Dark Reading, 06/05/2026 at 14:00

From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber

Cybersecurity, Dark Reading Editorial Team
As part of Dark Reading's 20th anniversary celebration, its staff looks back on 20 of the biggest newsmaking events from the past two decades that shaped our industry and the risk landscape for today's security teams.

Dark Reading Editorial Team, May 6, 2026, 31 Min Read

Over the past two decades, cyber has evolved into a board-level business risk, with early Internet worms and endpoint viruses giving way to industrial-grade operations that can disrupt hospitals, utilities, and supply chains, erode public trust, and rattle markets. The lesson for security leaders is straightforward: in a hyperconnected enterprise, the blast radius is no longer just digital; it is operational and strategic.

As part of Dark Reading's 20th anniversary celebration, our staff took a look back at the biggest cyber moments of the past two decades, the ones that rewrote the playbook for security teams and changed how we perceive cybersecurity threats and defense strategies. We revisit the impact of WannaCry and NotPetya; the SolarWinds compromise; Colonial Pipeline; the rise of Anonymous; the birth of ChatGPT; and much more. As we examine these 20 defining moments, we also consider their present-day ramifications, and their legacy can't be overstated. Liability concerns now abound, with disclosure rules, critical infrastructure directives, and sector-specific obligations raising the stakes for CISOs and boards.
Attacker automation (including AI) and supercharged exploit pipelines are compressing defenders' response windows. There has also been a steady rise of intrusions that degrade operations and safety, not just data, and ransomware has become a core operational risk. Meanwhile, supply chain vectors and identity abuse are stretching the limits of how far attackers can reach, especially in the age of agentic AI and non-human identities. Join us as we revisit a few major catalysts for these evolutions, gleaned from Dark Reading's 20 years of industry coverage.

Stuxnet Sabotages Centrifuges and the 'Airgap'

The discovery in July 2010 of what was believed to be the first known kinetic cyberattack on industrial systems and processes served as a massive klaxon of warning to critical infrastructure and operational-technology (OT) network operators worldwide. Stuxnet targeted the secretive Natanz nuclear facility in Iran, forcing the centrifuges used to enrich uranium to spin outside their safe operating range and fail, reportedly destroying about a thousand of them. The attack also shattered the illusion that air-gapping, physically isolating OT networks from IT networks and the Internet, kept industrial plants and their processes immune from cyberattacks: the worm simply crossed the gap on removable media. The complex worm exploited four Windows zero-day vulnerabilities and reached the plant's Windows-based machines via USB devices that were somehow plugged into plant machines. Stuxnet infected machines running Siemens SIMATIC Step 7 or Siemens SIMATIC WinCC industrial control system (ICS) software, which communicated with the programmable logic controllers (PLCs) that operated the enrichment centrifuges, and it altered the PLC logic while feeding operators recorded normal readings so the sabotage looked like ordinary equipment failure. The attack, reportedly the handiwork of US and Israeli nation-state hackers, demonstrated next-level cyber capabilities.
Ralph Logan, an ICS security expert who studied Stuxnet while at The Honeynet Project, says it was Stuxnet's stunning "precision" that gave him and his team pause. "This wasn't crude destruction; it was engineered sabotage designed to appear as mechanical failure," Logan recalls. "That precision signaled something we understood immediately: this represented a doctrine shift, not just an attack. A nation-state had demonstrated that critical infrastructure could be targeted with surgical accuracy and … it worked."

Stuxnet's story didn't end there. Three years later, researchers at Symantec found what they described as a precursor to Stuxnet, aka Stuxnet 0.5, which they dated to as early as 2005 and which targeted Siemens S7-417 PLCs to sabotage the valves that fed uranium hexafluoride gas into the enrichment centrifuges. And just last month, SentinelOne researchers cited a cyber weapon that predates Stuxnet's discovery. The malware framework, tracked as fast16, could sabotage systems by injecting stealthy errors into their mathematical computations.

Anonymous, LulzSec Hacking Sprees Put Cybersecurity Teams on Notice

When Anonymous emerged in the mid-2000s, followed by LulzSec in 2011, ushering in the era of "hacktivist" and nuisance-related messaging campaigns, they lit a fire under security teams in both the private and public sectors and represented an important new wrinkle in the cyber-risk landscape.
While their exploits now seem like quaint relics of a bygone era, given that they've been largely replaced by ransomware gangs, extortion groups, and nation-state advanced persistent threat (APT) actors, it's important to remember that the likes of Scattered Spider and ShinyHunters probably wouldn't exist without these two pioneering the idea of a hacking collective.

Anonymous emerged in the mid-2000s, and its members, with their notorious Guy Fawkes masks, began hacking in earnest in 2008 with simple distributed denial-of-service (DDoS) attacks against the controversial Church of Scientology. Later, they mounted attacks in support of WikiLeaks, The Pirate Bay, and other causes before graduating to data breaches and leaks, breaching San Francisco's Bay Area Rapid Transit (BART) system as well as government websites and agencies in China and Syria, among others. As the 2010s progressed, the group shifted to more politically motivated hacks before its activity waned.

LulzSec, on the other hand, was short-lived by comparison. The rival group launched in 2011, ostensibly to spotlight the porous cybersecurity defenses of major organizations. However, the group would admit from time to time that the hacking was largely for members' own amusement, or "the lulz." Its exploits include hack-and-leak attacks against Fox News, PBS, and Sony Pictures (no, not that one). The group also compromised senate.gov, the website of the US Senate, leaking usernames and passwords. The group, which disbanded later that year, was viewed by some as a "grey hat" hacktivist operation, but US authorities didn't see it that way. The FBI labeled LulzSec an "international cyber criminal group" and arrested several members, including Hector "Sabu" Monsegur.

Instead of website hacks and DDoS attacks, today's hacker collectives, like "The Com," are conducting devastating, financially motivated cyberattacks against a wide range of organizations. But it all started with Anonymous and LulzSec.
Theft of RSA's SecurID Seeds Changes Two-Factor Authentication

Attackers, widely believed to be a Chinese advanced persistent threat (APT) group, launched a multipronged campaign in 2011 against RSA Security that included spear-phishing emails, a malicious Flash object embedded in an Excel spreadsheet that exploited a then-unpatched Flash vulnerability, and multistage malware. The attackers stole seed information for RSA SecurID tokens, undermining the security guarantees of the tokens already in customers' hands. Up until this incident, RSA SecurID was considered the gold standard for two-factor authentication (2FA). The tokens generated one-time passwords (OTPs) that changed every 30 or 60 seconds (depending on their configuration), so an attacker holding a valid username and password still could not log in without the current code. By stealing the seeds, the per-token secret keys from which the OTPs are derived, the attackers could compute the current and future codes for any compromised token they could tie to a user (they still needed the token-to-user mapping and the user's PIN), which is why organizations had to replace the tokens. The threat was not theoretical: stolen seed data was used in an attack against Lockheed Martin a few months later.

This incident was one of the earliest supply chain attacks involving a security vendor, in which compromising a single vendor made it possible to compromise downstream customers. Targeting security vendors to reach their customers is an attack method that still works, as amply illustrated by the Okta breach in 2023, or Salesforce customers being compromised after attackers stole OAuth tokens. In the Lockheed Martin case, the US defense contractor blocked the attack and later shared its Cyber Kill Chain framework, a model that breaks an intrusion into sequential phases, from reconnaissance and delivery through exploitation, installation, command-and-control, and actions on objectives, so that defenders can detect and disrupt the attacker at each step rather than only at the perimeter. The Kill Chain was one of the earliest examples of a cybersecurity playbook that focuses on stopping attackers who get inside from completing their mission and taking anything with them on the way out, rather than solely on keeping attackers out.
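To make concrete why a stolen seed defeats a hardware token, here is an added example; it is not code from the article and not RSA's proprietary SecurID algorithm, for which the standard HOTP/TOTP construction of RFC 4226 and RFC 6238 stands in. It implements the token side, a server-side verifier with the usual clock-drift window, and the attacker's prediction step. The seed value is the RFC test-vector secret, used here as a constructed stand-in for a real token seed; the SecurID PIN and the token-to-user mapping are omitted.

```python
"""RFC 6238 TOTP with a 'stolen seed' demonstration.

Added example, not code from the Dark Reading article. RSA SecurID's token
algorithm is proprietary, so the public HOTP/TOTP construction (RFC 4226 /
RFC 6238) stands in for it. The seed below is the RFC test-vector secret,
a constructed stand-in for a token seed, not a real one.
"""
import hashlib
import hmac
import struct
import time

# Constructed sample seed: the RFC 4226/6238 reference secret. In a real
# deployment this value lives in the vendor's seed records and on the server.
SEED = b"12345678901234567890"
STEP = 30  # seconds per code, matching a 30-second token


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int,
           step: int = STEP, drift: int = 1) -> bool:
    """Server-side check. The server holds its own copy of the seed and
    accepts the code for the current step or +/- `drift` steps to tolerate
    clock skew. Anyone who holds the seed can therefore mint a valid code."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, counter + d, len(code)), code)
        for d in range(-drift, drift + 1)
    )


def predict(stolen_seed: bytes, from_time: int, count: int, step: int = STEP):
    """Attacker side: with the seed, enumerate the codes the genuine token
    will display over the next `count` time steps."""
    return [
        (from_time + i * step, totp(stolen_seed, from_time + i * step, step))
        for i in range(count)
    ]


def demo(now: int = None) -> dict:
    """Show that the attacker's predicted code equals what the user's fob
    displays, and that the server accepts it."""
    now = int(time.time()) if now is None else now
    token_code = totp(SEED, now)                 # what the user's fob shows
    attacker_code = predict(SEED, now, 1)[0][1]  # what the seed thief computes
    return {
        "token_code": token_code,
        "attacker_code": attacker_code,
        "server_accepts_attacker": verify(SEED, attacker_code, now),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing about the code-generation algorithm is weak here; the point is that the seed is the entire secret, so the defence is protecting the seed store and rotating seeds after a compromise, which is what the mass token replacement after the RSA breach amounted to.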
The incident also accelerated significant shifts in authentication, such as a growing focus on risk-based authentication, the adoption of FIDO standards and hardware security keys, and the development of mobile-based authenticators such as Google Authenticator and Microsoft Authenticator. That shift is still ongoing, especially with the push for passwordless authentication.

Shamoon's Digital Scorched-Earth Attack on Saudi Aramco

The Shamoon wiper attack on Saudi Aramco in August 2012, which destroyed more than 30,000 computers, was one of the most destructive cyberattacks seen up to that time. The malware overwrote the hard drives and corrupted the master boot record, rendering three-quarters of the oil giant's corporate PCs unbootable. This was one of the first major uses of wiper malware. Similar to what happened with Colonial Pipeline's 2021 ransomware incident, Shamoon did not hit Saudi Aramco's production systems or pipeline operations; the damage was entirely to business systems, but the impact was still widespread.

The actors behind the Shamoon attack weren't interested in espionage or data theft; they wanted pure digital destruction. And like the modern scourge of ransomware, the Shamoon attack crossed from the digital realm into the physical world. The machines were rendered unusable and their drives had to be replaced, and employees had to switch to typewriters and fax machines to keep working. A consultant who worked on the company's recovery said buying up 50,000 hard drives all at once temporarily drove up prices and halted shipments to other buyers around the world. Also like ransomware, the Shamoon malware made no attempt to evade detection or to maintain stealthy persistence. It was designed for maximum disruption. While less sophisticated than Stuxnet, it had a bigger blast radius because it affected business operations across the company. The Shamoon attack underscored the importance of cybersecurity in maintaining business continuity.
Afterward, there was a focus on resiliency planning and on improving backup and recovery capabilities so that, even under attack, the organization could continue to function. It also drove massive investments in cybersecurity across the energy sector and the development of sector-specific cybersecurity frameworks and regulations. Energy companies also established information-sharing networks to exchange threat intelligence. And a good thing too: the later Shamoon 2 (2016 to 2017) and Shamoon 3 (2018) attacks demonstrated that these types of attacks are not one-off incidents, because threat actors continually evolve and return with improved capabilities.

Twitter Hoax Triggers Stock Market Crash

In April 2013, US stock markets took a sudden plunge that briefly erased more than $100 billion in value. Thankfully, the crash lasted only minutes, but it was notably caused by a single tweet from the Associated Press's verified Twitter account: "Breaking: Two Explosions in the White House and Barack Obama is injured." Within minutes, follow-up tweets from the AP revealed that the report was a hoax and that the news outlet's Twitter account had been compromised.

The "Hack Crash," as some called it, didn't last long, but the high-profile incident did provide some important insights about the future of cybersecurity and technology at large. First, the market crash was largely driven by "so-called algorithms," according to The Wall Street Journal, which powered high-frequency trading platforms that make automated trades based on news headlines. The attack offered a glimpse of what was to come about a decade later with the advent of large language models (LLMs) and agentic AI, and the risks of giving such technology autonomy. Second, the attack sparked an urgent call to offer and implement multifactor authentication, which would become a very familiar pattern in the intervening years.
At the time of the attack, Twitter did not offer two-factor authentication (2FA) for accounts, but the social media company added it about a month later. And finally, the attack showed how a small amount of disinformation or "fake news" could have a major impact. The Twitter hack was executed by the Syrian Electronic Army (SEA), a hacktivist organization that first emerged in 2011 to support then-Syrian president Bashar al-Assad. The group would commit several notable hacks, including the defacement of the US Marine Corps website as well as The New York Times and Huffington Post sites. The group's activity declined in later years, and al-Assad was pushed out of power in 2024, but the AP hoax tweet had a long-lasting impact on cybersecurity.

Target, Home Depot Breaches Spark Retail Industry Focus on Supply Chain Security

Target suffered a monumental data breach in December 2013 that affected as many as 110 million individuals. Threat actors first compromised a small Pennsylvania-based third-party HVAC vendor and stole the credentials the provider used to access Target's network. The attackers then moved laterally from the vendor-facing systems into Target's payment environment, a path that segmentation between vendor access and the cardholder data environment should have blocked, and planted memory-scraping malware on point-of-sale (PoS) systems to steal payment card data. While the initial breach disclosure focused on stolen payment card data, Target said further investigation found that names, mailing addresses, phone numbers, and email addresses had also been stolen. In a moment of cybersecurity déjà vu, attackers stole credentials from another third-party vendor and reached Home Depot's network less than a year later. Both incidents used BlackPOS malware to harvest and exfiltrate payment card information, suggesting that the same group was behind both attacks.
With 2014 informally dubbed the Year of the Retailer Data Breach (Neiman Marcus and Michaels were among the many, many retailers compromised that year), there was a push across the industry to bolster security protocols for payment card data. Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS), released in late 2013 and taking effect in 2014, carried updated requirements driven by the same weaknesses the retail breaches exposed: poor education and awareness, weak passwords and authentication, third-party security challenges, slow self-detection and malware, and inconsistent assessments. The industry also prioritized the shift to EMV, or chip-based cards.

The Target breach was one of the first major incidents caused by a supplier compromise. The idea that attackers would piggyback on third-party partners and vendors to compromise larger companies is now a well-recognized risk, but it wasn't widely acknowledged back in 2014. Among many other impacts, the spate of retail breaches underscored the importance of focusing on the supply chain ecosystem and using vendor questionnaires and assessments to ensure third-party partners implement strong security measures to protect data and networks.

North Korea's Sony Pictures Hack Offers Real-World Consequences

One of the most infamous cybersecurity incidents of the past 20 years is also one of the most absurd. Nation-state hackers infiltrated the network of a major Hollywood studio to protest, and eventually impede, the release of an upcoming film. On Nov. 24, 2014, Sony Pictures Entertainment's network suddenly went down. A threat group calling itself "Guardians of Peace" had deployed wiper malware across the studio's infrastructure, but not before exfiltrating reams of confidential data, including corporate emails, salary information, screenplays, and copies of unreleased films.
Over the next two weeks, as Sony Pictures attempted to rebuild its network and authorities investigated the attack, the Guardians of Peace published several batches of stolen data, most notably the private communications of several executives and Hollywood stars. The leaked emails led to the resignation of Amy Pascal, the famed Sony Pictures executive and Hollywood producer. Then the situation became even more serious when the Guardians of Peace threatened terrorist attacks against theaters showing the soon-to-be-released comedy The Interview, starring James Franco and Seth Rogen. The movie is about two journalists who score an interview with North Korean leader Kim Jong Un and are tasked by the CIA with assassinating him (which they eventually do in a controversial scene). Sony Pictures cancelled the film's wide theatrical release and instead released it online, through YouTube and other streaming platforms, alongside a limited run in independent theaters.

Several cybersecurity firms attributed the attack to nation-state actors tied to the Democratic People's Republic of Korea (DPRK), specifically the notorious APT known as Lazarus Group. Years later, the US government charged North Korean national Park Jin Hyok, who was also tied to the infamous WannaCry ransomware attacks, with participating in the Sony hack. While some remain skeptical that the DPRK was behind it, there's no question the attack changed the threat landscape and showed how malicious activity in cyberspace could have potentially terrifying, real-world impacts.

Yahoo: World's Largest Data Breach Also Derails a Major M&A Plan

Nearly 10 years ago, Yahoo disclosed a series of data breaches that together affected billions of accounts: a 2013 breach that touched all of its roughly 3 billion user accounts, and a separate 2014 breach that hit about 500 million. The attackers took personally identifiable information (PII) such as names, email addresses, phone numbers, security questions and answers, hashed passwords, and dates of birth from the tech pioneer's user base.
US prosecutors later attributed the 2014 breach to Russian state-sponsored operatives working with criminal hackers. The attackers exploited avoidable weaknesses in Yahoo's systems, such as weak password hashing (the 2013 passwords were protected with MD5), and used forged cookies and malicious scripts to gain unauthorized access. The breaches had a catastrophic impact on the company and its users once they came to light in 2016. The company drew criticism from regulators, and the SEC fined it $35 million in 2018 for failing to disclose the breach to investors sooner. It also dealt with a damaged reputation and a diminished acquisition valuation of just $4.48 billion when it was picked off by Verizon in 2017; less than a decade earlier, in 2008, the company had rejected Microsoft's $44.6 billion offer.

And, perhaps because of the delay in informing its users, individuals found themselves facing phishing attacks and identity theft risks because of their compromised information. Even today, the breach ranks as the largest in history and underscores the importance of maintaining a basic security posture, proper disclosure practices, and routine cybersecurity checkups, leaving a stark reminder of the real-world business fallout that can happen when the worst actually does happen.

When Nation-States Come Knocking: The OPM Breach

The 2015 data breach at the Office of Personnel Management (OPM), in which personal data of approximately 21.5 million current and former US government employees was stolen, ushered in a golden age of nation-state