnerable to blackmail. It could also potentially be used to unmask undercover intelligence agents and operatives, the theory went.
There were indicators that the same group — or another group also affiliated with the Chinese government — targeted United Airlines a few months later to steal travel information. The information could be combined with personnel data to create even more detailed profiles of US government workers, which could then be used to blackmail officials with security clearances or to recruit informants working in sensitive roles.
After the breach, several federal agencies initiated modernization efforts to improve cybersecurity, adopted zero-trust architectures, and developed new security protocols and standards — major initiatives for a notoriously slow-moving sector. One thing to remember is that the data is still out there, so whoever stole it could still use it for malicious purposes.
ShadowBrokers Leaks NSA Tooling & EternalBlue Costs Orgs Billions
For a months-long stretch in 2016 and 2017, a group calling itself the “ShadowBrokers” publicly released waves of data allegedly heisted from the Equation Group, rumored to be the cyber hacking arm of the US National Security Agency (NSA). Among the ill-gotten goods was the NSA exploit EternalBlue, which leverages a critical vulnerability in Microsoft’s legacy SMBv1 protocol tracked as CVE-2017-0144, to allow self-replication and lateral movement in older Windows systems.
In the wake of the disclosures (and an auction, and the “exploit wine club”), EternalBlue cropped up at the heart of two major cyberattack waves: WannaCry and NotPetya. And it lingered on for years as organizations failed to patch the bug and shore up their older Windows SMB instances.
WannaCry was a ransomware worm that spread around the globe unchecked until Marcus Hutchins (malware zero or security hero, depending on who you ask) famously created a kill switch for it; victims included the National Health Service in the United Kingdom, Renault-Nissan, and FedEx; in all, the clean-up costs topped $8 billion, according to one estimate.
But WannaCry was trumped by NotPetya, a rapid and destructive worming campaign architected by Russia’s intelligence services to destroy data and throw critical systems offline, which was aimed at businesses in Ukraine and in more than 60 allied countries. Victims included the shipping giant Maersk and Oreo-maker Mondelez.
"NotPetya changed the world's perception of destructive cyberattacks and is one of the only cyber activities that is considered to be an act of war," Charles Carmakal, senior vice president and CTO at Mandiant told Dark Reading at the time. And in a February 2018 statement, the White House called the NotPetya outbreak the "most destructive and costliest cyberattack in history.”
Ten years later, EternalBlue remains burned in security teams’ minds as a major patch-process failure, even if the Russian-speaking ShadowBrokers largely faded from relevance. After all, the March 14, 2017, Patch Tuesday update would have saved organizations from the May 12 cyberattack (WannaCry).
GDPR Pioneers Privacy as a Human Right in the Digital Age
The idea that personal data is a valuable commodity seems obvious now, but it hasn't always been perceived that way. Personal data stolen through data breaches has flooded criminal forums and underground markets, and companies would like to collect every scrap of information about people’s online activities without explaining how they use it. People began to realize just how much of their own information was beyond their control in the late 2010s, prompting the European Union (EU) to pass the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018.
The GDPR gives individuals the right to opt out of having their information collected, to find out what information companies have about them, and to have their personal data deleted on demand. It also changes how consent is obtained. And to cap it all, there are actual financial penalties for not complying with the privacy rules.
GDPR applies not only to EU-based organizations but also to any company worldwide that handles the personal data of EU residents. Businesses around the world must comply if they want to keep their European customers, making GDPR a global benchmark. It also inspired similar legislation worldwide, giving individuals meaningful control over how their information is collected, used, and shared. For example, the California Consumer Privacy Act (CCPA), passed shortly afterward, gives consumers the right to demand that companies erase all data they had collected about them.
Today, privacy legislation is still evolving — 20 states in the US have some kind of privacy law on the books, and Congress is considering a new bill that may preempt some of those state-level rules. GDPR isn't important because it's the law; it's important because it illustrates that privacy is a human right in the digital age, and that protections need to adapt as technology and business practices evolve.
Olympic Destroyer Plants a False Flag — and Attribution Doubt
Cyberattacks targeting major sporting events are nothing new, but few have managed to successfully disrupt operations at a Super Bowl, World Cup, or Olympics – with one exception: Olympic Destroyer, a malware that changed the attribution game forever.
During the opening ceremony for the 2018 Winter Olympics in Pyeongchang, South Korea, nation-state hackers wielded the Olympic Destroyer malware to temporarily disable Wi-Fi networks, monitors, and the Olympics website, so that ticket holders couldn’t print their passes. It also caused outages at nearby ski resorts, disabling gates and lifts. While a master-class-level incident-response playbook allowed event organizers to stop the attack in its tracks, it remains notable for exposing a nastier side of disruptive nation-state activity, and lays claim to being one of the first big false-flag efforts seen in the wild.
Initially, the attack appeared to be the work of the Lazarus Group, the infamous North Korean advanced persistent threat (APT), given the use of many of the group’s recognizable hallmarks. But closer inspection revealed that sophisticated attackers had merely created a convincing forgery of malware associated with Lazarus Group; lurking behind that were several of the tactics, techniques, and procedures (TTPs) normally associated with Russia’s APT28 (aka Sofacy and Fancy Bear).
The situation ushered in an era of camouflage that has made attribution a much more complex endeavor than it ever was before.
"To say the waters are muddied would be such an understatement," Vikram Thakur, senior manager on Symantec's security response team at the time, told Dark Reading in 2018. In a moment of prescience, he added, "We think the future is going to get even more complicated with actors relying more and more on false flags, in some cases, throwing another group [under] the bus from an attribution standpoint."
The SWIFT Banking Caper Robs Bangladesh Central Bank
In 2018, hackers from North Korea robbed $81 million from Bangladesh’s national bank (BB) using laser-focused malware written specifically for that particular bank’s environment.
Using stolen credentials for the payment-approval mechanisms at the bank, the attackers managed to move money out of the bank using the SWIFT interbank messaging system, by bombarding other banks with dozens of requests to move money from the Bangladesh Bank's accounts to entities in the Philippines and Sri Lanka.
The malware (a variant of which also turned up at a second bank weeks later) was built to make the system blind and hide the traces of fraudulent payments. It manipulated records of account balances, monitored all the messages sent via SWIFT, sent doctored copies of wire transfers to printers, and then deleted transfer records. For its part, SWIFT denied it was at any fault, despite Bangladeshi police alleging "seriously deficient" security on the part of the system — but it did set up a cybersecurity task force in the wake of the attack.
Losing $81 million is pretty bad, but things could have been worse: $850 to $870 million in other attempted transactions were stopped after a typo on the part of the hackers triggered a second-channel approval request from Deutsche Bank. As such, the event serves as a watershed moment for the trust-but-verify security practice later held up as the best way to thwart business email compromise (BEC) efforts: Pick up the phone and make a confirmation call before approving big money transfers.
Cyber's SolarWinds Gut Punch
It was just supposed to be a routine software update to SolarWinds software called Orion, but instead, the download spread a piece of malware called “Sunburst” dropped by Russian Foreign Intelligence Service hackers.
In all, the September 2019 update delivered the malware to more than 18,000 SolarWinds customers, including highly sensitive government agencies like the Departments of the Treasury and Homeland Security, leaving the Russians with a secret backdoor to compromise organizations at their leisure.
Panic quickly spread, particularly throughout the US government.
Worse yet, despite the malware sitting on systems since late 2019, the campaign wasn't discovered until March 2020, setting off a firestorm of Congressional hearings, Executive Orders, and aggressive crisis PR efforts, and even landing SolarWinds chief information security officer (CISO) Tim Brown personally in the crosshairs of the SEC.
For its part, SolarWinds stood firmly behind Brown and vigorously defended him and the company against proposed enforcement action from the Securities and Exchange Commission (SEC). The SEC accused Brown of fraudulently claiming the organization had controls in place, when in reality, investigators said, no controls were there.
Even impacted SolarWinds customers were fined millions by the SEC (the largest fine hit $4 million) for intentionally trying to minimize the impact of the breach in their public disclosures.
The company and Brown were ultimately vindicated in court, much to the relief of CISOs everywhere concerned they too could be held personally liable for a breach of their organization. By February 2025, SolarWinds had been taken private for $4.4 billion, well out of reach of SEC regulators.
In the six years since the incident, the cybersecurity sector has gained a far more nuanced understanding of how software supply chains can present hidden attack vectors, and how to harden systems against increasingly sophisticated nation-state actors. Importantly, the incident provided a model for how organizations can weather massive fallout after compromise that lands them in international headlines, and make it to the other side of controversy intact.
SolarWinds was a gut punch to the cybersecurity sector, but the hard lessons learned will continue to prompt questions of liability for defenders and CISOs for decades to come.
Healthcare Ransomware Starts Impacting Patient Safety
Hospitals and healthcare firms remain one of the primary targets of ransomware attacks today, and with that comes the cruelty of patient lives being threatened. One of the first examples of this was when a woman died in Germany en route to a hospital, because she was redirected after the hospital she was supposed to go to suffered a ransomware attack.
It's an example of how ransomware grew more severe in the early 2020s, thanks to the rise of double extortion attacks and threat actors wising up to the fact that critical infrastructure, schools, and healthcare organizations are more likely to pay up due to the nature of their business. There was some indication as COVID-19 ramped up that some threat actors would refrain from attacking hospitals, but such attacker commitments didn't last long.
Although the ransomware landscape has recently grown more complex as organizations get better at responding to attacks and extortion-free data theft has become more in vogue, the rise of ransomware from "something mostly tech people care about" to "one of the most significant business concerns of our time" is difficult to overstate, and its impact on healthcare is a bellwether for the transformation.
It continues today. For instance, in 2024, pharmacy technology services provider Change Healthcare experienced a cyberattack that disrupted the healthcare supply chain for weeks, causing widespread delays for patients that needed prescription refills. Change Healthcare reportedly paid a $22 million Bitcoin ransom to the BlackCat ransomware gang. And as one of its core plotlines this season, television show The Pitt recently portrayed a cyberattack experienced by a neighboring hospital; the show emphasized its impact on doctors and patients alike.
Log4Shell Exposes the Dangers Lurking in Open Source Software
Log4j, a foundational Java-based logging library used by hundreds of millions of devices and applications, is at the root of "Log4Shell," a remote code execution vulnerability in the library (CVE-2021-44228) that carried a massive impact. The flaw was publicly disclosed on Dec. 9, 2021, and multiple proof-of-concept exploits (PoCs) began circulating within hours. Just a few weeks later, ransomware groups and nation-state actors were actively exploiting the flaw.
Log4Shell was trivial to exploit, as an attack could be as simple as dropping a single line of malicious input into form fields, HTTP headers, or any other value that ended up being logged. Attackers could gain complete control of vulnerable systems to install malware or backdoors, steal sensitive data, establish persistent access, and pivot to other systems within the network. Practically everything was affected: enterprise applications such as SAP and Oracle; cloud services such as Amazon Web Services, Microsoft Azure, and Google Cloud; and devices including embedded systems, consumer devices, industrial control systems, and networking infrastructure.
Unfortunately, remediation was hard because many organizations didn't even know whether the Java library was present anywhere in their environment.
There are many wake-up calls in cybersecurity, and Log4Shell was one for software supply chain security, notably for open source components. Just as the Heartbleed vulnerability in OpenSSL back in 2014 highlighted the important role open source software plays in critical Internet infrastructure, Log4Shell illustrated the prevalence of open source libraries in network and application stacks. Managing the software supply chain is more than just knowing which dependencies were being used; it also means knowing which frameworks and libraries each named dependency uses. Trying to patch Log4j underscored the necessity of a software bill of materials (SBOM), and there is now a greater focus on software composition analysis and growing investment in dependency management.
Even five years later, many systems — especially legacy applications — still have the vulnerable Log4j version. That’s technical debt for you.
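The transitive-dependency problem the paragraphs above describe, as an added example that is not code from Dark Reading or the Apache Log4j project: it walks a constructed CycloneDX-style SBOM and reports every dependency path that ends at a log4j-core build older than an assumed first-fixed release (FIRST_FIXED_LOG4J_CORE, set here to 2.15.0 as a placeholder to confirm against the Apache advisory). Every component name other than the Log4j artifacts is made up, and the SBOM deliberately pulls log4j-core in twice, once directly at a fixed version and once through a transitive path at a vulnerable one, which is exactly the case a flat dependency list misses.

```python
"""Walk a CycloneDX-style SBOM and list each dependency path that reaches a
vulnerable log4j-core build. Added example; not Dark Reading's or Apache's code."""
import json
import re
from typing import Dict, List, Tuple

# Assumption: first log4j-core release that removed the CVE-2021-44228 lookup.
# Placeholder to be confirmed against the Apache Log4j security advisory.
FIRST_FIXED_LOG4J_CORE = "2.15.0"

# Constructed sample SBOM in CycloneDX JSON shape. Only the Log4j artifacts are
# real; "billing-app" and "legacy-report-lib" are made-up component names.
SAMPLE_SBOM = json.loads("""
{
  "components": [
    {"bom-ref": "pkg:maven/com.example/billing-app@3.2.0",
     "group": "com.example", "name": "billing-app", "version": "3.2.0"},
    {"bom-ref": "pkg:maven/com.example/legacy-report-lib@1.4.1",
     "group": "com.example", "name": "legacy-report-lib", "version": "1.4.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.example/billing-app@3.2.0",
     "dependsOn": ["pkg:maven/com.example/legacy-report-lib@1.4.1",
                   "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"]},
    {"ref": "pkg:maven/com.example/legacy-report-lib@1.4.1",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                   "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]}
  ]
}
""")


def parse_version(v: str) -> Tuple[int, int, int, int, str]:
    """Turn a Maven-style version ('2.0-beta9', '2.14.1') into a sortable tuple.
    A pre-release qualifier sorts below the final release of the same number;
    qualifiers themselves are compared only lexically, which is good enough here."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]([A-Za-z]+\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor or 0), int(patch or 0),
            0 if qualifier else 1, qualifier or "")


def is_vulnerable_version(version: str, first_fixed: str = FIRST_FIXED_LOG4J_CORE) -> bool:
    """True when the build predates the first fixed release."""
    return parse_version(version) < parse_version(first_fixed)


def vulnerable_paths(sbom: dict, group: str, name: str,
                     first_fixed: str = FIRST_FIXED_LOG4J_CORE) -> List[List[str]]:
    """Return every root-to-leaf path (as bom-refs) ending at a vulnerable build
    of the given artifact, so the owning top-level dependency is visible."""
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges: Dict[str, List[str]] = {
        d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    # Roots are components nothing else depends on (normally the application).
    depended_on = {child for kids in edges.values() for child in kids}
    roots = [ref for ref in components if ref not in depended_on]
    findings: List[List[str]] = []

    def walk(ref: str, path: List[str]) -> None:
        current = path + [ref]
        comp = components.get(ref, {})
        if (comp.get("group") == group and comp.get("name") == name
                and is_vulnerable_version(comp["version"], first_fixed)):
            findings.append(current)
        for child in edges.get(ref, []):
            if child in current:  # guard against cyclic dependency graphs
                continue
            walk(child, current)

    for root in roots:
        walk(root, [])
    return findings


def label(sbom: dict, ref: str) -> str:
    """Short 'name@version' label for a bom-ref."""
    comp = next(c for c in sbom["components"] if c["bom-ref"] == ref)
    return f'{comp["name"]}@{comp["version"]}'


if __name__ == "__main__":
    hits = vulnerable_paths(SAMPLE_SBOM, "org.apache.logging.log4j", "log4j-core")
    for path in hits:
        print("vulnerable log4j-core reached via:",
              " -> ".join(label(SAMPLE_SBOM, r) for r in path))
```

Run against the sample, the walker reports a single path, billing-app -> legacy-report-lib -> log4j-core@2.14.1, and stays silent about the directly declared 2.17.1 build and about log4j-api, which shares the vulnerable version number but is a different artifact. Reporting the full path rather than just the leaf is the point: the fix is an upgrade or exclusion on legacy-report-lib, not on the application's own declared dependency.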
Colonial Pipeline: The Wake-Up Call to Secure US Critical Infrastructure
The country was still in the throes of the COVID-19 pandemic when Colonial Pipeline was hit with a massive ransomware attack on May 7, 2021, which led to a history-making shutdown of a major oil and gas pipeline connecting Houston to northern New Jersey.
Critical infrastructure had officially emerged as a target for hackers-for-hire like DarkSide, the group behind the Colonial Pipeline ransomware attack. A frightening worst case had emerged: if a rogue group of cybercriminals could shut down a crucial oil artery in the US, how long until a national adversary reached into the country's other critical infrastructure from overseas to cause widespread damage?
Adding insult to injury, the Colonial Pipeline cyberattack was painfully straightforward: the Russian-language DarkSide gang was able to get its hands on a single password to a long-forgotten VPN account without multifactor authentication (MFA) protection, giving it easy access to Colonial's IT environment. The pipeline was forced to shut down as a result of the breach.
While fuel shortages and price hikes mounted across the East Coast, the group demanded a $4.4 million payout in bitcoin. Colonial Pipeline ultimately decided to make the ransomware payment to get systems back up and running, a hotly debated move at the time. Giving millions to criminals is both morally reprehensible and only encourages more bad behavior, critics said, while on the other side, the practical implications of long-term fuel shortages made the price seem like a reasonable bargain to many.
"I know that's a highly controversial decision," Colonial Pipeline's CEO Joseph Blount said at the time. "I didn’t make it lightly. I will admit that I wasn't comfortable seeing money go out the door to people like this."
By June 7, the FBI was able to recover a big chunk of the ransom payout — 63.7 bitcoins, or about $2.3 million at the time.
In late July 2021, the White House issued a memo declaring that critical infrastructure cybersecurity was one of the most pressing issues facing the nation.
And yet, fast-forward five years to the present, and little progress has been made to shore up US critical infrastructure against cyberattacks, particularly in operational technology (OT) environments. Colonial Pipeline was indeed a proverbial wake-up call for critical infrastructure operators to realize that their systems were being targeted, but so far, they have done little beyond hitting the snooze button.
ChatGPT: AI Changes the Security Landscape Forever
In November 2022, OpenAI, a San Francisco startup, unleashed an AI chatbot known as ChatGPT on the unwitting masses. Part of the chatbot’s charm was its intuitive interface, its freemium model, and its natural-feeling response to user prompts — often filled with personalized, conversational speech, and thoughtfully placed emojis. Though AI and, indeed, even chatbots had already existed for years, ChatGPT's accessibility meant that millions of users started using it within months of its release. And today, according to OpenAI, more than a quarter of US workers are using ChatGPT for their jobs, including in security operations centers around the globe. There are now more than 700 million weekly active users overall.
Since its release, however, ChatGPT has also garnered security concerns. While the chatbot will seemingly always supply you with a response to a question, it can generate incorrect answers, otherwise known as hallucinations. It’s been known to reflect biases in its responses, propagate misinformation, create malicious code, and more, causing cybersecurity concerns for businesses, especially when threat actors use the chatbot for their criminal purposes, like creating convincing phishing messages in other languages.
The company has taken steps to remedy some of its problems (problematically at times: a Time investigation revealed that OpenAI outsourced the help of Kenyan workers earning less than $2 an hour to make ChatGPT less harmful — critical work for the company since the GPT-3 model had a tendency to make violent, racist, and sexist comments due to its training on billions of words scraped from the Internet). And OpenAI continues to shell out updates to the platform with security advancements that include protection against threats such as prompt injection attacks, data poisoning, and of course privacy breaches.
ChatGPT was the first salvo across the bow in a war of agentic AI models that now includes everything from Microsoft Copilot to Google Gemini — changing business workflows forever, along with the security risk landscape as security teams and threat actors alike lean on them for their own purposes.
2024: Microsoft's Security Failures Slammed by Government Report
It is no secret that Microsoft had a tough time on the security front for the first half of the 2020s. There were the devastating on-prem Microsoft Exchange vulnerabilities, ProxyShell and ProxyLogon, discovered in 2021. And there was the time when Russian threat actor Midnight Blizzard broke into Microsoft and stole source code. But it was the 2023 attack against Microsoft Exchange that compromised US government agencies that really put the company on notice.
In that event, China-based espionage actor Storm-0558 stole a Microsoft account (MSA) signing key and subsequently breached 22 organizations including federal departments, and it proved to be a tipping point for Microsoft's risk profile. Attackers accessed emails belonging to hundreds of individuals through Exchange Online, and it took a federal civilian executive branch agency of the US government to discover the attack in the first place.
The US Department of Homeland Security's Cyber Safety Review Board (CSRB) published a report the following year, saying a "cascade of security failures" led to the attack and that Microsoft's security culture needed an overhaul. The government censured Microsoft because of the responsibility it carries in selling so much of the technological infrastructure that runs the world; and subsequently, the report led to Microsoft expanding its Secure Future Initiative to prioritize security above all else.
China Moves Beyond Espionage: Volt Typhoon Causes Shockwaves
In 2023 Microsoft dropped a bomb on US government security teams: China-sponsored threat actors had managed to establish persistent access within telecom networks and other critical infrastructure targets in the US, with the observed purpose of espionage — and, potentially, the ability down the line to disrupt communications in the event of military conflict in the South China Sea and broader Pacific.
In the wake of the tech giant outing the advanced persistent threat (APT) known as Volt Typhoon (aka Bronze Silhouette and Vanguard Panda), its conquests began also coming to light: telecom networks in Guam, a widespread web of air, communications, maritime, and land transportation targets; numerous electric utilities; and other critical infrastructure.
These "contingency intrusions" that allow China to pre-position itself for future destruction are a new wrinkle; China-backed APTs are typically far more focused on cyber espionage than physical disruption. And while government agencies, congresspeople, and CISA have all helped to block and remedy Volt Typhoon incursions so far, much remains unclear in terms of the group's motivations and tooling. It thus remains a wild card in the general critical infrastructure threat landscape. None of the infections have so far managed to breach operational technology (OT) networks; but that could change.
"Chinese cyber threat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks,” John Hultquist, chief analyst at Google’s Threat Intelligence Group, told Dark Reading in response to the initial disclosure. “As a result, Volt Typhoon’s capability is quite opaque."