The Top 10 Biggest Cyber Attacks Of 2021
A throwback on some of the most high profile cyberattacks of 2021, how they were remediated, and what could have been done to prevent them.
2021 was a year that carried forward a lot of the chaos from 2020. This couldn’t be truer for cybersecurity, as seemingly every kind of attack grew sharply in both number and sophistication.
In fact, according to a recent report by SonicWall, 2021 saw ransomware attacks increase by 105% from the previous year and encrypted threats rise by 167%. While ransomware might have been front and center in the report, there were also significant concerns over phishing and business email compromise (BEC) attacks, which also saw significant rises.
As business-aimed attacks have continued to increase in severity, cost, and sheer prevalence throughout 2022, we’ve rounded up some of the most high-profile cases that hit headlines last year, and how they could potentially have been prevented. The suggestions made, however, aren’t standalone fixes and work best in tandem with each other.
While we pride ourselves on accuracy, we should note that this isn’t an exhaustive list. It barely scratches the surface of the sheer scale of cyberattacks that occurred throughout 2021, but it does cover the ones everyone was talking about last year.
Without further ado, here are (some of) the highest profile cyberattacks of 2021:
Microsoft Exchange Attack, January – March
When governments and businesses were still reeling from the SolarWinds attack of December 2020, opportunistic attackers from a Chinese hacking group took advantage of the residual chaos to instigate their own attack against Microsoft’s Exchange Server. The group, called Hafnium, is usually associated with espionage and has historically targeted US organizations.
Rather than instigating a single attack, the perpetrators conducted waves of attacks after their four successful zero-day exploits granted attackers access to user emails and passwords, admin privileges, and access to connected devices within the network on affected servers. Hackers were able to access the accounts of at least 30,000 organizations in the USA alone, with 250,000 globally reported as being affected.
By the end of March, Microsoft had announced that nearly all servers affected by the attack had been patched and mitigated. It was still costly and time consuming to rectify, however, and caused significant damage to companies who had suffered subsequent breaches and attacks as a result.
These waves of attacks grew out of multiple vulnerabilities in the network that attackers took advantage of. Companies can sidestep this issue by keeping their network perimeter secure with a strong, automated patch management solution that finds vulnerabilities and patches them before they result in a breach.
For more on how patch management actually works and why you might need it, read our blog:
Accellion Supply Chain Attack, January
As we saw with Microsoft, even trusted tech providers aren’t safe from experiencing devastating attacks and breaches. And security software specialist Accellion (now Kiteworks) is no exception.
In late January, the company reported a successful supply chain attack that affected many of its high-profile clients. Supply chain attacks involve an attacker infiltrating a company network through an affiliated partner, supplier, or any other third party with access to the network.
In this instance, Accellion was the “secondary” target, as attacking through it gave threat actors access to numerous Accellion customers and partners. The attack was achieved via a zero-day attack that targeted Accellion’s File Transfer Appliance (FTA) software. Hackers found and exploited a P0 vulnerability in the software and launched a widespread attack using four zero-day exploits.
Of Accellion’s 300 clients, roughly 100 were affected by this breach. Big names like Kroger, Reserve Bank of New Zealand, and the University of Colorado were affected. Remediation of the vulnerabilities and breach for both Accellion and their affected customers took weeks to achieve.
The zero-day attack succeeded because it also took advantage of vulnerabilities within Accellion’s network perimeter, much like what we saw with the Microsoft Exchange Server attack. A robust patch management solution that automatically searches for and patches vulnerabilities is a must for most organizations:
Florida Water Supply, February
In an attack that erred more on the side of horrifying and harmful than actually financially damaging, a hacker managed to briefly take control of the water supply of Oldsmar, a city in Florida, and change the amount of lye in the supply to dangerous levels. Lye is used in water supplies to treat the water, but at high enough levels it can cause serious harm if touched or ingested.
In the early stages of the attack, a plant operations employee noticed that their cursor was moving on its own and setting the amount of lye to dangerous levels. After quickly reverting the levels back down to where they should be, the employee raised the breach with their superiors.
The remote-access tool TeamViewer, which employees used and which the hacker used to reach the plant’s systems, was disabled in response. The FBI released a statement that they suspected poor password hygiene and out-of-date software were the cause of the issue. It was also further reported that credentials tied to the plant had been leaked prior to the incident.
While poisoning the water supply with lye sounds like something Arthur Conan Doyle would write about, the method to instigate this potentially harmful attack was less Victorian in nature. It was later suspected by security firm Dragos that the origin of the attack could have also stemmed from a watering hole attack—an attack that compromises a particular site visited by the actual target rather than directly attacking the target itself.
Dragos reported that it had found damaging code inserted into a WordPress-run website affiliated with a Floridian water infrastructure construction company that liaises with the Oldsmar water plant. With the code inserted, attackers were able to harvest information, including operating systems, browsers, touchpoints, input methods, what hardware was in use such as cameras and microphones, and much more. Dragos’ best guess was that threat actors harvested this information to help improve the botnet malware’s ability to mimic legitimate web browser activity.
Making sure credentials don’t become compromised is a critical part of overall strong password hygiene. You can do this by making them hard to guess and having them regularly rotated and changed whenever there’s a detected breach, as well as through the deployment of a password manager.
Australia Channel 9 News Ransomware Attack, March
In March, threat actors successfully disrupted Australia’s Channel 9 News live broadcast, preventing the channel from airing several other shows and affecting 9 News’ print production. The confirmed ransomware attack, in addition to taking shows off the air, also locked staff out of their emails, blocked their internet access, and halted print production systems. At the time, it was the largest cyber-attack on an Australian media company.
After isolating the incident, admins were able to bring production back online, but only after several hours of disruption to operations. The root cause was never made public or discovered. 9 News admins suspected it was probably either unpatched vulnerabilities or a phishing email, yet the possibility of a state-sponsored attack hadn’t been ruled out either, and at the time they consulted closely with the Australian Signals Directorate and the Australian Cyber Security Centre.
No ransom was reported as having been demanded, nor was one paid, and 9 News worked on remediating the issue.
Having strong anti-phishing solutions in place can prevent your employees from inadvertently downloading malicious code that acts as a gateway for a ransomware attack. Most phishing attacks occur via email, so enhancing email security is an excellent preventative step against ransomware attacks.
CNA Financial Ransomware Attack, March
Ransomware attacks are particularly devastating, as companies can experience severe financial losses from disruption in activities. And, more often than not, companies can’t afford the downtime, which results in them paying the ransom to get servers back up and running.
The ransomware attack leveled at CNA Financial, a finance company based in Chicago, had this unfortunate end result, with CNA paying a hefty $40 million ransom in exchange for the key to decrypt its files and data. In its report, it noted that the breach had affected a staggering 75,349 individuals.
So, how did it happen?
Phoenix, the attacker group responsible for the hack, used a type of malware called Phoenix Locker, which was derived from Hades, a popular form of ransomware created by REvil. The ransomware masquerades as a browser update that entices employees into downloading it, then moves laterally across the network until it gains enough privilege to identify important and sensitive data. It then sends copies of that data outside the network, encrypts the data at rest on the network, and issues the ransom demand.
A couple of tools, appropriately deployed and configured, could have prevented or mitigated the attack here. Data loss prevention solutions, when properly configured, can stop sensitive data from leaving the network when they notice that certain information is leaving without proper authorization.
The second important measure that could have helped in this instance is security awareness training (SAT). The entire attack was instigated by employees clicking on and downloading a bogus browser update, which worked as an attack vector for Phoenix. Having staff appropriately trained to spot these tactics and respond accordingly could have prevented the breach.
Not sure what SAT is? Check out our guide:
Quanta Ransomware Attack, April
Quanta is an original design manufacturer (ODM) supplying Apple, Dell, Lenovo, Cisco, Microsoft, and others. In April last year it was hit with a financially crippling ransomware attack by a Russian ransomware-as-a-service group with perhaps the most appropriate, Resident Evil-esque name ever: REvil. While not quite Umbrella Corporation level, they’re still able to do a lot of damage, and requested a cool $50 million by way of ransom.
Initially, the attack began with REvil demanding the ransom from Quanta in exchange for all data they had encrypted in the attack, but after accessing the server and acquiring unreleased designs for future products, REvil quickly changed tactics and demanded the sum from Apple in exchange for not leaking more designs for future products.
While the exact specifications of the attack are unclear, it was reported by Quanta that only a small part of the network had actually been affected by the breach and that they were working closely with local authorities to contain and remediate the attack.
REvil did make good on their promises to release designs until the ransom was paid, insisting that the ransom needed to be paid by May 1 of that year. However, as luck would have it, the situation de-escalated just as quickly as it had begun, with all Apple-related content disappearing from the attackers’ website. At the time, it left us in the dark about what actually happened and why the ransomware attack seemingly ran out of steam, but as it happens Quanta hadn’t been its only target, and plenty of other countries and organizations had personal beef with the ransomware group. REvil had targeted Acer with another $50 million ransom attack earlier that year, amongst plenty of others in the past. In a joint operation between several governments, REvil was targeted and hacked last year and their operations disbanded.
While Quanta and Apple might have had a happy ending in this particular instance, it was still a high-profile case in that a ransomware attack was able to significantly affect a huge company that is, ironically, itself a tech company, showing that no one is truly safe.
Ransomware attacks are particularly devastating because, in addition to the ransom itself, they run up costs from lost business and the downtime needed to get operations up and running again, so safeguarding against these types of attacks is critical:
Brenntag Ransomware Attack, April
In April, hackers successfully deployed a high-profile ransomware attack against German chemical distribution company Brenntag. Brenntag is a large corporation and a world leader in their field, with thousands of employees across the world at over 670 locations.
The perpetrators in this scenario were hacker group DarkSide, who netted an eye-watering $4.4 million ransom, paid in Bitcoin by Brenntag in a bid to prevent stolen data from being released and to obtain the key to decrypt their files.
The attack, which focused on the North American side of the business, managed to encrypt the company network and steal 150GB of data, including highly sensitive personal information pertaining to the company’s employees.
The ransom had originally been much higher but was reduced to $4.4 million after negotiations. Part of these negotiations included DarkSide telling Brenntag how they managed to pull off the attack. When it came down to it, the “gateway” to this attack turned out to be stolen credentials, or so DarkSide claims.
This article has already stressed the importance of proper credential management and strong password hygiene, but it’s also worth pointing out that, alongside this, storing sensitive data and information elsewhere is a beneficial step in mitigating risk and data loss from ransomware attacks. Cloud storage solutions can keep data away from the main network, making it more difficult for attackers to access.
Colonial Pipeline Ransomware Attack, May
And who could forget the Colonial Pipeline ransomware attack of May 2021?
For those not in the know, the Colonial Pipeline is an oil pipeline that delivers gasoline and jet fuel to a large number of states in the southeastern part of the USA. The pipeline saw the halting of production while the company worked to contain and respond to the threat. The pause in production resulted in the cancellation of flights and fuel shortages, the latter of which was exacerbated by panic buying.
After some deliberation, and in a move that was overseen by the FBI, the company paid the $4.4 million ransom within a few hours of receiving the ransomware notification in exchange for the decryptor needed to bring the network back up. However, the decryptor was incredibly slow, so the company still had to invest planning tools, time, and effort in getting everything up and running again anyway.
But how did this all happen? Well, the attack vector into the Colonial Pipeline’s network turned out to be a set of compromised credentials. The credentials were strongly suspected to have been acquired from the dark web, and the account in question reportedly was no longer in use and was regarded as a dead account, except for the fact that it could still provide access to the Pipeline’s network.
It’s unsurprising, seeing as stolen credentials account for 61% of all breaches. It was further reported that the account that led to the breach and subsequent ransomware attack didn’t have multi-factor authentication in place either.
Having a robust identity and access management (IAM) solution in place perhaps would’ve circumvented the issue. IAM solutions combine the processes of identifying, managing, and authorizing accounts within a system. This usually entails having a database that contains all user identities and access privileges, tools to help manage these privileges including monitoring them, and a system that enables the auditing of login and access history.
Regularly cleaning up accounts and removing any dead and unused accounts would have proven beneficial in preventing the breach. Unused or dead accounts are often left unmanaged and forgotten about, which is a huge risk. Every single set of credentials, used or not, is an entry point into a network and therefore a potential attack vector, and needs to be managed accordingly.
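The kind of check the two paragraphs above describe, written out as an added example (not part of the original article or of any vendor’s product): it walks a constructed identity inventory and flags enabled accounts that are dormant, that reach the network remotely without MFA, or both. The Account fields, the 90-day dormancy threshold and the sample records are all assumptions made for the example.

```python
"""Stale-account audit: an enabled, dormant account without MFA is still a
valid entry point. Example code; the Account record layout, the 90-day
threshold and the sample inventory are constructed assumptions, not real data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never logged in
    remote_access: bool         # can reach the network remotely (VPN and similar)


DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


def audit(accounts: List[Account], today: date,
          dormant_after: timedelta = DORMANT_AFTER) -> Dict[str, List[str]]:
    """Return {username: [findings]} for enabled accounts that are dormant,
    lack MFA on a remote-access path, or both. Disabled accounts are skipped:
    they cannot be used to log in, so they are not an entry point."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        dormant = acct.last_login is None or today - acct.last_login > dormant_after
        if dormant:
            issues.append("dormant: disable or remove")
        if acct.remote_access and not acct.mfa_enrolled:
            issues.append("remote access without MFA")
        if dormant and acct.remote_access:
            issues.append("dormant account with remote access: high risk")
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample inventory (not real accounts or dates from any incident).
TODAY = date(2021, 5, 7)
SAMPLE = [
    Account("alice", True, True, date(2021, 5, 6), True),          # healthy
    Account("bob.contractor", True, False, date(2020, 11, 30), True),  # dead, no MFA
    Account("svc-legacy", True, False, None, True),                # never used
    Account("carol", True, False, date(2021, 5, 1), False),        # no remote path
    Account("dave", False, False, date(2019, 1, 1), True),         # already disabled
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE, TODAY).items():
        print(f"{user}: {'; '.join(issues)}")
```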
JBS Foods Ransomware Attack, May
JBS Foods is a Brazilian company that is one of the largest meat processing companies in the world and supplies one-fifth of the world’s meat. It was also hit with a particularly devastating ransomware attack in spring 2021.
The ransomware attack was highly successful in halting production in the US, Canada, and Australia, before JBS paid the ransom of $11 million in bitcoin to resume production, one of the largest ransom payments to date. Before paying, JBS had apparently consulted cybersecurity experts and decided to pay in order to prevent any further data exfiltration.
While no one took credit for this attack, it is still strongly suspected that Russian hacking group REvil was to blame, and the FBI investigated the incident to find the culprits. Since the attack, it hasn’t come to light who was behind it or indeed the specifics of how the attack actually functioned.
However, data exfiltration took place in the two months preceding June 1, when the attack hit and JBS staff found their network encrypted. The data was exfiltrated to the file-sharing site Mega, along with some other locations. Prior to this, SecurityScorecard found in its research that leaked credentials belonging to JBS Australia employees had been found on the dark web, adding to suspicions that a breach had occurred in February of that year.
While the situation remains unclear as to how the attack actually happened, it’s clear that data loss prevention tools, IAM solutions, and patch management could have potentially mitigated risk.
Kaseya VSA Ransomware Attack, July
The Kaseya VSA ransomware attack was also perpetrated by Russian (or at the least, Russian speaking) hacking group, REvil. Kaseya is a software company specializing in IT products that are particularly suited for MSPs.
The whole issue actually began in April, when Kaseya was made aware of seven easy-to-spot vulnerabilities in their software by the Dutch Institute for Vulnerability Disclosure. While there was considerable effort to patch these vulnerabilities, Kaseya was not able to patch all of them in time, leading to REvil’s attack in early July.
The root cause of the attack was the compromise of Kaseya’s Virtual System Administrator (VSA), a remote monitoring and management software tool. Attackers spread the ransomware through the hosts managed by the software, increasing the overall attack surface. The company, in response, shut down the VSA’s cloud and SaaS servers.
By mid-to-late July, Kaseya had announced that they had received the key to unlock all remaining encrypted files from a “trusted third party” and that they were working closely with still-affected businesses within their network. While they had not paid the ransom to REvil and had worked hard to contain the issue, significant financial losses were still accrued from heavy downtime, and anywhere from 800 to 1,500 businesses had been affected.
Like with the Microsoft Exchange attack listed above, Kaseya’s ransomware attack stemmed from vulnerabilities within their network which hadn’t been patched yet. Having a strong patch management solution in place can mitigate the brunt of attacks if properly configured and automated, as mentioned above.