The 10 biggest cyberattacks of 2021


Until relatively recently, cyberattacks were seen as an issue for organisations and cybersecurity professionals to worry about. Now they’re everyone’s problem. No year embodied this more than 2021, which gives us the best predictor for the year ahead, indeed every year for the foreseeable future – as with pandemics and climate change, when things go wrong they increasingly affect large parts of the population.

This article looks back at 2021 and explores the biggest cyberattacks across a range of methods and industries.

The year 2021 was notable for big cyberattacks but should any of them worry us unduly? One way to answer this question is to imagine travelling back a decade and predicting a future world in which the following incidents would occur:

– A ransomware attack on an oil pipeline leads to long fuel queues for tens of millions of Americans

– A mass data breach compromises thousands of companies and US Government departments in a single incident

– A small nation’s health service is severely disrupted by a ransomware attack with resulting clean-up costs of $600 million

– A cyberattack comes close to poisoning a small town’s water supply.

Readers from 2011 would surely have been shocked by this list, even in a world where nation-state attacks, cyber-extortion, and consumer data breaches were far from unknown. And yet all the above incidents happened in 2021 within a few weeks of one another.


Ransomware

The top business cyber risk of 2021 was ransomware, with sums demanded reaching the tens of millions amid society-disrupting effects. Although most incidents followed the same M.O. (modus operandi) as in previous years, innovations included targeting software supply chains as a shortcut to infecting large numbers of victims, attacking critical infrastructure (we’ve broken out those developments as separate categories of attack), and rapidly exploiting major zero-day vulnerabilities to extort enterprises.

The Irish health service

The possibility of a major ransomware attack on a public health organisation has been a worry ever since WannaCry disrupted health organisations, including Britain’s NHS, in 2017. What happened to Ireland’s Health Service Executive (HSE) in May 2021 shows these fears weren’t exaggerated. The agent this time was the Conti ransomware, which left numerous hospitals with no working IT systems in the middle of a pandemic. Patient appointments dropped by up to 80%, followed by months of disruption that required parts of the organisation’s network to be rebuilt from scratch, at a staggering cost of $600 million.

The ransom demand was $20 million in Bitcoin, which the country’s politicians refused to pay; the attackers then handed over the decryption keys anyway. As blogger Brian Krebs pointed out, what stood out about Ireland’s attack response was that, as a centralised, tax-funded system, managers were able to both refuse the ransom demand and prioritise major cybersecurity investment. Would the same have happened in a private health organisation with constrained budgets?

Acer ransomware attack

The top ransomware group of the year was REvil, which targets large companies able to pay huge ransoms. In that context, the suspected March REvil attack on Taiwanese computer maker Acer, reportedly exploiting Exchange ProxyLogon flaws (see separate entry on nation-state attacks), should have been no surprise, nor the world-record $50 million ransom demand that came with it.

The attackers deployed the double extortion tactic of releasing data in public to increase pressure, which in this case included spreadsheets, bank balances, and other sensitive communications. This tactic has become standard for many ransomware attacks in the last year and is based on the realisation by attackers that large companies can often now recover from ransomware attacks without paying, hence the need for other forms of persuasion.

The attackers even offered to send Acer a report outlining the vulnerabilities that led to the compromise. This could be a ransomware trend for 2022 – turning the concept of penetration testing into a protection racket.

Nation-state attacks

Attacks with a suspected nation-state motive used to be special cases that happened from time to time. No longer. There are now so many significant attacks linked to nation-state activity they could consume an entire article on their own. The perception remains that nation-state attacks are usually targeted and low key. That remains true but a growing number are affecting services in ways noticeable to the wider public.

Microsoft Exchange zero-days

Zero-days – flaws not known to defenders for which there is often no available patch – are being exploited at lightning speed. One example was April’s targeting of on-premises Exchange servers to steal emails using four separate ProxyLogon zero-days. Allegedly carried out by the Chinese Hafnium group, it transpired that Microsoft had offered patches in March, but lacking a clear indication of their urgency, many organisations didn’t apply them. Reportedly, several hundred thousand organisations were hit by exploits, including at least 7,000 in the UK. Little wonder that an emergency directive from the US Cybersecurity & Infrastructure Security Agency (CISA) recommended either patching the issue or disconnecting affected servers from the network. A Rapid7 estimate in October was that as many as 32% of vulnerable servers still weren’t patched.

Channel 9 TV attack

Australian TV station Channel 9 suffered a suspected ransomware attack in March that disrupted its programme schedule. As is often the case with ransomware, numerous systems were affected, including email servers and software used for editing. An unusual element of this story is that although the attack bore the hallmarks of ransomware, reportedly no ransom demand was received. This raises the possibility that either the attackers got cold feet, or the malware was simply the delivery end of a nation-state attack at a time when the country has been singled out for such attacks. The latter explanation is widely believed, which puts it in the category of similar attacks on the media in the past, including attacks on the BBC’s Persian service in 2012, French TV station TV5 Monde in 2015 by alleged Russian hackers, and the Weather Channel in 2019.

Government spyware

The NSO Group’s Pegasus software operates in a grey area between the illegal and the legitimate, brought into existence by the obsession some governments have with monitoring citizens and opponents. During 2021, Pegasus was everywhere. This has started upsetting some governments, a diplomatic development that might or might not curtail its activities in the year ahead. Even if the NSO Group relents, putting this type of malware back into its box will not be easy. It is simply too good at what it does.

NSO Group spying v the US Government

Not all cyberattacks emanate from traditional cybercriminals, as shown by the controversy of how the Israeli NSO Group’s Pegasus spyware was allegedly used to target the iPhones of nine US State Department officials based in Uganda. For a supposedly legitimate company to be accused of being complicit in an attack on US Government officials is unheard of but shows how a grey zone now exists between outright illegality and nation-state behaviour.

The incident might explain why the company was blacklisted earlier in 2021 by the Biden Administration, which accused it of acting “contrary to the foreign policy and national security interests of the US.” NSO Group spyware is widely used by governments across the world to spy on rivals and NGOs but allowing it to be used against the US might turn out to be a step too far. Separately, Apple announced it was suing the company, which follows a similar case against it by Facebook’s WhatsApp in 2019.

Internet infrastructure

Every year sees incidents affecting the Internet infrastructure, usually BGP (Border Gateway Protocol) route hijacking or interference with DNS (Domain Name System). This year was quiet on that front, at least officially. However, DDoS (Distributed Denial of Service) attacks are still an issue. Most are dealt with very effectively, far more so than in previous years – at last, a success story to point to.

Azure customer hit with 2.4Tbps DDoS

Remember when DDoS attacks were big news? These days you hear a lot less about them, mainly because their effects have become less noticeable now that enterprises use rapid mitigation services. Nevertheless, every now and again, news of a large attack emerges, with the August 2021 DDoS affecting one of Microsoft’s Azure cloud hosting customers in Europe a good illustration of what’s still possible. At 2.4 Tbps, this was the second biggest ever recorded (Google recently said it suffered a 2.54 Tbps UDP attack in 2017, still the largest publicly admitted), with short bursts of traffic over a 10-minute period.

The source was 70,000 botnet devices in and around Asia and the US, which Microsoft was able to mitigate. The main containment technique was geographical isolation, keeping attack traffic within its originating region and away from distant targets. Despite this, Microsoft said it had experienced a 25% increase in DDoS attacks during the first half of 2021.

Critical infrastructure

The challenge of securing critical infrastructure is that it depends on defending every single company in these sectors, including ones nobody has heard of. The Colonial Pipeline attack was the perfect example – an attack aimed at office IT and billing systems that inadvertently took down an obscure pipeline leading to paralysis in parts of the US.

Colonial Pipeline

The most-noticed cyberattack of the year was May’s Colonial Pipeline incident, which left drivers across large parts of the Eastern US unable to refuel their vehicles. Very few of them had heard of the company or its pipeline, which moves 2.5 million barrels of gasoline each day between Houston and New York. That’s the thing about critical infrastructure – people only notice it when something goes wrong.

Carried out by the Russian DarkSide group, this was another ransomware incident. Reportedly, they got in through a single old VPN account whose password was discovered circulating in a dark web cache. This wasn’t reassuring, but much worse was that this vital account lacked multi-factor authentication. The attackers never got near the pipeline systems, but the company shut down everything just to be sure. The company also paid a $4.4 million Bitcoin ransom, part of which US officials were later able to recover in mysterious circumstances.

Florida water supply attack

The small but psychologically alarming attack on the water treatment system of Florida city Oldsmar in February was always going to grab people’s attention. On February 5, in an incident lasting a few minutes, an attacker remotely accessed a computer used to control chemical levels in the water system, upping the amount of sodium hydroxide (caustic soda) from 100ppm to a toxic 11,100ppm. The interference was noticed before any damage was done but the incident brought home that an attack on water systems is no longer theoretical. Indeed, the attack was so obvious some wondered whether the attacker might simply have been trying to prove this very point.

Supply chains

The SolarWinds supply chain attack of December 2020 was described by Microsoft president Brad Smith as “the largest and most sophisticated attack the world has ever seen.” The year 2021 saw several follow-ups on the same theme.

Kaseya ransomware/supply chain attack

What happened to customers of Kaseya’s VSA software in July is a great example of how a weakness in one company can affect thousands of others using it through a third party. Was this a supply chain attack? Arguably, yes, because the software wasn’t being used directly by the estimated 2,000 organisations that ended up being ransomed by the REvil group, but by dozens of managed service providers (MSPs) using Kaseya’s software on their behalf to carry out remote management. It looked like the most efficient ransomware attack in history: one company compromised, countless victims extorted.

Data loss

The idea of data breaches as a separate category of attack is almost redundant at a time when every cyberattack involves a data breach of some sort. Where the issue comes into its own, however, is around how large organisations gather, store and trade data for profit. In many countries, the laws on disclosure when something goes wrong mean that victims don’t always find out about an incident for years, if at all.

Facebook data leak

Tech giants are supposed to collect user data, not lose it, as Facebook did when a cache relating to 533 million people was discovered circulating on a web forum in April. Personal data included names, phone numbers, birth dates, locations, Facebook IDs and, in 2.5 million cases, email addresses. According to Facebook, the leak happened when a vulnerability it patched in 2019 was used to scrape data, something it didn’t reveal at the time.

Conclusion

As these examples demonstrate, no amount of infrastructure or investment guarantees protection from a cyberattack, but with cybercrime on the increase it makes sense to address the most common cyber security weaknesses and causes of data breaches. Our cyber security checklist is a great place to start if you’re looking for some quick and simple measures you can implement to protect your business. Alternatively, if you are able to invest in third-party assessment and verification of your security measures, they can provide your stakeholders with comfort and your business with some much-needed protection. Find out more about Cyber Essentials, Cyber Essentials Plus and ISO 27001, or take a look at our cyber training courses.

Written by Amtivo Admin
