# Equation Group

**en.wikipedia.org/wiki/Equation_Group**

Contributors to Wikimedia projects

| Equation Group | |
| --- | --- |
| **Type** | [Advanced persistent threat](https://en.wikipedia.org/wiki/Advanced_persistent_threat) |
| **Location** | [United States](https://en.wikipedia.org/wiki/United_States) |
| **Products** | [Stuxnet](https://en.wikipedia.org/wiki/Stuxnet), [Flame](https://en.wikipedia.org/wiki/Flame_(malware)), [EternalBlue](https://en.wikipedia.org/wiki/EternalBlue) |
| **Parent organization** | [National Security Agency](https://en.wikipedia.org/wiki/National_Security_Agency), [Signals Intelligence Directorate](https://en.wikipedia.org/w/index.php?title=Signals_Intelligence_Directorate&action=edit&redlink=1), [Tailored Access Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations) |

The Equation Group, classified as an [advanced persistent threat](https://en.wikipedia.org/wiki/Advanced_persistent_threat), is a highly sophisticated [threat actor](https://en.wikipedia.org/wiki/Threat_(computer)#Threat_agents_or_actors) suspected of being tied to the Tailored Access Operations (TAO) unit of the [United States](https://en.wikipedia.org/wiki/United_States) [National Security Agency](https://en.wikipedia.org/wiki/National_Security_Agency) (NSA).[1][2][3] [Kaspersky Labs](https://en.wikipedia.org/wiki/Kaspersky_Labs) describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced ... we have seen", operating alongside the creators of [Stuxnet](https://en.wikipedia.org/wiki/Stuxnet) and [Flame](https://en.wikipedia.org/wiki/Flame_(malware)).[4][5] Most of their targets have been in [Iran](https://en.wikipedia.org/wiki/Iran), [Russia](https://en.wikipedia.org/wiki/Russia), [Pakistan](https://en.wikipedia.org/wiki/Pakistan), [Afghanistan](https://en.wikipedia.org/wiki/Afghanistan), [India](https://en.wikipedia.org/wiki/India), [Syria](https://en.wikipedia.org/wiki/Syria), and [Mali](https://en.wikipedia.org/wiki/Mali).[5]

The name originated from the group's extensive use of encryption. By 2015, Kaspersky documented 500 [malware](https://en.wikipedia.org/wiki/Malware) infections by the group in at least 42 countries, while acknowledging that the actual number could be in the tens of thousands due to its self-terminating protocol.[5][6]

In 2017, WikiLeaks [published a discussion](https://en.wikipedia.org/wiki/Vault_7) held within the CIA on how it had been possible to identify the group.[7] One commenter wrote that "the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools" used for hacking.[8]

## Discovery

At the Kaspersky Security Analysts Summit held in Mexico on February 16, 2015, Kaspersky Lab announced its discovery of the Equation Group. According to Kaspersky Lab's report, the group has been active since at least 2001, with more than 60 actors.[9] The malware used in their operations, dubbed EquationDrug and GrayFish, is found to be capable of reprogramming [hard disk drive](https://en.wikipedia.org/wiki/Hard_disk_drive) [firmware](https://en.wikipedia.org/wiki/Firmware).[4] Because of the advanced techniques involved and high degree of covertness, the group is suspected of ties to the NSA, but Kaspersky Lab has not identified the actors behind the group.
## Probable links to Stuxnet and the NSA

In 2015, Kaspersky's research findings on the Equation Group noted that its loader, "Grayfish", had similarities to a previously discovered loader, "Gauss",[\[repository\]](https://github.com/loneicewolf/Gauss-Src) from another attack series, and separately noted that the Equation Group used two zero-day attacks later used in [Stuxnet](https://en.wikipedia.org/wiki/Stuxnet); the researchers concluded that "the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the EQUATION group and the Stuxnet developers are either the same or working closely together".[10]: 13

### Firmware

They also identified that the platform had at times been spread by [interdiction](https://en.wikipedia.org/wiki/Interdiction) (interception of legitimate CDs sent by a scientific conference organizer by [mail](https://en.wikipedia.org/wiki/Mail)),[10]: 15 and that the platform had the "unprecedented" ability to infect and be transmitted through the [hard drive](https://en.wikipedia.org/wiki/Hard_drive) [firmware](https://en.wikipedia.org/wiki/Firmware) of several major hard drive manufacturers, and create and use hidden disk areas and virtual disk systems for its purposes, a feat which would require access to the manufacturer's [source code](https://en.wikipedia.org/wiki/Source_code) to achieve,[10]: 16–18 and that the tool was designed for surgical precision, going so far as to exclude specific countries by IP and allow targeting of specific usernames on [discussion forums](https://en.wikipedia.org/wiki/Discussion_forum).[10]: 23–26

### Codewords and timestamps

The NSA codewords "STRAITACID" and "STRAITSHOOTER" have been found inside the malware. In addition, [timestamps](https://en.wikipedia.org/wiki/Timestamps) in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to a 08:00–17:00 (8:00 AM - 5:00 PM) workday in an Eastern United States time zone.[11]

### The LNK exploit

Kaspersky's global research and analysis team, otherwise known as GReAT, claimed to have found a piece of malware that contained Stuxnet's "privLib" in 2008.[12] Specifically, it contained the LNK exploit found in Stuxnet in 2010. Fanny is classified as a worm that affects certain [Windows](https://en.wikipedia.org/wiki/Microsoft_Windows) operating systems and attempts to spread laterally via network connection or [USB](https://en.wikipedia.org/wiki/Universal_Serial_Bus) storage.[repository] Kaspersky stated that they suspect that the Equation Group has been around longer than Stuxnet, based on the recorded compile time of Fanny.[4]

### Link to IRATEMONK

*Figure: The NSA's listing of its [Tailored Access Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations) program named IRATEMONK from the [NSA ANT catalog](https://en.wikipedia.org/wiki/NSA_ANT_catalog).*

[F-Secure](https://en.wikipedia.org/wiki/F-Secure) claims that the Equation Group's malicious hard drive firmware is [TAO program](https://en.wikipedia.org/wiki/Tailored_Access_Operations) "IRATEMONK",[13] one of the items from the [NSA ANT catalog](https://en.wikipedia.org/wiki/NSA_ANT_catalog) exposed in a 2013 *Der Spiegel* article. IRATEMONK provides the attacker with an ability to have their software application persistently installed on desktop and laptop computers, despite the disk being [formatted](https://en.wikipedia.org/wiki/Disk_formatting), its [data erased](https://en.wikipedia.org/wiki/Data_erasure) or the operating system re-installed. It infects the hard drive firmware, which in turn adds instructions to the disk's [master boot record](https://en.wikipedia.org/wiki/Master_boot_record) that cause the software to install each time the computer is [booted up](https://en.wikipedia.org/wiki/Booting).[14] It is capable of infecting certain hard drives from [Seagate](https://en.wikipedia.org/wiki/Seagate_Technology), [Maxtor](https://en.wikipedia.org/wiki/Maxtor), [Western Digital](https://en.wikipedia.org/wiki/Western_Digital), [Samsung](https://en.wikipedia.org/wiki/Samsung),[14] [IBM](https://en.wikipedia.org/wiki/IBM), [Micron Technology](https://en.wikipedia.org/wiki/Micron_Technology) and [Toshiba](https://en.wikipedia.org/wiki/Toshiba).[4]

## 2016 breach of the Equation Group

In August 2016, a hacking group calling itself "[The Shadow Brokers](https://en.wikipedia.org/wiki/The_Shadow_Brokers)" announced that it had stolen malware code from the Equation Group.[15] Kaspersky Lab noticed similarities between the stolen code and earlier known code from the Equation Group malware samples it had in its possession, including quirks unique to the Equation Group's way of implementing the [RC6](https://en.wikipedia.org/wiki/RC6) encryption algorithm, and therefore concluded that this announcement is legitimate.[16] The most recent dates of the stolen files are from June 2013, thus prompting Edward Snowden to speculate that a likely lockdown resulting from his leak of the NSA's global and domestic surveillance efforts stopped The Shadow Brokers' breach of the Equation Group.
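The working-hours inference described under "Codewords and timestamps" can be reproduced on any set of compile timestamps. The following is an added example, not code from Kaspersky's report or the original article: it reads the PE `TimeDateStamp` field and scores each candidate UTC offset by the share of stamps falling on Monday–Friday between 08:00 and 17:00 local time. The sample stamps, the stub image and the 1995 plausibility floor are constructed assumptions.

```python
import struct
import time
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 17  # 08:00-17:00 local, the window named in the article
EARLIEST = int(datetime(1995, 1, 1, tzinfo=timezone.utc).timestamp())  # assumed floor


def pe_timestamp(data):
    """Read the 32-bit TimeDateStamp from the COFF header of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 12 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE header missing or truncated")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the stamp.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def plausible(ts, latest=None):
    """Drop zeroed, ancient or future stamps; link timestamps are easy to forge."""
    return EARLIEST <= ts <= (time.time() if latest is None else latest)


def in_workday(ts, offset_hours):
    """True if ts falls Mon-Fri inside the work window at the given UTC offset."""
    local = datetime.fromtimestamp(ts, tz=timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(timestamps, offsets=range(-12, 15)):
    """Map each UTC offset to the fraction of plausible stamps inside the window."""
    stamps = [t for t in timestamps if plausible(t)]
    if not stamps:
        raise ValueError("no plausible timestamps")
    return {o: sum(in_workday(t, o) for t in stamps) / len(stamps) for o in offsets}


def best_offsets(timestamps, tolerance=0.0):
    """Return every offset within `tolerance` of the top score, plus that score.

    Several offsets can tie when the samples do not span the whole workday, and
    fixed offsets ignore daylight saving (US Eastern is UTC-5 or UTC-4), so the
    result is a range of candidate time zones, not an attribution.
    """
    scores = score_offsets(timestamps)
    top = max(scores.values())
    return sorted(o for o, s in scores.items() if top - s <= tolerance), top


def sample_timestamps():
    """Constructed data: three builds per day, Mon 5 to Fri 9 Jan 2009, at UTC-5."""
    est = timezone(timedelta(hours=-5))
    return [
        int(datetime(2009, 1, day, hh, mm, tzinfo=est).timestamp())
        for day in range(5, 10)
        for hh, mm in ((8, 5), (12, 30), (16, 55))
    ]


def make_stub(stamp):
    """Constructed minimal MZ/PE header carrying `stamp` (not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, stamp)


if __name__ == "__main__":
    images = [make_stub(t) for t in sample_timestamps()]
    stamps = [pe_timestamp(img) for img in images] + [0, 0xFFFFFFFF]  # two bogus
    offsets, score = best_offsets(stamps)
    print(f"best UTC offsets {offsets} with {score:.0%} of builds in working hours")
```

A high score for one offset only shows that the stamps are consistent with that time zone; stamps can be set deliberately, so the result is corroborating evidence at most.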
Exploits against [Cisco Adaptive Security Appliances](https://en.wikipedia.org/wiki/Cisco_Adaptive_Security_Appliance) and [Fortinet](https://en.wikipedia.org/wiki/Fortinet)'s firewalls were featured in some malware samples released by The Shadow Brokers.[17] EXTRABACON, a Simple Network Management Protocol exploit against Cisco's ASA software, was a [zero-day exploit](https://en.wikipedia.org/wiki/Zero-day_(computing)) as of the time of the announcement.[17] Juniper also confirmed that its NetScreen firewalls were affected.[18] The [EternalBlue](https://en.wikipedia.org/wiki/EternalBlue) exploit was used to conduct the damaging worldwide [WannaCry ransomware attack](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack).

## See also

- [Global surveillance disclosures (2013–present)](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present))
- [United States intelligence operations abroad](https://en.wikipedia.org/wiki/United_States_intelligence_operations_abroad)
- [Firmware hacking](https://en.wikipedia.org/wiki/Firmware#Firmware_hacking)

## References

1. Fox-Brewster, Thomas (February 16, 2015). "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". [Forbes](https://en.wikipedia.org/wiki/Forbes). Retrieved November 24, 2015.
2. Menn, Joseph (February 17, 2015). "Russian researchers expose breakthrough U.S. spying program". [Reuters](https://en.wikipedia.org/wiki/Reuters). Retrieved November 24, 2015.
3. ^
4. GReAT (February 16, 2015). ["Equation: The Death Star of Malware Galaxy"](https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/). Securelist.com. [Kaspersky Lab](https://en.wikipedia.org/wiki/Kaspersky_Lab). Retrieved August 16, 2016. SecureList, Costin Raiu (director of Kaspersky Lab's global research and analysis team): "It seems to me Equation Group are the ones with the coolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."
5. Goodin, Dan (February 16, 2015). "How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last". [Ars Technica](https://en.wikipedia.org/wiki/Ars_Technica). Retrieved November 24, 2015.
6. Kirk, Jeremy (17 February 2015). "Destroying your hard drive is the only way to stop this super-advanced malware". [PCWorld](https://en.wikipedia.org/wiki/PCWorld). Retrieved November 24, 2015.
7. Goodin, Dan (7 March 2017). "After NSA hacking exposé, CIA staffers asked where Equation Group went wrong". [Ars Technica](https://en.wikipedia.org/wiki/Ars_Technica). Retrieved 21 March 2017.
8. ["What did Equation do wrong, and how can we avoid doing the same?"](https://wikileaks.org/ciav7p1/cms/page_14588809.html). Vault 7. [WikiLeaks](https://en.wikipedia.org/wiki/WikiLeaks). Retrieved 21 March 2017.
9. ["Equation Group: The Crown Creator of Cyber-Espionage"](http://www.kaspersky.com/about/news/virus/2015/Equation-Group-The-Crown-Creator-of-Cyber-Espionage). Kaspersky Lab. February 16, 2015. Retrieved November 24, 2015.
10. ["Equation Group: Questions and Answers (Version: 1.5)" (PDF)](https://web.archive.org/web/20150217023145/https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf). Kaspersky Lab. February 2015. Archived from [the original](https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf) (PDF) on February 17, 2015. Retrieved November 24, 2015.
11. Goodin, Dan (March 11, 2015). "New smoking gun further ties NSA to omnipotent "Equation Group" hackers". Ars Technica. Retrieved November 24, 2015.
12. ["A Fanny Equation: "I am your father, Stuxnet""](https://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/). Kaspersky Lab. February 17, 2015. Retrieved November 24, 2015.
13. ["The Equation Group Equals NSA / IRATEMONK"](https://www.f-secure.com/weblog/archives/00002791.html). [F-Secure](https://en.wikipedia.org/wiki/F-Secure) Weblog : News from the Lab. February 17, 2015. Retrieved November 24, 2015.
14. Schneier, Bruce (January 31, 2014). ["IRATEMONK: NSA Exploit of the Day"](https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html). Schneier on Security. Retrieved November 24, 2015.
15. Goodin, Dan (August 15, 2016). "Group claims to hack NSA-tied hackers, posts exploits as proof". Ars Technica. Retrieved August 19, 2016.
16. Goodin, Dan (August 16, 2016). "Confirmed: hacking tool leak came from "omnipotent" NSA-tied group". Ars Technica. Retrieved August 19, 2016.
17. Thomson, Iain (August 17, 2016). "Cisco confirms two of the Shadow Brokers' 'NSA' vulns are real". [The Register](https://en.wikipedia.org/wiki/The_Register). Retrieved August 19, 2016.
18. Pauli, Darren (August 24, 2016). "Equation Group exploit hits newer Cisco ASA, Juniper Netscreen". [The Register](https://en.wikipedia.org/wiki/The_Register). Retrieved August 30, 2016.

## External links

- [Wikimedia Commons has media related to Equation Group.](https://commons.wikimedia.org/wiki/Category:Equation_Group)
- [Equation Group: Questions and Answers](https://web.archive.org/web/20150217023145/https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf) by [Kaspersky Lab](https://en.wikipedia.org/wiki/Kaspersky_Lab), Version: 1.5, February 2015
- [A Fanny Equation: "I am your father, Stuxnet"](https://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) by [Kaspersky Lab](https://en.wikipedia.org/wiki/Kaspersky_Lab), February 2015
- [fanny.bmp source - at GitHub, November 30, 2020](https://github.com/loneicewolf/fanny.bmp)
- [Technical Write-up - at GitHub, February 10, 2021](https://github.com/loneicewolf/fanny.bmp/blob/main/Reports/Fanny.BMP(DementiaWheel)_Technical_Report_By_WilliamMartens-2021-10Feb.pdf)