How Cyber Attacks Happen: Attack Methods Explained

Understanding how attacks actually happen is more useful than theoretical threat models. Real incidents show us the specific methods attackers use, the vulnerabilities they exploit, and how simple mistakes can lead to catastrophic breaches.

Here are six high-profile attacks, broken down by exactly how they were executed — and what organisations can learn from each.

1. Colonial Pipeline: One Compromised Password

In May 2021, Colonial Pipeline — a major U.S. fuel pipeline operator — was hit by ransomware that shut down operations for days, causing fuel shortages across the eastern United States.

How it happened:

  • Attackers found a compromised password for an inactive VPN account
  • The VPN account had no multi-factor authentication (MFA)
  • Using this single credential, they gained access to the corporate network
  • They deployed DarkSide ransomware, encrypting critical systems
  • Operations were shut down to prevent the attack from spreading

The vulnerability:

An old, unused VPN account with a weak or compromised password and no second factor: that password was the only thing protecting it. This is exactly the kind of account that gets forgotten: nobody uses it, yet it is still enabled in the system.

What to learn:

  • All remote access accounts must have MFA — no exceptions
  • Regularly audit and disable unused accounts
  • Monitor for compromised credentials (password breach databases)
  • VPN access should be restricted to what's necessary

This attack cost Colonial Pipeline $4.4 million in ransom (though some was later recovered) and caused widespread disruption. All because of one unprotected account.
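An added example, not from the article: a small Python audit that applies the first two lessons above to a constructed inventory of remote-access accounts, flagging enabled accounts that have not been used within a grace period (the Colonial Pipeline account) and in-use accounts that still lack MFA. The account records, the 90-day threshold and the audit date are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample inventory of remote-access (VPN) accounts; not real data.
# last_login is the last successful login date, None if the account was never used.
ACCOUNTS = [
    {"user": "jsmith",      "enabled": True,  "last_login": date(2021, 4, 28), "mfa": True},
    {"user": "contractor7", "enabled": True,  "last_login": date(2020, 11, 2), "mfa": False},
    {"user": "old-svc",     "enabled": True,  "last_login": None,              "mfa": False},
    {"user": "aturner",     "enabled": False, "last_login": date(2019, 6, 1),  "mfa": False},
    {"user": "mlee",        "enabled": True,  "last_login": date(2021, 5, 1),  "mfa": False},
]


def audit_remote_access(accounts, today, inactive_days=90):
    """Apply the two account-hygiene lessons to an inventory.

    Returns (disable, enforce_mfa):
      disable     - enabled accounts unused for `inactive_days` or never used
      enforce_mfa - enabled, recently used accounts with no MFA enrolled
    Already-disabled accounts are skipped: they cannot be used to log in.
    """
    cutoff = today - timedelta(days=inactive_days)
    disable, enforce_mfa = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        never_used = acct["last_login"] is None
        if never_used or acct["last_login"] < cutoff:
            disable.append(acct["user"])
        elif not acct["mfa"]:
            enforce_mfa.append(acct["user"])
    return disable, enforce_mfa


def mfa_coverage(accounts):
    """Share of enabled accounts that have MFA; the number to drive to 100%."""
    enabled = [a for a in accounts if a["enabled"]]
    if not enabled:
        return 1.0
    return sum(1 for a in enabled if a["mfa"]) / len(enabled)


def sample_audit():
    # Assumed audit date for the sample run.
    return audit_remote_access(ACCOUNTS, date(2021, 5, 7))


if __name__ == "__main__":
    disable, enforce = sample_audit()
    print("disable (stale or never used):", disable)   # ['contractor7', 'old-svc']
    print("enforce MFA now:", enforce)                 # ['mlee']
    print(f"MFA coverage: {mfa_coverage(ACCOUNTS):.0%}")  # 25%
```

The point of the coverage figure is that "MFA everywhere" is measurable: anything below 100% for remote access is a list of accounts to fix, not a policy statement.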

2. SolarWinds: Supply Chain Compromise

In 2020, attackers compromised SolarWinds' Orion software, inserting malicious code into legitimate software updates. This backdoor was then distributed to thousands of customers, including U.S. federal agencies and Fortune 500 companies.

How it happened:

  • Attackers gained access to SolarWinds' build environment
  • They inserted malicious code (SUNBURST backdoor) into the Orion software
  • The compromised code was signed with SolarWinds' legitimate certificates
  • When customers installed the "legitimate" update, the backdoor was installed
  • The backdoor allowed attackers to conduct long-term espionage

The vulnerability:

Compromised software build and distribution systems. Customers trusted SolarWinds' signed updates, so the malicious code bypassed security controls.

What to learn:

  • Software supply chains are attack vectors — vet your vendors
  • Monitor for unusual network activity even from "trusted" software
  • Implement zero-trust principles — don't trust based on signatures alone
  • Have visibility into what software is running in your environment

This attack affected thousands of organisations and demonstrated that even trusted software vendors can be compromised.

3. Sony Pictures: Phishing Impersonation

In 2014, Sony Pictures was targeted by a phishing attack that led to the leak of private emails, personal information, and unreleased movies.

How it happened:

  • Attackers sent emails impersonating Apple
  • Employees received emails asking them to verify their Apple IDs
  • When employees entered their credentials, attackers captured them
  • Using these credentials, attackers accessed Sony's email system
  • They exfiltrated sensitive data and leaked it publicly

The vulnerability:

Employees falling for phishing emails that looked legitimate. The emails impersonated a trusted brand (Apple), making them seem credible.

What to learn:

  • Regular phishing awareness training is essential
  • Implement email security controls (SPF, DKIM, DMARC)
  • Use MFA so stolen passwords aren't enough
  • Monitor for unusual email access patterns
  • Have a clear process for reporting suspicious emails

This attack showed how effective social engineering can be — even at large organisations with security teams.
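The email controls in the list above (SPF, DKIM, DMARC) are what let a receiving mail server refuse a message whose visible From: domain is not backed by the domain's own authentication. The following Python is an added example, not part of the article: it evaluates the DMARC step (RFC 7489 identifier alignment and policy) for a message given the SPF and DKIM results. The domains brand.example and lookalike.example and the DMARC records are constructed, and the organisational-domain helper is a deliberate simplification noted in the code.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into
    a tag dict, filling in the RFC 7489 defaults (relaxed alignment)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags


def org_domain(domain):
    # Assumption/simplification: the organisational domain is the last two
    # labels. Real receivers consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any subdomain of the same organisational domain."""
    if auth_domain is None:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(from_domain, dmarc_record, spf_pass_domain=None, dkim_pass_domain=None):
    """Disposition a DMARC-aware receiver applies to one message.

    from_domain      - domain in the visible From: header (what the user sees)
    spf_pass_domain  - MAIL FROM domain if SPF returned pass, else None
    dkim_pass_domain - d= domain of a DKIM signature that verified, else None
    Returns 'pass', or the sender's requested policy: 'none', 'quarantine', 'reject'.
    """
    tags = parse_dmarc(dmarc_record)
    if aligned(from_domain, spf_pass_domain, tags["aspf"]) or \
            aligned(from_domain, dkim_pass_domain, tags["adkim"]):
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed scenario: a phishing mail shows From: brand.example but was
    # sent through infrastructure that only authenticates lookalike.example.
    print(evaluate("brand.example", "v=DMARC1; p=reject",
                   spf_pass_domain="lookalike.example",
                   dkim_pass_domain="lookalike.example"))   # reject
    # Same forgery, but the brand only publishes a monitoring policy.
    print(evaluate("brand.example", "v=DMARC1; p=none",
                   spf_pass_domain="lookalike.example"))    # none
    # Legitimate bulk mail with bounces at a subdomain: passes under relaxed
    # SPF alignment (the default) but needs DKIM under strict alignment.
    print(evaluate("brand.example", "v=DMARC1; p=reject",
                   spf_pass_domain="bounce.brand.example"))  # pass
    print(evaluate("brand.example", "v=DMARC1; p=reject; aspf=s",
                   spf_pass_domain="bounce.brand.example"))  # reject
    print(evaluate("brand.example", "v=DMARC1; p=reject; aspf=s",
                   spf_pass_domain="bounce.brand.example",
                   dkim_pass_domain="brand.example"))        # pass
```

Two caveats matter for the Sony lesson. A brand's DMARC record only helps if the policy is quarantine or reject; p=none is monitoring only and the forged message is still delivered. And DMARC protects only the exact domain it is published for: a lookalike domain the attacker registers passes its own checks, which is why the list pairs these controls with training and MFA.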

4. Equifax: Unpatched Vulnerability

In 2017, Equifax suffered a breach that exposed the personal information of approximately 147 million individuals — one of the largest data breaches in history.

How it happened:

  • Attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638)
  • The vulnerability had been publicly disclosed in March 2017
  • Equifax failed to patch the vulnerability promptly
  • Attackers exploited it in May 2017, gaining access to web applications
  • They accessed databases containing personal information

The vulnerability:

A known, patchable vulnerability in a web application framework. Equifax had months to patch it but didn't.

What to learn:

  • Patch management is critical — known vulnerabilities are exploited quickly
  • Have a process for identifying and patching critical vulnerabilities
  • Monitor for known vulnerabilities in your software stack
  • Test patches before deploying to production
  • Consider vulnerability scanning and penetration testing

This breach cost Equifax over $1.4 billion in settlements and demonstrated the cost of poor patch management.
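The patch-management lessons above reduce to a loop: know what is installed, match it against published advisories, and measure how long a known-vulnerable version has been running past the deadline your policy allows. The Python below is an added example, not part of the article or any scanner product. The affected ranges, fixed versions and disclosure date for CVE-2017-5638 are those published in the Apache Struts S2-045 advisory; the host inventory, the severity-based deadlines and the scan date are constructed assumptions.

```python
from datetime import date, timedelta


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples then compare component-wise,
    so (2, 5) < (2, 5, 10) < (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.split("."))


# Advisory data. The CVE-2017-5638 entry matches the Apache S2-045 advisory;
# the list itself is a stand-in for a real vulnerability feed.
ADVISORIES = [
    {
        "id": "CVE-2017-5638",
        "product": "apache-struts",
        "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],  # inclusive ranges
        "fixed_in": ["2.3.32", "2.5.10.1"],
        "disclosed": date(2017, 3, 6),
        "severity": "critical",
    },
]

# Assumed internal policy: maximum days from public disclosure to deployed patch.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed software inventory: (host, product, installed version).
INVENTORY = [
    ("web-01", "apache-struts", "2.3.30"),
    ("web-02", "apache-struts", "2.5.10.1"),
    ("web-03", "apache-struts", "2.3.32"),
]


def is_affected(version, advisory):
    """True if `version` falls inside any affected range of the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in advisory["affected"])


def findings(inventory, advisories, today):
    """Cross-reference installed versions against advisories. Each finding
    carries days_overdue relative to the severity SLA (negative = still within SLA)."""
    out = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv["product"] != product or not is_affected(version, adv):
                continue
            deadline = adv["disclosed"] + timedelta(days=SLA_DAYS[adv["severity"]])
            out.append({
                "host": host, "product": product, "version": version,
                "advisory": adv["id"], "upgrade_to": adv["fixed_in"],
                "days_overdue": (today - deadline).days,
            })
    return out


def sample_findings():
    # Assumed scan date for the sample run.
    return findings(INVENTORY, ADVISORIES, date(2017, 5, 1))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['host']}: {f['product']} {f['version']} affected by {f['advisory']}, "
              f"{f['days_overdue']} days past SLA, upgrade to one of {f['upgrade_to']}")
```

The "days past SLA" column is the figure to report upward: a critical, remotely exploitable bug in an internet-facing framework that is weeks overdue is the Equifax situation, and the inventory step (knowing that Struts is on web-01 at all) is usually the harder part in practice.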

5. Lapsus$: Social Engineering and SIM-Swapping

In 2022, a group of British teenagers known as Lapsus$ orchestrated attacks against major tech companies including Microsoft, Nvidia, and others.

How it happened:

  • Attackers used social engineering to target employees
  • They conducted SIM-swapping attacks to intercept MFA codes
  • They used phishing to obtain employee credentials
  • They found and exploited weaknesses in authentication processes
  • They gained access to internal systems and stole sensitive data

The vulnerability:

MFA that relies on SMS (text messages) can be bypassed through SIM-swapping. Attackers convinced mobile carriers to transfer employees' phone numbers to SIM cards they controlled, so the one-time codes were delivered to the attackers instead.

What to learn:

  • Use app-based MFA (like Authenticator apps) instead of SMS when possible
  • Train employees to recognize social engineering attempts
  • Implement additional verification for sensitive operations
  • Monitor for unusual authentication patterns
  • Have processes for verifying identity before making account changes

These attacks showed that even tech-savvy organisations can be compromised through social engineering and MFA weaknesses.

6. Bangladesh Bank: SWIFT System Exploitation

In February 2016, attackers attempted to steal nearly $1 billion from Bangladesh Bank's account at the Federal Reserve Bank of New York, successfully transferring $101 million.

How it happened:

  • Attackers gained access to the bank's SWIFT messaging system
  • They issued 35 fraudulent transfer instructions
  • They exploited vulnerabilities in the bank's SWIFT infrastructure
  • There may have been insider assistance or compromised credentials
  • They used malware to hide evidence of the fraudulent transactions

The vulnerability:

Weaknesses in SWIFT system security, possibly combined with insider threats or compromised credentials. The bank's controls weren't sufficient to detect or prevent the fraudulent transactions.

What to learn:

  • Financial transaction systems need strong controls and monitoring
  • Implement transaction limits and approval processes
  • Monitor for unusual transaction patterns
  • Separate duties — no single person should be able to authorize large transfers
  • Conduct regular security assessments of critical financial systems
  • Consider insider threat programs

This attack demonstrated that even highly secure financial systems can be compromised through a combination of technical vulnerabilities and process weaknesses.
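The controls listed above (limits, approval processes, separation of duties, pattern monitoring) can be expressed as checks a payment operations system runs before an instruction is released. The Python below is an added example written for this article; it is not SWIFT's or any bank's own logic, and the limits, beneficiary list and sample instructions are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Transfer:
    ref: str
    amount: int          # whole USD; integers avoid float rounding against limits
    beneficiary: str
    initiator: str       # operator who keyed the instruction
    approvers: List[str] = field(default_factory=list)


class ReleaseControls:
    """Illustrative pre-release checks for outgoing payment instructions:
    limits, dual authorisation with separation of duties, beneficiary
    verification and a daily volume baseline."""

    def __init__(self, single_approval_limit, daily_limit, known_beneficiaries,
                 max_daily_instructions):
        self.single_approval_limit = single_approval_limit
        self.daily_limit = daily_limit
        self.known_beneficiaries = set(known_beneficiaries)
        self.max_daily_instructions = max_daily_instructions
        self.released_today = 0
        self.count_today = 0

    def check(self, t):
        """Return the reasons to hold `t`; an empty list means it may be released."""
        reasons = []
        # Separation of duties: the person who keyed it never approves it.
        if t.initiator in t.approvers:
            reasons.append("initiator approved own instruction")
        independent = {a for a in t.approvers if a != t.initiator}
        # Dual authorisation above the single-approval limit.
        required = 2 if t.amount > self.single_approval_limit else 1
        if len(independent) < required:
            reasons.append(f"needs {required} independent approver(s), has {len(independent)}")
        # Unknown beneficiaries are confirmed out of band, not on the instruction's say-so.
        if t.beneficiary not in self.known_beneficiaries:
            reasons.append("new beneficiary: confirm out of band before release")
        # Aggregate limits catch a burst of individually plausible transfers.
        if self.released_today + t.amount > self.daily_limit:
            reasons.append("daily outgoing limit exceeded")
        if self.count_today + 1 > self.max_daily_instructions:
            reasons.append("instruction volume above daily baseline")
        return reasons

    def release(self, t):
        """Release `t` if all checks pass; return the hold reasons either way."""
        reasons = self.check(t)
        if not reasons:
            self.released_today += t.amount
            self.count_today += 1
        return reasons


def sample_day():
    # Constructed sample day: limits, beneficiaries and instructions are assumptions.
    controls = ReleaseControls(single_approval_limit=10_000_000, daily_limit=25_000_000,
                               known_beneficiaries={"ACME-CORRESPONDENT"},
                               max_daily_instructions=10)
    instructions = [
        Transfer("T1", 500_000, "ACME-CORRESPONDENT", "ops1", ["sup1"]),
        Transfer("T2", 20_000_000, "NEWCO-UNKNOWN", "ops1", ["ops1"]),
        Transfer("T3", 30_000_000, "ACME-CORRESPONDENT", "ops2", ["sup1", "sup2"]),
    ]
    return {t.ref: controls.release(t) for t in instructions}, controls.released_today


if __name__ == "__main__":
    results, total = sample_day()
    for ref, reasons in results.items():
        print(ref, "released" if not reasons else "HELD: " + "; ".join(reasons))
    print("released today:", total)
```

T2 is held for three independent reasons, which is the design intent: an attacker holding one operator's credentials should have to defeat several controls, not one, and each hold is an event the monitoring team can see.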

Common Patterns Across These Attacks

Looking at these incidents together, several patterns emerge:

1. Simple Mistakes Lead to Major Breaches

Most of these attacks exploited basic security failures:

  • Missing MFA on critical accounts
  • Unpatched known vulnerabilities
  • Weak or compromised passwords
  • Insufficient monitoring

These aren't sophisticated "zero-day" exploits — they're fixable problems.

2. Attackers Use Multiple Methods

Many attacks combine multiple techniques:

  • Phishing to get initial access
  • Social engineering to bypass controls
  • Exploiting vulnerabilities to escalate privileges
  • Using legitimate tools to avoid detection

Defence needs to be layered — no single control is enough.

3. Supply Chain and Third-Party Risk

Several attacks exploited trust in third parties:

  • SolarWinds: compromised software vendor
  • Sony: impersonated trusted brand (Apple)
  • Lapsus$: exploited mobile carrier processes

You're only as secure as your weakest supplier or partner.

4. Detection Often Comes Too Late

In many cases, attackers had access for days, weeks, or months before detection. This gave them time to:

  • Explore the network
  • Steal credentials
  • Prepare for the final attack
  • Cover their tracks

Effective detection and monitoring can significantly reduce impact.

What Organisations Can Do

Based on these attack methods, here's what matters:

1. Implement MFA Everywhere

Especially for:

  • Remote access (VPN, RDP)
  • Email accounts
  • Administrative accounts
  • Cloud services

Use app-based MFA instead of SMS when possible.

2. Patch Promptly

Have a process for:

  • Identifying critical vulnerabilities
  • Testing patches
  • Deploying patches quickly
  • Verifying patches are applied

3. Train Employees

Regular training on:

  • Recognizing phishing emails
  • Social engineering tactics
  • Reporting suspicious activity
  • Secure practices

4. Monitor and Detect

Implement:

  • Logging of authentication attempts
  • Monitoring for unusual network activity
  • Alerts for suspicious patterns
  • Regular security assessments
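
The first three items above become concrete once authentication logs exist in a parseable form. The Python below is an added example, not from the article: it parses a few constructed VPN authentication log lines and raises two alerts, a password spray (one source failing against many accounts) and a success that follows a run of failures. The log format, thresholds and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; the format is assumed, not any vendor's.
LOG = """\
2021-05-07T02:11:05Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2021-05-07T02:11:09Z vpn auth user=mlee src=203.0.113.7 result=FAIL
2021-05-07T02:11:14Z vpn auth user=aturner src=203.0.113.7 result=FAIL
2021-05-07T02:11:20Z vpn auth user=contractor7 src=203.0.113.7 result=FAIL
2021-05-07T02:11:25Z vpn auth user=contractor7 src=203.0.113.7 result=FAIL
2021-05-07T02:11:31Z vpn auth user=contractor7 src=203.0.113.7 result=FAIL
2021-05-07T02:11:40Z vpn auth user=contractor7 src=203.0.113.7 result=SUCCESS
2021-05-07T08:02:00Z vpn auth user=jsmith src=198.51.100.22 result=SUCCESS
"""

LINE = re.compile(r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
                  r"result=(?P<result>SUCCESS|FAIL)$")


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, spray_users=3, bruteforce_failures=3):
    """Run two detections over events in time order and return alert strings.

    spray_users         - distinct users one source must fail against to alert
    bruteforce_failures - consecutive failures for a user before a success alerts
    """
    alerts = []
    failed_users_by_src = defaultdict(set)
    recent_failures = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            targets = failed_users_by_src[e["src"]]
            targets.add(e["user"])
            if len(targets) == spray_users:   # fire once, when the threshold is crossed
                alerts.append(f"password spray from {e['src']}: failures against "
                              f"{spray_users} distinct users")
            recent_failures[e["user"]] += 1
        else:
            n = recent_failures[e["user"]]
            if n >= bruteforce_failures:
                alerts.append(f"success for {e['user']} from {e['src']} after {n} failures")
            recent_failures[e["user"]] = 0   # a success resets the run
    return alerts


def sample_alerts():
    return detect(parse(LOG))


if __name__ == "__main__":
    for a in sample_alerts():
        print("ALERT:", a)
```

A success after repeated failures is the alert that deserves a phone call, not a ticket: it means a credential worked for an account that was under attack moments earlier, and the next step is to check whether that account should even have been enabled.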

5. Manage Third-Party Risk

Assess:

  • Software vendors' security practices
  • Service providers' access to your systems
  • Supply chain security
  • Contract terms for cyber expectations

6. Plan for Incidents

Have:

  • An incident response plan
  • Regular testing of the plan
  • Clear roles and responsibilities
  • Communication plans

The Bottom Line

These attacks show us that most breaches exploit basic security failures — failures that can be identified and fixed.

The methods aren't mysterious:

  • Compromised credentials
  • Missing MFA
  • Unpatched vulnerabilities
  • Phishing and social engineering
  • Supply chain compromises

Understanding how attacks actually happen helps organisations prioritize their security efforts. Focus on the basics first: MFA, patching, training, monitoring, and third-party risk management.

These aren't theoretical threats — they're real methods used in real attacks. The good news is that they're also preventable with the right controls and processes.