The Largest Cyberattacks in History

The largest cyberattacks are evaluated according to three criteria: the scale of compromised data, quantifiable economic cost, and strategic impact on critical infrastructure.

Threats have evolved from simple malicious programs (malware) in the 1980s, such as the Morris Worm (1988), which caused millions of dollars in damages, to sophisticated espionage operations supported by nation-states.

At present, financial risk, fueled by ransomware and global interconnection, has reached peak levels. The global average cost of a data breach rose to $4.88 million in 2024. For organizations in the U.S., this figure jumps to an average of $10.22 million.

Acts of Sabotage with the Highest Economic Cost

The most destructive cyberattacks are not defined by the number of victims. Instead, they can be ranked by the colossal economic damage caused by halting operations.

1. NotPetya (2017): The $10 Billion Maskirovka Attack

NotPetya is considered the most costly global cyberattack in history, with estimated worldwide damages of around $10 billion.

  • Destructive Purpose: Attributed to Russia’s military intelligence service (GRU), the attack used the tactic of maskirovka (military deception). It disguised itself as ransomware, demanding a payment of $300, but its real purpose was purely destructive: destabilizing Ukraine’s economy.
  • Attack Vector: It spread rapidly through the compromise of Ukraine’s MeDoc accounting software and by using the EternalBlue exploit, a powerful cyber weapon stolen from the U.S. National Security Agency (NSA). The attack crippled multinational corporations, including pharmaceutical giant Merck, which suffered losses of over $1.4 billion.

2. WannaCry (2017): The Global Ransomware Pandemic

Just a few months before NotPetya, WannaCry became the first major incident to use the EternalBlue exploit on a massive scale.

  • Impact and Cost: The attack spread to hundreds of thousands of computers across more than 150 countries, with estimated economic losses between $4 and $8 billion.
  • Critical Targets: The healthcare sector was hit hardest. The UK’s National Health Service (NHS) was severely affected, resulting in the cancellation of many urgent appointments.
  • Hybrid Attribution: WannaCry is attributed to the Lazarus Group from North Korea, an unusual state actor that does not limit itself to espionage. Its main objective is financial gain, using massive ransomware campaigns to generate revenue for the North Korean regime.

Strategic Sabotage and the Supply Chain Weapon

Some of the most impactful cyberattacks are those that successfully target the foundations of critical infrastructure or use third-party suppliers to infect vast networks.

3. Stuxnet (2010): The Birth of Physical Sabotage

Stuxnet set the benchmark for sophisticated digital sabotage. It was the first widely recognized cyberweapon, designed to cause real physical destruction.

  • Advanced Technique: The malware targeted industrial control systems (SCADA) and Siemens programmable logic controllers (PLCs) used in industrial facilities such as nuclear power plants.
  • Payload: The attack exploited four zero-day vulnerabilities. It was programmed to target only specific configurations, such as those controlling gas centrifuges in Iran’s nuclear program, causing them to self-destruct. To mask its actions, Stuxnet fed operators’ consoles with a loop of normal values, hiding the physical sabotage in progress.

4. SolarWinds Orion (2020): The Unprecedented Supply Chain Compromise

The SolarWinds campaign redefined the risks of the supply chain. Attributed to Russia’s Foreign Intelligence Service (SVR), it was one of the most sophisticated hacking campaigns ever recorded.

  • Attack Vector: The APT actor compromised SolarWinds’ development environment, injecting malicious code named SUNBURST into legitimate updates of the Orion monitoring software.
  • Scale: Nearly 18,000 customers received the compromised update, granting attackers access to numerous government entities, critical infrastructure operators, and private companies worldwide.

Subsequent attacks, such as Kaseya VSA (2021) and MOVEit Transfer (2023), confirmed that third-party vendors remain the weakest link. In the MOVEit case, the CL0P (FIN11) ransomware group exploited a zero-day SQL injection vulnerability to install a web shell named LEMURLOOT, enabling massive data theft.

The Future of Threats and Global Response

The continuous evolution of threats forces governments and companies to adapt constantly.

  • The Rise of GenAI and Deepfakes: The next generation of attacks will be accelerated by Generative Artificial Intelligence (GenAI). Approximately 47% of organizations consider adversarial GenAI developments their most urgent concern, because these can facilitate advanced phishing, vishing, and deepfake attacks that overcome defenses based on human vigilance.
  • Regulatory Adaptation: In response to systemic failures, governments have imposed structural changes. For example, U.S. Executive Order 14028, issued after SolarWinds, accelerated the shift toward Zero Trust Architecture (ZTA). In Europe, the NIS2 Directive (2024) requires critical infrastructure companies to report major incidents within 24 hours of detection, under penalty of heavy fines.

The lesson from the largest cyberattacks in history is clear: defense can no longer be static. The priority must shift from mere prevention to resilience, continuous verification of every access point, and rapid management of correlated risks.

