The worst hacks of 2021



If 2020 was the year of the pandemic lockdown hack, 2021 was an open season for attackers around the world. The ransomware gangs were incredibly aggressive, targeting healthcare facilities, schools and critical infrastructure at an alarming rate. And hackers have continued to launch attacks on the supply chain with far-reaching fallout. As the pandemic still raged in the background, system administrators, incident responders, global law enforcement and security professionals of all kinds worked tirelessly to counter the barrage. And governments have rushed to take more concrete action against online threats.

For now, however, the seemingly endless cat-and-mouse game continues. As John Scott-Railton, Senior Researcher at the Citizen Lab at the University of Toronto, says, “2021 is the year we realize that the problems we chose not to solve years or decades ago are coming back to haunt us.”

Here’s WIRED’s retrospective of the worst breaches, leaks, data exposures, ransomware attacks, state-sponsored hacking campaigns, and digital chaos of the year. With no sign of reprieve in 2022, watch your back and stay safe out there.

In early May, ransomware hit Colonial Pipeline, which operates a 5,500-mile pipeline that transports nearly half of the East Coast’s fuel (gasoline, diesel, and natural gas) from Texas to New Jersey. As a result of the attack, the company shut down parts of the pipeline both to contain the malware and because the attack took its billing systems offline. As lines multiplied at gas stations in the Southeastern United States, the Department of Transportation issued an emergency order to allow wider distribution of fuel by truck. The FBI also named the notorious Russia-linked ransomware gang DarkSide as the perpetrator of the attack.

Colonial Pipeline paid a ransom of 75 bitcoins, worth over $4 million at the time, in an attempt to resolve the incident. Law enforcement was later able to recover part of the funds, and DarkSide went underground to avoid scrutiny. In November, the State Department announced a $10 million bounty for information on the leaders of the group. The attack was one of the largest disruptions hackers have ever caused to U.S. critical infrastructure, and was part of a series of alarming hacks in 2021 that ultimately appear to have served as a wake-up call to the U.S. government and its allies on the need to address and deter ransomware attacks.

The SolarWinds hacking wave was the most memorable software supply chain attack of 2020 and 2021, but the compromise of IT management software company Kaseya was another big addition to this year’s supply chain attack annals. In early July, hackers associated with the Russia-based ransomware gang REvil exploited a flaw in Kaseya’s Virtual System Administrator tool. VSA is popular among managed service providers, companies that manage IT infrastructure for organizations that don’t want to do it themselves. Thanks to this interdependent ecosystem, attackers were able to exploit the VSA vulnerability to infect up to 1,500 organizations worldwide with ransomware. REvil set ransoms of around $45,000 for many downstream victims and up to $5 million for the managed service providers themselves. The gang also offered to release a universal decryption tool for around $70 million. But then the ransomware gang went dark, leaving everyone in limbo. At the end of July, Kaseya obtained a universal decryptor and began distributing it to targets. In early November, the US Department of Justice announced that it had charged one of the main alleged perpetrators of the Kaseya attack, a Ukrainian national arrested in October and currently awaiting extradition from Poland.

Amazon-owned live streaming service Twitch confirmed it was breached in October after an unknown entity released a trove of 128GB of proprietary data stolen from the company. The breach included the full source code of Twitch. The company said at the time that the incident was the result of a “server configuration change that allowed improper access by an unauthorized third party”. Twitch denied that any passwords were exposed in the breach, but admitted that information about individual streamers’ income was stolen. In addition to the source code itself and streamer payment data since 2019, the trove also contained information about Twitch’s internal Amazon Web Services systems and proprietary SDKs.

In the wake of Russia’s SolarWinds digital espionage wave, the Chinese state-backed hacking group known as Hafnium went on a rampage. By exploiting a group of vulnerabilities in Microsoft’s Exchange Server software, they compromised targets’ email inboxes and their organizations more broadly. The attacks affected tens of thousands of entities across the United States starting in January and with particular intensity in the first days of March. The hacks hit many victims, including small businesses and local governments. The campaign also reached a significant number of organizations outside of the United States, such as the Norwegian Parliament and the European Banking Authority. Microsoft issued emergency patches on March 2 to address the vulnerabilities, but the hacking wave was already underway and many organizations took days or weeks to install the fixes, if they did so at all.

Israeli spyware developer NSO Group has increasingly become the face of the targeted surveillance industry as its hacking tools are used by more and more autocratic customers around the world. The WhatsApp communication platform sued NSO in 2019 and Apple followed suit this year in November, following a series of disclosures that NSO had created tools to infect iOS targets with its flagship spyware Pegasus by exploiting vulnerabilities in Apple’s iMessage communications platform. In July, an international group of researchers and journalists from Amnesty International, Forbidden Stories and more than a dozen other organizations published forensic evidence that a number of governments around the world, including Hungary, India, Mexico, Morocco, Saudi Arabia and the United Arab Emirates, may be clients of NSO. Researchers studied a leaked list of 50,000 phone numbers associated with activists, journalists, executives and politicians who were all potential surveillance targets. NSO Group has refuted these allegations. In December, Google researchers concluded that the sophistication of NSO malware was comparable to that of elite nation-state hackers.

JBS SA, the world’s largest meat processor, suffered a major ransomware attack in late May. Its subsidiary JBS USA said in a statement in early June that “it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems.” JBS is headquartered in Brazil and has approximately a quarter of a million employees worldwide. Although its backups were intact, JBS USA was forced to take the affected systems offline and worked frantically with law enforcement and an outside incident response firm to right the ship. JBS’s facilities in Australia, the United States and Canada were disrupted and the attack caused a cascade of impacts in the meat industry, resulting in plant closures, workers sent home and livestock returned to farmers. The incident came just weeks after the Colonial Pipeline attack, underscoring the fragility of critical infrastructure and vital global supply chains.

Firewall vendor Accellion released a patch at the end of December, then more fixes in January, to remedy a group of vulnerabilities in one of its network appliance offerings. However, the fixes did not arrive or were not installed quickly enough for dozens of organizations around the world. Many suffered data breaches and faced extortion attempts as a result of the vulnerabilities. The hackers behind the spree appeared to have connections to the FIN11 financial crime group and the Clop ransomware gang. The victims included the Reserve Bank of New Zealand, Washington State, the Australian Securities and Investments Commission, cybersecurity firm Qualys, Singaporean telecommunications firm Singtel, leading law firm Jones Day, the Kroger grocery store chain, and the University of Colorado.

Everything old was new again in 2021, as a number of companies already known for past data breaches experienced new ones this year. Wireless carrier T-Mobile admitted in August that the data of more than 48 million people had been compromised in a breach that month. Of these, more than 40 million victims were not even current T-Mobile subscribers, but rather former or prospective customers who had applied for credit with the company. The remainder were mostly active “postpaid” customers, who are billed at the end of each cycle instead of the beginning. The victims had their names, dates of birth, social security numbers and driver’s license details stolen. In addition, 850,000 customers on prepaid plans had their names, phone numbers and PIN codes caught up in the breach. The situation was particularly absurd given that T-Mobile had two breaches in 2020, one in 2019, and another in 2018.

Another repeat offender was department store chain Neiman Marcus, which had the data of around 4.6 million customers stolen in a breach in May 2020. The company disclosed the incident in October; the breach exposed the names, addresses and other contact information of victims, as well as login credentials and security questions and answers for Neiman Marcus online accounts, credit card numbers and expiration dates, and gift card numbers. Neiman Marcus suffered a data breach in 2014 in which attackers stole the credit card data of 1.1 million customers over three months.
