Skip to content ↓ | Skip to navigation ↓

The 2014 Verizon Data Breach Investigations Report (DBIR) is out. Although many notable security reports are issued each year, this one has been the leader in the field for ten years now, and a must-read for any security professional.

This year, Wade Baker, Jay Jacobs, and the team have taken the prior ten years of research data, normalized as much as possible, and found some very interesting patterns applying big data analytics to the data. Bravo! In summary – nine attack patterns, overlaid onto eight industries, with three key attack types standing tall. More on that research in a different post.

There are so many points to cull from the research that this has to be just the first post of several. I wanted to start with their chronology for 2013 because it’s such a comprehensive view of the year’s breach “highlights?”  In the report writers’ own words:


Here’s a fast-read summary:

JANUARY – State-Sponsored Actors

  • Red October cyber-espionage campaign targeting government and institutions globally
    • Focused in Russian-speaking countries
    • Connected to actors using the Elderwood framework
  • Boxing Day 2012 start of complex “watering hole” attacks on Council on Foreign Relations (
  • Operation Ababil Distributed Denial of Service (DDoS) attacks on U.S. financial services companies
    • “Phase II” by the  Izz ad-Din al-Qassam Cyber Fighters (QCF)

FEBRUARY – Enter New POS Breaches

  • New reports of targeted cyber-espionage by New York Times and Wall Street Journal
  • Sophos reported a new Citadel-based Trojan crafted to attack Point-of-Sale (POS) systems using a Canadian payment card processor
  • became a watering hole using a surprise attack on Java
  • Mandiant (now part of FireEye) released its APT1 report
  • Reports of data breaches from large enterprises, courtesy of the iPhoneDevSDK: Facebook, Twitter, Apple, and Microsoft – all victims
  • Retailer POS data breaches reported by Bashas’ and Sprouts, two different grocery chains in the U.S.
  • Bit9 reported a data breach that began in July 2012, attacking its code-signing infrastructure

MARCH – POS Trojan Surfaces Publicly – Later Seen In Target Breach in December

  • Fifty million Evernote users forced to change their passwords
  • The Republic of Korea suffered a large-scale cyber-attack that included disk corruption
  • The Cyberbunker-CloudFlare-Spamhaus DoS attack
  • Group-IB reported “Dump Memory Grabber” (a.k.a. BlackPOS), a new POS Trojan (same one used at Target)

APRIL – AP’s Twitter Account Hijacked

  • Grocery retailer, Schnucks, reported a POS data breach
  • The Syrian Electronic Army (SEA) hijacked the Associated Press’ Twitter account sending a tweet reporting an explosion at the White House Wall Street repercussions
  • Operation Ababil’s DoS attacks continued on several European banks to the QCF (though Verizon’s report says that OSINT (Open Source Intelligence) can’t really confirm

MAY – More Cyber-Espionage

  • QinetiQ and the U.S. Army Corps of Engineers reported cyber-espionage
  • The SEA hijacked the Twitter accounts of both The Guardian and The Financial Times
  • U.S. nuclear weapons researchers targeted for cyber-espionage using a watering hole attack, probably China
  • More cyber-espionage: Operation Hangover targeting Pakistan, Safe, targeting Mongolia, and Sunshop actors against Tibetan activists
  • Liberty Reserve (go-to Bank for cyber-criminals) shut down by the U.S. Department of Justice


  • U.S. grocer Raley’s reported its payment card systems were breached
  • NetTraveller, a global cyber-espionage campaign targeting diplomats not aligned with China
  • Edward Snowden’s first intelligence leak published by The Guardian
  • InfoSec intelligence became the “All-Snowden-All-the-Time” channel

JULY – Largest Retailer Data Breach Yet – POS Continues

  • Harbor Freight, a U.S. tool vendor with 445 stores and nearly 200 million customers was breached
    • (Verizon notes that we still don’t know how many records were compromised)
    • I’ll add that this month both Roy’s retail restaurants and in May, MAPCO Express convenience stores publicly announced their POS breaches though both occurring earlier in the year and Roy’s started with a desktop PC and phishing
    • The QCF initiated Phase IV of Operation Ababil (DDos)
    • The SEA breached Viber, Tango, and the Daily Dot (Twitter account hijacks)
    • Heartland and Global Payments breaches from prior years now saw four Russions and one Ukrainian indicted by the U.S.Department of Justice

AUGUST – Syrian Electronic Army – Continuing Twitter Hijacks on Media

  • The SEA hijacked the Twitter accounts of CNN, The Washington Post, Time Magazine, SocialFlow, and both The New York Times and New York Post
  • Cyber-espionage by Calc Team actors targeting G-8 Summit in St. Petersburg, Russia

SEPTEMBER – Bit9 Attack Linked to Others, and Cryptolocker Extortions

  • Vodafone notified two million customers their personal and financial information was breached
  • Espionage reports involving the EvilGrab Trojan and separately the Hidden Lynx actors who do both espionage and cybercrime
  • Bit9 attack (from February) linked with Operation Deputy Dog, Hidden Lynx
  • Watering hole attacks on Japanese financial institutions
  • Brian Krebs began reporting on intelligence extracted from ssndob[dot]ms – a location for stolen data from some of the U.S’s largest data brokers: Lexis-Nexis, Dun & Bradstreet, and Kroll
  • Cryptolocker surfaced extortions from victims willing to pay for decryption of their essential files

OCTOBER – Adobe=ssndob[dot]ms and Nordstrom POS Skimmers

  • Adobe announced its systems had been breached; eventually 38 million accounts were identified as affected.  Intelligence connected this to the ssndob[dot]ms actors.
  • Nordstrom, discovered skimmers on some of its cash registers
  • Two of 2013’s big wins –
    • Dmitry “Paunch” Fedotov, the actor responsible for the Blackhole exploit kit was arrested in Russia
    • Silk Road, an online fraud bazaar, was taken down

NOVEMBER – Largest Bitcoin Heist to Date

  • Banking malware evolved with reports of Neverquest and another version of IceIX
  • BIPS, a major European bitcoin payment processor, was the victim of one of the largest bitcoin heists recorded up to that point in time

DECEMBER – Infosec Became the “All-Target-All-the-Time” Channel

  • Operation Ke3chang targeted foreign ministries in European countries for cyber-espionage
  • Washington Post reported its second breach of the year
  • Infosec intelligence became the “All-Target-All-the-Time” channel
    • Though Verizon notes that Target’s breach was half the size of Heartland and three-fourths the size of TJX it’s due to become the event for which 2013 will always be remembered

In hindsight, it’s apparent that 2013 was the year of breach discoveries with notable reports on espionage (our own included ala Snowden reports), and POS via malware. Breach discovery lagged the breaches themselves by significant amounts of time (2013’s DBIR instructed that this factor alone was the place to focus attention and spend.

Recommendation that dollars shift from “Prevention” measures to “Detection” because it’s not a question of “if” it’s a question of “when” you discover you’ve been breached. Their point bears out.


Related Articles:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


Title image courtesy of ShutterStock