New rules announced in Singapore after SolarWinds vulnerability affects companies around the world

The Monetary Authority of Singapore now requires all financial institutions to audit the suppliers of their technology vendors

SINGAPORE – All financial services and fintech companies in Singapore should, from Monday (Jan 18), observe a new set of central bank guidelines to mitigate cyber threats in the wake of a recent cyber attack which affected organizations around the globe.

The Monetary Authority of Singapore (MAS) now requires all financial institutions to evaluate the suppliers of their technology vendors.

In a typical evaluation, suppliers may be asked to show that their software source code is rigorously tested and that they don’t use unsafe programming practices. Suppliers may also be asked to disclose their security measures and the way they monitor and manage cyber risks.

The updated guidelines apply to all banks, payment processors like GrabPay and Singtel Dash, and also brokerage and insurance providers.

Mr Vincent Loy, assistant managing director of technology at MAS, said that using an external vendor which may in turn procure third-party solutions brings critical risks to the banking sector.

“Unknown third-party suppliers are what MAS is most worried about… Financial institutions that do not allocate sufficient financial resources may be more open to unknown third-party suppliers,” he stated.

The hacking of Texas-based SolarWinds, a leading supplier of IT management software, exposed thousands of corporations and government entities around the globe to risk.

SolarWinds’ IT management tools are common components in the products of many large vendors including Microsoft, FireEye and Cisco Systems.

Mr Tan Yeow Seng, the MAS chief cyber security officer, said the financial sector is increasingly reliant on third-party service suppliers as it adopts new technologies.

“The revised guidelines set out MAS’ higher expectations in the areas of technology risk governance and security controls in financial institutions,” he added.

An evaluation of third-party suppliers was previously not required under the MAS Technology Risk Management (TRM) guidelines, though due diligence on technology vendors was a must.

The screening of component suppliers is now clearly spelt out in the revised TRM guidelines, which cover a variety of topics to help firms fend off and recover from cyber attacks and system failures.

Risks from using open application programming interfaces (APIs), code that lets different applications communicate with one another, are also addressed in the newly updated TRM guidelines.

Banks have used APIs to automatically share foreign exchange rates, for instance. This has allowed many external developers to build forex conversion apps utilizing the data.

Under the revised TRM guidelines, financial services firms should vet entities that access their APIs by looking at the nature of their business, cyber security posture, business reputation and track record.

They should additionally secure the development of the APIs and encrypt sensitive data transmitted to prevent leaks or hackers injecting malicious code into the APIs.

In another key change to the TRM guidelines, the board of directors and senior management in financial institutions should vet and approve key technology and cyber-security personnel.

“Organizations that do not have a good cyber-security posture usually do not have board and senior management oversight for IT functions and key appointments,” said Mr Loy, citing findings of the central bank’s own audits.

Last revised in 2013, the TRM guidelines have been updated at a time of increased information sharing that underpins the sector’s digital transformation.

The revision took in suggestions from a public consultation in 2019 and other expert engagements.

The guidelines elaborate on the mandatory requirements set out in the MAS TRM notice, which was first issued in 2013 and carries a fine of up to 100,000 SGD ($75,220) for non-compliance under the Banking Act.

In the case of a continuing offence, an additional fine of up to 10,000 SGD ($7,522) daily could also be levied.

Top 10 biggest cyber attacks of 2020

Here is a list of 10 of the largest cyber attacks of a pandemic-dominated 2020, including several devastating ransomware incidents and a massive supply chain attack.

A pandemic-focused year made the events of 2020 unprecedented in numerous ways, and the cyber attacks were no different.

As the world transitioned to virtual everything — work, school, meetings and family gatherings — attackers took notice. Attackers embraced new techniques and a hurried switch to remote access increased cyberthreats across the board. For example, K-12 schools took the brunt of the hit, and new lows were reached like the exfiltration of student data. The list of top cyber attacks from 2020 includes ransomware, phishing, data leaks, breaches and a devastating supply chain attack with a scope like no other. The virtually-dominated year raised new concerns around security postures and practices, which will continue into 2021.

While there were too many incidents to choose from, here is a list of 10 of the biggest cyber attacks of 2020, in chronological order.

  1. Toll Group

Toll Group tops the list for the year’s worst cyber attacks because it was hit by ransomware twice in three months. However, a spokesperson for Toll Group told SearchSecurity the two incidents were not connected and were “based on different forms of ransomware.” On Feb. 3 the Australia-based logistics company announced on Twitter that it had suffered a cyber attack. “As a precautionary measure, Toll has made the decision to shut down a number of systems in response to a cyber security incident. Several Toll customer-facing applications are impacted as a result. Our immediate priority is to resume services to customers as soon as possible,” Toll Group wrote on Twitter. The most recent attack occurred in May and involved a relatively new ransomware variant: Nefilim.

  2. Marriott International

For the second time in two years, the popular hotel chain suffered a data breach. On March 31, Marriott released a statement disclosing the information of 5.2 million guests was accessed using the login credentials of two employees at a franchise property. According to the notice, the breach affected an application used by Marriott to provide guest services. “We believe this activity started in mid-January 2020,” the statement said. “Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.” While the investigation is ongoing, Marriott said it has no reason to believe that the information included the Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers. However, compromised information may have involved contact details and information relating to customer loyalty accounts, but not passwords.

  3. Magellan

On May 12, the healthcare insurance giant issued a letter to victims stating it had suffered a ransomware attack. Threat actors had successfully exfiltrated logins, personal information and tax information. The scope of the attack included eight Magellan Health entities and approximately 365,000 patients may have been impacted. “On April 11, 2020, Magellan discovered it was targeted by a ransomware attack. The unauthorized actor gained access to Magellan’s systems after sending a phishing email on April 6 that impersonated a Magellan client,” the letter said. The company, which has over 10,000 employees, said at the time of the letter they were not aware of any fraud or misuse of any of the personal information. Phishing, a common attack vector, intensified over the year as threat actors refined their impersonation skills.

  4. Twitter

The popular social media company was breached in July by three individuals in an embarrassing incident that saw several high-profile Twitter accounts hijacked. Through a social engineering attack, later confirmed by Twitter to be phone phishing, the attackers stole employees’ credentials and gained access to the company’s internal management systems; dozens of high-profile accounts including those of former President Barack Obama, Amazon CEO Jeff Bezos, and Tesla and SpaceX CEO Elon Musk, were hacked. The threat actors then used the accounts to tweet out bitcoin scams that earned them over $100,000. Two weeks after the breach, the Department of Justice (DoJ) arraigned the three suspects and charged 17-year-old Graham Ivan Clark as an adult for the attack he allegedly “masterminded,” according to authorities.

  5. Garmin

The navigation tech supplier suffered a cyber attack that encrypted some of its systems and forced services offline. Though Garmin first reported it as an outage, the company revealed on July 27 that it was the victim of a cyber attack which resulted in the disruption of “website functions, customer support, customer-facing applications, and company communications.” The press release also stated there was no indication that any customer data was accessed, lost or stolen. Speculation rose that the incident was a ransomware attack, although Garmin never confirmed. In addition, several media outlets reported that they gave in to the attackers’ demands, and a ransom had been paid. Some news outlets reported it as high as $10 million.

  6. Clark County School District

The attack on the Clark County School District (CCSD) in Nevada revealed a new security risk: the exposure of student data. CCSD revealed it was hit by a ransomware attack on Aug. 27 which may have resulted in the theft of student data. After the district declined to pay the ransom, an update was posted saying it was aware of media reports claiming student data had been exposed on the internet as retribution. While it’s unclear what information was, the threat of exposing stolen student data was a new low for threat actors and represented a shift to identity theft in attacks on schools.

  7. Software AG

The German software giant was the victim of a double extortion attack that started on Oct. 3, which resulted in a forced shutdown of internal systems and ultimately a major data leak. Files were encrypted and stolen by operators behind the Clop ransomware. According to multiple news outlets, a $20 million ransom was demanded, which Software AG declined to pay. As a result, the ransomware gang followed through with its promise and published confidential data on a data leak site including employees’ passport details, internal emails and financial information. Operators behind the Clop ransomware weren’t the only group utilizing a double extortion attack. The name-and-shame tactic became increasingly common throughout 2020 and is now the standard practice for several ransomware gangs.

  8. Vastaamo Psychotherapy Centre

The largest private psychotherapy provider in Finland confirmed it had become the victim of a data breach on October 21, where threat actors stole confidential patient records. The attack set a new precedent; rather than making demands of the organization, patients were blackmailed directly. As of last month, 25,000 criminal reports had been submitted to Finland police. In addition, the government’s overall response to the incident was significant, both in urgency and sensitivity. Finland’s interior minister called an emergency meeting with key cabinet members and provided emergency counseling services to potential victims of the extortion scheme.

  9. FireEye and SolarWinds supply chain attack victims

FireEye set off a chain of events on Dec. 8th when it disclosed that suspected nation-state hackers had breached the security vendor and obtained FireEye’s red team tools. On Dec. 13, the company disclosed that the nation-state attack was the result of a massive supply chain attack on SolarWinds. FireEye dubbed the backdoor campaign “UNC2452” and said it allowed threat actors to gain access to numerous government and enterprise networks across the globe. According to a joint statement Dec. 17 by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence, the attacks are ongoing. Additionally, the statement revealed that the supply chain attack affected more than just the Orion platform. CISA said it has “evidence that the Orion supply chain compromise is not the only initial infection vector leveraged by the APT actor.” Since the statement, major tech companies such as Intel, Nvidia and Cisco disclosed they had received the malicious SolarWinds updates, though the companies said they’ve found no evidence that threat actors exploited the backdoors and breached their networks. However, Microsoft disclosed on Dec. 31 that threat actors infiltrated its network and viewed — but did not alter or obtain — the company’s source code. Microsoft also said there is no evidence the breach affected customer data or the company’s products and services.

  10. SolarWinds

The scope of the attack, the sophistication of the threat actors and the high-profile victims affected make this not only the biggest attack of 2020, but possibly of the decade. The incident also highlights the dangers of supply chain attacks and brings into question the security posture of such a large company. Threat actors, who had performed reconnaissance since March, planted a backdoor in SolarWinds’ Orion platform, which was activated when customers updated the software. SolarWinds issued a security advisory about the backdoor which the vendor said affected Orion Platform versions 2019.4 HF5 through 2020.2.1, which were released between March 2020 and June 2020. “We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted and manually executed attack, as opposed to a broad, system-wide attack,” the company said. In the three-week-long investigation since, the full breadth of the attack has grown immensely, but is still not yet fully understood.

Five ways COVID-19 will change cybersecurity

The most important story of 2021 is not going to be the illness, but the vaccine. With three effective, promising vaccines in development as of November, COVID-19 (and its treatment) will continue causing major shifts in nearly every aspect of our lives.

That is especially true for cybersecurity. Our sector transformed in 2020, and we’ve still not finished adapting to the virus. Here are five ways in which COVID-19 and its vaccines will cause cybersecurity to change in 2021:

Returning to the office will create complex cybersecurity challenges

Given the likelihood of vaccinations beginning at some point next year, it’s likely that we’ll see some employees return to the office in 2021. Having a significant number of employees head back to the office will be the first major cybersecurity trend of 2021 and will result in a number of complex challenges.

Last year, many organizations rushed out work-from-home resources to ensure business continuity, leading to an unprecedented 42 percent jump in the number of U.S. employees working from home full-time as of June. The coronavirus forced CISOs’ hands: in some notable cases, security teams had to launch remote work over the weekend to comply with local work-from-home orders.

I understand the need driving that decision-making, but these measures may have serious ramifications in 2021.

CISOs will retrench and rebuild their security policies

Next year, CISOs must grapple with the results of the decisions they made (or were forced to make) in 2020. One of their first orders of business will probably be to “un-cut” the corners they took in the spring to stand up remote work capabilities.

We’re already starting to see this trend play out, with zero trust – an emerging security mindset that treats everything as hostile, including the network, host, applications, and services – gaining traction: in November, 60 percent of organizations reported that they were accelerating zero trust initiatives. That’s due in no small part to CISOs and CSOs retrenching and taking a more deliberate approach to ensuring operational security.

The security leaders who help their organizations successfully navigate the zero trust journey will recognize that a zero trust mindset has to include a holistic suite of capabilities including, but not limited to: strong multifactor authentication, comprehensive identity governance and lifecycle, and effective threat detection and response fueled by comprehensive visibility across all key digital assets.

To manage the growing digital complexity induced by digital transformation, effective security leaders will embrace the notion of extended detection and response (XDR), striving for unified visibility across their networks, endpoints, cloud assets, and digital identities.

Vaccinated employees will return with infected devices

We’ll really begin to see the results of the 2020 “rush jobs” when employees get back in the office. Though an increasing number of employees will receive vaccinations in 2021, their devices and applications will still be infected. In June, researchers reported a sudden spike in attacks and data breaches originating from mobile endpoints.

As more compromised devices re-enter the office and begin connecting with corporate assets and systems, we’ll see the full impact of hasty remote work policies.

Threat actors will prioritize SaaS applications and cloud services

Likewise, because many businesses began relying on distributed workforces in 2020 and broadened their footprints with SaaS applications and cloud services, threat actors will likely prioritize these targets and find new ways to exploit them. They may use a two-step approach, compromising end users and then connecting to the cloud services to which those individuals have access.

Vaccines will give rise to misinformation and phishing attacks

Finally, and maybe worst of all, the availability of real vaccines in 2021 will provide threat actors with a new “channel” to distribute misinformation and new targets to prioritize. Last year showed us that cybercriminals never waste a good crisis, using the coronavirus to disguise phishing, Trojan, and rogue app attacks.

Threat actors will adapt with the crisis: pandemic relief “offers” and contact tracing apps will give way to vaccine-related phishing attacks. These attacks will target individual users as well as the organizations developing, distributing, researching, and administering real vaccines.

These schemes could damage public confidence in real vaccines and undercut their efficacy: given how important widespread adoption of these vaccines will be to ensuring public health, social media companies will need to take stronger actions to curb misinformation. A recent alliance between Facebook, Twitter, and YouTube to fight vaccine conspiracies is a good start, but social media needs to act quickly to flag, refute, and remove misinformation.

Hopefully, some lessons have been learned

Our sector faced incredible challenges last year. I’m so proud of how hard-working cybersecurity professionals adapted their work, innovated new solutions, and helped organizations everywhere continue delivering services to the people who relied on them.

It was a brutal year, but I think it was a useful one, too. The pandemic demonstrated our strengths – and it also exposed some of our flaws, assumptions, and weaknesses.

Let’s learn from this. If 2020 taught us anything, it’s that the next disruption is coming. Being safe now isn’t enough.

In that vein, 2020 has taught us the power of human ingenuity when we come together toward a common cause. In the wake of COVID-19, people have rapidly developed novel therapies, created new approaches to testing, accelerated research on vaccines, identified ways to mass-produce personal protective equipment, and designed new ventilators.

Crises create remarkable moments of truth and force progress in critical areas. At the same time, we need to be careful about whether solutions developed during this time of urgency are the right long-term solutions for us. We will eventually enter a post-COVID era armed with new insights about society and should recognize that the choices we make today will shape what that society looks like.

Vaccines use pieces of viruses to train the immune system and protect against future infections. My hope is that the coronavirus helped inoculate cybersecurity against the next challenge – that we now know more about what we need to fight back in 2021 and beyond.

A wake-up call for the world on cyber security

Imagine intruders break into your house and loiter undetected for months, spying on you and deciding which contents to steal. This in essence is the kind of access that hackers, assumed to be Russian, achieved in recent months at US government institutions including the Treasury and departments of commerce and homeland security, and potentially many US companies. If the fear in the Cold War was of occasional “moles” gaining access to secrets, this is akin to a small army of moles burrowing through computer systems. The impact is still being assessed, but it marks one of the biggest security breaches of the digital era.

Hackers infiltrated updates to network management software from SolarWinds to smuggle malware into the computer systems of its government and corporate clients. The malware can transfer information, reboot computers and disable system services. It appears so far to have been used for espionage, albeit on a grand scale. But since clients included infrastructure operators, it could have been used for sabotage — or shows how similar techniques might be used for devastating cyber attacks in the future.

The incident should raise red flags across the public and private sectors that there is no such thing as perfect security. Even the most sensitive institutions are vulnerable to compromise operations by sophisticated players; in this case, a leading cyber security company, FireEye, was itself affected. The US and its allies cannot assume technological superiority over their most determined and capable cyber-foes: Russia, China, North Korea and Iran.

Any IT system, moreover, is only as secure as its weakest link. A central feature of this attack is that it utilised the supply chain, gaining access through software from a commercial supplier. While the US and allies have worked to exclude foreign-owned potential security risks such as China’s Huawei from critical infrastructure, threats can emerge through unwitting domestic sources. Private businesses are not equipped to carry out vetting similar to government departments.

Government agencies and private companies alike should therefore take a leaf out of the security services’ book — working under the constant assumption that they have been compromised, and continually scanning for intruders. The faster breaches can be located and closed, the more likely critical data can be protected. Cybersecurity should be treated as a priority right up to the most senior levels, and financial and human resources made available to ensure companies and public bodies have the best defences.

To strengthen government security, president-elect Joe Biden would be well-advised to reinstate the White House “cyber tsar” role the Trump team axed in 2018. A similarly able successor is needed to Chris Krebs, recently fired by Donald Trump as director of the well-regarded Cybersecurity and Infrastructure Security Agency. Though Mr Trump has threatened to veto it, the National Defense Authorization Act significantly beefs up CISA’s largely advisory authority, giving it power to take over running agencies’ cyber security programmes.

A return to multilateralism would also help. Mr Biden should liaise with allies on collective cyber security, and joint sanctions on states engaging in abuses. A “digital Geneva Convention” could update the norms of conflict for the cyber age; Russian president Vladimir Putin — whose Kremlin has denied being behind hacks of the US — has proposed a mutual cyber truce. But the kind of controls once adopted, say, on nuclear arms are difficult to translate into the realm of cyber space.

Cooperation between Norway’s security agencies planned following cyber attack on parliament

Government seeks to develop enhanced national IT infrastructure with an embedded early warning system and defense shield to protect the IT systems of public and private organizations.

Norway is to implement a more robust plan to scale up its IT security infrastructure against the backdrop of increasingly malicious attacks from cyber space. This follows a high-profile cyber attack that targeted the email system at the Norwegian parliament (Storting) on 4 August.

The Norwegian government accused Russia of launching the attack, but Moscow has denied any involvement.

In the immediate aftermath of the attack, the Norwegian government called an emergency meeting with the heads of the country’s top security agencies. The meeting resulted in a plan to accelerate the development of an enhanced national IT infrastructure incorporating an embedded early warning system and defense shield to protect the IT systems of public and private organizations.

“The digital domain makes it easier for foreign states to deploy non-military means in an entirely different manner than has been the case,” said Monica Mæland, Norway’s justice minister. “We need to know more about the exact purpose of the attack on the Storting and whether it was part of a specific or broader state-run espionage operation.”

The pivotal agencies at the post-Storting attack emergency meeting included the National Security Authority (Nasjonal Sikkerhets Myndighet), the National Cyber Security Centre (Nasjonalt Cyber Sikkerhets Senter), the Norwegian Police Security Service (Politiets Sikkerhetstjeneste) and the Norwegian Intelligence Service (E-tjenesten).

The Norwegian government’s strengthened cyber protection plan involves fast-tracking collaboration between national security agencies tasked with cyber defense and the private sector. The objective is to create a collaborative platform to develop improved early warning systems, deterrents and defenses against a wide range of common and unconventional cyber threats and attacks on critical IT infrastructure.

A central feature of the new plan is closer cooperation between the Norwegian Intelligence Service, the Norwegian Armed Forces’ military intelligence wing and the National Cyber Security Centre to develop a broad range of defensive and offensive options.

“The combined resources of Norway’s security and intelligence services will cooperate in an unprecedented way to deal with cyber threats and attacks at a national level,” said Ine Eriksen Søreide, Norway’s foreign minister.

Naming Russia as the aggressor in the August attack on the Storting, Søreide said the accusation was based on preliminary intelligence provided by Norway’s national security agencies and leading cyber defense experts.

“Based on the intelligence that is available to the government, it is our assessment that Russia was behind the attack on Norway’s most important democratic institution,” said Søreide.

Denying any involvement in the attack on the Storting, Moscow described the accusation as a “serious and deliberate provocation” by Norway that threatened to complicate existing and future bilateral political, trade and security relations.

“Norway has provided no evidence of involvement by Russia,” said Konstantin Kosachev, chairman of the Russian Federation Council’s foreign affairs committee. “This accusation lacks concrete evidence. If evidence exists, it should be examined by experts from our two countries. We received no such invitation from Norway.”

The cyber attack on the Storting targeted the email accounts of MPs and senior government officials. Email accounts breached included those belonging to MPs both in the ruling Conservative (Høyre) and opposition Labour (Arbeiderpartiet) parties. Email messages and data from several compromised accounts were downloaded in the cyber attack.