2021 has been a very active year for cyberattacks in all industries, including government, infrastructure, financial services, manufacturing, and healthcare. Thanks to Gurucul, I’ve had a front-row seat to many of them, gaining an understanding of who the attackers were, what malware was used, and how many people were affected. So, what were the biggest breaches of 2021?
There were some doozies. The attacks were audacious. Many of these attacks involved ransomware. Attackers broke into networks and encrypted software and data, and demanded money to decrypt them, usually in bitcoin or other cryptocurrency.
It was more than ransomware. Enterprises are also experiencing some of the old-fashioned hacks that attempt to capture data, once again either held for ransom or for sale on the open market. In an increasing number of cases, such attacks are politically motivated, designed by a hostile foreign power to attempt to destabilize specific functionality.
Here are what I consider to be the top breaches of 2021.
The Colonial Pipeline is the principal way of getting gasoline from refineries in Texas and Louisiana to the East Coast. Attackers encrypted data on the company servers and prevented the movement of gasoline supplies unless the company paid millions of dollars in ransom. Colonial paid $4.4 million in ransomware to regain control of their network. Much of that was recovered by law enforcement, but the attackers remain at large.
The attack vector isn’t yet known, but speculation includes an unpatched vulnerability or phishing. Victims tend to be reluctant to reveal the vector, thinking that it can be used again. The attackers bought ransomware off-the-shelf from a “ransomware as a service” provider known as DarkSide. It was the administrative systems that were breached, making billing and payment impossible.
This was another ransomware attack, targeting IT infrastructure management firm Kaseya. About one thousand companies and government agencies were locked out of their systems, and the attackers, known as REvil, demanded $70 million to decrypt the systems. No ransom ended up being paid, as law enforcement was able to recover the decryption codes.
Once there were indications that ransomware had infiltrated its on-premises management product, Kaseya instructed its on-premises customers to shut down the product, and it took steps to shut down its SaaS offering. While only 60 customers were directly affected, many had downstream customers that they managed, resulting in over 1000 organizations affected.
T-Mobile had a breach involving 54 million accounts, all with highly personal information attached to them, including Social Security numbers, driver’s license information, names, and addresses. This attack is unique in that the attackers are offering to sell the most sensitive data back to T-Mobile. This makes it a type of ransomware attack, although it also involves data theft.
The databases that were breached contained the personal information on previous customers, current customers, and prospective customers. The company won’t say how these databases were compromised, but did say that several vulnerabilities have since been closed. In a nice break from companies in the recent past, T-Mobile is providing all affected customers two years of identity protection.
Hospitals and Healthcare Facilities
Rather than name one or more of the many Hospitals and healthcare facilities that have been the victims of attacks (often but not always ransomware), I’ll collectively put them into one bucket. Healthcare continues to be a ripe target, in part because of the complexity of the networks, and because of the range of different types of connected systems and devices in hospitals.
While the attack vectors and strategies used vary, attacks often get in by attacking unprotected endpoints. The various devices on a hospital network provide many possible ways to get in, and often it’s difficult to observe all of them.
The personal information of 400,000 patients of Planned Parenthood of Los Angeles was stolen and held for ransom. This was a very insidious breach in that it was likely meant to intimidate women who used Planned Parenthood services.
Planned Parenthood is calling it a ransomware attack, rather than for theft or political purposes. The identity of the attacker is unknown, but the organization says that it doesn’t believe any data was used for fraudulent purposes. The attacker accessed the network on or about October 17th, and planted malware designed to harvest this data.
No compilation of attacks is complete without including at least one DDoS attack. The Russian internet giant Yandex battled a DDoS attack that is reportedly the largest in the short history of the “Russian Internet”.
Almost five thousand email addresses were compromised as a part of this attack. It turns out that an employee had been providing access to users’ email accounts for personal gain.
Organizations are kept up at night by the prospect of being hit by ransomware demands, and now Olympus, an international tech company, is the latest victim. In the case of Olympus, it was the BlackMatter ransomware, which is essentially the same as the attack on the Colonial Pipeline.
This seems to be part of an ongoing attack that has shut down Olympus systems in Europe and the Americas. The company hasn’t said whether or not customer data was lost.
This must be a hacker with a sense of humor, although the actual loss of data is by no means funny. It’s ironic that the trading app Robinhood was hacked, with the possible loss of information on up to seven million users in a ransomware attack. After all, the historical Robin Hood was renowned for robbing from the rich and giving to the poor. We’re guessing that those who did the hack aren’t going to give it to the poor.
This attack used social engineering on a customer support individual to gain access to the customer support database, where five million email addresses were taken, along with the full names of two million others. In limited cases, phone numbers were also stolen. It’s not clear whether or not Robinhood paid the ransom.
UK Ministry of Defence
When we add up the costs of data breaches, rarely do we consider human lives. But that’s exactly what has the potential to happen with a UK Ministry of Defence data breach that inadvertently sent out an open email to those Afghans who collaborated with the British during the long war. Because all received the email addresses and personal information of everyone else, it is inevitable that this information will fall into the hands of those that wish them harm. This is an inexcusable mistake, and no amount of advice on managing risks can make up for it.
There’s no exotic technology here, just a huge mistake made by someone in the Ministry. It’s also not clear yet if there has been any loss of life this mistake.
An attacker has breached the Argentinian national database and obtain national ID card information on all citizens of that country. The data includes names, home addresses, birth dates, gender info, ID card issuance and expiration dates, labor identification codes, Trámite numbers, citizen numbers, and government photo IDs. This data is currently either being sold off to interested buyers, or held for ransom to the Argentinian government. Parts of the data have already been found for sale on the dark web.
2021 Isn’t Over Yet
Organizations are not going to keep hackers out of their networks, no matter how secure their firewall. There seems to always be vulnerabilities to exploit. Whether through internal threat, social engineering, or brute-force break-in, attacks are going to continue, and many will succeed. This makes it clear that multiple levels of protection are required.
What is a real shame is that many of these attacks can be prevented, or at least mitigated, through collection and aggregation of data from various sources, and the use of analytics to look for anomalous activities. Even if you can’t prevent a breach, either because of social engineering or because of zero day vulnerabilities, you have to be able to find an intruder in your network quickly and immediately and automatically begin remediation.
Gurucul provides solutions for all attack vectors through analytics, machine learning models, user behaviors, and the MITRE ATT&CK Framework. It is one of the most comprehensive and complete analytics-based cybersecurity solutions available from any vendor today. Gurucul SIEM, UEBA and SOAR products enable you to look for out-of-the-ordinary activities, and access the risk of these activities through a single risk score, and automate responses.
Contact us for more information. Better get ready for 2022!
Watch the Webinar
Join us as we present the biggest breaches of 2021 in a webinar. This webinar looks back at the most significant breaches of the past year, examining how attackers got in and what the results were. It details the vulnerabilities involved, and how they are exploited to give attackers access to information on a network or system. Last, it explains how Gurucul analytical solutions can help organizations identify the risk of threats, watch for those threats, and identify and remediate those threats.
On Demand Webinar: Biggest Breaches of 2021