Major Cybersecurity Incidents of 2020
January 8, 2021
From ransomware schemes to supply chain attacks, this year melded classic hacks with extraordinary circumstances.
WHAT A WAY to kick off a new decade. 2020 showcased all of the digital risks and cybersecurity woes you’ve come to expect in the modern era, but this year was unique in the ways Covid-19 radically and tragically transformed life around the world. The pandemic also created unprecedented conditions in cyberspace, reshaping networks by pushing people to work from home en masse, creating a scramble to access vaccine research by any means, generating new fodder for criminals to launch extortion attempts and scams, and producing novel opportunities for nation-state espionage.
Here’s a look back at this strange year and the breaches, data exposures, ransomware attacks, state-sponsored campaigns, and digital madness that shaped it. Stay safe out there in 2021.
SolarWinds Supply Chain Hack
On Tuesday, December 8, the well-respected cybersecurity and incident response firm FireEye made a stunning disclosure. The company had suffered a breach, and hackers had stolen some of the firm’s internal threat-intelligence data as well as a cache of its “red team” hacking tools—used to probe the systems of paying customers for weaknesses so they can be fixed before attackers find them. In itself, the FireEye breach, which The Washington Post quickly attributed to Russian state-backed hackers, was significant but not a catastrophe. What no one knew that day, though, was that 18,000 other shoes were about to drop.
Beginning on Sunday, December 13, news broke in waves that United States government agencies like the Commerce, Treasury, Homeland Security, and Energy Departments, corporations, and international targets had all been victims of a massive nation-state espionage campaign. The hackers, who have widely been reported as Russian, were on a rampage that was largely made possible by what’s known as a supply chain attack. In other words, all of the attacks were made possible by one initial compromise, in this case at the IT infrastructure firm SolarWinds. Hackers had breached the company as early as October 2019 and planted malicious code in software updates for its network-monitoring tool, Orion. Without knowing it, any customer that installed an Orion patch released between March and June was also planting a Russian backdoor on their own network.
There is also some evidence that the attackers compromised victims through other means aside from the SolarWinds breach, but through that one intrusion the attackers created access for themselves in roughly 18,000 SolarWinds customer networks, according to the company. The impact of the attack varied among victims. In some cases the hackers planted a backdoor but didn’t go any farther. In other cases they used the access just long enough to figure out that they didn’t care about the target. And for an unlucky subset, the attackers moved deep within victim networks for reconnaissance and data exfiltration. For example, critical infrastructure companies like more than a dozen in the oil, electric, and manufacturing sectors seem to have installed the backdoor, but it’s not clear how extensively they were actually infiltrated by attackers. The situation underscores the threat posed by supply chain attacks, because they can efficiently undermine all of a company’s customers in one fell swoop.
Russian hackers have used the technique before, sometimes with more expressly destructive goals. The SolarWinds attacks so far seem to have been largely for espionage, though some experts warn that it’s too soon to tell whether there was a destructive component. Even if the attacks were purely for information-gathering, which is usually a globally accepted activity, some politicians and researchers say that the intrusions cross a line or are out of step with espionage norms because of their scale and scope. As former CIA agent Paul Kolbe put it last week in a New York Times essay, though, “The United States is, of course, engaged in the same type of operations at an even grander scale. We are active participants in an ambient cyberconflict that rages, largely unseen and unacknowledged, across the digital globe. This is a struggle that we can’t avoid, and there is no need to play the victim.” The question now is how the United States will respond to the SolarWinds hacking spree and approach digital espionage and conflict in the future as the Trump administration ends and the Biden administration begins.
In July, a wave of stunning takeovers swept across Twitter, hijacking the accounts of Joe Biden, Barack Obama, Elon Musk, Kanye West, Bill Gates, and Michael Bloomberg, as well as major corporate accounts like that of Apple and Uber. The accounts tweeted out variations of a common theme: “I am giving back to the community. All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.”
Attackers had full access—a nightmare security scenario that would be any nation-state hacker’s dream. Instead, the assault was simply part of a bitcoin scam that ended up netting about $120,000. In all, the scammers targeted 130 accounts and took control of 45. In a mad scramble to contain the situation, Twitter temporarily froze all verified accounts, blocking their ability to tweet or reset the account password. Some of the lockdowns lasted hours.
Subsequent investigation revealed that the attackers had called Twitter’s customer service and tech support lines and tricked reps into accessing a phishing site to harvest their special backend Twitter credentials, including username, password, and multifactor authentication codes. Then the attackers were able to use their access to these support accounts to reset the passwords on target user accounts. At the end of July, three suspects were arrested and charged with committing the hack, including 17-year-old Graham Ivan Clark of Tampa, Florida, who allegedly led the digital assault. In the wake of the breach, Twitter says it launched a major effort to overhaul its employee access controls, particularly with November’s US presidential election looming. Blueleaks
On Juneteenth, the leak-focused activist group Distributed Denial of Secrets published a 269-gigabyte trove of United States law enforcement information, including emails, intelligence documents, audio, and video files. DDOSecrets said the data came from a source claiming to be part of the ephemeral hacking collective Anonymous. Published in the wake of George Floyd’s murder, the dump of more than a million files included documents and internal police communications about law enforcement initiatives to identify and track protesters and share intelligence about movements like Antifa. A lot of the information came from law enforcement “fusion centers,” which gather and share intelligence with law enforcement groups around the country. “It’s the largest published hack of American law enforcement agencies,” Emma Best, cofounder of DDOSecrets, told WIRED in June. “It provides the closest inside look at the state, local, and federal agencies tasked with protecting the public, including [the] government response to Covid and the BLM protests.”
University Hospital Düsseldorf
In September, a ransomware attack apparently targeted at Heinrich Heine University in Düsseldorf instead crippled 30 servers at University Hospital Düsseldorf, throwing the hospital’s systems and patient care into crisis. Unfortunately, ransomware actors have long targeted hospitals, because of their pressing need to restore service in the interest of patient safety. It’s also somewhat common for university-affiliated hospitals to get hit inadvertently. The University Hospital Düsseldorf incident was especially significant, though, because it may represent the first time a human death can be attributed to a cyberattack. As a result of the ransomware attack, an unidentified woman in need of emergency treatment was rerouted from Düsseldorf University Hospital to a different provider in Wuppertal, about 38 miles away, causing an hour-long delay in treatment. She did not survive. Researchers note that it is difficult to definitively establish causality. The incident is clearly an important reminder, though, of the real-world impacts of ransomware attacks on health care facilities and any critical infrastructure.
At the end of October, amidst a sobering wave of health-care-focused ransomware attacks, hackers threatened to release data stolen from one of Finland’s largest psychiatric service networks, Vastaamo, if individuals or the organization as a whole didn’t pay to keep the data under wraps. The hackers may have obtained the information from an exposed database or through an inside operation. Such digital extortion attempts have been around for decades, but the Vastaamo situation was particularly egregious, because the stolen data, which went back roughly two years, included psychotherapy notes and other sensitive information about patients’ mental health treatment. Vastaamo worked with the private security firm Nixu, Finland’s Central Criminal Police, and other national law enforcement agencies to investigate the situation. Government officials estimate that the episode impacted tens of thousands of patients. Hackers demanded 200 euros’ worth of bitcoin, about $230, from individual victims within 24 hours of the initial ask, or 500 euros ($590) after that to hold the data. Finnish media also reported that Vastaamo received a demand for around $530,000-worth of bitcoin to avoid publication of the stolen data. A hacker persona “ransom_man” posted leaked information from at least 300 Vastaamo patients on the anonymous web service Tor to demonstrate the legitimacy of the stolen data.
In late July, hackers launched a ransomware attack against the navigation and fitness giant Garmin. It took down Garmin Connect, the cloud platform that syncs user activity data, as well as large chunks of Garmin.com. The company’s email systems and customer call centers were knocked out, as well. In addition to athletes, fitness buffs, and other regular customers, airplane pilots who use Garmin products for position, navigation, and timing services also dealt with disruption. The flyGarmin and Garmin Pilot apps both had days-long outages, which impacted some Garmin hardware used in planes, like flight-planning tools and updates for required FAA aeronautical databases. Some reports indicate that Garmin’s ActiveCaptain maritime app also suffered outages. The incident underscored how exposed internet-of-things devices are to systemic failures. It’s bad enough if your GPS-equipped, activity-tracking watch stops working. When you have to ground planes over instrument issues caused by a ransomware attack, it’s very clear how tenuous these interconnections can be.
Picture from freepik.com