What is the fastest-growing type of crime in the U.S.? Cyberattacks. At Berkshire Hathaway’s 2017 annual shareholders’ meeting, CEO Warren Buffett said cybercrime is a bigger threat to humanity than nuclear weapons. The damage related to cybercrime is projected to hit $6 trillion annually by 2021, according to Cybersecurity Ventures. On a global scale, an attack occurs every 39 seconds, according to a study by the University of Maryland. Most of these attacks deploy automated scripts that indiscriminately seek out thousands of computers at a time in search of vulnerabilities.
The onset of the coronavirus pandemic in 2020 created a unique confluence of circumstances that gave cybercriminals access to a larger base of potential victims than ever before. Much of the global workforce transitioned to remote work for the first time, while the prospect of yet another economic recession loomed.
“Zoombomb” became the new photobomb—hackers would gain access to private meetings hosted on Zoom and shout profanities and racial slurs. Nation-state hacker groups mounted attacks against organizations involved in the coronavirus pandemic response, including the World Health Organization and Centers for Disease Control and Prevention, some in an attempt to politicize the pandemic.
Even garden-variety cyber attacks like email phishing, social engineering, and refund theft took on a darker flavor in response to the widespread economic precarity brought on by the pandemic. This guide includes some of the best cybersecurity stories from 2020 to date.
Top 5 Cybersecurity Stories in 2020
Here are the top 5 cybersecurity stories that hit the headlines last year.
1. Fraudulent unemployment claims rise in response to the pandemic
Unemployment claims soared to a record high of nearly 23 million claims filed in May, shortly after most U.S. states instituted lockdowns to prevent the spread of the coronavirus. Two months later, the FBI reported a spike in fraudulent unemployment claims from hackers who had stolen taxpayers’ personally identifiable information and filed for unemployment insurance while impersonating the victim.
“Tax scams tend to rise during tax season or during times of crisis, and scam artists are using the pandemic to try stealing money and information from honest taxpayers,” IRS Commissioner Chuck Rettig said in a statement.
Criminals steal this information in different ways, such as purchasing stolen personal data on the dark web, sending email phishing scams, cold-calling the victims in an impersonation scam by pretending to be an IRS agent or bank representative, or accessing the data from a previous data breach or computer intrusion.
Each year, the IRS publishes a list called the Dirty Dozen, enumerating tax- and non-tax-related scams taxpayers should watch out for. In January, a U.S. resident was jailed for using information leaked through a data breach at a payroll company to file a fraudulent tax return worth $12 million.
For national security reasons, government agencies tend to be less forthcoming about data breaches than private companies, said Mark Adams, a mentor for Springboard’s Cyber Security Career Track.
“If people think your agency is vulnerable then more people will try [to hack you]. It only takes one massive event to make it look like you don’t have your act together.”
2. T-Mobile breach exposes sensitive customer data—twice
In December, T-Mobile revealed that it had been hacked once again, the fourth incident in three years.
Companies that are repeat offenders for weak cybersecurity infrastructure often make a conscious choice to forgo extra protections because it’s more cost-effective to pay the fines levied by the Federal Trade Commission in the event of a breach. It’s unclear if T-Mobile is one of them.
“Some companies, including banks, do a cost/benefit analysis,” said Adams. “In some cases, it’s cheaper to take the hit. Slap us on the wrist so we can move on.”
The first T-Mobile attack of 2020 was confirmed in March 2020, when a cybercriminal gained access to employee email accounts and stole data on T-Mobile employees and some of its customers. For some users, “social security numbers, financial account information, and government identification numbers” were stolen, while others simply had their account information seized.
The second attack was limited to what the FCC regards as “customer proprietary network information” such as phone numbers, the number of lines associated with the account, and information about calls placed. T-Mobile was careful to mention that the breach affected just 0.2% of its 100 million-strong customer base, which still equates to about 200,000 people. Stealing customer metadata (information about a customer’s transaction history that doesn’t personally identify them) does not enable a hacker to steal your identity or seize money from your bank account, but they can use this information in conjunction with another scheme.
For example, they can launch coordinated phishing attacks and phone scams. Social engineering refers to the practice of using verbal manipulation to coerce a victim into divulging their personal information. These methods become more convincing when a hacker has detailed information on you, such as your transaction history, making them seem like a legitimate call center representative.
3. Hackers try to meddle with the coronavirus pandemic response
In April, hackers targeted top officials who were working on the global response to the pandemic. While the World Health Organization itself wasn’t hacked, employee passwords were leaked through other websites. Many of the attacks were phishing emails to lure WHO staff into clicking on a malicious link in an email that would download malware onto their device.
Users of internet forum 4chan, which is now a breeding ground for alt-right groups, circulated over 2,000 passwords they claimed were linked to WHO email accounts, according to Bloomberg. Details spread to Twitter and other social media sites, where far-right political groups claimed the WHO had been attacked in a bid to undermine the perceived veracity of public health guidelines.
“There is definitely a political aspect to many [cyberattacks] and they will sometimes do it to gain a political advantage or send a message to an adversary,” said Adams. “Or maybe it’s just to put that adversary on the defensive to see how they behave.”
In another example of hackers seizing upon the pandemic zeitgeist, some sent phishing emails impersonating the WHO and urging the general public to donate to a fictitious coronavirus response fund, not the real COVID-19 Solidarity Response Fund.
4. The FireEye attack exposed a major breach of the U.S. government
When California-based cybersecurity company FireEye discovered that over 300 of its proprietary cybersecurity products had been stolen, it uncovered a massive breach that had gone undetected for an estimated nine months. That breach extended to over 250 federal agencies run by the U.S. government, including the U.S. Treasury Department, Energy Department, and even parts of the Pentagon.
But the breach didn’t start with FireEye. The attack began when an IT management software company called SolarWinds was hacked, causing some of its most high-profile customers to be breached, including Fortune 500 corporations like Microsoft, Intel, Deloitte, and Cisco. This domino effect is known as a “supply chain” attack, where the infiltration of one company’s cybersecurity defenses renders all of its customers vulnerable to attack.
Hackers also monitored the internal emails of the U.S. Treasury and Commerce departments, according to Reuters, which broke the news of the cyberattack in mid-December. Government officials and cybersecurity experts say that Russia’s Foreign Intelligence Service, known as SVR, is behind the attacks. Investigators are still piecing together the details of the breach to surmise the hacker’s intentions.
Software companies are prime targets for cyberattacks for two reasons. First, they’re under immense pressure to release new iterations and updates ahead of their competitors, which can mean cutting corners on cybersecurity protections.
“This is something that has plagued the software industry in general for the last twenty to thirty years,” said Adams. “If there are delays in getting that next product or update out it just doesn’t look good because that’s revenue sitting on the table.”
Secondly, attacking a software company enables hackers to breach more victims than if they targeted a single company or government entity. When a software company is hacked and the breach goes undetected, hackers need only infect a new software update or patch to breach the company’s customers. When the company unwittingly ships the infected software, all of its customers who download it inadvertently install the hacker’s malware onto their systems.
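The defensive counterpart to the update-poisoning scenario just described is to refuse any update whose contents do not match a manifest the vendor signed. The following is an added illustration and not code from the page or from any vendor named in it: the manifest layout, file names, update contents and the key `VENDOR_KEY` are all assumptions, and HMAC-SHA256 stands in for the asymmetric signature (with a public key shipped in the installer) that a real vendor would use, so that the example runs with only the Python standard library.

```python
"""Refuse to install a software update whose files do not match a vendor-signed manifest.

Added illustration. Assumptions: the manifest format, the sample file contents and
VENDOR_KEY are made up for this example; HMAC-SHA256 replaces the asymmetric
signature a real vendor would use.
"""
import hashlib
import hmac
import json

# Assumed vendor signing key. A real installer would carry only a public key.
VENDOR_KEY = b"example-vendor-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(digests: dict) -> bytes:
    # Canonical JSON so vendor and customer sign/verify byte-identical input.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: dict[str, bytes], key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: record one digest per shipped file and sign the digest list."""
    digests = {name: sha256_hex(blob) for name, blob in sorted(files.items())}
    sig = hmac.new(key, canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "sig": sig}


def verify_update(files: dict[str, bytes], manifest: dict, key: bytes = VENDOR_KEY) -> tuple[bool, str]:
    """Customer side: accept only if the manifest signature is valid and every
    shipped file matches its recorded digest, with no files added or missing."""
    expected = hmac.new(key, canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, "manifest signature invalid"
    if set(files) != set(manifest["files"]):
        return False, "file set differs from manifest"
    for name, blob in files.items():
        if not hmac.compare_digest(sha256_hex(blob), manifest["files"][name]):
            return False, f"digest mismatch: {name}"
    return True, "ok"


# Constructed sample update as the vendor built and signed it.
CLEAN_UPDATE = {"agent.dll": b"legit build 7.3.1", "installer.exe": b"legit installer"}
MANIFEST = sign_manifest(CLEAN_UPDATE)

# Constructed tampered copy: one binary replaced after the vendor signed the manifest.
TAMPERED_UPDATE = dict(CLEAN_UPDATE, **{"agent.dll": b"legit build 7.3.1 + injected code"})


def demo() -> dict:
    """Run the three cases a practitioner cares about and return the verdicts."""
    return {
        "clean": verify_update(CLEAN_UPDATE, MANIFEST),
        "tampered": verify_update(TAMPERED_UPDATE, MANIFEST),
        # Attacker re-signs with a key that is not the vendor's: rejected at the signature step.
        "forged_manifest": verify_update(TAMPERED_UPDATE, sign_manifest(TAMPERED_UPDATE, b"attacker-key")),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The check only catches tampering that happens after the vendor signs the release. Malicious code inserted into the build before signing, which is what happened in the SolarWinds case, ships with a valid signature, so build-pipeline integrity (monitored build servers, reproducible builds) has to be protected as well.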
5. Compromised Twitter handles used for a get-rich-quick Bitcoin scheme
The Twitter account hijacking incident of 2020 is another prime example of how hackers exploited the zeitgeist for personal gain. Criminals compromised the login credentials for some of the most influential Twitter handles in the country, including former president Barack Obama and Tesla CEO Elon Musk. Hackers issued fake tweets from these accounts saying things like “I am giving back to my community due to COVID-19!” and asking followers to send Bitcoin to an anonymous URL in exchange for having their money doubled.
For example, by sending $1,000 in Bitcoin, you would supposedly get $2,000 back. Scammers received over 400 payments of Bitcoin and made $121,000, according to Elliptic, a cryptocurrency compliance firm. The largest transaction received by the scammers was one payment of $42,000. Shortly after the wallet started receiving funds, it started transferring them to a different address so the hackers could exchange the cryptocurrency for cash.
Top 5 Cybersecurity Stories in 2021
Here are the top 5 cybersecurity stories that hit the headlines this year.
1. A hacker tried to poison a water system in Florida
In February, an attacker hacked into a computer system at a water treatment plant in Oldsmar, Florida, and boosted the level of sodium hydroxide—also known as lye—in the water to dangerous levels. Lye poisoning can cause burns, vomiting, severe pain, and even bleeding. A plant operator witnessed the mouse cursor on his computer being moved around on his screen and opening various software functions that control water treatment. He watched, unable to intervene, while the attacker raised sodium hydroxide levels in the water to 100 times the normal level, which could have poisoned 15,000 people in the city of Oldsmar. The normal level of lye in drinking water is 100 parts per million, but the hacker raised it to 11,100 parts per million. Luckily, the operator was able to restore chemical levels to normal once the hacker had exited the system.
The attack made national headlines and brought attention to the lack of cybersecurity controls for the nation’s most critical infrastructure. In a news conference, the Pinellas County Sheriff said that even if the damage hadn’t been quickly reversed, the system has safeguards and the water would have been checked before it was released, so the public was never at risk. Still, the breach alarmed state and local officials across the country. Many local governments that run water systems lack the funds to invest in cybersecurity. In Massachusetts, the Department of Environmental Protection issued an advisory to public water treatment plants cautioning them to be “on heightened alert” for any unusual activity. Some states have started training staff on how to guard against a cyberattack and including more cybersecurity-related questions in their inspections, which are typically conducted once every three years.
2. Security flaws in Microsoft Exchange lead to a mass cyber attack
A global wave of cyberattacks began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange servers, giving attackers full access to user emails and passwords on affected servers, admin privileges on the server, and access to connected devices on the same network. A zero-day exploit occurs when hackers discover an unpatched vulnerability in a software application before the developers do. Hackers then exploit the known vulnerability and release malware into the victim’s computer system. It can take days, months, or even years before developers learn of the vulnerability that led to an attack.
As of March 9, it was estimated that 250,000 servers fell victim, including servers owned by 30,000 organizations in the US, 7,000 servers in the UK, and even the European Banking Authority and the Norwegian Parliament. Research shows plenty of unpatched systems remain. Microsoft announced that it suspected the attack was carried out by a state-sponsored Chinese hacking group known as Hafnium.
Hackers used several Exchange vulnerabilities to gain access to the computer systems of all 30,000 organizations, compromising email accounts and installing web shell malware, giving the criminals ongoing administrative access to the victim’s servers. This is known as a supply chain attack, where a service provider is attacked, which then gives the criminals access to that company’s customers. The hackers’ endgame is not the on-premises servers they put web shells in, but setting themselves up for future attacks of higher value targets those servers may be connected to.
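A web shell is only useful to its operator if it can be reached, so a simple detection is to watch the web server’s access log for script files that the application does not normally serve receiving successful POST requests. The following detector is an added example and not part of the page or of any Microsoft tooling: the log layout, the allowlist `KNOWN_SCRIPT_PATHS`, the sample lines and the path `/owa/auth/shell-example.aspx` are all constructed for the illustration, and a real deployment would build its allowlist from a clean inventory of the application’s script files.

```python
"""Flag access-log requests that look like an operator driving a dropped web shell.

Added illustration. Assumptions: the simplified log layout, the allowlist and the
sample lines (including the dropped-file path) are constructed for this example.
"""
from typing import Optional

# Constructed allowlist: script paths the application is known to serve.
KNOWN_SCRIPT_PATHS = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}

# File types that execute server-side; a dropped shell is one of these.
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")

# Constructed log lines in a simplified W3C-style layout:
# date time method uri-stem client-ip status
SAMPLE_LOG = """\
2021-03-03 09:12:01 GET /owa/auth/logon.aspx 198.51.100.7 200
2021-03-03 09:12:05 POST /owa/auth/logon.aspx 198.51.100.7 302
2021-03-03 09:40:17 POST /owa/auth/shell-example.aspx 203.0.113.9 200
2021-03-03 09:40:19 POST /owa/auth/shell-example.aspx 203.0.113.9 200
2021-03-03 09:41:02 POST /owa/auth/shell-example.aspx 203.0.113.9 200
2021-03-03 10:02:44 GET /ecp/default.aspx 198.51.100.8 200
2021-03-03 10:15:30 GET /owa/auth/15.1.2176/themes/resources/logo.png 198.51.100.8 200
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, uri, ip, status = parts
    return {"ts": f"{date} {time}", "method": method, "uri": uri.lower(), "ip": ip, "status": int(status)}


def find_suspicious_scripts(log_text: str) -> list[dict]:
    """Return one alert per (uri, client) where a script path outside the allowlist
    received a successful POST. Ordinary users GET pages and POST to known forms;
    an unknown script file taking repeated POSTs is the classic web-shell pattern."""
    hits: dict[tuple[str, str], dict] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        if not rec["uri"].endswith(SCRIPT_SUFFIXES) or rec["uri"] in KNOWN_SCRIPT_PATHS:
            continue
        if rec["method"] != "POST" or rec["status"] != 200:
            continue
        key = (rec["uri"], rec["ip"])
        hit = hits.setdefault(key, {"uri": rec["uri"], "ip": rec["ip"], "first_seen": rec["ts"], "count": 0})
        hit["count"] += 1
    return sorted(hits.values(), key=lambda h: h["first_seen"])


if __name__ == "__main__":
    for alert in find_suspicious_scripts(SAMPLE_LOG):
        print(f"{alert['first_seen']} {alert['ip']} POST x{alert['count']} -> {alert['uri']}")
```

Pair the log check with a file-system comparison of the web directories against a known-good baseline; the log shows the shell being used, the file listing shows when it was dropped, and the two together give the timeline an incident responder needs.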
3. Acer forced to pay a $50 million ransom, the largest known ransom
Acer ransom demand on Tor payment site
Acer, a computer manufacturer, was a casualty of the earlier attacks on Microsoft Exchange (see above): the hackers exploited the ProxyLogon vulnerability in Microsoft Exchange to target Acer with ransomware. The purported perpetrators go by the name REvil group, which executed a ransomware attack on Travelex in 2020. The group is known for its high ransom demands, having recently attempted to extract $30 million from pan-Asian retail giant Dairy Farm in February 2021. Ransomware attacks occur when hackers install malware on the victim’s device, which encrypts files and renders a system inoperable. The data can only be accessed with a decryption key. Attackers also sometimes steal sensitive corporate data and threaten to expose it or sell it on the dark web unless a ransom is paid.
Acer’s identity and corporate data were reportedly posted on a data leakage site “Happy Blog” on March 18, and the attackers gave the company until March 28 to pay the ransom of $50 million. If the ransom was not paid by the stipulated date, it would double to $100 million. Research shows that ransomware attacks are on a downward trend from 2020, but that didn’t stop hackers from demanding the largest ransom in recorded history.
4. Hackers shut down U.S. fuel pipeline
Fuel prices in the U.S. soared as gas stations went dry—the result of the Colonial Pipeline being shut down by a cyberattack. A Russian gang known as DarkSide took down the largest fuel pipeline in the U.S. using a single compromised password, according to a cybersecurity consultant who responded to the attack. The consultant claimed an employee may have used the same password on another account that was hacked. While many organizations are transitioning to ZTNAs (Zero-Trust Network Access) to enable employees to access corporate networks remotely, Colonial was still using a VPN (Virtual Private Network). VPNs became a known vulnerability in 2020 as many companies shifted to remote work for the first time. Furthermore, the VPN was not protected by multifactor authentication (the practice of requiring a second or third form of authentication to enter a system), which allowed hackers to access the network using only a username and password. It’s not known whether the attackers obtained the correct login credentials from elsewhere or found them using a brute force attack (repeatedly trying different username and password combinations until the correct one is found). Hackers stole nearly 100 GB of data and threatened to leak it if a ransom wasn’t paid.
Just over an hour after attackers entered the system, the intruders had succeeded in shutting down the entire Colonial Pipeline for the first time in its 57-year history. The outage, which started on May 7, led to long lines at gas stations, many of which ran out of fuel. Colonial did not resume service until May 12. The company paid the attackers a $4.4 million ransom shortly after the attack.
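Whether the password was reused or guessed, a VPN gateway without multifactor authentication leaves only the authentication log to reveal what happened. The detector below is an added example, not code from the page or from Colonial Pipeline or any VPN vendor: the log line layout, the sample lines, the usernames and addresses, and the `WINDOW` and `THRESHOLD` values are all constructed assumptions. It raises one alert when a single source crosses the failure threshold for one account, and a second, higher-priority alert when a success follows that burst, which is the case that matters most without MFA.

```python
"""Detect brute-force login bursts, and the success that follows one, in VPN auth logs.

Added illustration. Assumptions: the log layout, sample lines, users, addresses,
WINDOW and THRESHOLD are constructed for this example and would be tuned per site.
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(minutes=5)   # assumed sliding window for counting failures
THRESHOLD = 5                   # assumed failures per (user, source) that count as a burst

# Constructed sample lines: date time vpn auth OUTCOME user=<name> src=<ip>
SAMPLE_LOG = """\
2021-05-06 23:09:30 vpn auth FAIL user=asmith src=198.51.100.20
2021-05-06 23:09:41 vpn auth OK user=asmith src=198.51.100.20
2021-05-06 23:10:01 vpn auth FAIL user=jdoe src=203.0.113.50
2021-05-06 23:10:05 vpn auth FAIL user=jdoe src=203.0.113.50
2021-05-06 23:10:09 vpn auth FAIL user=jdoe src=203.0.113.50
2021-05-06 23:10:14 vpn auth FAIL user=jdoe src=203.0.113.50
2021-05-06 23:10:20 vpn auth FAIL user=jdoe src=203.0.113.50
2021-05-06 23:10:27 vpn auth FAIL user=jdoe src=203.0.113.50
2021-05-06 23:10:40 vpn auth OK user=jdoe src=203.0.113.50
2021-05-06 23:30:00 vpn auth OK user=jdoe src=198.51.100.21
"""


def parse_auth_line(line: str) -> Optional[dict]:
    """Return the fields of one auth line, or None if the line is not an auth event."""
    parts = line.split()
    if len(parts) != 7 or parts[2:4] != ["vpn", "auth"]:
        return None
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    return {
        "ts": ts,
        "outcome": parts[4],
        "user": parts[5].split("=", 1)[1],
        "src": parts[6].split("=", 1)[1],
    }


def detect_brute_force(log_text: str, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> list[dict]:
    """Sliding-window failure count per (user, source).

    Emits 'brute_force' the moment a burst reaches the threshold, and
    'success_after_burst' if the same (user, source) then logs in successfully
    while the burst is still inside the window. A lone typo followed by a
    successful login never reaches the threshold and produces nothing."""
    recent: dict[tuple[str, str], deque] = {}
    alerts: list[dict] = []
    for raw in log_text.splitlines():
        rec = parse_auth_line(raw)
        if not rec:
            continue
        key = (rec["user"], rec["src"])
        failures = recent.setdefault(key, deque())
        # Drop failures that have aged out of the window.
        while failures and rec["ts"] - failures[0] > window:
            failures.popleft()
        if rec["outcome"] == "FAIL":
            failures.append(rec["ts"])
            if len(failures) == threshold:   # alert once per burst, not on every extra failure
                alerts.append({"type": "brute_force", "user": rec["user"], "src": rec["src"],
                               "at": rec["ts"], "failures": len(failures)})
        elif rec["outcome"] == "OK" and len(failures) >= threshold:
            alerts.append({"type": "success_after_burst", "user": rec["user"], "src": rec["src"],
                           "at": rec["ts"], "failures": len(failures)})
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(f"{alert['at']} {alert['type']:20} user={alert['user']} src={alert['src']} failures={alert['failures']}")
```

Detection like this is a complement to, not a substitute for, multifactor authentication: with MFA in place the success-after-burst case cannot occur from a password alone, and the burst alert becomes a signal to rotate the account’s credentials rather than an emergency.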
5. The attack on the U.S. Capitol raises concerns about physical security
Following the January 6 attack on the U.S. Capitol, in which throngs of Trump supporters stormed the building to contest the results of the presidential election, law enforcement raised concerns regarding stolen laptops, lost data, and possible espionage. As the technology behind ransomware and phishing attacks grows more sophisticated, physical security tends to be an afterthought as a cybersecurity control. But during the attack on the Capitol, in which attackers gained access to individual chambers and offices, every device, computer, server, network outlet, Wi-Fi hotspot, router, and internet connection in the Capitol and Congressional office buildings was vulnerable to attack. The intruders could have easily stolen passwords, documents, access codes, and confidential information.
One of the most iconic images from the riot drives this point home: a rioter posted a photo of a laptop allegedly stolen from House Speaker Nancy Pelosi’s desk. On the screen was a warning in a black box that read “Capitol: Internet Security Threat: Police Activity.”
As organizations increasingly recognize the importance of IT security, they run the risk of overlooking physical security. In the case of an IT security breach, forensic analysts can use logs to track what systems were infiltrated, track down malware, and determine whether the intruder is still in the system—provided the attacker did not delete these logs—but with a physical attack, it’s harder to piece together what happened and perform coordinated incident response.
Is cybersecurity the right career for you?
According to Cybersecurity Ventures, the cybersecurity industry is expected to have 3.5 million high-paying, unfilled jobs this year. With Springboard’s comprehensive Cyber Security Career Track, you’ll work 1:1 with an industry mentor to learn key aspects of information technology, security software, security auditing, and finding and fixing malicious code. Learning units include subject-expert approved resources, application-based mini-projects, hands-on labs, and career-search-related coursework.
The course will culminate in a multi-part capstone project that you can highlight on your resume for prospective employers or use to demonstrate your technical knowledge in your job interview. The learning materials will also help prepare you to pass the globally recognized CompTIA Security+ certification so you stand out when applying for cybersecurity roles.
Learn more about Springboard’s Cyber Security Career Track here.