Case Studies: Historical Grid
RSA SecurID Breach (2011)
The Hack That Broke Two-Factor Auth: Nation-State Actors Extract RSA's Entire SecurID Seed Database
In March 2011, RSA Security was breached via a spear-phishing Excel attachment exploiting an Adobe Flash zero-day. Attackers deployed Poison Ivy RAT, staged exfiltrated data as encrypted RAR archives, and used FTP for exfiltration — all traffic engineered to blend with legitimate patterns. The stolen asset was the seed database for 40 million SecurID tokens deployed at US government agencies and defense contractors, effectively undermining the enterprise 2FA ecosystem at scale.
SHAMOON / Disttrack (2012)
35,000 Saudi Aramco Workstations Wiped in Hours — The Wiper Attack That Redefined Destructive Malware
In August 2012, the SHAMOON wiper simultaneously destroyed the MBR and user files of 35,000 Saudi Aramco workstations across a single weekend, forcing the world's largest oil company to replace its entire PC fleet. Unlike ransomware, the payload carried no ransom demand — its sole purpose was destruction. Forensic recovery was possible only through Active Directory audit logs, offline backup tapes, and partial disk images from machines where payload execution failed mid-run.
Yahoo Data Breach (2013–2016)
3 Billion Accounts — Russian FSB Operated Silently Inside Yahoo for Three Years
Russian FSB officers infiltrated Yahoo between 2013 and 2016, stealing data on all 3 billion user accounts — the largest breach ever recorded — while Yahoo remained unaware for three years. The attackers also forged authentication cookies, bypassing login event logging entirely. The case established that post-breach forensics must account for multi-year silent dwell and authentication artifact gaps — the same patient persistence pattern demonstrated by APT28 last week.
Marriott / Starwood Breach (2014–2018)
Chinese State Actors Spent Four Years Inside a Network That Was Then Acquired for $13 Billion
Chinese state-sponsored hackers breached Starwood's hotel network in 2014 and remained undetected for four years — surviving Marriott's $13 billion acquisition in 2016 without detection. By discovery in 2018, 500 million guest records had been exfiltrated including passport numbers. The case is the definitive forensic lesson in M&A due diligence: Marriott unknowingly acquired an active four-year intrusion as part of the deal.