© 2026 Bespoke Intermedia LLC
Founded by Julian Calvo, Ed.D. · Cybersecurity career intelligence · Est. 2024
Original cybersecurity breach analysis. 15 case studies covering the incidents every cybersecurity practitioner should know cold, with technical anatomy, attribution, economic impact, and career implications.
This trend analysis represents original research and interpretation by DecipherU. Predictions are based on publicly available data and cited academic sources. Actual outcomes may differ. This content is for educational purposes and does not constitute investment, career, or financial advice.
May-July 2023
Cl0p exploited CVE-2023-34362 in Progress Software's MOVEit Transfer to steal data from approximately 2,500 organizations through a single managed-file-transfer dependency. The breach is the canonical case study for third-party software risk and for how a cybersecurity team should structure detection of zero-day SQL-injection in any managed-file-transfer product, not just MOVEit.
February-November 2024
ALPHV/BlackCat encrypted Change Healthcare's claims-processing infrastructure on February 21, 2024, halting prescription processing, claims adjudication, and provider payments across roughly one-third of US healthcare. UnitedHealth Group (the parent) eventually disclosed approximately 100 million affected individuals, the largest healthcare breach in US history at the time of disclosure.
April-July 2024
ShinyHunters and affiliated actors (tracked by Mandiant as UNC5537) exfiltrated data from approximately 165 Snowflake customer tenants by replaying credentials harvested by earlier infostealer-malware infections against accounts that had never enrolled in MFA. Publicly confirmed victims include AT&T, Ticketmaster, Santander, Advance Auto Parts, LendingTree, and Neiman Marcus; the remaining roughly 159 organizations were notified but not named. The cybersecurity lesson is structural: a SaaS platform that leaves MFA opt-in inherits the entire credential-hygiene state of every customer it serves, including passwords stolen years earlier from machines the platform never sees.
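The detection that would have caught this pattern in a customer tenant is a hunt over Snowflake's own login telemetry: a successful password-only login (no second factor) from an IP and client the user had never used before, often preceded by a failed attempt or two from the same source. The script below is an added example, not DecipherU's or Snowflake's code; the rows are constructed to mimic the columns of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view and every value in them is invented.

```python
"""Hunt for replayed-credential logins in Snowflake LOGIN_HISTORY-shaped rows.
Added example (not DecipherU's or Snowflake's code); all rows are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-03-04T09:00:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-03-05T10:15:00", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "198.51.100.5", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-03-06T08:30:00", "USER_NAME": "ADMIN_2",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    # Lookback window ends; the rows below are the period under review.
    {"EVENT_TIMESTAMP": "2024-04-14T02:11:00", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "192.0.2.77", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-14T02:12:00", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "192.0.2.77", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T09:00:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-16T11:00:00", "USER_NAME": "ADMIN_2",
     "CLIENT_IP": "192.0.2.200", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
]

REVIEW_START = datetime(2024, 4, 1)  # assumed boundary between lookback and review


def _ts(row):
    return datetime.fromisoformat(row["EVENT_TIMESTAMP"])


def build_baseline(rows, review_start=REVIEW_START):
    """Per user: the (IP, client type) pairs seen in successful logins during the lookback."""
    baseline = defaultdict(set)
    for r in rows:
        if r["IS_SUCCESS"] == "YES" and _ts(r) < review_start:
            baseline[r["USER_NAME"]].add((r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"]))
    return baseline


def find_replayed_credential_logins(rows, review_start=REVIEW_START):
    """Successful password-only logins from a source the user never used in the
    lookback. Failures from the same source are counted so the finding carries
    the replay noise that preceded the success."""
    baseline = build_baseline(rows, review_start)
    failures = defaultdict(int)
    findings = []
    for r in sorted(rows, key=_ts):
        if _ts(r) < review_start:
            continue
        source = (r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"])
        if r["IS_SUCCESS"] != "YES":
            failures[(r["USER_NAME"], source)] += 1
            continue
        password_only = (r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                         and r["SECOND_AUTHENTICATION_FACTOR"] is None)
        if password_only and source not in baseline.get(r["USER_NAME"], set()):
            findings.append({"user": r["USER_NAME"], "ip": r["CLIENT_IP"],
                             "client": r["REPORTED_CLIENT_TYPE"], "at": r["EVENT_TIMESTAMP"],
                             "failures_before_success": failures[(r["USER_NAME"], source)]})
    return findings


def users_without_mfa(rows):
    """Inventory control: every user who has ever succeeded with a password and no second factor."""
    return sorted({r["USER_NAME"] for r in rows
                   if r["IS_SUCCESS"] == "YES"
                   and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                   and r["SECOND_AUTHENTICATION_FACTOR"] is None})


if __name__ == "__main__":
    for finding in find_replayed_credential_logins(LOGIN_HISTORY):
        print(finding)
    print("password-only users:", users_without_mfa(LOGIN_HISTORY))
```

The hunt deliberately ignores a password-only login from a source already in the baseline (the ETL service account) and a new-IP login that did present a second factor (the admin), so what remains is the shape UNC5537's activity took. The inventory function is the control that matters before the hunt: every name it returns is an account the platform will accept from anyone holding the stolen password.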
November 2023-April 2024
APT29 (Russia's Foreign Intelligence Service, tracked by Microsoft as Midnight Blizzard) compromised a legacy non-production Microsoft test tenant in late November 2023 by password-spraying an account that had no MFA, then abused a legacy test OAuth application that held elevated access into Microsoft's corporate environment to read corporate email, including senior-leadership mailboxes. The case study exists primarily because Microsoft published the post-mortem with unusual transparency, making it the cleanest available worked example of how a low-value foothold in a forgotten tenant turns into senior-leadership email access through an over-privileged OAuth application that bridged the test and production environments.
March-July 2024
AT&T disclosed two distinct cybersecurity incidents in 2024 within four months of each other. The March 2024 disclosure covered approximately 73 million current and former customer records that surfaced on the dark web that month and traced back to data exfiltrated in or before 2019. The July 2024 disclosure covered approximately 109 million wireless customers' call and text metadata exfiltrated from a Snowflake-hosted database in April 2024. The pair is the canonical 2024 case study for how telecom carriers aggregate sensitive metadata at a scale and concentration that the rest of the cybersecurity industry has not yet adapted to defend.
August 2022-March 2023
LastPass disclosed two separate intrusions across August and December 2022. The second exfiltrated encrypted customer vaults plus unencrypted metadata. Subsequent crypto-currency theft losses traced back to the leaked vaults exceeded $35 million by early 2024. The case study is canonical for how user-facing encryption only works when the iteration count, the password strength, and the metadata exposure are all defended together.
May-July 2023
Storm-0558 (Chinese state-aligned, tracked by Microsoft) used a stolen Microsoft consumer (MSA) signing key to forge authentication tokens for Outlook Web Access and Outlook.com, reaching mailboxes in approximately 25 organizations, including the US Department of State and Department of Commerce. The Cyber Safety Review Board's 2024 report on the incident is the definitive public account of how a single key compromise cascaded into cross-tenant access: Microsoft's token validation accepted a key issued for consumer accounts as valid for enterprise Azure AD tokens.
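The validation flaw is easy to reproduce in miniature: a verifier that looks up the signing key by its `kid`, checks the signature, and stops there will accept any token signed by any key in its trust store, whatever issuer the token claims. The block below is an added example, not Microsoft's or DecipherU's code. It uses HMAC instead of RSA to stay dependency-free, the key identifiers, issuer URLs and audiences are invented, and the point is the difference between the two validators, not the token format.

```python
"""Key-to-issuer scoping in token validation. Added example, not Microsoft's
or DecipherU's code; HMAC stands in for the RSA keys real identity platforms use."""
import base64
import hashlib
import hmac
import json
import time


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed trust store. Each key records the issuer(s) it may sign for;
# the naive validator below never consults that field.
KEYS = {
    "consumer-2016": {"secret": b"consumer-signing-key",
                      "issuers": {"https://login.live.example"}},
    "enterprise-01": {"secret": b"enterprise-signing-key",
                      "issuers": {"https://login.enterprise.example/contoso"}},
}
ENTERPRISE_ISSUER = "https://login.enterprise.example/contoso"
MAIL_AUDIENCE = "mail-api"


def mint(payload: dict, kid: str, secret: bytes) -> str:
    """Produce a compact header.payload.signature token."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{b64u(json.dumps(header).encode())}.{b64u(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(sig)}"


def _parse(token: str):
    h, p, s = token.split(".")
    return h, p, s, json.loads(b64u_decode(h)), json.loads(b64u_decode(p))


def _signature_ok(h: str, p: str, s: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64u_decode(s))


def validate_naive(token: str, audience: str) -> bool:
    """Flawed: any key in the trust store is accepted for any issuer."""
    h, p, s, header, payload = _parse(token)
    entry = KEYS.get(header.get("kid"))
    if entry is None or not _signature_ok(h, p, s, entry["secret"]):
        return False
    return payload.get("aud") == audience and payload.get("exp", 0) > time.time()


def validate_scoped(token: str, audience: str, expected_issuer: str) -> bool:
    """Hardened: the key must be one the expected issuer is allowed to use, and
    the token's iss claim must be that issuer, before the signature is trusted."""
    h, p, s, header, payload = _parse(token)
    entry = KEYS.get(header.get("kid"))
    if entry is None or expected_issuer not in entry["issuers"]:
        return False  # consumer key presented for an enterprise token
    if payload.get("iss") != expected_issuer:
        return False
    if not _signature_ok(h, p, s, entry["secret"]):
        return False
    return payload.get("aud") == audience and payload.get("exp", 0) > time.time()


def forged_enterprise_token() -> str:
    """What an attacker holding only the consumer key can mint."""
    return mint({"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE,
                 "sub": "exec@contoso.example", "exp": int(time.time()) + 3600},
                "consumer-2016", KEYS["consumer-2016"]["secret"])


def legitimate_enterprise_token() -> str:
    return mint({"iss": ENTERPRISE_ISSUER, "aud": MAIL_AUDIENCE,
                 "sub": "exec@contoso.example", "exp": int(time.time()) + 3600},
                "enterprise-01", KEYS["enterprise-01"]["secret"])


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("naive accepts forged token:", validate_naive(forged, MAIL_AUDIENCE))
    print("scoped accepts forged token:", validate_scoped(forged, MAIL_AUDIENCE, ENTERPRISE_ISSUER))
```

The scoped validator rejects the forgery before it ever computes a signature, because the trust store says which issuer each key belongs to and the resource says which issuer it expects. That binding, plus an expiry on the keys themselves, is the control the CSRB report faults Microsoft for lacking.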
September 2023
ALPHV/BlackCat affiliate Scattered Spider used a 10-minute vishing call against MGM Resorts' IT help desk to obtain credentials for a privileged Okta account, then encrypted the casino operator's infrastructure. The shutdown lasted 10 days, cost MGM approximately $100 million in direct revenue, and produced the canonical 2023 case study for help-desk security controls.
September-November 2023
Okta disclosed in October 2023 that an attacker had used a stolen credential to access its customer support case-management system, then read HAR files uploaded by customers that contained valid session tokens for those customers' Okta tenants. The downstream blast radius reached BeyondTrust, 1Password, Cloudflare, and at least one unnamed Okta customer. The case is the canonical worked example of how an identity-provider's customer-facing operational systems carry the same trust weight as the identity-provider's authentication infrastructure.
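The customer-side control is mechanical: never upload a HAR file to a support portal until every session cookie, Authorization header and token-bearing response body in it has been redacted, and check the file after redaction rather than trusting the scrubber. The script below is an added example, not Okta's or DecipherU's tooling. The HAR structure it walks is the standard one (`log.entries[].request/response` with `headers`, `cookies`, `postData`, `content`); the sample file is constructed, and the cookie and field names (`sid`, `DT`, `sessionToken`) are assumptions chosen to look like Okta traffic.

```python
"""Redact credentials from a HAR file before it leaves the building.
Added example, not Okta's or DecipherU's code; the sample HAR is constructed."""
import copy
import json
import re

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Bearer/JWT-shaped strings inside bodies.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
# JSON fields that carry tokens; sessionToken is assumed to be an Okta-style name.
BODY_KEY_RE = re.compile(
    r'("(?:sessionToken|access_token|id_token|refresh_token)"\s*:\s*")[^"]*(")')

SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJlX2J5dGVz"  # constructed
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://example.okta.example/api/v1/authn",
        "headers": [
            {"name": "Host", "value": "example.okta.example"},
            {"name": "Cookie", "value": "sid=102AbCdEfGh; DT=DI0device"},
            {"name": "Authorization", "value": "Bearer " + SAMPLE_JWT},
        ],
        "cookies": [{"name": "sid", "value": "102AbCdEfGh"},
                    {"name": "DT", "value": "DI0device"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"stateToken":"' + SAMPLE_JWT + '"}'},
    },
    "response": {
        "status": 200,
        "headers": [
            {"name": "Set-Cookie", "value": "sid=203NewSession; Path=/; Secure; HttpOnly"},
            {"name": "Content-Type", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "203NewSession"}],
        "content": {"mimeType": "application/json",
                    "text": '{"status":"SUCCESS","sessionToken":"20111tokenvalue"}'},
    },
}]}}


def _scrub_headers(headers) -> int:
    n = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
            h["value"] = REDACTED
            n += 1
    return n


def _scrub_cookies(cookies) -> int:
    n = 0
    for c in cookies:  # every cookie value is treated as a credential
        if c.get("value") not in (None, REDACTED):
            c["value"] = REDACTED
            n += 1
    return n


def _scrub_text(text: str):
    text, n1 = JWT_RE.subn(REDACTED, text)
    text, n2 = BODY_KEY_RE.subn(r"\1" + REDACTED + r"\2", text)
    return text, n1 + n2


def scrub_har(har: dict):
    """Return (redacted copy, number of redactions). The input is not modified."""
    har = copy.deepcopy(har)
    n = 0
    for entry in har["log"]["entries"]:
        req, resp = entry.get("request", {}), entry.get("response", {})
        n += _scrub_headers(req.get("headers", [])) + _scrub_headers(resp.get("headers", []))
        n += _scrub_cookies(req.get("cookies", [])) + _scrub_cookies(resp.get("cookies", []))
        if req.get("postData") and "text" in req["postData"]:
            req["postData"]["text"], k = _scrub_text(req["postData"]["text"])
            n += k
        if resp.get("content") and "text" in resp["content"]:
            resp["content"]["text"], k = _scrub_text(resp["content"]["text"])
            n += k
    return har, n


def residual_secrets(har: dict):
    """Pre-upload check: anything a reviewer would still call a credential."""
    found = []
    for entry in har["log"]["entries"]:
        for part in ("request", "response"):
            for h in entry.get(part, {}).get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    found.append(f"{part} header {h['name']}")
            for c in entry.get(part, {}).get("cookies", []):
                if c.get("value") != REDACTED:
                    found.append(f"{part} cookie {c.get('name')}")
    found += [f"jwt:{m[:12]}..." for m in JWT_RE.findall(json.dumps(har))]
    return found


if __name__ == "__main__":
    clean, count = scrub_har(SAMPLE_HAR)
    print(f"{count} redactions; residual: {residual_secrets(clean)}")
```

The second pass matters more than the first: the Okta intrusion turned on HAR files that customers believed were safe to share, so the check that decides whether a file may be uploaded should be independent of the code that cleaned it.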
May 2023-Present
CISA, NSA, FBI, and Five Eyes partners disclosed in May 2023 (and re-disclosed with materially expanded scope in February 2024) that the People's Republic of China state-sponsored cyber actor tracked as Volt Typhoon had been pre-positioned in US critical infrastructure for at least five years. The campaign is structurally distinct from financially-motivated cybersecurity incidents: the operational objective was not data exfiltration or ransom but rather the establishment of disruptive capability against US critical infrastructure for use during a future geopolitical contingency.
September 2019-December 2020
APT29 (Russian SVR-aligned, tracked as Cozy Bear / NOBELIUM) compromised SolarWinds's Orion build system and shipped malicious updates to roughly 18,000 customer organizations. The campaign reset the cybersecurity industry's understanding of what a supply-chain attack looks like and motivated NIST SP 800-218, CISA's Secure-by-Design pledge, and the SBOM movement.
Disclosed October 2024-Present
PRC state-sponsored actor Salt Typhoon (also tracked as Earth Estries and GhostEmperor) compromised at least nine major US telecommunications carriers including AT&T, Verizon, T-Mobile, Lumen, and Charter, accessing wiretap-court-order metadata, call records, and in some cases real-time call audio for senior US officials, including the phones of Donald Trump and JD Vance during the 2024 presidential campaign. Senate Intelligence Committee Chairman Mark Warner described the campaign in November 2024 as 'the worst telecom hack in our nation's history.'
2021-March 2024
A multi-year social-engineering campaign by an actor operating as 'Jia Tan' (the JiaT75 GitHub account and related aliases) inserted a sophisticated backdoor (CVE-2024-3094) into xz-utils, a foundational Linux compression library whose liblzma is loaded into sshd on many distributions. Microsoft engineer Andres Freund discovered the backdoor on March 29, 2024 by chance while investigating a roughly 500 ms SSH login slowdown. The near-miss is the canonical 2024 case study for how patient adversaries weaponize open-source maintainer trust.
February-June 2024
A Chinese-owned domain operator acquired polyfill.io in February 2024 and silently injected malicious JavaScript into the polyfill.js script, which approximately 100,000 websites loaded directly into their pages. Sansec disclosed the compromise on June 25, 2024, and within 48 hours Cloudflare, Google Search, and Namecheap had blocked the domain. The case is the canonical 2024 worked example of how a third-party-script supply chain becomes a content-injection attack at scale.
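Subresource Integrity is the browser-side control for exactly this failure: the page pins a hash of the script it reviewed, and the browser refuses to execute anything else under that URL. The caveat a practitioner needs is that polyfill.io served a different bundle per User-Agent, so SRI could not be applied to it as deployed; the fix was to self-host a fixed copy and pin that. The block below is an added example, not Sansec's, Cloudflare's or DecipherU's code. The two script bodies are constructed stand-ins, and the verifier mirrors the browser's algorithm-precedence rule with one deliberate difference noted in its docstring.

```python
"""Subresource Integrity: compute and verify integrity values for a pinned script.
Added example, not the page's or any vendor's code; script bodies are constructed."""
import base64
import hashlib

SUPPORTED = {"sha256": 256, "sha384": 384, "sha512": 512}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mirror of the browser check: parse the space-separated hash list, keep
    only the strongest supported algorithm, pass if any hash of that algorithm
    matches. Browsers skip the check entirely when no algorithm is recognised;
    this version fails closed instead so a typo in the attribute is noticed."""
    by_algo = {}
    for token in integrity.split():
        algo, sep, b64 = token.partition("-")
        if sep and algo in SUPPORTED:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        return False
    strongest = max(by_algo, key=SUPPORTED.__getitem__)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode()
    return actual in by_algo[strongest]


# Constructed stand-ins. The pinned bundle is what the site reviewed; the
# tampered one appends the kind of UA-conditional redirect Sansec described.
PINNED_BUNDLE = (b"/* constructed polyfill bundle */\n"
                 b"if(!Array.prototype.includes){Array.prototype.includes="
                 b"function(x){return this.indexOf(x)!==-1}}\n")
TAMPERED_BUNDLE = PINNED_BUNDLE + (b"if(/Mobile/.test(navigator.userAgent))"
                                   b"{location.href='https://example.invalid/'}\n")


def script_tag(src: str, content: bytes) -> str:
    """The tag a site ships after self-hosting a reviewed copy of the script."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(PINNED_BUNDLE)
    print(script_tag("/static/polyfill.min.js", PINNED_BUNDLE))
    print("pinned bundle verifies:", verify_sri(PINNED_BUNDLE, pinned))
    print("tampered bundle verifies:", verify_sri(TAMPERED_BUNDLE, pinned))
```

`crossorigin="anonymous"` is part of the control, not decoration: without it a cross-origin script is opaque to the page and the browser cannot apply the integrity check at all. Two integrity values of different strengths can be listed together, and the verifier shows why that is safe: only the strongest algorithm's hashes are consulted.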
February 2024-Present
ConnectWise disclosed two critical vulnerabilities in ScreenConnect (CVE-2024-1709 authentication bypass, CVSS 10.0; CVE-2024-1708 path traversal, CVSS 8.4) on February 19, 2024. Within 24 hours of disclosure, multiple ransomware groups (Black Basta, BlackCat, LockBit) began mass-exploitation against unpatched ScreenConnect instances, cascading attacks through Managed Service Provider customers. The case is the canonical worked example of how Remote Monitoring and Management software amplifies the blast radius of a single CVE across hundreds of downstream small-business victims.
Every Decipher File draws on primary sources. SEC 8-K filings document material impact with attached dollar figures. CISA advisories provide attribution and indicators of compromise. Mandiant, Microsoft Threat Intelligence, and CrowdStrike attribution reports document the technical anatomy. We cite each source inline and never paraphrase exam content, training material, or paid analyst reports.
The voice is practitioner, not journalist. Every file ends with three lessons: what the technical pattern was, what defenders should have built before the incident, and what cybersecurity career paths are best positioned to work on the follow-on.