Case Studies: Historical Grid
SolarWinds Sunburst (2020)
APT29 Implants a Signed Backdoor in the Build Pipeline: 18,000 Orion Customers, Months of Undetected Beaconing
In December 2020, FireEye discovered that APT29 (Cozy Bear) had compromised SolarWinds' build server and inserted the SUNBURST backdoor into a signed Orion Platform DLL, distributed via a routine update to ~18,000 customers. Forensic teams identified DGA-based C2 over avsvmcloud.com, in-memory loaders, and pre-staged TEARDROP and RAINDROP payloads. The case forced DFIR to treat code-signing certificates and CI/CD pipelines as crown-jewel assets — exactly the threat model now playing out at Grafana.
Kaseya VSA / REvil (2021)
Supply-Chain Ransomware Hits 1,500+ Downstream Customers in a Single Patch Push
On July 2, 2021, REvil exploited zero-day CVE-2021-30116 in Kaseya VSA's authentication and dropped an encryptor through the platform's own software-management agent, hitting 60 MSPs and an estimated 1,500+ end customers worldwide. Sophos and Mandiant reconstructed the attack chain through VSA agent procedure logs and the malicious "Kaseya VSA Agent Hot-fix" task. The FBI later recovered a universal decryptor; the case codified MSP and management-plane software as the highest-leverage supply-chain target class.
Bangladesh Bank SWIFT Heist (2016)
Lazarus Group Steals $81 Million via SWIFT Credential Theft, Forged Transfers, and Custom Banking Malware
In February 2016, Lazarus Group deployed keylogger malware inside Bangladesh Bank to steal SWIFT credentials, then issued 35 fraudulent transfer requests — five succeeded, moving $81 million to casinos in the Philippines. Mandiant investigators recovered custom malware that interfaced directly with SWIFT Alliance Access software, and the FBI identified evidence of an insider accomplice. The heist established financial-sector forensics as a discipline requiring SWIFT audit-log reconstruction and cross-border transaction tracing.
Ashley Madison Breach (2015)
The Impact Team Wipes Its Tracks and Vanishes: 37 Million Records, PGP-Signed Leaks, No Identified Suspects
In July 2015, the Impact Team compromised extramarital dating site Ashley Madison, stealing records on 37 million users and releasing 9.7 GB publicly in August with PGP-signed authenticity. Forensic investigation found attackers escalated to administrator level and wiped logs that would have contained their indicators of compromise, rendering attribution impossible. Despite FBI and RCMP investigation, no suspects were ever identified — a landmark study in attacker log-wiping tradecraft and the limits of log-dependent forensics.