2022’s Biggest Cyber Attacks
A new year brings new resolutions and a renewed dedication to improvement. That is certainly true for the cybersecurity industry, which continues to launch and refine tools, technologies, and solutions to better combat threat actors. The bad news is that it is also true for cybercriminals, whose innovations can leave organizations feeling permanently several steps behind. Those advances have turned cybercrime into big business, with annual revenues estimated well into the billions of dollars and a ransomware attack occurring roughly every 11 seconds.
The Church of Jesus Christ of Latter-day Saints
For cybercriminals, the troves of data stored on the network of any sizable religious organization make a tempting target.
That proved to be the case in a March hack of the Church of Jesus Christ of Latter-day Saints, which yielded personal data on an unknown number of church members and employees. While a church spokesperson denied that any financial or donation-related data was affected, the thieves accessed a good deal of personally identifiable information, including names, postal addresses, and email addresses.
The most interesting and concerning element of this breach is reportedly also the reason it was kept quiet, even from affected members, for roughly seven months: the intrusion occurred in March but was not revealed until October. The church was apparently working with federal law enforcement agencies, which believe the breach was the work of a state-sponsored group.
At the time of this writing, it is not known which foreign governments are under suspicion. It is also unconfirmed whether the church was targeted specifically or simply fell victim to a broad-ranging campaign. Either way, "state-sponsored" is seldom an adjective any organization likes to see attached to its data breach.
Vodafone Italy
A UK-based telecommunications giant added to its reputation for attracting high-profile data breaches with November's acknowledgment that an attack on a third-party vendor had compromised a large volume of personal information belonging to Vodafone Italy subscribers.
The attack may have been mounted by the KelvinSecurity hacker collective, which claimed to be selling Vodafone Italy data on a cybercrime forum. The stolen information includes both Vodafone account data and personally identifiable information, although the company reported no disruption to its network. The third-party angle is the recurring lesson here: a subscriber's data is only as safe as the least secure supplier that holds a copy of it.
This is the latest in a long string of security incidents at Vodafone operations around the world, including a data leak in India in August and a cyberattack that knocked out network services in Portugal in February.
Vodafone's pattern of being unable or unwilling to safeguard its subscribers' personal data puts the company at risk of severe reputational damage that will eventually drive users to seek alternatives. Adding financial injury to reputational insult, Vodafone has been fined heavily by European data protection regulators for repeated violations of the EU's General Data Protection Regulation (GDPR).
InterContinental Hotels Group
Some people commit cybercrimes for the money. Some do it as a form of protest or political espionage. Maybe the most disturbing, though, are the people who do it for the "lulz." That seems to be the case with a hacker couple based in Vietnam known as TeaPea, who breached the network of InterContinental Hotels Group (IHG) in early September in an attempted ransomware attack.
When IHG's security team repeatedly foiled those efforts, TeaPea switched to plan B and simply deleted a large swath of internal data, in a move the hackers described as "having some funny."
To make matters worse for IHG, the parent company of Holiday Inn, Crowne Plaza, and Regent Hotels, the incident reportedly began with a spear-phishing email and was made considerably easier by the comically simple password protecting an internal password vault: Qwerty1234. The breach took booking systems offline for much of the IHG network and severely hampered internal communications for days afterward, though no customer data is believed to have been compromised.
IHG's internal security controls appear to have been working as intended, since they shut down multiple attempts to deploy ransomware. Unfortunately, the company happened to cross paths with a particularly nihilistic pair of hackers who had no qualms about venting their annoyance by permanently deleting large amounts of data. For their part, the hackers remain unrepentant, telling a reporter, "We don't feel guilty, really. We prefer to have a legal job here in Vietnam but the wage is average $300 per month. I'm sure our hack won't hurt the company a lot."
Elgin County, Ontario
Public-sector data remains an appealing target for thieves because of the combination of sensitive material and limited security budgets found in that field.
Identity thieves made off with the personal data of 330 county employees and long-term care residents, including data on 33 people that a county official described as "highly sensitive" and potentially "devastating." Compounding the issue, county services were down for a month, and authorities have cited a troubling lack of transparency about the breach from county administrators.
The incident appears to have taken place in March but was not disclosed to affected parties for nearly two months. The county has not characterized the attack beyond calling it a "cybersecurity incident," although it bears the earmarks of ransomware: a number of county functions were offline for much of April.
Encevo
The tiny nation of Luxembourg became the latest victim in a worldwide rash of ransomware attacks that have exposed the fragility of the energy industry's security and infrastructure.
A late-July breach employed BlackCat ransomware to steal around 150 GB of documents and data from subsidiaries of Encevo, a large energy company partially owned by the government of Luxembourg. The fallout was swift and painful, with the gang threatening to release over 100 GB of the data if the ransom was not paid. Customer-facing services were unavailable for more than two weeks while the company worked to restore its systems; the supply of electricity and gas itself was not reported to be affected.
The attack was claimed by the ALPHV gang, the operators of BlackCat, a group widely believed to be a rebrand of DarkSide, the crew behind the notorious 2021 Colonial Pipeline attack in the U.S. This is the latest in a wave of energy-focused breaches that have plagued Western Europe for the past year, including attacks on multiple oil ports and wind power businesses.
Expeditors International
It has been a challenging couple of years in the logistics industry, with supply chain interruptions and new pandemic-related dynamics wreaking havoc on shipping and transportation processes all across the globe. But there is no difficult situation that cannot be further complicated by cybercrime, as the Seattle-based logistics company Expeditors International learned in mid-February.
A February 20 company announcement revealed that the business had been hit with what a spokesperson called a "targeted cyberattack" that took many of its operations offline. As of early March, many of the company's key functions, including freight booking and tracking, were still shut down or limited. The crisis had a profound impact on Expeditors' finances, with several clients leaving its roster and its stock price dropping in the wake of the disclosure.
It is another example of why businesses must keep cybersecurity front of mind even while their resources are being diverted in other directions, and it highlights how a single cyber attack on one organization can have ramifications across an entire industry.
Marquard & Bahls Group
In what was already a fraught year for gasoline providers and consumers worldwide, a cyber attack on a German oil and gas company, disclosed in early February, injected even more uncertainty into the situation.
Threat actors targeted two oil-related subsidiaries of energy giant Marquard & Bahls, the tank storage firm Oiltanking and the fuel supplier Mabanaft, and disrupted IT services across the company's many holdings. This left roughly 200 gas stations across Germany operating at reduced capacity or temporarily closed, and left companies like Shell scrambling to reroute supplies and switch to alternate sources. With international uncertainty about gas prices and supplies running rampant, this is an industry that can ill afford further disruptions, which likely made the organization all the more appealing as a target, especially for criminals with political motivations.
Investigators say the attack bears the earmarks of the notorious BlackCat gang, a group believed to be a rebrand of DarkSide, the Russian-linked operation responsible for last year's damaging Colonial Pipeline attack. The current international climate and the ongoing conflict in Ukraine suggest that more energy-industry incidents of this nature are likely in the coming months and years.
Shields Health Care Group
Criminals took advantage of lax security and the eccentricities of the United States healthcare system to score a trove of personal data from patients of a large New England medical imaging provider.
An early-June announcement from Shields Health Care Group revealed that hackers had accessed the company's network some time in March, making off with a large volume of personally identifiable information, including names, Social Security numbers, medical diagnoses, insurance numbers, and other highly sensitive data.
The theft affects around two million patients of more than 30 medical facilities around New England. Because patients often pay for imaging procedures such as MRI, PET, and CT scans by credit card, the thieves may have obtained a significant amount of billing data as well.
While Shields has notified affected patients, notification does little to undo this kind of violation, which reaches people at uniquely vulnerable times in their lives. Affected patients have since joined a class-action lawsuit alleging that Shields should have done more to protect their data.
International Committee of the Red Cross
There is no honor among thieves. For proof, look no further than the January cyber attack that compromised more than half a million sensitive Red Cross records, including personal records of people the organization classifies as "highly vulnerable."
The data was drawn from 60 Red Cross and Red Crescent National Societies around the world, covering more than 515,000 aid recipients as well as roughly 2,000 staff. Officials worry that the stolen information will be used to target thousands of people who already live in dire conditions.
In a January 19 statement, the International Committee of the Red Cross (ICRC) confirmed that an attack on a data storage contractor had compromised the data of thousands of people who are missing, displaced by disaster, held in detention facilities, or otherwise vulnerable. The ICRC later reported that the attackers had exploited an unpatched critical vulnerability in a Zoho ManageEngine authentication module (CVE-2021-40539) on servers hosting the program's data, a reminder that a known, patchable flaw was all it took.
The ICRC took its servers offline to investigate and mitigate further damage. It also issued a heartfelt plea to the criminals through the ICRC director general: "Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world's least powerful. Please do the right thing. Do not share, sell, leak, or otherwise use this data."
Twitter
A major social media company that has already suffered multiple breaches added one more to its list this July. Twitter found itself grabbing headlines for all the wrong reasons when a hacker made off with the personal information of more than 5 million users.
The threat actor exploited a flaw, reported to Twitter's bug bounty program in January, in the way the service matched contact details to accounts: anyone who submitted a phone number or email address could learn which Twitter account, if any, it was linked to, even for users who had chosen to hide that information. Run at scale against lists of numbers and addresses, that lookup amounts to a scraping tool. The resulting data turned up on a dark web marketplace in July, with the seller advertising private phone numbers and email addresses for around 5.4 million users, including "celebrities, companies, and randoms."
Making matters worse, the flaw was one the company knew about. Twitter paid a bounty to the researcher who reported it and fixed it at the time, but the scraping had evidently already taken place before the fix. A bug that quietly exposes account data for months can be exploited long before anyone reports it, which is why enumeration flaws deserve the same urgency as the ones that make louder noise.
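The following is an added example, not Twitter's code, showing the shape of an account-enumeration oracle like the one described above beside a hardened version of the same feature. The user table and client IDs are constructed sample data, and the HardenedLookup class and its limits are this example's own design rather than anything Twitter deployed.

```python
"""Added example, not Twitter's code: an account-enumeration oracle next to a
hardened version of the same contact-lookup feature. USERS and CANDIDATES are
constructed sample data; HardenedLookup is a hypothetical design.
"""
import time
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data: contact identifier -> account handle.
USERS: Dict[str, str] = {
    "alice@example.com": "@alice",
    "+15550001111": "@bob",
}

# Attacker's candidate list: two registered identifiers and one that is not.
CANDIDATES = ["alice@example.com", "+15550001111", "nobody@example.com"]


def vulnerable_lookup(identifier: str) -> dict:
    """The oracle: the response itself says whether, and to whom, the identifier belongs."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"status": 404, "body": "no account for this identifier"}
    return {"status": 200, "body": f"identifier belongs to {handle}"}


class HardenedLookup:
    """Same feature (contact matching / account recovery) without the oracle.

    1. The response is identical whether or not the identifier is registered.
    2. Any effect of a match (a notification, a recovery link) goes to the
       owner of the identifier, never back to the caller.
    3. A per-client rate limit caps how fast anyone can probe at all.
    """

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits: Dict[str, list] = defaultdict(list)  # client -> timestamps
        self.outbox: list = []                           # out-of-band messages

    def _rate_limited(self, client_id: str, now: float) -> bool:
        recent = [t for t in self.hits[client_id] if now - t < self.window]
        if len(recent) >= self.max_requests:
            self.hits[client_id] = recent
            return True
        recent.append(now)
        self.hits[client_id] = recent
        return False

    def lookup(self, client_id: str, identifier: str,
               now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        if self._rate_limited(client_id, now):
            return {"status": 429, "body": "too many requests"}
        handle = USERS.get(identifier)
        if handle is not None:
            self.outbox.append((identifier, handle))  # owner is told, caller is not
        return {"status": 200,
                "body": "if this identifier is registered, its owner has been notified"}


def scrape(lookup: Callable[[str], dict], candidates: Iterable[str]) -> Dict[str, str]:
    """Attacker loop: collect every identifier whose response reveals a linked handle."""
    found: Dict[str, str] = {}
    for ident in candidates:
        resp = lookup(ident)
        if resp["status"] == 200 and "belongs to " in resp["body"]:
            found[ident] = resp["body"].split("belongs to ", 1)[1]
    return found


if __name__ == "__main__":
    print("vulnerable:", scrape(vulnerable_lookup, CANDIDATES))
    hardened = HardenedLookup(max_requests=100, window_seconds=60)
    print("hardened  :", scrape(lambda i: hardened.lookup("scraper", i), CANDIDATES))
```

Against the vulnerable handler the scrape loop recovers both registered identifiers; against the hardened one it recovers nothing, and a client that probes too quickly is throttled. One further step a real deployment would take is equalizing response timing, since the hardened handler still does slightly more work on a match.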
Costa Rican Government
Cybercriminals' willingness to endanger the lives and livelihoods of strangers escalated into an overt attempt to destabilize a government when the agency that administers Costa Rica's social security system was shut down by a late-May ransomware attack.
The May 31 attack by the ransomware-as-a-service group Hive came on the heels of a flurry of similar attacks on Costa Rican government agencies in April by the Russia-based Conti gang (the two groups are thought to be working together to at least some degree). Why exactly Costa Rica has been targeted is unclear, but the damage has been extensive. President Rodrigo Chaves Robles declared a national emergency after the first round of attacks, during which Conti posted public calls to overthrow the government through repeated hacks.
The government became aware of this latest attack when printers in government offices suddenly began spitting out sheets of "gibberish." The attack ultimately forced multiple public health services offline and shut down healthcare facilities in some rural communities, although citizens' personally identifiable information does not appear to have been affected.
Neopets
Navigating the always-rocky landscape of social media got even trickier for users of a popular online gaming platform in July.
The high-profile virtual pet and social site reported in mid-July that a cyberattack had stolen the personal data of more than 69 million of its members, a theft made all the more troubling by the fact that many Neopets users are teenagers. A message posted to a dark web forum claimed that the hacker had stolen Neopets' "complete database and source code," with personal data including birth dates, countries, IP addresses, genders, names, and email addresses. The hacker offered the entire database for 4 Bitcoin, about $94,000 at the time.
This is Neopets' second high-profile data breach, following a 2012 attack in which hackers tried to sell the data of more than 25 million users on the dark web. That data resurfaced online, in its entirety and for free, in 2016.
Ronin Network
The always interesting cryptocurrency landscape developed a few more rough patches in March, as the blockchain gaming platform Ronin Network fell victim to a large-scale cyberheist that ranks among the largest crypto thefts in history.
Axie Infinity, the play-to-earn game that runs on the Ronin sidechain and lets players earn digital tokens and NFTs as they fight Pokemon-style battles, has become hugely popular in the crypto community, which made its bridge an especially tempting target. A temporary loosening of security controls, introduced to help the platform scale to the volume of players, left the door open: the attackers obtained the private keys of five of the bridge's nine validator nodes, enough to authorize withdrawals on their own, and drained roughly $600 million worth of cryptocurrency. The lesson for anyone running a threshold-signature scheme is that the threshold only protects you if the keys are genuinely held by independent parties.
The North Korean Lazarus Group has since been linked to the breach, which affected an untold number of users. In a strong move to rebuild trust, Sky Mavis, the company behind Ronin and Axie Infinity, later announced a funding round that, combined with funds from its own balance sheet, would reimburse users for their losses.
DoorDash
August brought another high-profile breach, this time at the food delivery giant DoorDash. The company said a threat actor gained access through a connection to a third-party vendor that had itself fallen prey to a phishing attack.
The breach exposed the personal information of both customers and employees, including names, email addresses, delivery addresses, and phone numbers. For what the company called a "small subset" of customers, the stolen data also included partial payment card information (card type and the last four digits of the card number).
The company told TechCrunch that the incident was connected to an earlier 2022 breach of the communications API company Twilio, which exposed data on more than a hundred of Twilio's customers and left those companies at greater risk of follow-on attacks. While DoorDash has not stated explicitly that it was among the Twilio customers whose data was stolen, the admission makes a compelling argument for it.
Optus
The Guardian called it "the biggest hack in history." While that title might be in doubt, it is certainly the messiest entry on this list. When the Australian telecom Optus first announced the breach in mid-September, the announcement included little in the way of detail. We now know the breach exposed the personal information of nearly 10 million customers, including names, email addresses, postal addresses, phone numbers, and dates of birth, and, for nearly a quarter of those affected, passport numbers, driver's license numbers, and Medicare numbers. The damage was severe enough that governments had to reissue identification documents to affected citizens.
However, while many of the entries on this list are the work of experienced cybercriminals and ransomware gangs, this one appears to be the work of an amateur who got lucky. Someone going by the name "Optusdata" posted a message on an online forum demanding a ransom of $1M, a relatively small sum given the sheer volume of data involved.
Even stranger, after posting the records of 10,000 customers as proof, Optusdata deleted the post and apologized for the breach, claiming to have destroyed the only copy of the data. As of January 2023, it is unclear whether the ransom was paid, whether Optusdata was really the hacker, and how the breach actually occurred; early reporting pointed to an exposed, unauthenticated API endpoint, an explanation Optus disputed.
Los Angeles Unified School District
The nation's second-largest school district was hit with a ransomware attack in early September that left it dealing with massive fallout. The Los Angeles Unified School District encompasses more than 1,000 schools serving over 600,000 students, and the attackers made off with 500 GB of personal information on an untold number of those students, their parents, and the district's employees.
Vice Society, a ransomware gang with a particular taste for attacking the education sector, later claimed responsibility for the breach and, after the district refused to pay the ransom, dumped all 500 GB of data on the dark web in early October.
Reports say the data included Social Security numbers, passport information, bank account details, health information, student disciplinary records, and even psychological assessments. Experts believe this data could be used to mount future cyber attacks and identity theft against the people whose data was stolen.
LastPass
The massively popular password manager had a very bad year. After initially disclosing an intrusion of unknown scope into its development environment in August, the company revealed in a series of updates at the end of the year that the attackers had indeed made off with the organization's crown jewels: copies of customers' encrypted password vaults.
Making matters worse, LastPass appears to be doing a poor job of post-breach disclosure. At the end of 2022 there is still little public detail about how the hackers gained access or how many customers were affected.
LastPass assures customers that their encrypted data remains secure and can only be decrypted with a unique encryption key derived from each user's master password. Two caveats temper that assurance. First, some vault fields, such as the website URLs, were stored unencrypted, so the attackers can see where each user has accounts. Second, because the attackers hold the vaults, they can guess master passwords offline at their leisure, with no server to lock them out; the only things slowing them down are the strength of the master password and the cost of the key derivation. That is cold comfort for the unknown number of users who had their good-faith efforts at securing their data come up so short.
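The following is an added example, not LastPass's code or vault format, showing why a stolen encrypted vault is still dangerous: the attacker runs the key derivation offline against a wordlist with no server to rate-limit them. The vault structure here (salt, iteration count, and a verifier of the derived key) is a constructed stand-in, and the wordlist and passwords are invented; in a real vault the check would be decrypting and authenticating the ciphertext.

```python
"""Added example, not LastPass's code or vault format: an offline guessing
attack against a stolen vault whose key is derived from the master password
with PBKDF2-HMAC-SHA256. The vault blob, wordlist and passwords are
constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Demo iteration count, kept low so the example runs in a moment.
# Real deployments use six-figure counts (see the note below).
DEMO_ITERATIONS = 1000

# Constructed attacker wordlist: common passwords plus a seasonal pattern.
WORDLIST = ["password", "qwerty", "letmein", "Summer2022!", "Qwerty1234"]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault(master_password: str, iterations: int = DEMO_ITERATIONS,
               salt: Optional[bytes] = None) -> dict:
    """Create the stand-in vault blob an attacker would steal."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_key(master_password, salt, iterations)
    # Verifier: a MAC of a fixed label under the derived key. In a real vault the
    # equivalent check is "does the ciphertext decrypt and authenticate".
    verifier = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlocks(vault: dict, guess: str) -> bool:
    """Does this guess derive the key the vault was sealed with?"""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    mac = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(mac, vault["verifier"])


def offline_attack(vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Try every guess in order; return (recovered password or None, guesses made)."""
    for count, guess in enumerate(wordlist, start=1):
        if unlocks(vault, guess):
            return guess, count
    return None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 10) -> float:
    """Rough cost of a single guess on this machine at a given iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = make_vault("Summer2022!")
    strong = make_vault("quartz-lantern-orbit-tundra-49")
    print("weak vault   :", offline_attack(weak, WORDLIST))
    print("strong vault :", offline_attack(strong, WORDLIST))
    for n in (DEMO_ITERATIONS, 10 * DEMO_ITERATIONS):
        print(f"{n:>6} iterations: {seconds_per_guess(n) * 1e3:.2f} ms per guess")
```

The weak vault falls on the fourth guess; the passphrase vault survives the whole list, and the timing loop shows that the per-guess cost scales linearly with the iteration count, which is the only lever the service controls once the blob is gone. LastPass's documented default at the time was 100,100 PBKDF2 iterations, but accounts created before that default was raised could carry far lower counts, so the practical advice after this breach is to check the iteration setting, assume the vault is being brute-forced, and rotate any credential that a weak master password was protecting.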
Medibank
Claiming the first spot on a list no organization wants to top is the November ransomware attack on Australian health insurance company Medibank.
Russian-based hackers believed to have ties to the infamous REvil ransomware gang made off with the personal information of 9.7 million customers, including data on 1.8 million international customers and on high-profile Australian politicians such as Prime Minister Anthony Albanese and cybersecurity minister Clare O'Neil. The stolen information included names, dates of birth, Medicare numbers and, for some, medical records. The cybercriminals demanded a $10M ransom that Medibank refused to pay, stating, "We believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published."
Things got worse for Medibank after the hackers began posting the stolen data on the dark web, dividing the initial batch of customer records into "naughty" and "nice" lists and linking "naughty" patients to numerical medical codes for HIV, alcohol abuse, and drug addiction. By the end of the month, the hackers had reportedly dumped their entire cache of stolen data on a hacker forum, declaring, "Case closed."