Technical terms, hacker slang, threat actor designations, and industry jargon — drawn directly from the hacks.
AES (Advanced Encryption Standard)
A symmetric block cipher adopted as a federal standard by NIST in 2001. WannaCry used AES-128 to encrypt victim files, with the session key itself protected by RSA-2048.
Air Gap
A security measure that physically isolates a computer or network from unsecured networks, including the public internet. Natanz's air-gapped environment was circumvented by Stuxnet via infected USB drives.
ALPHV / BlackCat
A Russian-speaking ransomware-as-a-service group assessed to be the evolutionary successor of DarkSide and BlackMatter — the same lineage responsible for Colonial Pipeline. Notable for using Rust-based ransomware (unusual in the ecosystem), a "triple extortion" model, and a high-profile exit scam in March 2024 in which the group faked an FBI seizure after collecting a $22M ransom from Change Healthcare, disappearing without paying their own affiliate.
Apache Struts
An open-source Java web application framework. CVE-2017-5638, a critical CVSS 10.0 remote code execution vulnerability in Struts' file upload handler, was the attack vector used to breach Equifax in 2017. A patch was available 78 days before Equifax was compromised — it had simply not been applied.
APT (Advanced Persistent Threat)
A designation for a sophisticated, typically state-sponsored threat actor that gains unauthorized access to networks and remains undetected for extended periods, pursuing strategic intelligence or destructive objectives. Examples include APT29 (Russia/SVR) and APT17/Elderwood (China/PLA).
APT1 / Comment Crew (PLA Unit 61398)
A Chinese state-sponsored threat actor operating from a twelve-story building in Shanghai's Pudong district, attributed to PLA Unit 61398. Mandiant's landmark 2013 report documented APT1's systematic theft of intellectual property from over 140 organizations. Responsible for the RSA SecurID breach, which led to follow-on attacks against Lockheed Martin and other defense contractors.
APT10 / Deep Panda / Stone Panda
A Chinese Ministry of State Security-affiliated threat actor responsible for the OPM breach (21.5M SF-86 clearance files), the Anthem health insurance breach (78.8M records), and Operation Cloud Hopper — a campaign targeting managed IT service providers globally to reach their government and defense clients. Named APT10 by Mandiant; indicted by the DOJ in 2018.
APT29 / Cozy Bear / Nobelium
Russia's Foreign Intelligence Service (SVR) cyber unit. Known for exceptionally long dwell times and living-off-the-land tradecraft. Responsible for the SolarWinds SUNBURST supply chain compromise and the 2016 DNC hack.
ARPANET
Advanced Research Projects Agency Network — the precursor to the modern internet, funded by the US Department of Defense. The Morris Worm propagated across ARPANET in 1988.
ATM Jackpotting
An attack in which criminals install malware or custom hardware on an ATM to force it to dispense cash on command. Carbanak operatives used jackpotting as one of several cash-out mechanisms, programming ATMs at compromised banks to eject their full cassette loads at precise times while waiting money mules collected the bills.
Big Game Hunting
A ransomware strategy of targeting large enterprises, government agencies, and critical infrastructure rather than individuals — maximizing ransom potential at the cost of increased law enforcement attention. DarkSide was a prominent big game hunting operation.
Blind Signing
Approving a cryptographic transaction based on what a software interface displays rather than independently verifying the raw transaction bytes. Hardware wallets show a human-readable summary of what they are asked to sign, but that summary is generated by the connected software. If the software has been compromised — as in the Bybit attack, where Safe{Wallet}'s JavaScript was modified — the displayed summary can differ from the actual transaction being signed. Blind signing was the technical mechanism that enabled the $1.5 billion Bybit theft.
Blue Box
An electronic device that reproduced the 2600 Hz tone used by AT&T's long-distance switching network to seize trunk lines, allowing callers to place free long-distance and international calls. Blue boxes were the signature tool of 1970s phone phreakers and were built and used by Kevin Mitnick early in his career — their discovery by phone company security teams sparked his first serious legal trouble.
Botnet
A network of internet-connected devices infected with malware and controlled by a central command-and-control server. Botnet operators issue commands to all enslaved devices simultaneously — typically for DDoS attacks, spam, or credential stuffing. Mirai assembled approximately 600,000 IoT devices and used them to take down Dyn DNS.
Buffer Overflow
A vulnerability that occurs when a program writes more data to a buffer than it can hold, overwriting adjacent memory. The Morris Worm exploited a buffer overflow in the fingerd daemon to hijack execution on remote hosts.
Bug Bounty
A program offered by organizations that rewards security researchers for responsibly disclosing vulnerabilities. Uber's security leadership abused the bug bounty concept in 2016 — paying extortionists $100,000 through HackerOne and framing the payment as a legitimate reward to conceal a breach from regulators. The Uber case established that bug bounty programs cannot be used to launder criminal extortion payments.
Bureau 121
North Korea's elite cyber operations unit, operating under the Reconnaissance General Bureau. Bureau 121 is the organizational home of the Lazarus Group, responsible for the Sony Pictures attack, WannaCry, the Bangladesh Bank SWIFT heist, and billions of dollars in cryptocurrency theft.
CALEA (Communications Assistance for Law Enforcement Act)
A 1994 US law requiring telecommunications carriers to build and maintain technical capability for court-authorized government surveillance — the "lawful intercept" infrastructure. CALEA compliance created a centralized, privileged access point within every US carrier network. Operation Aurora specifically targeted Google's CALEA surveillance infrastructure, and Salt Typhoon exploited carrier CALEA infrastructure to intercept presidential campaign communications and senior US government officials' calls and texts, demonstrating that surveillance backdoors built for government use are also attack surfaces for adversaries.
Call Detail Records (CDRs)
Metadata generated by telecommunications networks recording who called whom, when, for how long, and from which cell tower or IP address. CDRs do not contain call content but yield powerful intelligence: organizational structures, personal relationships, political networks, and operational rhythms can be reconstructed from CDR analysis alone. Salt Typhoon exfiltrated CDRs for tens of millions of Americans via access to carrier CALEA infrastructure.
Carding
The practice of trafficking stolen payment card data — either buying, selling, or using card numbers, Track 2 data, and associated credentials for fraudulent purchases. Underground carding markets, such as the one operated under the Rescator handle, systematically sold cards stolen from Target and other retail breaches.
CERT (Computer Emergency Response Team)
An organization dedicated to coordinating responses to cybersecurity incidents. The first CERT was established at Carnegie Mellon University in 1988 by DARPA in direct response to the Morris Worm.
CFAA (Computer Fraud and Abuse Act)
US federal law enacted in 1986 criminalizing unauthorized access to computer systems. Robert Tappan Morris became the first person convicted under the CFAA following the 1988 Morris Worm incident.
CISA (Cybersecurity and Infrastructure Security Agency)
A US federal agency responsible for protecting critical infrastructure and coordinating cybersecurity response. CISA investigated the Colonial Pipeline breach, co-authored the SolarWinds advisory, and issued Emergency Directive 21-03 requiring federal agencies to both patch Microsoft Exchange and actively hunt for web shells planted by HAFNIUM.
Citizen Lab
An interdisciplinary research laboratory based at the Munk School of Global Affairs, University of Toronto, that investigates digital threats targeting civil society, journalists, and NGOs. Citizen Lab researchers Ronald Deibert, Nart Villeneuve, and colleagues were the first to publicly expose GhostNet in 2009, after a 10-month investigation that traced its command-and-control infrastructure to Hainan Island, China.
Cl0p (TA505)
A Russian-speaking cybercriminal group tracked as TA505 (Proofpoint), LACE TEMPEST (Microsoft), and Dungeon Spider (CrowdStrike). Known for a distinctive operational pattern: acquire a zero-day in a managed file transfer platform, sit on it, then mass-exploit thousands of organizations in a single coordinated campaign window. Responsible for the Accellion FTA (2020–21), GoAnywhere (2023), and MOVEit Transfer (2023) mass exploitation campaigns.
Code-Signing (CI/CD Segregation)
The security practice of physically and logically isolating hardware security module (HSM) signing agents from automated continuous integration and deployment pipelines. When CI/CD automation has direct access to production code-signing infrastructure, a compromise of the build pipeline grants an attacker the ability to sign malicious software with legitimate organizational certificates. The Stryker attack exploited this: access to the CI/CD pipeline included access to the HSM signing agent, allowing a Sandworm-attributed firmware wiper to be signed with a valid Stryker certificate and accepted by all 340 SmartLink gateways.
Code-Signing Certificate
A digital certificate that authenticates the publisher of software and verifies that code has not been tampered with. Stuxnet used legitimate certificates stolen from Realtek Semiconductor and JMicron Technology to make its malicious drivers appear trusted.
Command and Control (C2)
Infrastructure used by attackers to communicate with and direct compromised systems. Also written as C&C. Nation-state implants like those used in Operation Aurora maintained encrypted C2 channels to exfiltrate data over extended dwell periods.
Cookie Forging
The creation of fraudulent authentication cookies that impersonate a legitimate user's session without requiring their password. Attackers who obtained Yahoo's proprietary forged cookie generation tool could create valid session cookies for any of Yahoo's three billion accounts, enabling persistent account access that bypassed two-factor authentication entirely.
Credential Stuffing
The automated injection of stolen username-and-password pairs from one breach into login portals of other services at scale, exploiting widespread password reuse. The 117 million LinkedIn credentials leaked in 2012 fueled years of credential-stuffing campaigns across the web.
Cryptoworm
Malware that combines ransomware encryption with a self-replicating worm propagation engine, spreading autonomously without requiring any user interaction. WannaCry was a cryptoworm — it scanned the internet for vulnerable hosts and deployed itself via EternalBlue.
CVE (Common Vulnerabilities and Exposures)
A standardized identifier assigned to publicly disclosed cybersecurity vulnerabilities. CVE-2017-0144 is the identifier for the SMBv1 vulnerability exploited by EternalBlue. CVE-2010-0249 was the Internet Explorer zero-day used in Operation Aurora.
Dark Web
Overlay networks, typically accessed through Tor, that are not indexed by conventional search engines and require special software. Ransomware groups operate payment portals and data leak sites on the dark web. Colonial Pipeline's stolen credentials were found in dark web password dumps.
DarkSide
A Russian-speaking ransomware-as-a-service group that operated from approximately August 2020 to May 2021. Conducted the Colonial Pipeline attack. Publicly positioned itself as professional criminals with a code of conduct — a positioning destroyed by the political fallout from Colonial. Believed to have reconstituted as BlackMatter and later ALPHV/BlackCat.
DARPA (Defense Advanced Research Projects Agency)
The US Department of Defense agency responsible for funding advanced research. DARPA funded the creation of the first Computer Emergency Response Team (CERT) at Carnegie Mellon University in direct response to the 1988 Morris Worm.
DDoS (Distributed Denial of Service)
An attack that overwhelms a target with traffic from many sources simultaneously, exhausting its capacity to respond to legitimate requests. Mirai produced the largest volumetric DDoS attacks ever recorded at the time — 620 Gbps against Krebs on Security and 1.2 Tbps against OVH.
Dictionary Attack
A password-cracking technique that tries a predefined list of words and common passwords against a hash or login prompt. The Morris Worm carried a list of 432 common passwords and used them to crack accounts on target systems.
DNS (Domain Name System)
The internet's address book: it translates human-readable domain names into IP addresses. WannaCry's kill switch relied on a DNS lookup to a nonsensical domain; when Marcus Hutchins registered the domain and it resolved, hundreds of thousands of WannaCry instances shut themselves down.
Double Extortion
A ransomware strategy that combines file encryption with data theft, threatening to publish stolen data on a leak site if the ransom is not paid. DarkSide exfiltrated 100GB from Colonial Pipeline before encrypting, using the threat of publication as additional leverage.
DoublePulsar
An NSA-developed kernel-level backdoor implant, leaked by the Shadow Brokers alongside EternalBlue. WannaCry used EternalBlue to gain access to a system and then installed DoublePulsar to deploy its payload.
Dwell Time
The period of time an attacker remains inside a compromised network before being detected. APT29's SUNBURST operation went undetected for approximately nine months after initial deployment. Carbanak operators spent weeks to months inside each targeted bank studying workflows before initiating any theft — ensuring their fraudulent transactions were indistinguishable from normal operations.
Elderwood Group / Byzantine Hades
A Chinese state-affiliated threat actor (PLA/MSS) responsible for Operation Aurora and the simultaneous breach of over 34 companies including Google, Adobe, and Morgan Stanley. Also linked to the RSA SecurID breach and the theft of F-35 design data.
EMV (Chip and PIN)
A global payment card standard using embedded microchip cryptography rather than magnetic stripes. EMV transactions generate a unique cryptographic code per transaction, rendering RAM-scraped Track 2 data useless for card cloning. The Target breach accelerated US adoption of EMV from a laggard position to widespread deployment.
Equation Group
An elite NSA cyber operations unit responsible for developing EternalBlue, DoublePulsar, and Stuxnet (in collaboration with Unit 8200). The Shadow Brokers breach exposed their arsenal and indirectly caused hundreds of billions in collateral damage through WannaCry and NotPetya.
EternalBlue
An exploit developed by the NSA's Equation Group targeting a critical remote code execution vulnerability (CVE-2017-0144) in Microsoft's SMBv1 protocol. Leaked by the Shadow Brokers in April 2017 and subsequently weaponized in WannaCry and NotPetya, causing hundreds of billions of dollars in global damage.
Exit Scam (Ransomware)
A tactic in which a ransomware group collects a ransom payment and then immediately shuts down operations — faking a law enforcement seizure or simply vanishing — without paying their affiliates and often without providing decryption keys. ALPHV performed a high-profile exit scam in March 2024, taking Change Healthcare's $22M payment and dissolving their dark web infrastructure, leaving the attacking affiliate unpaid.
Exploit
Code or a technique that takes advantage of a software vulnerability to achieve an unintended or unauthorized action. Exploits may be publicly known ("n-day") or secret ("zero-day"). Nation-state actors maintain inventories of unpatched vulnerabilities as strategic assets.
FBI (Federal Bureau of Investigation)
The US domestic intelligence and law enforcement agency. In the Colonial Pipeline case, the FBI traced and seized 63.7 Bitcoin from the DarkSide ransom payment. The FBI attributed the Morris Worm and has been central to most major US cybercrime prosecutions.
FERPA (Family Educational Rights and Privacy Act)
A US federal law enacted in 1974 governing the privacy of student education records. FERPA gives parents and eligible students the right to inspect and request correction of educational records and restricts disclosure without consent. Unlike HIPAA, FERPA imposes no specific technical security requirements on record custodians and provides no direct private right of action for violations. The PowerSchool breach exposed the gap: student medical records held in an SIS were governed by FERPA's disclosure rules but not HIPAA's security standards.
Firmware Wiper
A destructive payload specifically designed to erase device firmware — the low-level software that controls hardware — rendering the device inoperable. Unlike ransomware, a firmware wiper does not encrypt data for ransom; it destroys the operating environment itself. The Stryker SmartLink wiper erased both gateway firmware and the application firmware of 34,000 connected medical devices, requiring physical on-site reflashing by field service engineers across a twelve-day recovery operation.
Five Eyes
An intelligence-sharing alliance comprising the United States, United Kingdom, Canada, Australia, and New Zealand. In February 2024, the Five Eyes agencies jointly published an advisory warning that Volt Typhoon had pre-positioned inside US critical infrastructure for five or more years — one of the most significant joint public disclosures in the alliance's history.
FNET (Citibank Cash Management)
Citibank's proprietary private dial-up network that allowed corporate clients to initiate international wire transfers via modem. In 1994, Vladimir Levin exploited weak static PIN authentication on FNET to steal $10.7 million across 40 wire transfers — the world's first major cybercrime against a financial institution.
GhostRAT
A remote access Trojan developed and widely distributed by Chinese threat actors, used as the primary implant in the GhostNet espionage campaign. GhostRAT provided full remote control of infected hosts — including file access, keylogging, and camera/microphone activation — and communicated with command-and-control servers hosted predominantly on infrastructure in Hainan, China.
GitHub Credential Exposure
A recurring failure mode in which developers accidentally commit AWS access keys, API tokens, or other credentials to public source code repositories. Automated tools continuously scan GitHub for such credentials; the window between a commit and harvesting by attackers is often minutes. The Uber 2016 breach began when hackers found Uber AWS keys in a public GitHub repository.
GRU (Main Intelligence Directorate)
Russia's military intelligence agency. Unit 74455, known as Sandworm, operates under the GRU and is responsible for the most destructive cyberattacks in recorded history, including NotPetya and the 2015/2016 Ukrainian power grid attacks.
Guardians of Peace (#GOP)
The front name used by Lazarus Group during the Sony Pictures attack. The name appeared on the skull-emblazoned screen that greeted Sony employees on the morning of November 24, 2014, alongside the message 'HACKED BY #GOP'.
Hacktivism
The use of hacking techniques to advance ideological, political, or social causes rather than for personal financial gain. The PSN breach occurred partly in the context of Anonymous's Operation Sony (OpSony), launched as retaliation for Sony's lawsuit against console hacker George "GeoHot" Hotz, illustrating how hacktivism can escalate from targeted protest into attacks affecting millions of uninvolved users.
HAFNIUM
A Chinese state-sponsored threat actor assessed to operate under direction of China's Ministry of State Security (MSS). Named by Microsoft (after element 72) for its exploitation of four zero-day vulnerabilities in Microsoft Exchange Server in January–March 2021 (ProxyLogon), compromising an estimated 250,000+ servers globally. Targets defense, aerospace, legal, research, and policy institutions.
Handle
An online alias or pseudonym used by hackers and security researchers. Robert Tappan Morris was known by the handle "rtm." The LinkedIn credential dump was posted by a user with the handle "dwdm" on a Russian cybercrime forum.
Healthcare Clearinghouse
A company that translates non-standard healthcare data into standard formats for exchange between providers, insurers, and payers. Change Healthcare processed 15 billion transactions annually — approximately one-third of all US patient records. The February 2024 ransomware attack demonstrated that a single clearinghouse failure can shut down prescription processing, insurance verification, and billing across the entire US healthcare system.
ICS / SCADA (Industrial Control Systems / Supervisory Control and Data Acquisition)
Systems used to monitor and control physical industrial processes — power grids, pipelines, water treatment, and manufacturing. Stuxnet was the first publicly known cyberweapon to cause physical destruction through ICS manipulation.
Initial Access
The first stage of compromise in an attack — gaining a foothold inside a target environment. Colonial Pipeline's initial access was a single stolen VPN credential. SolarWinds' initial access was a poisoned software build pipeline.
Intimate Data
A category of personal data that reveals the most sensitive aspects of a person's identity and private life — sexual orientation, romantic history, relationship goals, private messages, intimate photographs, and location patterns mapped to personal activity. The Match Group breach exposed intimate data for 600 million users across Tinder, Hinge, OKCupid, and twelve other platforms, enabling targeted extortion against LGBTQ users in countries where homosexuality is criminalized and fueling calls for a dedicated federal Intimate Data Protection Act.
IoT (Internet of Things)
Networked embedded devices — cameras, routers, smart appliances, industrial sensors — that are typically resource-constrained, infrequently patched, and shipped with factory-default credentials. Mirai demonstrated that the global IoT device population constituted a vast, largely undefended botnet-building resource.
IP Spoofing
The technique of crafting network packets with a forged source IP address to impersonate a trusted host. Kevin Mitnick used IP spoofing combined with TCP sequence number prediction in his 1994 attack on security researcher Tsutomu Shimomura's workstation, tricking the systems into accepting connections as if they originated from a trusted machine.
JNDI (Java Naming and Directory Interface)
A Java API allowing applications to look up objects from external naming services such as LDAP directories. Log4Shell (CVE-2021-44228) exploited Log4j's JNDI lookup feature — any string logged containing `${jndi:ldap://...}` caused the vulnerable library to reach out to an attacker-controlled server and execute the returned Java object, achieving remote code execution with no authentication.
Kill Chain
A model describing the sequential stages of a cyberattack — from reconnaissance through initial compromise, lateral movement, and final objective execution. Each blog entry includes an attack chain diagram visualizing the kill chain for that operation.
Kill Switch
A hardcoded mechanism inside malware that, when triggered, causes the malware to stop executing or spreading. WannaCry contained a kill switch: if a specific domain resolved on DNS lookup, the worm would terminate. Security researcher Marcus Hutchins registered the domain for $10.69 and halted the global outbreak.
KV Botnet
A network of approximately 650 compromised small-office/home-office (SOHO) routers operated by Volt Typhoon as a proxy layer for their intrusion infrastructure. By routing attack traffic through legitimate US-based devices, Volt Typhoon made their intrusions appear to originate from domestic sources, defeating geolocation-based detection. The FBI disrupted the KV Botnet in early 2024 via a court-authorized operation that remotely deleted the malware from compromised devices.
Lateral Movement
Techniques used by attackers to progressively move through a network after gaining initial access, seeking higher privileges or reaching target systems. The Morris Worm used .rhosts trusted-host relationships to move laterally between Unix systems. Carbanak operators moved laterally from a single phished workstation to SWIFT terminals and ATM management systems over weeks. Yahoo's attackers pivoted from an initial foothold to the user database infrastructure storing three billion account credentials.
Lawful Intercept
A legally authorized mechanism allowing government agencies to intercept telecommunications — calls, texts, and data — upon presentation of a court order. CALEA mandated that US carriers build lawful intercept capability into their network infrastructure. Salt Typhoon obtained unauthorized access to this infrastructure in 2023–2025, turning the government's own surveillance pathway against American communications.
Lazarus Group
North Korea's most prolific cyber threat actor, operating under Bureau 121. Uniquely dual-purpose: conducts both state-directed geopolitical attacks (Sony Pictures wiper) and financially motivated cybercrime to fund North Korea's sanctioned programs — including the Bangladesh Bank SWIFT heist ($81M), WannaCry ransomware, and over $3 billion in cryptocurrency theft.
LEMURLOOT
The custom ASP.NET web shell deployed by Cl0p on MOVEit Transfer servers after exploiting CVE-2023-34362. LEMURLOOT could enumerate and download files, harvest Azure Blob Storage credentials, create new administrator accounts, and exfiltrate file transfer metadata — functioning as a persistent backdoor even after the SQL injection vulnerability was patched.
Liquidation Cascade
A self-reinforcing sequence of forced position closures in a leveraged trading system, triggered when falling prices push multiple positions below their maintenance margin simultaneously. Each forced liquidation adds selling pressure, driving prices further down and triggering additional liquidations. The Drift Protocol exploit engineered a liquidation cascade by manipulating the PYTH oracle price, turning $310 million in open interest into a $780 million drain on the protocol's insurance fund and liquidity providers.
Living off the Land (LotL)
An attacker technique that uses the victim system's own built-in tools and legitimate software (e.g., PowerShell, WMI, certutil) rather than deploying custom malware, making detection far harder. APT29's SUNBURST campaign was notable for its extensive use of LotL tradecraft.
LNK File (Windows Shortcut)
A Windows shortcut file. Stuxnet exploited a zero-day (MS10-046) causing Windows to automatically execute code when a malicious .lnk file appeared in any folder rendered by Explorer — including from a USB drive — with no user interaction required.
Medical Device Management (MDM)
Infrastructure for remotely managing, monitoring, and updating connected medical devices — surgical robots, hospital beds, infusion pumps, and navigation systems. Stryker's SmartLink platform served as the central MDM system for 34,000 devices at 340 hospitals. After a nation-state actor compromised the SmartLink distribution infrastructure via the build pipeline, a single malicious firmware update was authenticated and installed by all connected gateways simultaneously, wiping devices across every enrolled hospital before any human response was possible.
MFA (Multi-Factor Authentication)
A security control requiring more than one form of verification to authenticate to a system. The Colonial Pipeline breach originated from a VPN credential with no MFA enabled — a single compromised password was all the attacker needed.
MFT (Managed File Transfer)
Enterprise software platforms used to securely exchange large volumes of files between organizations, automating compliance, audit trails, and encryption. MFT platforms — Accellion FTA, GoAnywhere, and MOVEit Transfer — became Cl0p's preferred attack vector because they sit at the intersection of sensitive data and trusted network relationships.
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Used by threat intelligence teams to classify and map attacker behavior.
Money Mule
A person who receives and transfers illegally obtained funds on behalf of another party, often unwittingly. In the Bangladesh Bank heist, funds transferred to Philippines RCBC accounts were moved by intermediaries into Manila casinos before being cashed out. Carbanak relied on networks of money mules positioned at ATMs across multiple countries to collect cash dispensed during jackpotting operations.
Multi-Signature Wallet (Multi-Sig)
A cryptocurrency wallet requiring signatures from multiple private keys — a defined threshold of N out of M authorized signers — before a transaction can execute. Multi-sig is standard security practice for institutional crypto custody. The Bybit cold wallet required 3 of 5 authorized signers. The Safe{Wallet} supply-chain attack bypassed this control by manipulating what the signers believed they were approving rather than stealing the private keys themselves.
Nation-State Actor
A threat actor sponsored by or acting on behalf of a national government, typically with access to significant resources, classified intelligence, and legal protection within their home country. Stuxnet, NotPetya, SolarWinds, and Operation Aurora were all nation-state operations.
NSA (National Security Agency)
The US signals intelligence and information assurance agency. Home to the Equation Group — the elite offensive cyber unit that developed EternalBlue, DoublePulsar, and co-created Stuxnet. The Shadow Brokers' 2017 leak of NSA tools directly caused WannaCry and NotPetya.
OAuth 2.0 (Open Authorization)
An industry-standard authorization framework allowing applications to grant limited access to user accounts without exposing passwords. Match Group's unified identity platform (Atlas) used OAuth for internal machine-to-machine API authentication. A PKCE code_verifier validation flaw in Atlas allowed an attacker to forge a system-tier OAuth token — granting API access equivalent to Match Group's own backend services and enabling the exfiltration of 600 million users' intimate data.
OGUsers / OG Account
The OGUsers forum was an underground community dedicated to stealing and trading "OG" (original, short or desirable) social media usernames — e.g., single-word handles or celebrity names — through SIM swapping and account hijacking. Graham Clark was active in this community before the Twitter 2020 attack.
Operation Olympic Games
The classified US/Israeli joint cyber operation, reportedly authorized by President George W. Bush, that produced Stuxnet. Its objective was to sabotage Iran's uranium enrichment program at Natanz without kinetic military action.
OpSony
An Anonymous-led hacktivist operation launched in 2011 in retaliation for Sony's lawsuit against console hacker George "GeoHot" Hotz. OpSony encompassed DDoS attacks, website defacements, and data theft targeting Sony properties — its overlap in timing with the separate PSN intrusion created significant attribution confusion and demonstrated how multiple threat actors can simultaneously target the same organization for entirely different reasons.
Oracle Liquidity Mismatch
A structural vulnerability in DeFi perpetuals markets where the total open interest dependent on an oracle price feed exceeds the liquidity available in the underlying spot market used to construct that feed. Drift Protocol's DRIFT-PERP market had $310 million in open interest priced by an oracle drawn from spot pools with only $28 million in liquidity — an 11:1 mismatch that made it feasible to manipulate the oracle price with $340 million in real tokens, triggering cascading liquidations and draining the protocol's insurance fund.
Oracle Manipulation (DeFi)
An attack against decentralized finance protocols that exploits the dependence on external price feeds (oracles) by artificially moving the price of an asset on low-liquidity trading venues to trigger profitable on-chain outcomes. The March 2026 Drift Protocol exploit used $340 million in DRIFT token sell pressure to move the Pyth oracle price by 45.7% in 34 seconds, triggering a liquidation cascade that drained $780 million from the protocol in eleven minutes.
OT / ICS (Operational Technology / Industrial Control Systems)
Hardware and software systems that monitor and control physical industrial processes — power generation, water treatment, pipeline flow, manufacturing. Unlike IT systems where an attack causes data loss or service disruption, OT/ICS attacks can cause physical equipment failure, environmental damage, or civilian harm. Volt Typhoon specifically targeted OT-adjacent systems to understand and potentially disrupt critical physical infrastructure.
OTP (One-Time Passcode)
A time-based authentication code that changes every 30–60 seconds, used as a second factor in two-factor authentication systems. RSA SecurID tokens generated OTPs using a cryptographic seed value; when APT1 stole RSA's seed database in 2011, they could generate valid OTPs for any token without possessing the physical device.
P2PE (Point-to-Point Encryption)
A payment security standard that encrypts card data at the point of entry (card swipe/dip/tap) and decrypts it only inside a certified secure environment — eliminating the unencrypted data-in-memory window that RAM scrapers exploit. The Heartland breach was the primary catalyst for industry-wide P2PE adoption.
Packet
A unit of data transmitted over a network. Network packets contain headers (routing and control information) and payload (the actual data). Analyzing packets — "packet capture" or PCAP analysis — is a core skill in incident response and threat hunting.
PCAP (Packet Capture)
A file format storing captured network traffic. Analyzing a PCAP allows security researchers to reconstruct exactly what data traversed a network and infer attacker intent from raw packet sequences.
Perpetual Futures (DeFi)
A derivative instrument that mimics a futures contract but has no expiration date, allowing leveraged long or short positions on an asset's price. Perpetuals are the dominant instrument on decentralized derivatives exchanges. Their stability depends entirely on accurate oracle pricing and well-capitalized insurance funds — the two mechanisms the Drift Protocol exploit systematically destroyed in eleven minutes.
Phone Phreaking
The practice of exploiting telephone system signaling and switching mechanics to place free calls, intercept communications, or explore restricted phone company infrastructure. Kevin Mitnick began his criminal career as a phone phreak in the late 1970s, using blue boxes and social engineering to manipulate Pacific Bell switching equipment — skills that formed the technical and philosophical foundation for his later computer intrusions.
PKCE (Proof Key for Code Exchange)
A security extension to the OAuth 2.0 authorization code flow that prevents authorization code interception attacks by cryptographically binding the authorization request to the client that initiated it. The Match Group Atlas identity platform validated the PKCE code_verifier format but failed to enforce the cryptographic binding to the original code_challenge, allowing an attacker to forge OAuth tokens with system-tier authorization and exfiltrate the intimate data of 600 million users.
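The two token-endpoint checks contrasted in the OAuth 2.0 and PKCE entries above, as an added illustration (not Atlas or Match Group code; the `AuthServer` class, its method names and the in-memory code store are assumptions): a format-only check accepts any well-formed `code_verifier`, while the RFC 7636 check recomputes S256 over the presented verifier and compares it with the `code_challenge` stored at authorization time.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 chars from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: 32 random bytes -> 43-character code_verifier."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """Client side: S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Hypothetical authorization server: remembers, per issued code,
    the code_challenge the client sent to /authorize."""

    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge

    def authorize(self, challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = challenge
        return code

    def exchange_format_only(self, code: str, verifier: str) -> bool:
        """The flawed pattern: the verifier is checked for shape but never
        against the stored challenge, so any well-formed string redeems the code."""
        challenge = self._codes.pop(code, None)
        if challenge is None:
            return False
        return bool(_VERIFIER_RE.match(verifier))

    def exchange_bound(self, code: str, verifier: str) -> bool:
        """Correct check: the code is single-use, the verifier must be well
        formed, and S256(verifier) must equal the challenge bound to the code.
        Constant-time comparison avoids leaking how many characters matched."""
        challenge = self._codes.pop(code, None)
        if challenge is None or not _VERIFIER_RE.match(verifier):
            return False
        return hmac.compare_digest(make_challenge(verifier), challenge)


def demo():
    """Runs one honest client against both checks with a second, well-formed
    verifier that was never behind the challenge. Returns
    (format_only_accepts_wrong, bound_rejects_wrong, bound_accepts_right)."""
    server = AuthServer()
    verifier = make_verifier()
    challenge = make_challenge(verifier)
    wrong = make_verifier()  # valid shape, but not the verifier behind `challenge`

    accepted_wrong = server.exchange_format_only(server.authorize(challenge), wrong)
    rejected_wrong = not server.exchange_bound(server.authorize(challenge), wrong)
    accepted_right = server.exchange_bound(server.authorize(challenge), verifier)
    return accepted_wrong, rejected_wrong, accepted_right


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True)
```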
PLA / MSS (China)
China's People's Liberation Army and Ministry of State Security — the military and civilian intelligence organizations that sponsor Chinese cyber espionage operations. The Elderwood Group is assessed to operate under their mandate, targeting defense, aerospace, and technology sectors. HAFNIUM operates under MSS direction.
PLA Unit 54891
A unit of China's People's Liberation Army indicted by the US Department of Justice in February 2020 for the Equifax breach. Four members — Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei — are charged with stealing the financial data of 147.9 million Americans. Assessed to be part of the broader Chinese intelligence apparatus conducting large-scale personal data collection operations against the US population.
PLC (Programmable Logic Controller)
An industrial digital computer designed to control manufacturing processes and machinery in real-time. Stuxnet targeted Siemens S7-315 and S7-417 PLCs controlling the uranium enrichment centrifuges at Natanz.
PlugX
A modular remote access Trojan considered the successor to GhostRAT, widely used by Chinese state-affiliated APT groups since approximately 2008. PlugX supports plugin-based capability extension — file management, keylogging, registry access, and lateral movement tools can be loaded dynamically — and has appeared in espionage campaigns targeting government, defense, and civil society organizations across Asia, Europe, and North America.
POS Malware (Point of Sale Malware)
Malware specifically designed to run on retail point-of-sale terminals and steal payment card data by reading it from process memory during the brief window when it is unencrypted. BlackPOS, deployed in the Target breach, is the canonical example — stealing 40 million cards from 1,800 Target stores over 18 days.
Pretexting
A social engineering technique in which an attacker fabricates a convincing false scenario — a pretext — to manipulate a target into revealing information or taking an action they otherwise would not. Kevin Mitnick was a master practitioner of pretexting, routinely impersonating IT staff, law enforcement, or corporate employees to extract passwords, dial-up numbers, and source code from unsuspecting targets.
Privilege Escalation
Gaining higher-level permissions on a system than originally granted — e.g., moving from a standard user account to administrator or SYSTEM. Stuxnet used a Windows Task Scheduler zero-day (MS10-092) for privilege escalation to execute at elevated permissions.
ProxyLogon
A critical vulnerability chain in Microsoft Exchange Server (CVE-2021-26855 + CVE-2021-27065) enabling unauthenticated remote code execution on internet-facing Exchange servers. Exploited by HAFNIUM beginning January 2021, then by 10+ additional threat groups after public disclosure in March 2021, compromising an estimated 250,000+ servers globally.
RaaS (Ransomware-as-a-Service)
A criminal business model where a core team builds and maintains ransomware infrastructure and leases it to affiliate operators who conduct attacks, splitting ransom proceeds. DarkSide operated as a RaaS platform; affiliates conducted the Colonial Pipeline intrusion while DarkSide provided the tooling and negotiation infrastructure.
RAM Scraping
A technique used by POS malware to read unencrypted payment card data from a computer's RAM during the brief moment it exists in memory before encryption. The Target breach used BlackPOS to scrape Track 2 payment card data from POS terminal memory across 1,800 stores during the 2013 holiday season.
RAM Scraping (Payment Card)
A technique used against payment processing systems that reads unencrypted card data from a server's RAM during the brief window between decryption and re-encryption. Gonzalez used a custom RAM-scraping sniffer inside Heartland's payment network to capture Track 2 data from 130 million cards as it was processed — without touching encrypted storage.
RAT (Remote Access Trojan)
Malware that gives an attacker covert remote control of a compromised machine, typically with encrypted command-and-control communications. The Elderwood Group deployed custom RAT implants during Operation Aurora. Carbanak used a custom RAT delivered via spear-phishing to establish footholds inside bank workstations, then escalated to financial systems. GhostNet relied on GhostRAT for persistent access to government and civil society targets in 103 countries.
RCE (Remote Code Execution)
A class of vulnerability that allows an attacker to run arbitrary code on a target system over a network without requiring physical access or user interaction. The Morris Worm's Sendmail exploit achieved RCE via the program's debug mode.
Rescator
The online handle of a cybercriminal operator — alleged to be a Ukrainian national — who operated one of the most prominent dark web carding markets distributing stolen payment card data. Rescator sold the 40 million cards stolen from Target in December 2013, and subsequent card dumps from Home Depot and other retailers.
RSA Encryption
An asymmetric public-key cryptographic algorithm. WannaCry used RSA-2048 to encrypt the AES session keys used on each victim machine, meaning only the attackers holding the RSA private key could theoretically provide decryption.
S3 (Amazon Simple Storage Service)
Amazon Web Services' cloud object storage service. S3 buckets are a common location for database backups and large data archives. Misconfigurations or stolen credentials providing S3 access have been the root cause of numerous major breaches — including the Uber 2016 incident, where an S3 bucket containing 57 million user and driver records was accessed using AWS keys found on GitHub.
Salt Typhoon
A PRC Ministry of State Security threat actor (also tracked as GhostEmperor, FamousSparrow, Earth Estries) that compromised at least eight major US telecommunications carriers between 2023 and 2025 — including AT&T, Verizon, and T-Mobile — accessing CALEA lawful intercept infrastructure and intercepting communications of senior US officials and presidential campaign staff. Senator Mark Warner described the campaign as "the worst telecom hack in US history."
Sandworm (GRU Unit 74455)
Russia's most destructive cyber unit, operating within the GRU under the Main Centre for Special Technologies. Responsible for the Ukrainian power grid blackouts (2015, 2016), NotPetya, Olympic Destroyer, and WhisperGate. Their attacks caused more documented financial damage than any other nation-state actor.
SBOM (Software Bill of Materials)
A structured inventory of all software components, libraries, and dependencies included in a software product. Log4Shell exposed the industry's lack of SBOMs — organizations could not determine which of their applications contained the vulnerable Log4j library because they had no systematic record of transitive dependencies. US President Biden's 2021 cybersecurity executive order mandated SBOMs for federal software vendors.
Screen Capture Surveillance
An intelligence-gathering technique in which malware periodically screenshots or records the victim's display to allow attackers to understand operational workflows before taking action. Carbanak operators recorded bank employee screens for months to learn exactly how money transfers, ATM commands, and SWIFT transactions were processed — enabling them to replicate legitimate operator behavior precisely when initiating fraudulent transactions.
Second-Wave Extortion
A ransomware follow-on attack in which a threat actor — or a party who has obtained stolen data from a prior breach — targets individual victims or downstream organizations with separate extortion demands, even after an initial ransom has already been paid. Both the Change Healthcare breach (via RansomHub) and the PowerSchool breach (via individual district extortion demands) resulted in second-wave extortion, demonstrating that paying a ransom cannot guarantee data deletion or prevent further monetization of stolen information.
Sendmail
A widely used Unix mail transfer agent. The Morris Worm exploited a vulnerability in Sendmail's "debug" mode that allowed an attacker to pipe commands to a remote shell without any authentication.
Session Hijacking
An attack in which an adversary takes over an authenticated user session — typically by stealing or forging a session token — without needing to know the user's password. The Yahoo breach enabled industrial-scale session hijacking: with access to the forged cookie generation tool, attackers could impersonate any account holder, bypassing login pages, password requirements, and multi-factor authentication checks.
SF-86
The Questionnaire for National Security Positions — the US government form all federal security clearance applicants must complete, covering ten years of residential history, employment, foreign contacts, financial debts, mental health treatment, drug use, and family member details. The OPM breach exfiltrated SF-86 files for 21.5 million individuals, providing Chinese intelligence with the most comprehensive personal dossier collection ever assembled on the American national security workforce.
SHA-1 (Unsalted)
SHA-1 is a cryptographic hash function. Storing passwords as unsalted SHA-1 hashes — without a random per-user value added before hashing — makes them trivially crackable with precomputed rainbow tables. LinkedIn stored its 117 million user passwords this way in 2012.
Shadow Brokers
An anonymous group or individual who in 2016–2017 leaked a massive trove of NSA offensive cyber tools, including EternalBlue and DoublePulsar. The Shadow Brokers' April 2017 dump directly enabled WannaCry and NotPetya, turning classified government weapons into globally destructive malware.
SIM Swapping
A social engineering attack that convinces a mobile carrier to reassign a victim's phone number to an attacker-controlled SIM card, intercepting SMS-based two-factor authentication codes. A technique widely practiced in the OGUsers underground community that informed the methods used in the 2020 Twitter VIP hack.
SIS (Student Information System)
Enterprise software used by schools and districts to maintain comprehensive longitudinal records for every enrolled student — including enrollment, attendance, grades, health records, IEP and 504 accommodations, disciplinary history, family contacts, and custody arrangements. PowerSchool was the dominant US K-12 SIS provider, holding records for approximately 70 million students. SIS data is governed by FERPA rather than HIPAA, leaving student medical and psychological records with weaker security and enforcement requirements than equivalent health data held by covered healthcare entities.
Smart Contract
Self-executing code deployed on a blockchain that automatically performs predefined operations when specified conditions are met, without requiring a trusted intermediary. The Bybit cold wallet was managed through a smart contract (Safe{Wallet}). The Lazarus Group attack transferred ownership of that smart contract to attacker-controlled addresses by tricking authorized signers into approving a malicious transaction — demonstrating that smart contract security depends entirely on the integrity of the signing interface.
SMB (Server Message Block)
A Windows network protocol for sharing files, printers, and other resources. SMBv1's implementation contained CVE-2017-0144, the vulnerability exploited by EternalBlue and weaponized in WannaCry and NotPetya.
Social Engineering
The manipulation of people rather than systems to obtain unauthorized access, sensitive information, or valuable assets. Kevin Mitnick elevated social engineering to an art form, routinely bypassing technical security through impersonation, pretexting, and exploiting human trust — arguing that the human element was always the weakest link in any security architecture, regardless of how sophisticated the technology protecting it might be.
Socialized Loss (DeFi)
A mechanism in decentralized derivatives protocols that distributes remaining insolvency losses proportionally across all liquidity providers when the insurance fund is depleted. Socialized loss is the protocol's last resort — it ensures no user can be owed more than the protocol holds, but it does so by reducing every LP's position. The Drift Protocol exploit depleted the $47 million insurance fund in under four minutes, triggering socialized losses of $733 million across the LP base.
Soupnazi (Albert Gonzalez)
The online handle of Albert Gonzalez — a Miami-born hacker who simultaneously operated as a paid US Secret Service informant and the architect of the two largest payment card breaches ever recorded: TJX Companies (45M cards) and Heartland Payment Systems (130M cards). Sentenced to 20 years in federal prison in 2010.
Spear Phishing
A targeted phishing attack tailored to a specific individual or organization, using personal details to increase credibility. Distinct from mass-phishing, spear phishing is a primary initial-access technique for APT groups like APT29 and the Elderwood Group. Carbanak gained initial access to banks by sending spear-phishing emails containing a malicious Word document exploiting CVE-2012-0158, dressed as plausible internal communications.
SQL Injection
An attack that inserts malicious SQL code into a query to manipulate or extract data from a database. Yevgeniy Nikulin is believed to have used SQL injection against internal LinkedIn systems as part of the 2012 breach.
SSRF (Server-Side Request Forgery)
A vulnerability that tricks a server into making HTTP requests to unintended internal or external destinations, effectively impersonating the server's own authenticated requests. CVE-2021-26855 in Microsoft Exchange was an SSRF that allowed unauthenticated attackers to bypass Exchange authentication entirely — one HTTP request, no credentials.
SUNBURST
The malicious backdoor injected into SolarWinds Orion software updates by APT29. SUNBURST lay dormant for up to two weeks after installation before activating, and communicated via disguised HTTP traffic mimicking legitimate Orion API calls.
Supply Chain Attack
An attack that compromises a target's software or hardware through a trusted third-party vendor rather than directly. SolarWinds SUNBURST is the canonical example — attackers poisoned a software build pipeline and the compromised update was distributed to 33,000 customers. NotPetya used the M.E.Doc accounting software update mechanism similarly.
SVR (Foreign Intelligence Service)
Russia's primary civilian foreign intelligence agency — the post-Soviet successor to the KGB's First Chief Directorate. APT29/Cozy Bear is assessed to operate under SVR direction, focused on long-term strategic espionage rather than destructive operations.
SWIFT (Society for Worldwide Interbank Financial Telecommunication)
A secure messaging network used by financial institutions to communicate and authorize international money transfers. Lazarus Group compromised SWIFT infrastructure to steal $81 million from the Bangladesh Bank in 2016, and similar TTPs were deployed against other financial institutions globally.
SWIFT CSP (Customer Security Programme)
A mandatory framework of baseline security controls introduced by SWIFT for all 11,000+ member financial institutions in response to the 2016 Bangladesh Bank heist. Requires network segmentation, endpoint security standards, and transaction anomaly monitoring. The programme acknowledged that SWIFT credentials are only as secure as the network they run on.
TCP Sequence Prediction
An attack that exploits predictable TCP initial sequence number generation to forge TCP connections from a spoofed source address. By predicting the sequence numbers a host would accept, an attacker can inject data into a session or complete a three-way handshake without receiving the server's responses — a technique Kevin Mitnick used in his 1994 attack against Tsutomu Shimomura to authenticate as a trusted host without a direct network path.
Telnet
An unencrypted remote login protocol (port 23) that was widely enabled on embedded IoT devices for management purposes. Mirai exploited Telnet services on internet-facing IoT devices, testing 61 default credential pairs to gain access and conscript devices into its botnet.
Threat Actor
Any entity — individual, group, or nation-state — that poses a cybersecurity threat. The term is deliberately neutral, covering criminal hackers, state-sponsored espionage units, hacktivists, and insider threats.
Track 2 Data
The data stored on a payment card's magnetic stripe — card number, expiration date, and service code — formatted as a standardized 37-character string. Track 2 data is sufficient to clone a physical payment card. BlackPOS searched RAM for Track 2 patterns across Target's POS terminals in 2013.
Tradecraft
The methods, skills, and techniques used by intelligence operatives and threat actors to conduct operations while avoiding detection. Includes choices of tooling, infrastructure, anti-forensics, and operational security. APT29 is notable for highly disciplined tradecraft designed to frustrate attribution.
TraderTraitor
An FBI designation for a Lazarus Group subunit specializing in financially motivated attacks against cryptocurrency firms, DeFi developers, and Web3 infrastructure. TraderTraitor's methodology combines social engineering (fake job offers, investment lures) with supply-chain compromise of trusted developer tooling. Responsible for the February 2025 Bybit exchange theft — $1.5 billion in ETH, the largest cryptocurrency theft in history.
Transaction Malleability
A Bitcoin protocol quirk (since patched) that allowed the transaction ID of an unconfirmed transaction to be altered without invalidating it. Mt. Gox's exchange software tracked withdrawals by transaction ID, so attackers could modify the ID, claim the transaction failed, and request a re-send — draining the exchange over years.
Transitive Dependency
A software dependency that a project does not directly declare, but which is pulled in through a chain of dependencies (Library A depends on Library B which depends on Library C). Log4Shell was catastrophic in part because Log4j was a transitive dependency in hundreds of thousands of products — organizations were vulnerable through software they did not know contained Log4j.
TTP (Tactics, Techniques, and Procedures)
The behavioral fingerprint of a threat actor — how they gain access (tactics), what specific methods they use (techniques), and the detailed implementation of those methods (procedures). Analyzing TTPs is central to threat intelligence and attribution.
Unit 8200
The Israeli Intelligence Corps' cyber unit, widely considered among the most technically capable signals intelligence organizations in the world. Co-developed Stuxnet with the NSA under Operation Olympic Games, authorized by President George W. Bush.
Vishing (Voice Phishing)
A social engineering attack conducted over the telephone — the voice equivalent of email phishing. Graham Clark used vishing to impersonate Twitter's IT helpdesk, convincing employees to provide credentials to Twitter's internal admin tool and enabling the 2020 VIP account takeover.
Volt Typhoon
A PRC state-sponsored threat actor tracked by Microsoft, CISA, and the Five Eyes intelligence alliance as a pre-positioning threat to US critical infrastructure. Volt Typhoon's mission is not espionage but the long-term, covert implantation of access and knowledge inside power grids, water systems, communications networks, and transportation hubs — held in reserve for potential activation during military conflict, particularly over Taiwan.
VPN (Virtual Private Network)
A technology that creates an encrypted tunnel for remote network access. Colonial Pipeline's attackers gained initial access through a VPN account that had not been used in months and was not protected by multi-factor authentication.
Watering Hole Attack
An attack that compromises a website frequently visited by the intended targets, infecting visitors' machines when they browse the site. Used by APT groups to achieve initial access against high-value targets whose email is carefully guarded.
Web Shell
A malicious script uploaded to a web server that provides the attacker with persistent remote command execution through HTTP requests. HAFNIUM planted ASP.NET web shells in Exchange web directories after exploiting ProxyLogon — maintaining backdoor access even on servers that subsequently applied the vulnerability patch.
Wiper Malware
Malware designed to irreversibly destroy data on compromised systems rather than encrypt it for ransom. NotPetya was wiper malware disguised as ransomware — the $300 Bitcoin demand was camouflage. Sony Pictures' Destover was a wiper that destroyed 70% of the studio's servers.
Wire Fraud (Electronic Funds Transfer)
Federal criminal offense under 18 U.S.C. § 1343 covering schemes to defraud using electronic communications, including unauthorized wire transfers. Vladimir Levin's Citibank intrusion was prosecuted under wire fraud statutes, establishing early legal precedents for prosecuting interstate and international cyber-enabled financial theft.
Y Combinator
The world's most influential startup accelerator, co-founded by Robert Tappan Morris — the same person who launched the 1988 Morris Worm. YC has funded over 4,000 companies including Airbnb, Dropbox, and Stripe.
Zero-Day (0-Day)
A software vulnerability unknown to the vendor and for which no patch exists. Named for the zero days of warning defenders have. Nation-state actors treat zero-days as strategic assets, hoarding them for high-value targets. Stuxnet weaponized four simultaneous zero-days — unprecedented at the time of discovery.