Far beyond affecting just the technology industry, cyberattacks in 2021 were a mushroom-cloud explosion, reaching their crafty, digital tentacles into every facet of modern life.
According to the Identity Theft Resource Center, the number of data breaches this year surpassed the total number of 2020 breaches in just the first three quarters of 2021. So, what happened? And how do we fix it? Here’s a month-by-month recap of some of the biggest data breaches, hacks, attacks, and other cybersecurity news stories from the last 12 months.
January: Federal Data Breach Sets the Tone for 2021
The year kicked off with public reporting of the U.S. Federal Government data breach. The severity of the attack was initially downplayed, but by January 2021, the public was starting to understand its full scope. In the spring of 2020, hackers added malicious code into the software of SolarWinds, Microsoft and VMWare. When SolarWinds sent software updates, the hacked code created a back door to customers’ information and private data. Worse still, the breach went unnoticed for many months, potentially exposing sensitive data from 300,000 of SolarWinds’ customers, which include some Fortune 500 corporations and U.S. government agencies, among others.
February: Investigations Find Poor Communication, Lack of Standards
Seeing how vulnerable and far-reaching a simple software update could be, the government and watchdog agencies worked to figure out a solution before the next cyberattack could happen. In late February, the House Oversight and Homeland Security committees held a hearing to help figure out what happened in the massive SolarWinds hack, and whom to blame. Cybersecurity experts pointed their fingers at Russia’s Foreign Intelligence Service (SVR), but experts also testified that a general lack of trained cybersecurity personnel, poor communication between companies and government agencies, and the absence of smart practices and global standards helped create the cybersecurity gaps. The opportunity for a breach was basically a pie cooling on the windowsill, just waiting to be eaten.
March: $40M Paid in Insurance Ransomware Incident
At first, the ransomware attacks seemed to be operating quietly, with the hackers locking down an entire network and only giving back the encryption key if the target paid up. In March, CNA Financial, a major insurance company, paid $40 million in ransom to get its huge volume of data back. While payments aren’t usually disclosed, this ransom payment is bigger than any previously disclosed payment to hackers, according to people familiar with ransomware negotiations, and its becoming public potentially inspires other cybercriminals to ratchet up their extortion rates.
April: Facebook, Police Departments Targeted
April came in like a lion and basically stayed that way, leading into an even more ferocious May. Early in the month, social media Goliath Facebook faced one of the biggest data breaches in the history of the company. In the first week of April, a user posted the data of over 533 million Facebook users online for free, including phone numbers, full names, locations, email addresses, and biographical information. Profiles from more than 106 countries were exposed, including more than 30 million accounts in the U.S. While the data was technically “old” (aka, from 2019), experts point out that it contains identifiers that don’t change often, if ever, such as phone numbers, email addresses, full names and birthdates.
Unfortunately, Facebook was not a lone victim. A company that detects software vulnerabilities turned out to be vulnerable itself, proving that no company is completely safe. Codecov, a software auditing company used by more than 29,000 companies, learned in April that it had experienced a security breach months earlier and found itself playing catch-up to mitigate further risk.
April just would not quit, because by the end of the month, the Washington, DC Police Department became the third police department to be cyberattacked in six weeks when hacked data was leaked online. The hacker group Babuk threatened to release 250 gigabytes of data, including lists of persons of interest, arrest records, and police informant information, among other pieces of information.
The police department in a small city in Maine and another in Azusa, California, were targeted in the past month (though those perpetrators have not been named), showing the public that predicting and stopping the next cyberattack is practically impossible for federal investigators. Many systems are using outdated or easily breached software, and an overhaul to the entire system will be time consuming and costly. The White House issued an executive order to help beef up cyber-defense, but until that catches up to the cybercrime spree, experts and IT departments of large and small companies alike remind users to be vigilant about identity theft, fraud schemes, and phishing scams. After all, one wrong click could bring down an entire network.
May: Colonial Pipeline Impact Was Far-Reaching
May was a tough month, with the most reported ransomware attacks and new ones cropping up faster than we could type. So much was happening on the cyberattack front that we devoted our weekly tech news round-up to the explosion of ransomware attacks, and what to do about it.
Colonial Pipeline, the nation’s largest oil fuel pipeline, became the latest victim of a ransomware attack, effectively shutting down the delivery of gas to much of the Southeast region. The gas shortage created miles-long lines at the pump as people feared rising prices and further unavailability.
The pipeline, which moves nearly half of the East Coast’s fuel, was shut down in mid-May after a cyber-criminal group called DarkSide (thought to be from the former Soviet Union) broke into servers and encrypted its data, demanding a ransom fee to restore access.
Seeing how quickly order turned to panic was the canary in the coal mine for many companies and organizations. This large-scale breach again put cybersecurity experts and the White House on notice about where the vulnerabilities are in our infrastructure and processes. To that end, April closed out with the Biden administration putting more dollars and support behind the Cybersecurity and Infrastructure Security Agency (CISA), the agency tasked with everything from shoring up critical supply chains to managing risks to U.S. election infrastructure and, most recently, responding to the cyberattacks.
June: Continued Attacks Show Vulnerability of Our Infrastructure
First, they came for our government infrastructure (SolarWinds), then they came for our gas (Colonial Pipeline), and in June, they came for our dinner. In early June, JBS Foods, a massive meat processor, closed all nine of its beef facilities, as well as many pork and poultry plants, across the U.S. Though the facilities reopened a day later, experts say that even a one-day disruption to such a large food processor could have impacted wholesale beef prices.
The rising spike in ransomware cyberattacks continued to sow anxiety about the vulnerability of our critical resources and businesses. While the FBI and CISA investigated the breach, the White House met with Russia’s President Putin, and both agreed to take steps on cybersecurity and to consider some things, like infrastructure, “off limits”.
Following the Biden/Putin chat, the G7 Summit kicked off in mid-June with cybersecurity and ransomware high on the agenda. The G7 nations formally warned countries who are housing the cybercriminals—including Russia—to tackle the growing trend. Biden promised that the G7 group will “hold countries accountable…”
Meanwhile, REvil, a group presumably out of Russia, took credit for a ransomware attack on Sol Oriens, a nuclear security contractor. The cybercriminals claimed to have stolen employee and business information and threatened to release the info to military groups if they didn't get their ransom money. The FBI reported that the REvil gang is also responsible for the JBS Food Services ransomware attack earlier in the month.
July: MSPs Targeted by REvil, Affecting 1M Businesses
The Fourth of July is typically the tentpole of the summer for Americans, but while we were OOO enjoying parades, fireworks, and barbeque, cybercriminals (and all-around terrible people) REvil launched another large-scale ransomware attack, affecting more than 1 million systems across 17 countries. The Russia-based hackers targeted a U.S. IT firm called Kaseya, using its VSA supply-chain software to infiltrate thousands of managed service provider (MSP) network systems and their customers. The cyberattack hit mostly public agencies and small businesses, and REvil offered a wide range of extortion prices, depending on the victim’s network.
It wasn't all doom-and-gloom, though. Industry professionals stepped up to help affected companies where they could. For example, CompTIA Information Sharing and Analysis Organization (ISAO) offered assistance and resources—from boots on the ground to shared information and communication strategies—to any impacted organization.
Another big story broke in July when it was reported that the Israeli cyber-surveillance firm NSO Group, which created and sells the Pegasus software, was used to target the smartphones of 37 journalists, activists, and business executives, including two women associated with the murdered Saudi journalist Jamal Khashoggi, as well as three presidents, 10 prime ministers, and a king.
The military-grade spyware is sold to governments for the purpose of countering terrorism and criminal activity and can be activated without a user even touching their phone or knowing they were hacked. Things like collecting emails, call records, social media posts, user passwords, contact lists, pictures, videos, sound recordings, and browsing histories were all accessible to the cybercriminals via this spyware. It remains to be seen what this information was being collected for, but 16 media outlets across the world worked together to figure out the source of this attack and how to best secure their information moving forward.
August: Bad WFH Behavior Increases Security Risks
The end of summer brought the hopeful end of the remote work and Zoom call carousel. Eighteen months into the pandemic, many companies began to plan for a return to the office, and what that would look like from an infrastructure point of view. Following the explosion of ransomware attacks and security breaches, many security and IT experts worried about the pitfalls of the transition back to an in-office workforce.
Some stats showed that one-third of polled employees picked up bad security behaviors while working remotely, including using unsecured networks, mixing personal and professional devices and uses, and assuming that riskier security behavior is acceptable at home (uh, no). In one report, 69% of IT leaders thought that ransomware attacks would be a greater concern in a hybrid workplace. And they warned of an uptick in phishing scams as workers come out of the WFH fog and back to a structured professional environment.
In a cyberattack that turned weird, a hacker claimed to have stolen the sensitive data (think: driver’s license numbers, social security numbers, addresses) of more than 100 million T-Mobile customers and began peddling it online. The hacker then told a handful of reporters (via Twitter) that the purpose of targeting T-Mobile was an act of revenge on the U.S. for the country’s response to John Erin Binns, a known hacker who filed a lawsuit against the U.S. government, alleging that he was spied on and kidnapped in Germany in 2019. The hacker wanted to “harm U.S. infrastructure” and asked for 6 bitcoin (roughly $270,000) for a sample of the data.
September: 61M GetHealth User Records Exposed
September is a transition month seasonally, and we had hoped for less cybercriminal activity. While it wasn’t completely incident-free, there was a downturn from the very active summer cybercrime spree. One reported cyberattack happened to an American company called GetHealth, which makes an application programming interface (API) that collects data from fitness wearables—think Fitbit, Apple Healthkit, Google Fit—and then helps users organize that data on their computers and put it in context. But mid-month, security researchers found a non-password-protected database of more than 61 million records of GetHealth users from around the world, including some data that contained personally identifiable information, like names, dates of birth, and GPS logs.
The researcher who found the unsecured database, Jeremiah Fowler, quietly alerted GetHealth once he and his team could confirm the company was the owner of the database, and within hours, GetHealth claimed to have fixed the issue. There’s no telling how long the records were exposed, whether anyone else accessed them, or even whether the customer data is at risk. For now, it’s just a story of some unguarded personal user information lying around the internet until a Good Samaritan brought it back to safety. Time will tell if anyone with a less ethical compass came across the database.
October: Cybersecurity Awareness Month Spreads the Word
October was Cybersecurity Awareness Month, so it was fitting that the White House National Security Council announced that it would be hosting the Counter-Ransomware Initiative, a virtual meeting including representatives from 30 nations. This informal group is an international response to the explosion in cybercrime and ransomware attacks, and it hopes that by gathering information and sharing knowledge across the globe, members can start to improve “law enforcement collaboration" on issues like "the illicit use of cryptocurrency,” according to the Biden administration.
Also this month, the Financial Trend Analysis report from the U.S. Treasury Financial Crimes Enforcement Network reported that by June of 2021, financial institutions had reported about $600 million in possible ransomware transactions, whereas the entire total for 2020 was $416 million—a 30% increase. To add insult to injury, the agency cited about $5.2 billion in suspicious bitcoin activity, underlining how the rise of hard-to-trace currency like cryptocurrency is encouraging the meteoric spike in ransomware attacks, since paying up seems to be the easier route for companies dealing with millions of dollars’ worth of disruption. This fall, the Treasury Department announced its first sanctions against a cryptocurrency exchange for facilitating transactions involving money gained from ransomware—the hope is that the move will help staunch the flow of ransomware attacks.
November: $1.9B Earmarked for Cybersecurity Programs
Congress passed the bipartisan Infrastructure Investment and Jobs Act (INVEST). This $1.2 trillion bill allocates money to fix and maintain the country’s aging infrastructure, such as bridges, public works, and roads, while looking to invest in the future, with $1.9 billion earmarked for cybersecurity and cyber grants. Among the provisions, a $1 billion grant program is slated to help state, local, tribal, and territorial governments protect and defend themselves from cybersecurity threats, ransomware attacks, and to modernize current systems to protect sensitive data, information, and public critical infrastructure.
Also this month, we reported on a new security threat called “password spraying.” The Microsoft Detection and Response Team (DART) warned that hackers were utilizing this approach to target C-level executives and high-value cloud accounts. This tactic is what it sounds like—bombarding large lists of accounts with a small number of commonly used passwords. Unlike a traditional brute-force attack that works through an extensive password list against one account at a time, a hacker who “sprays” tries a few passwords against many accounts, which is far less likely to trigger an account lockout. Targets included accounts from security, Exchange service, global, and Conditional Access administrators, SharePoint, helpdesk, billing, user, authentication, and company admins. So basically everyone.
IT administrators are advised to enable and enforce multi-factor authentication (MFA) across all accounts whenever possible, and if possible, implement passwordless technology to lower the risk of account compromise if or when the company is targeted by such attacks.
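Because spraying stays under the per-account lockout threshold, defenders have to look across accounts rather than at one login at a time. The following Python is an added illustration (not from the original article or from Microsoft DART) of detection logic a defender could run over authentication logs to tell a spray from a classic brute-force attempt; the log line format, source addresses, account names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system):
# 203.0.113.7 makes one guess against many accounts (a spray) and lands one,
# 198.51.100.9 hammers a single account, 192.0.2.44 mistyped once and signed in.
SAMPLE_LOG = """\
2021-11-08T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2021-11-08T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2021-11-08T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2021-11-08T09:00:07Z src=203.0.113.7 user=dave result=FAIL
2021-11-08T09:00:09Z src=203.0.113.7 user=erin result=FAIL
2021-11-08T09:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2021-11-08T09:00:02Z src=198.51.100.9 user=admin result=FAIL
2021-11-08T09:00:04Z src=198.51.100.9 user=admin result=FAIL
2021-11-08T09:00:06Z src=198.51.100.9 user=admin result=FAIL
2021-11-08T09:00:08Z src=198.51.100.9 user=admin result=FAIL
2021-11-08T09:00:10Z src=198.51.100.9 user=admin result=FAIL
2021-11-08T09:00:15Z src=192.0.2.44 user=gina result=FAIL
2021-11-08T09:00:40Z src=192.0.2.44 user=gina result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

def parse_events(log):
    """Yield (timestamp, source, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"], m["result"]

def classify_sources(log, window=timedelta(minutes=10), min_accounts=5, lockout_threshold=5):
    """Map each source address to a verdict dict. Spray: many distinct accounts
    inside one window, each failing fewer times than the lockout threshold (so no
    account locks). Brute force: one account pushed to or past the threshold."""
    fails = defaultdict(lambda: defaultdict(list))  # src -> user -> [timestamps]
    wins = defaultdict(set)                          # src -> accounts that succeeded
    for ts, src, user, result in parse_events(log):
        if result == "FAIL":
            fails[src][user].append(ts)
        else:
            wins[src].add(user)
    verdicts = {}
    for src, per_user in fails.items():
        stamps = sorted(t for ts_list in per_user.values() for t in ts_list)
        in_window = stamps[-1] - stamps[0] <= window
        worst = max(len(ts_list) for ts_list in per_user.values())
        if in_window and len(per_user) >= min_accounts and worst < lockout_threshold:
            verdict = "password_spray"
        elif worst >= lockout_threshold:
            verdict = "brute_force"
        else:
            verdict = "benign"
        # A spray followed by a SUCCESS names the account to reset and review first.
        verdicts[src] = {"verdict": verdict, "accounts": len(per_user),
                         "max_fail_per_account": worst, "succeeded_as": sorted(wins[src])}
    return verdicts
```

A slow spray spread over hours will not fit the 10-minute window; in practice the window and account count are tuned to the tenant's normal failure rate, and the same grouping can be keyed on user agent or ASN when the attacker rotates addresses.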
Lastly, the cybersecurity industry lost a legendary leader, Alan Paller. A foremost pioneer in cybersecurity threats and a megaphone for recruiting top talent for the cybersecurity and defense pipeline, Paller was known for his persistent focus on offensive and defensive cybersecurity strategies, implementing new advancements in homeland security and technology sectors, and fostering continued, evolving growth for careers in the cybersecurity field.
December: Microsoft Takes Over 42 Hacker Websites
We first talked about the Israeli surveillance company NSO Group back in July, when the phones of journalists, activists, and business executives were being illegally targeted. Then again in September, when hackers used the same software to exploit a vulnerability in Apple’s iOS. Unfortunately, this story has still more cybersecurity news to bear. Per an alert from Apple this month, at least eleven State Department officials have been the targets of hackers using the surveillance software called Pegasus from NSO Group to access their iPhones. The hacks happened over the past several months and involved US officials who were either based in Uganda or had business relating to the East African country. While the Israeli company says it had no idea its tools were being used for hacking, it did cancel the relevant accounts and launched an investigation. This breach marks the biggest known cyberattack on U.S. officials via NSO Group, and the attacker or attackers have not yet been identified.
While US government and NSO Group say they cannot comment on this open investigation, both promise legal action to whomever is found responsible. The Pegasus software seems to be the gift that keeps on giving when it comes to cybercriminals.
Also this month, Microsoft reported the takeover of 42 websites from hackers (known as Nickel or APT15) who were attacking organizations in 29 countries and were believed to be installing stealthy malware that connected victims to malicious websites, which Microsoft has now seized. It is believed that Nickel aims to collect intelligence on government agencies, think tanks, universities, and human rights organizations. Experts agree that this kind of preemptive action by Microsoft’s Digital Crimes Unit is a positive step toward mitigating the risk and extensive harm that hackers can inflict.
There’s no doubt that 2021 saw a significant uptick in ransomware attacks, data breaches, and new threats to cybersecurity. However, it’s not all doom-and-gloom. According to Microsoft, its Digital Crimes Unit dismantled more than 10,000 malicious websites used by cybercriminals and almost 600 used by nation-state actors, and blocked 600,000 more from existing in the first place. The cybersecurity defense industry and job market are evolving and gaining momentum, so we can be optimistic that 2022 will bring more sophisticated development, highly skilled talent, and broad support from all sectors to help eliminate cybersecurity threats before they become disruptive. Bring it on, 2022!
To join the cybersecurity conversation, learn more about the CompTIA ISAO and Cybersecurity Community.