Three landmark incidents — Stuxnet, Colonial Pipeline, and REvil/Kaseya — that changed how the industry thinks about defence. Each illustrates a different class of failure and a different lesson.
⚡ Quick Bite · 30s
Air-gap bypass via USB, PLC infiltration, and physical sabotage — the anatomy of the world's first true digital weapon.
Watch this 30-second summary before diving into the full article. Sign in to earn 5 leaderboard points.
Reading about malware types in a table builds vocabulary. Reading about real incidents builds judgement. The three cases below illustrate three different classes of failure, and each changed how the industry thinks about defence.
All three share one pattern worth noting: the technical sophistication of the initial access was inversely proportional to the damage caused. Stuxnet used four zero-days and damaged one facility. Colonial Pipeline used one stolen password and disrupted fuel supply for 17 states. Kaseya used one authentication bypass and hit 1,500 organisations. The most expensive attacks are not necessarily the most clever ones.
Stuxnet was not ordinary malware. It was a precision weapon. Discovered in June 2010 by VirusBlokAda, it exploited four separate zero-day Windows vulnerabilities in a single campaign — an investment so expensive that it pointed immediately to state sponsorship.
The worm spread via USB drives and network shares, but its payload was surgically targeted: it attacked Siemens Step 7 software running on specific Siemens S7-315 and S7-417 programmable logic controllers (PLCs) connected to variable-frequency drives operating between 807 Hz and 1210 Hz. Those parameters matched the gas centrifuge cascades at Iran's Natanz uranium enrichment facility.
Once inside the right PLC, Stuxnet subtly altered centrifuge rotation speeds, causing mechanical stress and physical damage over weeks. Meanwhile, it replayed pre-recorded "normal" sensor readings to the monitoring system, so operators saw nothing wrong. An estimated 1,000 centrifuges were damaged over several months.
| Component | Detail |
|---|---|
| Propagation | USB autorun, network shares (MS08-067), printer spooler (MS10-061) |
| Zero-days used | 4 (LNK file handling, print spooler, two privilege escalation) |
| Code signing | Stolen certificates from Realtek Semiconductor and JMicron Technology |
| Target system | Siemens S7-315/S7-417 PLCs, Step 7 SCADA software |
| Payload effect | Altered centrifuge frequency drives (807–1210 Hz range) |
| Concealment | Replayed pre-recorded sensor data to operator consoles |
| Estimated damage | ~1,000 centrifuges at Natanz |
Air-gapped networks are not immune. If malware can reach a USB port, it can reach the control system behind it. Stuxnet also cannot be classified under a single malware type — it combined worm propagation, rootkit concealment, signed drivers, and industrial sabotage code. Real-world threats do not respect taxonomy boundaries.
In May 2021, the DarkSide ransomware group compromised Colonial Pipeline — the largest refined fuel pipeline in the United States, supplying 45% of the US East Coast's fuel.
The entry point: a single VPN account belonging to a former employee. No longer in active use. Never disabled. No multi-factor authentication. The password had appeared in a separate data breach.
Once inside, the attackers:
Colonial Pipeline paid $4.4 million in Bitcoin within hours. The US Department of Justice later recovered approximately $2.3 million by tracing the Bitcoin through the blockchain.
The pipeline shut down for six days. Seventeen US states declared fuel emergencies. Panic buying emptied petrol stations across the Southeast.
The attack required no zero-day, no supply chain compromise, and no sophisticated exploit. It required one stale VPN account without MFA. The gap between "trivial to prevent" and "catastrophic in impact" is rarely illustrated so starkly.
The lesson is not technical — it is operational. Identity hygiene, offboarding procedures, and MFA enforcement would have stopped this attack completely.
In July 2021, an affiliate of the REvil (Sodinokibi) RaaS group exploited a zero-day authentication bypass (CVE-2021-30116) in Kaseya VSA — a remote monitoring and management (RMM) tool used by Managed Service Providers (MSPs).
The exploit allowed the attacker to push a malicious "software update" through the VSA agent. Because MSPs trusted VSA implicitly, the update propagated to approximately 60 MSPs and cascaded to over 1,500 downstream businesses. The payload disguised itself as a legitimate Kaseya update and excluded itself from antivirus scanning by exploiting the agent's own built-in AV exclusion policy.
REvil demanded $70 million for a universal decryptor. Individual victims received demands ranging from $44,000 to $5 million. The FBI obtained the decryption key through undisclosed means and distributed it to victims roughly three weeks later.
Supply chain attacks are disproportionately efficient. One vulnerability in one trusted tool compromised 1,500 organisations. Every RMM agent, every auto-update mechanism, and every trusted software pipeline is a potential single point of failure.
| Incident | Initial Access | Complexity | Impact Scale |
|---|---|---|---|
| Stuxnet | 4 zero-days via USB | Extreme | 1 facility, ~1,000 centrifuges |
| Colonial Pipeline | 1 stale VPN credential | Trivial | 17 states, $4.4M ransom |
| REvil/Kaseya | 1 authentication bypass | Moderate | 1,500 organisations |
The inverse relationship between technical sophistication and impact scale is consistent. Defenders who focus only on advanced technical threats miss the simpler, higher-impact attack vectors.
Sign in to mark this article as read and track your progress.