Case Studies: Historical Grid
Hammertoss / APT29 (2015)
When Cozy Bear Took Orders From Twitter: The Dead-Drop Blueprint Behind Today's Steam-Profile C2
In July 2015, FireEye detailed HAMMERTOSS, a backdoor wielded by Russia's APT29 (Cozy Bear) that fetched its marching orders from an ever-rotating set of daily Twitter handles, pulled images from GitHub, and hid commands inside them with steganography before exfiltrating to cloud storage. By blending malicious traffic into ordinary visits to wildly popular services, it defeated domain blocklists and frustrated network forensics. A decade on, this week's WordPress-on-Steam campaign runs the identical playbook — proof that the social-media dead drop never went out of style; it only changed venue.
British Airways Magecart Breach (2018)
380,000 Card Payments Skimmed in Plain Sight: The Breach That Made Magecart a Boardroom Word
Between August and September 2018, Magecart operators injected a small block of JavaScript into British Airways' website and mobile app, silently skimming payment-card and personal data from roughly 380,000 transactions as customers checked out. Investigators traced the theft to a single modified script and a malicious look-alike domain harvesting the data in real time. The UK's ICO ultimately fined BA £20 million, and the case turned client-side skimming into a board-level risk — the very trusted-script abuse powering this week's Google Tag Manager campaign.
Moonlight Maze (1996–1999)
The First Nation-State Hunt: Years of Stealthy Exfiltration That Seeded the Turla Lineage
Between 1996 and 1999, U.S. investigators traced a sprawling intrusion set — later codenamed Moonlight Maze — siphoning military, NASA, and university research data to Russia-linked infrastructure through a web of compromised relay hosts. It was among the first cyber-espionage cases to demand systematic log correlation, honeypots, and cross-agency forensics, and researchers later tied its LOKI2-based tooling to the code lineage behind Turla and today's Kazuar botnet. The case proved that patient, low-and-slow state intrusions could evade detection for years — the very playbook Secret Blizzard still runs three decades later.
Operation Aurora (2009–2010)
An Internet Explorer Zero-Day Opens Google, Adobe, and Dozens More to Persistent Theft
Disclosed by Google in January 2010, Operation Aurora was a China-linked campaign that weaponized an Internet Explorer zero-day (CVE-2010-0249) to breach at least 20 major companies and steal source code and intellectual property. Forensic teams reconstructed the intrusions through memory analysis, encrypted C2 traffic, and the IE use-after-free exploit chain. The case pushed the industry toward threat-intelligence sharing and made "advanced persistent threat" a board-level term — and that same CVE-2010-0249 resurfaced in CISA's May 20, 2026 KEV batch, proving old exploits never truly die.