Cyber attack timeline: home users, contractors and SMBs are now the targets
Over the last decade, the pattern in cyber attacks has shifted noticeably. Large enterprises still get headlines, but the most consistent victims are now home users, contractors, managed service providers (MSPs), and small and medium-sized businesses (SMBs). Lower visibility, weaker controls, and reliance on cloud and third-party platforms have made these environments attractive to both criminal groups and state-linked actors.
I put together a timeline of major attacks from 2016 to 2025 to show how this trend evolved. The text version is below for anyone who prefers reading it directly.
**Timeline of attacks (2016–2025)**
• 2016 — Mirai botnet DDoS
Home users with consumer IoT devices were compromised and turned into a large DDoS botnet. Multiple criminal groups reused the leaked Mirai code.
• 2017 — WannaCry ransomware
Home users and SMBs were hit by a worm exploiting an SMBv1 vulnerability. Widely attributed to the Lazarus Group.
• 2017 — NotPetya wiper
SMBs were affected by a destructive wiper disguised as ransomware. Linked to Russian state-associated actors.
• 2018–2020 — Emotet/TrickBot → Ryuk/Conti
Credential theft and ransomware campaigns targeting SMBs, operated by multiple criminal groups.
• 2019 — Cloud and third-party breaches
SMBs and home users impacted by weak access controls and data exposure across various cloud platforms.
• 2020 — Toll Group ransomware
Contractors and service providers disrupted by ransomware attacks affecting logistics operations.
• 2020–2021 — SolarWinds supply chain breach
Third-party providers compromised via trojanized software updates. Attributed to a Russian state-linked APT (advanced persistent threat).
• 2021 — Kaseya VSA ransomware
MSPs and SMBs hit through a supply chain ransomware attack. Attributed to the REvil group.
• 2021–2023 — Ransomware-as-a-Service (RaaS) surge
SMBs targeted by affiliate-driven ransomware operations across multiple RaaS groups.
• 2022–2024 — SaaS and third-party platform breaches
Home users and SMB customers affected by credential theft and data exfiltration across cloud platforms.
• 2023–2025 — Targeting MSPs and niche contractors
MSPs and specialised contractors targeted with ransomware, data theft, and extortion by both criminal and state-linked actors.
I've been working on a Windows-focused threat hunting tool (www.sapience-tech.com) aimed at home users and SMBs who don't have EDR or SIEM tooling. It grew out of trying to help smaller environments spot early indicators of compromise without needing enterprise-grade infrastructure. Happy to answer questions about the data, the timeline, or the approach.