Welcome to our first annual “Most Impactful” Edition of The Week in Breach. Let’s take a look at some of the most notable and memorable breaches of 2021.
The Week in Breach: Our 10 Biggest Impact Breaches of the Year & Their Takeaways
The Hack Heard Round the World: Colonial Pipeline
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-data-breach-news-05-05-21-05-11-21/
Exploit: Ransomware
Colonial Pipeline: Fuel Pipeline Operator
On May 6, 2021, A major Russian hacking gang has successfully mounted a ransomware attack on major US fuel transporter Colonial Pipeline. The company is the operator of the largest fuel pipeline in the US, moving fuel into states on the Eastern seaboard, transporting more than 100 million gallons of gasoline and other fuel daily from Houston to the New York Harbor. Founded in 1962 and headquartered in Alpharetta, Georgia, privately-held Colonial Pipeline provides roughly 45% of the East Coast’s fuel, including gasoline, diesel, home heating oil, jet fuel and military supplies.
The point of entry for the gang was reportedly a single compromised employee password. Using that stolen password, the DarkSide affiliate slipped inside Colonial Pipeline’s admittedly lax digital security and delivered their cargo, DarkSide’s proprietary ransomware, to encrypt Colonial Pipeline’s systems and data. A little more than one week after the initial intrusion, an employee starting their day’s work in the Colonial Pipeline central control room saw a ransom note demanding cryptocurrency pop up on their computer and called in their supervisor. Then the race began for Colonial Pipeline as they tried to outpace the infection to preserve their systems and data. After shutting down the pipeline to try to mitigate the damage and prevent the hackers from further penetration, Colonial had to scramble to bring in experts to help. The company purportedly paid a ransom of 75 bitcoin or $4.4 million. In addition, the gang stole an estimated 100 gigabytes of data that had the potential to be highly sensitive. Shortly after this attack, DarkSide went dark for good.
Read a complete breakdown of the attack timeline with more details: https://www.graphus.ai/blog/diary-of-a-ransomware-attack-inside-the-colonial-pipeline-incident/
Key Takeaway: Cyberattacks against infrastructure targets have become a hot topic, and companies that own and operate them should be cognizant of their elevated risk.
An International Incident: Microsoft
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-data-breach-news-03-03-21-03-09-21/
Exploit: Product Vulnerability (Nation-State Hacking)
Microsoft: Software Developer
Microsoft reported that suspected Chinese nation-state actors that it identified as Hafnium exploited a flaw in Exchange that gave them access to an unspecified amount of data or email accounts. In its blog, Microsoft stated that Hafnium had engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. The company detailed the exact method that was used as a three-step process. First, Hafnium would gain access to a victim’s Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create a web shell to control the compromised server remotely. Third, it would use that remote access (run from US-based private servers) to steal data from the victim organization’s network.
Microsoft estimated that 30,000 or so customers were affected. This flaw impacted a broad range of customers, from small businesses to local and state governments and some military contractors. The hackers were able to steal emails and install malware to continue surveillance of their targets. Patches were quickly made available, but the damage had been done.
Key Takeaways: This incident had an impact that is still being measured. Companies that quickly patched the flaw fared better than companies that didn’t. This incident is a reminder that risk can come from unexpected directions at any time.
Food for Thought: New Cooperative & Crystal Valley Cooperative
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-news-09-22-21-09-28-21/
Exploit: Ransomware
New Cooperative & Crystal Valley Cooperative: Agricultural Services
Twin breaches in agriculture had the potential to cause significant disruptions in the US food supply chain. Iowa-based farm service provider New Cooperative was the first ag company hit with a ransomware attack in late October, causing the company to shut down its IT systems. As part of its announcement, the company stated that there would be “public disruption” to the grain, pork and chicken supply chain if its operations are not restored quickly. Following the incident, New Cooperative officials said that 40% of the nation’s grain production runs through its software.
New ransomware group BlackMatter claimed responsibility, releasing proof on their dark web leak site, saying that they have 1,000GB of data. BlackMatter demanded a $5.9 million ransom from New Cooperative, which the organization refused to pay. Minnesota-based farm supply and grain marketing cooperative Crystal Valley was the next hit by a ransomware attack a few days later. The company announced that all of its corporate IT systems were shut down and they were unable to process credit card payments. It also noted that this is a very bad time for cyberattacks in the industry as it is harvest season.
Key Takeaway: Ransomware attacks that against industries that are both under pressure and in essential economic positions became a regular occurrence during 2020 and that trend is continuing.
Hactivism at Work: Epik
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-news-09-15-21-09-22-21/
Exploit: Hacking
Epik: Webhosting
Legendary hacktivist group Anonymous has struck again, this time claiming to have snatched gigabytes of data from Epik, a domain name, hosting and DNS service provider for a variety of right-wing sites including Texas GOP, Gab, Parler and 8chan and extremist groups like the Proud Boys. The hacktivist collective announced in a press release that the data set, which is over 180GB in size, contains a “decade’s worth of data from the company.” It has been released as a torrent. The more than 150 gigabytes of data swept up in the breach shine a light on years of online activities from far-right groups, including those who tried to overturn the 2020 US presidential election.
Members of the whistleblower site Distributed Denial of Secrets (DDoSecrets) have also made the data set available via alternate means. The Ars Technica story on the incident is absolutely worth reading and includes the press release as well as other actions by Anonymous in the same vein. The group perpetrated this hack as part of its Operation Jane campaign.
Key Takeaway: Hacktivists have the power to do big things quickly. ENISA ‘s 2021Threat Landscape Report predicts that the focus of hacktivists’ activity will remain regional although new movements are gaining traction that are likely to develop hacktivism side-tactics and attract wider public participation for online protest and disruption.
Invasion of the Data Snatchers: Accenture
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-news-08-11-21-08-17-21/
Exploit: Ransomware
Accenture: Consulting Firm
The LockBit ransomware gang hit consulting giant Accenture in mid-August. In a post on its dark web announcement site, the gang offered multiple Accenture databases for sale. The LockBit gang also chose to poke fun at Accenture’s security. The leak site showed a folder named W1 purportedly containing contains a collection of PDF documents stolen from the company. The LockBit ransomware gang reported the theft of 6 terabytes worth of Accenture’s data. LockBit requested a $50 million ransomware payment.
Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack that hit the company’s systems in August 2021 in its fourth quarter and full fiscal year financial reporting. After the incident, the ransomware group reportedly told BleepingComputer that it had leveraged stolen Accenture data to hit several other businesses, potentially including attacks on Bangkok Airways and Ethiopian Airlines.
Key Takeaway: Companies that store large amounts of data like financial records or PII were high on cybercriminal hit lists in 2021 because that data was an especially valuable commodity in the booming dark web data markets.
Stealing Straight from the Source: Electronic Arts (EA)
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-news-07-28-21-08-03-21/
Exploit: Ransomware
Electronic Arts (EA): Video Game Maker
Hackers leaked an estimated 751GB of compressed EA data containing FIFA 21 source code on a dark web forum. Initially, they released a cache of 1.3GB of FIFA source code on July 14 as part of a demand for payment to stop them from releasing the rest, but after EA refused to play ball, the rest was added. According to reports, the hackers used the authentication cookies to mimic an already-logged-in EA employee’s account and access EA’s Slack channel and then tricked an EA IT support staffer into granting them access to the company’s internal network, ultimately allowing them to download more than 780GB of source code from the company’s internal code repositories.
On June 10, the hackers posted a thread on an underground hacking forum claiming to be in possession of EA data, which they were willing to sell for $28 million. When they failed to find a buyer, they attempted to extort EA, and that effort was also unsuccessful. EA did not pay the extortionists, who then dumped the data on the dark web. The source code of the FIFA 21 soccer game, including tools to support the company’s server-side services, reportedly hit dark web forums shortly thereafter.
Key Takeaway: Cybercriminals are hungry for data and that includes proprietary data about projects and products. This trend also tracks with medical research and pharmaceutical data.
A Meaty Haul for Cybercriminals: JBS SA
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-data-breach-news-05-26-21-06-01-21/
Exploit: Ransomware
JBS SA: Meat Processor
International meat supplier JBS SA was hit by a crippling ransomware attack in late May 2021. The world’s largest meat producer, Brazil-based JBS has operations in 15 countries and serves customers worldwide including the US, Australia and Canada. JBS is the No. 1 beef producer in the U.S., accounting for 23% of the nation’s maximum capacity compared to rival Tyson Foods Inc.’s 22% share, according to an investor report by Tyson. JBS accounts for roughly a fifth of pork capacity.
The company said that it was immediately in contact with federal officials and brought in a “top firm” to investigate and remediate the incident. JBS initially stated that the attack only impacted some supplier transactions and no data was stolen, but later admitted that data was exposed. JBS ended up paying an $11 million ransom to the REvil ransomware group after the attack caused meat shortages across the US, Australia and other countries.
Key Takeaway: Industrial production of all sorts from food to computer chips was firmly in cybercriminals sights in 2021 as part of double and triple extortion ransomware operations, and that likely won’t change in 2022
Stopping Traffic: Transnet
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-news-07-22-21-07-27-21/
Exploit: Hacking
Transnet: Port Authority
A cyberattack at South Africa’s biggest port operator, Transnet, snarled maritime traffic around the world and left companies waiting for raw materials. The state-owned freight enterprise, comprised of shipping, railways and other logistics, was forced to halt operations at container terminals in Durban, Ngqura, Port Elizabeth and Cape Town. The company also placed many employees on leave. Transnet’s Durban port handles 60% of the nation’s shipments, including freight for other African nations.
Officials said in a statement: “Transnet, including Transnet Port Terminals, experienced an act of cyberattack, security intrusion and sabotage, which resulted in the disruption of TPT normal processes and functions or the destruction or damage of equipment or information.” Some services were restored b using limited, manual means. News outlet Fin24 reported that perishable food was stuck in containers and freight trucks, amid massive frustration among both importers and exporters in the peak period for citrus exports.
Key Takeaway: Cybercriminals took shots at the maritime and freight transportation/logistics sectors all year long, likely looking for quick ransom payments from companies that might have low security but needed to remain operational at all times, and they were frighteningly successful. That bodes ill for those sectors in 2022.
Theft from the Rich and The Poor: Robinhood
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-news-11-10-21-11-16-21/
Exploit: Hacking
Robinhood: Financial Services Platform
Financial services platform Robinhood made the news after disclosing a data breach on November 3. The company blamed the security incident on vishing. Threat actors obtained access to the organization’s customer support systems by obtaining systems access over the phone. This is the same technique that proved successful in the 2020 Twitter hack. According to reports, after accessing the data, the cybercriminals then demanded an extortion payment to keep the data safe.
Bleeping Computer reported that two days after Robinhood disclosed the attack, a threat actor named ‘pompompurin’ announced that they were selling the stolen information on of 7 million Robinhood customers’ for at least five figures, which is $10,000 or higher.on a hacking forum
Key Takeaway: Stock trading became trendy with meme stocks gaining traction on social media as new investors entered the market quickly and easily through apps like Robinhood. But FinTech and similar sectors also caught the eye of cybercriminals who stepped up their hacking efforts looking for quick scores of cryptocurrency and financial data.
System Shock: Newfoundland and Labrador Health
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-news-11-03-21-11-09-21/
Exploit: Ransomware
Newfoundland and Labrador Health: Healthcare System
What may be the largest cyberattack in Canadian history crippled the healthcare system of the province of Newfoundland and Labrador on October 30. The ransomware attack hit scheduling and payment systems, causing interruptions in patient care including the cancellation of all non-urgent imaging and medical appointments well as a reduction in chemotherapy sessions and significant complications for the province’s COVID-19 response. Eastern Health reported that their payment systems to suppliers and vendors were also targeted by the attack.
Hackers stole personal information connected to both patients and employees in the Eastern Health and Labrador-Grenfell Health regions of Newfoundland and Labrador’s healthcare system in this attack. The information was accessed through the province’s Meditech data repository, which includes a patient information database as well as core communication tools, such as email.
Key Takeaway: Hacking and ransomware against everything medical was the big trend of 2020 as COVID-19 treatment and research data became valuable in dark web markets. Bad actors will continue to hunt for data from medical sector targets because it often results in a quick harvest of valuable PII and financial information.
Tales of Crypto Crime: BTC-Alpha
Original Story Published: https://www.idagent.com/blog/the-week-in-breach-news-11-23-21-11-30-21/
Exploit: Ransomware
BTC-Alpha: Cryptocurrency Exchange
In one of this year’s most bizarre breach sagas, UK-based cryptocurrency exchange BTC-Alpha was hit with a ransomware attack in early November. The Lockbit ransomware group claimed responsibility and posted a threat to its leak site to expose BTC-Alpha’s data if a ransom was not paid by December 1. The company disclosed that although hashed passwords were compromised, users’ balances were not impacted, and the company and its users lost no money. The company also advised users to avoid password reuse, update or reinstall their apps, and employ MFA.
Here’s where it gets strange. Alpha founder and CEO Vitaly Bodnar alleged the attack was the work of a competing cryptocurrency firm in a press release on the same day that Lockbit’s announcement was made. “These are the methods of our competitors, with whom we refused to cooperate and add their coins to our platform. They launch their exchange and on the same day there is a massive attack on us. I don’t believe in coincidences like that,” Vitaly Bodnar said. The release goes on to state that a rival was launching a cryptocurrency exchange on the same day as the attack and may be involved in the incident.
Key Takeaway: Everything crypto is under siege by cybercriminals as they vie to take control of cryptocurrency assets. That trend will continue and may expand into NFTs.