If 2020 was the year of pandemic hacking, 2021 was open season for attackers around the world. Ransomware gangs were shockingly aggressive, targeting healthcare facilities, schools and critical infrastructure at an alarming rate. And hackers continued to launch attacks on the software supply chain with widespread repercussions. With the pandemic still in the background, system administrators, incident responders, global law enforcement, and security practitioners of all kinds worked tirelessly to counter the barrage. Governments rushed to take more concrete action against online threats.
For now, though, the seemingly endless game of cat and mouse continues. As John Scott-Railton, senior researcher at Citizen Lab at the University of Toronto said, “2021 is the year we realize that problems we chose not to solve years or decades ago come back one after another to haunt us.”
Below is a WIRED retrospective of the year's worst hacks, leaks, data exposures, ransomware attacks, state-sponsored hacking campaigns, and digital chaos. With no sign of a let-up in 2022, watch your back and be safe out there.
In early May, ransomware hit Colonial Pipeline, which operates a 5,500-mile pipeline that transports nearly half of the East Coast's fuel (gasoline, diesel and natural gas) from Texas all the way to New Jersey. As a result of the attack, the company shut down parts of the pipeline, both to contain the malware and because the attack had disrupted its billing systems. As lines grew at gas stations across the southeastern United States, the Department of Transportation issued an emergency order to allow expanded fuel distribution by truck. The FBI also named the infamous Russia-linked DarkSide gang as the perpetrator of the attack.
Colonial Pipeline paid a ransom of 75 bitcoin, worth more than $4 million at the time, in an effort to resolve the incident. Law enforcement was later able to recover some of the money, and DarkSide went underground to avoid scrutiny. In November, the State Department announced a $10 million reward for information on the group’s leaders. The attack was one of the largest ever disruptions of critical US infrastructure by hackers, and was part of a series of disturbing hacks in 2021 that finally seemed to act as a wake-up call for the US government and its allies about the need to comprehensively address and deter ransomware attacks.
The SolarWinds hacking spree was the most memorable software supply chain attack of 2020 and 2021, but the compromise of Kaseya’s IT management software was another notable addition to this year’s record of supply chain attacks. At the beginning of July, hackers linked to the Russia-based ransomware gang REvil exploited a vulnerability in Kaseya’s VSA sysadmin tool. VSA is very popular among managed service providers, the companies that run enterprise IT infrastructure on behalf of customers who don’t want to do it themselves. Through this interconnected ecosystem, attackers were able to exploit the flaw in VSA to infect up to 1,500 organizations around the world with ransomware. REvil demanded ransoms of about $45,000 from several downstream victims and up to $5 million from the managed service providers themselves. The gang also offered to release a universal decryption tool for around $70 million. But then the ransomware gang disappeared, leaving everyone in the dark. At the end of July, Kaseya obtained a universal decryption tool and began distributing it to targets. At the beginning of November, the US Department of Justice announced that it had charged one of the alleged main perpetrators of the Kaseya attack, a Ukrainian national who was arrested in October and is currently awaiting extradition from Poland.
The streaming service Twitch, which is owned by Amazon, confirmed in October that it had been hacked after an unknown entity released 128GB of proprietary data stolen from the company. The breach included Twitch’s full source code. The company said at the time that the incident was the result of “a server configuration change that allowed inappropriate access by an unauthorized third party.” Twitch said passwords were not exposed in the breach, but acknowledged the theft of revenue information for individual streamers. In addition to the source code itself and streamer payout data going back to 2019, the collection also contained information about Twitch’s internal Amazon Web Services systems and private software development kits (SDKs).
In the wake of Russia’s SolarWinds digital espionage wave, a Chinese state-backed hacking group known as Hafnium went on its own spree. By exploiting a set of vulnerabilities in Microsoft Exchange Server software, it broke into targets’ email inboxes and, from there, their organizations more broadly. The attacks affected tens of thousands of entities across the United States beginning in January, with particular intensity in the early days of March. The hack hit a range of victims, including small businesses and local governments. The campaign affected a large number of organizations outside the US as well, such as the Norwegian Parliament and the European Banking Authority. Microsoft released emergency patches on March 2 to address the vulnerabilities, but the hacking spree was already under way, and it took many organizations days or weeks to install the fixes, if they did so at all.
Israeli spyware developer NSO Group has increasingly become the face of the targeted surveillance industry, as its hacking tools are used by more and more authoritarian clients around the world. Communications platform WhatsApp sued NSO in 2019, and Apple followed suit in November, after a series of discoveries that NSO had devised tools to infect iOS targets with its flagship Pegasus spyware by exploiting flaws in Apple’s iMessage communications platform. In July, an international group of researchers and journalists from Amnesty International, Forbidden Stories, and more than a dozen other organizations released forensic evidence that a number of governments around the world, including Hungary, India, Mexico, Morocco, Saudi Arabia and the United Arab Emirates, may be NSO customers. The researchers studied a leaked list of 50,000 phone numbers linked to activists, journalists, executives and politicians who were all potential targets for surveillance. NSO Group has denied these allegations. In December, Google researchers concluded that the sophistication of NSO’s malware was on a par with that of elite state-sponsored hackers.
JBS SA, the world’s largest meat processing company, was hit by a massive ransomware attack at the end of May. Its subsidiary JBS USA said in a statement at the beginning of June that “it was the target of an organized cyber security attack, affecting some servers supporting IT systems in North America and Australia.” JBS is headquartered in Brazil and has nearly a quarter of a million employees worldwide. Although its backups were intact, JBS USA had to shut down the affected systems and worked frantically with law enforcement and an outside incident response firm to right the ship. JBS facilities in Australia, the United States and Canada faced disruptions, and the attack set off a chain of effects across the meat industry, resulting in factory closures, employees being sent home, and livestock that had to be returned to farmers. The incident came just two weeks after the Colonial Pipeline attack, underscoring the fragility of critical infrastructure and vital global supply chains.
Firewall vendor Accellion released a patch in late December, then more fixes in January, to address a set of vulnerabilities in one of its network equipment offerings. However, the patches did not arrive, or were not installed, fast enough for dozens of organizations around the world, which suffered data breaches and faced extortion attempts as a result of the vulnerabilities. The hackers behind this spree appear to have links to the financial crime group FIN11 and the Clop ransomware gang. Victims included the Reserve Bank of New Zealand, the state of Washington, the Australian Securities and Investments Commission, cybersecurity firm Qualys, Singapore’s Singtel Telecom, prominent law firm Jones Day, grocery chain Kroger and the University of Colorado.
Everything old was new again in 2021, with a number of companies already notorious for past data breaches suffering new ones this year. Wireless carrier T-Mobile admitted in August that the data of more than 48 million people had been compromised in a breach that month. Of those, more than 40 million victims were not even current T-Mobile subscribers, but former or prospective customers who had applied for credit with the company. The rest were mostly active “postpaid” customers, who are billed at the end of each cycle rather than the beginning. Victims’ names, dates of birth, Social Security numbers and driver’s license details were stolen. In addition, the names, phone numbers and PINs of 850,000 customers on prepaid plans were exposed in the breach. The situation was particularly absurd because T-Mobile had already suffered two breaches in 2020, one in 2019, and one in 2018.
Another repeat offender was retailer Neiman Marcus, which had data on about 4.6 million customers stolen in a breach in May 2020. The company disclosed the incident in October; the stolen data included victims’ names, addresses and other contact information, as well as login credentials and security questions and answers for Neiman Marcus online accounts, credit card numbers and expiration dates, and gift card numbers. Neiman Marcus was already notorious for a 2014 data breach in which attackers stole credit card data from 1.1 million customers over a three-month period.