Dossiers

Pieces that span agencies or countries — single operations told in depth, scandals reconstructed from primary documents, thematic surveys.

Cyber operations & breaches

Cyber operations occupy the same space — sabotage, espionage, theft, pre-positioning — that earlier intelligence services pursued through human and signals means; the public record is unusually rich because attribution and incident-response disclosure have become a sustained editorial enterprise of their own. Stuxnet, the worm deployed against the Natanz centrifuge cascade, is documented through Symantec and Langner technical analysis. The OPM, SolarWinds, and HAFNIUM dossiers reconstruct three of the most consequential intrusions of the 2010s: the Chinese MSS exfiltration of US personnel-vetting data, the Russian SVR supply-chain compromise of the Orion update channel, and the Chinese mass-exploitation of Microsoft Exchange. Vault 7 covers the 2017 disclosure of the CIA's offensive cyber arsenal. Each dossier works from the technical record and the government attribution that followed.

2021-03-02

HAFNIUM — Microsoft Exchange

The early-2021 mass-exploitation campaign against on-premises Microsoft Exchange Server installations, in which four previously undisclosed vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — collectively the "ProxyLogon" cluster) were exploited at scale across more than 250,000 servers globally — formally attributed by the United States, the United Kingdom, the European Union, NATO, Japan, Australia, New Zealand, and Canada in a coordinated statement of 19 July 2021 to actors associated with the People's Republic of China's Ministry of State Security.

2020-12-13

SolarWinds — SUNBURST

The 2019–2020 supply-chain compromise of the SolarWinds Orion network-management product, in which a software-build-server intrusion enabled the surreptitious insertion of the SUNBURST trojan into legitimate signed Orion update packages distributed to approximately 18,000 customers worldwide, with subsequent active exploitation against approximately 100 high-value organisations including nine United States federal agencies — attributed by the United States Government on 15 April 2021 to the Foreign Intelligence Service of the Russian Federation (SVR).

2017-06-27

NotPetya

The 27 June 2017 destructive cyber operation that began as a Ukrainian-targeted attack via a supply-chain compromise of the M.E.Doc accounting software and spread globally within hours, weaponising the leaked NSA EternalBlue SMB exploit for lateral movement. The operation is the most economically destructive cyber attack in history — approximately $10 billion in damages worldwide — and was attributed to GRU Unit 74455 (Sandworm) by the Five Eyes intelligence partners in February 2018. It was among the conduct charged in the United States Department of Justice's 19 October 2020 indictment of six GRU officers.

2017-03-07

Vault 7

The 2017 series of WikiLeaks publications of approximately 8,761 documents and files describing the cyber-tools and operational tradecraft of the Central Intelligence Agency's Center for Cyber Intelligence — sourced by former CIA software engineer Joshua Schulte, who was convicted in 2022 by the United States District Court for the Southern District of New York and sentenced in February 2024 to forty years' imprisonment.

2016-08

The Shadow Brokers

The institutional disclosure sequence by the anonymous entity self-designated The Shadow Brokers, between August 2016 and April 2017, of NSA Tailored Access Operations hacking tools — the operational inventory of the Equation Group, including ETERNALBLUE, DOUBLEPULSAR, ETERNALROMANCE, EXPLODINGCAN, and adjacent exploits and persistence frameworks. The downstream operational consequences, in the May 2017 WannaCry ransomware (North Korean Lazarus Group) and the June 2017 NotPetya destructive malware (Russian GRU Sandworm Team), affected approximately 200,000 systems in 150 countries, with documented damages exceeding $10 billion.

2015-06-04

The 2015 OPM Data Breach

The 2014–2015 cyber-intrusion campaign against the United States Office of Personnel Management — disclosed in June 2015 and attributed by the United States Government to Chinese state actors, subsequently associated by analysts with the People's Republic of China's Ministry of State Security — that resulted in the exfiltration of approximately 22.1 million records, including the SF-86 security-clearance background-investigation files of approximately 21.5 million current and former federal employees, contractors, and family members, and 5.6 million sets of fingerprints.

2010-06

Stuxnet — Operation Olympic Games

The joint US-Israeli cyber-sabotage operation that physically damaged Iranian uranium-enrichment centrifuges at Natanz between 2007 and 2010.

2000-01

Bullrun and EDGEHILL

The NSA's Bullrun and GCHQ's parallel EDGEHILL programmes — the institutional cryptographic-defeat effort operating from approximately 2000 onward to undermine the encryption protecting internet communications, through influence on standards bodies, covert intervention with US technology vendors (most prominently the Dual_EC_DRBG backdoor in NIST SP 800-90A), and cryptanalytic exploitation of widely deployed protocols. Disclosed in joint *New York Times*, *Guardian*, and ProPublica reporting on 5–6 September 2013.

How dossiers differ from agency pages

An agency page sits in one country and covers one service — its history, statutory basis, role, and the public record of its operations. A dossier crosses those boundaries. A dossier picks up an operation, a scandal, or a thematic question and follows it across whichever services and states are implicated, footnoted to primary documents and the most defensible secondary record.

The Salisbury attack is a dossier rather than an agency entry because it implicates the GRU, MI5, the SIS, the Metropolitan Police, the OPCW, and the parallel Czech investigation into Vrbětice — no single agency page can carry it. The Snowden disclosures are a dossier because they involve the NSA, GCHQ, CSE, ASD, GCSB, the partner services that received the product, the journalism that processed the archive, and the long arc of post-disclosure legal and policy change. MKULTRA is a dossier because the operation was institutional in a way that has now been substantially documented by the Senate, the Rockefeller Commission, the Church Committee, and successive declassifications.

Coverage here is editorial: dossiers are written when there is a coherent public-record account that can be reconstructed at depth. The list grows as new dossiers are written and as additional declassifications expand what can responsibly be said about cases that remain partly closed.