Cases
Structured case studies of significant cyber operations, analyzed across escalation, infrastructure, and governance dimensions.
36 cases
Change Healthcare Ransomware Attack
February 2024
Change Healthcare demonstrated that a single ransomware attack on a dominant healthcare intermediary can cascade into a national healthcare crisis, making the case for treating healthcare claims infrastructure as critical national infrastructure.
Volt Typhoon, US Critical Infrastructure Pre-positioning
Active since at least 2021; disclosed May 2023, with the critical infrastructure pre-positioning advisory published February 2024
Volt Typhoon represents the clearest case of peacetime pre-positioning in adversary critical infrastructure, forcing an urgent policy reckoning on whether such activity constitutes a threat of force and how states should respond to it below the threshold of armed conflict.
Microsoft Midnight Blizzard Corporate Intrusion
November 2023 – January 2024 (disclosed January 2024)
Midnight Blizzard showed that state actors will target the internal systems of foundational technology platforms, not just their customers, raising existential questions about supply chain trust and platform security accountability.
Salt Typhoon, US Telecommunications Backbone Compromise
Access established earlier; disclosed September–December 2024 (investigation and disclosures ongoing as of May 2025)
Salt Typhoon is the temporal pivot of the matched-pair argument. It is structurally similar to Belgacom (a foreign state compromising another state's telecommunications backbone) but drew a sharply higher consequence, OFAC sanctions on a named contractor, because the perpetrator sits outside the Western attributing coalition. Read alongside Belgacom and OPM, it shows the consequence axis tracking political relationship rather than technical facts; read alongside Volt Typhoon, it shows that the relationship can move within a short time horizon: sanctions followed Salt Typhoon's disclosure within months, whereas the parallel Volt Typhoon campaign, disclosed earlier, had drawn no comparable consequence.
Taiwan Telecommunications Intrusions
2022 – 2023 (disclosed 2023)
These intrusions highlight the emerging norm challenge of peacetime pre-positioning: states embedding access in adversary infrastructure for potential future use, blurring the line between espionage and preparation for attack.
Scattered Spider – MGM Resorts & Caesars Entertainment
September 2023
MGM/Caesars showed that social engineering by loosely organized criminal groups can paralyze major enterprises as effectively as sophisticated malware, exposing identity and helpdesk processes as critical policy-relevant attack surfaces.
Microsoft Storm-0558 Cloud Email Compromise
May – July 2023
Storm-0558 revealed that a single stolen signing key could be used to forge authentication tokens that crossed the boundary between consumer and enterprise identity in Microsoft's cloud, reaching US government mailboxes and making cloud identity trust a first-order national security concern.
Kyivstar Telecommunications Attack
December 2023
Kyivstar represented the most destructive cyber attack on a telecommunications provider during active conflict, demonstrating wiper-class destructive capability against civilian communication infrastructure and disrupting air-raid warning systems that depended on its network.
Viasat KA-SAT (AcidRain)
February 2022
Viasat KA-SAT was the clearest example yet of cyber attack as an opening act of war, with cross-border collateral damage that forced NATO and the EU to treat satellite infrastructure as a shared security concern.
Costa Rica Government Ransomware Attack
April – May 2022
Costa Rica showed that ransomware can effectively disable a nation's fiscal and health systems, forcing the first-ever national emergency declaration over a cyber attack and elevating ransomware to a sovereign-level threat.
Albania Government Cyber Attack
July – September 2022
Albania's decision to sever diplomatic ties over a cyber attack, backed by NATO solidarity, set a new precedent for treating destructive cyber operations as grounds for the most serious peacetime diplomatic consequences.
Industroyer2 – Ukraine Grid Attack Attempt
April 2022
Industroyer2 confirmed that grid-targeting ICS malware is now a recurring feature of armed conflict, while its successful mitigation showed that coordinated cyber defense can work under wartime conditions.
Colonial Pipeline Ransomware Attack
May 2021
Colonial Pipeline proved that criminal ransomware can trigger national-level infrastructure disruptions, collapsing the boundary between cybercrime and national security and forcing mandatory regulation of pipeline cyber defenses.
Oldsmar Water Treatment Plant Intrusion
February 2021
Oldsmar made water-system cyber risk tangible for policymakers and the public, revealing how small utilities with minimal security budgets can be exposed through remote-access tools, with public-health consequences. Later statements by a former city official suggested the event may have been an employee error rather than an external intrusion, a caveat that did not diminish its policy impact.
Microsoft Exchange Server Exploitation (Hafnium)
January – March 2021
Hafnium demonstrated how a targeted espionage operation can metastasize into a mass-compromise event affecting tens of thousands, and prompted the widest coalition cyber attribution ever directed at China.
Bangladesh e-Government Portal Intrusions
2021 – 2022
The Bangladesh e-government intrusions exemplify a pattern common across rapidly digitizing developing states: the gap between e-government ambition and cybersecurity capability creates systemic risk to citizen data and public trust in digital services.
SolarWinds (Sunburst)
March 2020 – December 2020
SolarWinds exposed systemic supply chain risk in government IT and triggered the most sweeping US cybersecurity executive order in a decade, reshaping federal procurement and zero-trust policy.
Iran Nuclear Facilities – Cyber Incidents (2020–2021)
2020 – 2021
These incidents illustrate that suspected cyber-enabled sabotage of nuclear facilities did not end with Stuxnet; the pattern persists, with implications for nonproliferation, deterrence, and the stability of diplomatic negotiations.
APT-C-23 / Gaza Cybergang Operations
2018 – 2022 (ongoing, landmark incidents)
Gaza Cybergang operations demonstrate that non-state armed groups can develop persistent cyber espionage capabilities, complicating the state-centric framework of international cyber norms and raising questions about accountability in asymmetric conflict.
Australian Parliament and Political Party Intrusions
January – February 2019
The compromise of a parliament and major parties during an election cycle demonstrated that cyber espionage against democratic institutions is a live risk, even when the collected intelligence is never publicly weaponized.
Thailand Election Infrastructure Targeting
2019
The Thailand election targeting illustrates that electoral cyber interference extends beyond the frequently studied US and European cases, affecting democratically transitional states where institutional resilience is lowest and stakes are highest.
Ecuador Citizen Data Exposure
September 2019 (disclosed)
The Ecuador data exposure demonstrates that state failure to secure contracted civilian data systems can produce population-scale privacy crises, illustrating data sovereignty as a governance challenge distinct from but parallel to offensive cyber threats.
India–Pakistan Cyber Operations
2016 – 2019 (multiple incidents)
India-Pakistan cyber operations represent the most documented case of sustained reciprocal cyber espionage between regional nuclear-armed adversaries, demonstrating that cyber conflict dynamics extend well beyond the US-Russia-China axis.
Cloud Hopper / APT10 Managed Service Provider Campaign
Active circa 2014 – publicly disclosed April 2017; indictment December 2018
Cloud Hopper is the strongest pre-2024 data point on the indictment-without-sanctions cell at allied scale. It shows that even a broadly coordinated Five-Eyes-plus public-naming exercise against a PRC MSS contractor model did not, in 2018, escalate to OFAC sanctions. Read forward to Salt Typhoon (Jan 2025 OFAC sanctions on a comparable PRC contractor), it provides the time-series evidence that the consequence baseline for China-attributed espionage shifted in the 2024–2025 window, and that the shift was a political choice rather than a response to new technical facts.
NotPetya
June 2017
NotPetya demonstrated that a cyber weapon aimed at one country can inflict billions in collateral damage worldwide, making it a landmark case for debating proportionality, state responsibility, and the limits of deniability in cyber conflict.
WannaCry Ransomware
May 2017
WannaCry exposed how a leaked intelligence exploit can cascade into a global healthcare crisis, sharpening the policy debate on vulnerability disclosure and the duty to protect civilian systems.
Ukraine Power Grid Attack (2016 / Industroyer)
December 2016
Industroyer represented a generational leap in ICS malware sophistication, a modular, protocol-aware weapon that signaled the industrialization of grid-targeted cyber capabilities.
Bangladesh Bank SWIFT Heist
February 2016
The Bangladesh Bank heist revealed that the global financial messaging system's security depended on its weakest endpoint, and that state actors would exploit that gap to fund sanctioned programs.
Ukraine Power Grid Attack (2015)
December 2015
Ukraine 2015 was the first confirmed cyber-caused power outage, turning a theoretical risk into an operational reality that reshaped how governments defend energy grids.
OPM Data Breach
2014 – disclosed June 2015
OPM is the structural pair to SolarWinds: both are large-scale espionage operations against the US federal government, both with high-confidence state attribution, both producing extensive intelligence loss. SolarWinds drew sanctions and expulsions; OPM drew none. Holding the two together isolates the political variable from the technical and consequential variables.
Sony Pictures Entertainment Hack
November – December 2014
Sony Pictures showed that a state can weaponize cyber operations to coerce a private company and suppress speech, raising urgent questions about where corporate cybersecurity meets national security.
Belgacom / Operation Socialist
circa 2010 – disclosed September 2013
Belgacom is the strongest case in the dataset for the proposition that consequence in cyber conflict is determined by political relationship rather than by technical certainty. The forensic and documentary evidence base was as strong as in most cases coded 'confirmed'; the consequence was zero. Holding Belgacom alongside Salt Typhoon, a structurally similar telecom-backbone operation attributed to an adversary that drew OFAC sanctions, isolates the political variable.
APT1 / PLA Unit 61398 Economic Espionage
2006 – disclosed February 2013; indictment May 2014
APT1 is the foundational test case for indictment-as-signal in cyber statecraft. It demonstrates that the United States is willing to publicly name uniformed foreign military personnel, but that this willingness does not, on its own, translate into sanctions or any other coercive consequence. Read alongside Sandworm (indictment plus sanctions) and Salt Typhoon (sanctions on PRC contractor), it shows that the indictment-to-sanctions step is a discretionary political choice, not an automatic escalation.
Saudi Aramco Shamoon Attack
August 2012
Shamoon was the first large-scale destructive attack against a critical energy company, demonstrating that states could use wiper malware to inflict strategic economic signaling without kinetic force.
Flame / Flamer
Active circa 2007 – disclosed May 2012
Flame and Stuxnet together demonstrate the consistent floor of the protected-actor cell: even when technical assessment is strong and the operation is operationally consequential, attribution to an allied state does not, in practice, draw the public-attribution machinery (joint statements, sanctions, indictments). The consistency of this floor across multiple cases is what makes the matched-pair comparison with Salt Typhoon and OPM analytically informative.
Stuxnet
circa 2007 – 2010
Stuxnet proved that software alone can destroy physical infrastructure, fundamentally changing how states, lawyers, and strategists think about the threshold between cyber operations and armed conflict.