This article takes a look at the top 10 most disastrous cyber hacks carried out on organisations in the 2020s, so far.
Whether financial or reputational, cyber attacks are capable of bringing the operations of even the largest, most secure organisations to a halt. Threat actors are constantly evolving their techniques to get past security measures, to the point where cyber crime — projected to cost businesses $10.5tn annually by 2025 — has grown into its own industry.
Below is a list of 10 of the most disastrous cyber hacks of the 2020s, so far.
Marriott International (2020)
In early 2020, the network of Marriott International was infiltrated by attackers who had obtained the login credentials of two members of staff. Identified in February 2020 and determined to date back to January of that year, the breach exposed the data of a reported 339 million Marriott customers. Exposed data included contact details, Marriott Bonvoy loyalty scheme information, and stay preferences.
Following the breach, the hotel group offered affected customers personal information monitoring services and reset their Bonvoy account passwords, as well as warning them that the exposed details could be used in follow-up phishing attacks. The ICO fined Marriott £18.4m in October 2020.
The hotel chain has reported three breaches in four years (a previous attack had been carried out in 2018), the most recent in July 2022, this time by a threat actor who gained access by socially engineering an employee.
SolarWinds (2020)
In December 2020, cyber security firm FireEye (now Trellix) discovered that advanced persistent threat (APT) actors had breached the supply chain of SolarWinds, inserting trojanised builds that masqueraded as its commercial SolarWinds Orion application.
Organisations that downloaded the rogue application included the US Department of Defense, Treasury and Commerce and other government departments, as well as 425 of the US Fortune 500. FireEye’s own network was also accessed as a result of the supply chain attack. However, in line with White House estimates, SolarWinds announced that the actual number of customers hacked through the attack was fewer than 100.
It’s believed that the Russian cyber crime group Cozy Bear was behind the attack, and that it took advantage of a vulnerability in the Orion application that allowed for authentication bypass. The group’s activity is believed to date back to March 2020.
Colonial Pipeline (2021)
One of the US’s biggest national pipelines, Colonial Pipeline, was taken offline in May 2021 after 100GB of data from its network was taken hostage. The culprits of the ransomware attack are believed to be the cyber crime group DarkSide.
The fuel supplier paid the ransom of 75 Bitcoin — or $4.4m — in exchange for a decryption tool to bring its systems back online, a process that took several days. In June 2021, the Department of Justice announced the recovery of 63.7 Bitcoin (approximately $2.3m) of the ransom originally taken by DarkSide.
With fuel shortages occurring as a result of the attack, US airlines needed to reschedule flights, and fuel prices surged to their highest since 2014.
Microsoft Exchange (2021)
Data hosted on Microsoft Exchange servers was infiltrated between January and March 2021, beginning with the discovery of four zero-day exploits. As a result of the attacks — believed to have been carried out by the Chinese state-sponsored hacker network Hafnium — over 250,000 company servers globally were impacted. These belonged to organisations including US government agencies, academic institutions and law firms.
While Microsoft stated that the cloud-based Exchange Online and Microsoft 365 products were not affected, businesses running on-premises servers were left open to breach attempts targeting email. Attackers are known to have taken contact information and entire address books, as well as deploying malware to facilitate longer-term access.
Following the attacks, Microsoft released emergency security patches, along with a tool allowing customers to detect malicious activity in their networks.
Quanta Computer (2021)
Apple device manufacturer Quanta Computer had an array of product plans stolen in April 2021, with Apple then facing a $50m ransom demand in exchange for the safe return of the schematics. The cyber attack was found to have been carried out by REvil, and occurred just hours ahead of Apple’s Spring Loaded event.
According to a message posted on the Dark Web by the cyber crime group, Quanta had failed to pay the ransom asked, leading the group to change tack and target Apple. The messages went on to threaten to post new data from the stolen MacBook schematics each day until payment was received.
Following the ransom demands, however, REvil took down all references to the attack from its website, which had previously hosted screenshots of the stolen MacBook plans.
Kaseya (2021)
A ransomware attack was carried out on IT management vendor Kaseya and its customers by the Russia-based cyber crime group REvil in July 2021. The first vulnerabilities in Kaseya’s software had been reported in April of that year, and although four of the seven main vulnerabilities had been fixed, an authentication bypass flaw in its Virtual System Administrator (VSA) product was leveraged. In response, the company shut down its VSA cloud and SaaS servers.
Between 800 and 1,500 downstream organisations were found to have been impacted by the attack. These included 50 managed service providers (MSPs), and cyber security firms such as Huntress. Along with data being encrypted, ransoms demanded by REvil ranged from a few thousand dollars to over $5m.
REvil, the group that was also behind the Quanta Computer ransomware attack, was taken offline in October 2021.
News Corp (2022)
The email infrastructure of publishing corporation News Corp was found to have been hacked in January 2022, by threat actors believed to be linked to the Chinese government. The intrusion was found to date back to February 2020 at the earliest, according to an investigation carried out by US law enforcement and Mandiant.
Email accounts and documents belonging to News Corp HQ, News Technology Services, Dow Jones, News UK and The New York Post were impacted. The number of journalists affected by the attack was not specified.
Crypto.com (2022)
In January 2022, the Crypto.com cryptocurrency exchange had an estimated $33.7 million in Bitcoin and Ether tokens stolen. The company found that user accounts had been subject to unauthorised activity, with transactions taking place without the two-factor authentication (2FA) codes that would normally be required. The stolen tokens were sent to the Tornado Cash mixer, making them impossible to trace further.
Following the attack, Crypto.com suspended withdrawals from all accounts for 14 hours while an investigation took place. Users were then asked to follow a new 2FA process. According to the company, no customers lost funds, with fraudulent withdrawals either blocked or the customers concerned reimbursed.
Marquard & Bahls (2022)
Oiltanking GmbH Group and Mabanaft Group, subsidiaries of Germany-based oil supply corporation Marquard & Bahls, were subjected to a cyber attack in February 2022. Oiltanking terminals became limited in capacity as a result. This led to 233 petrol stations across Northern Germany being impacted, operated by the likes of Aral — the largest petrol station network in Germany — and Shell.
Following the attack, Shell announced that it had re-routed supply to alternative depots.
International Committee of the Red Cross (2022)
The network of the non-profit International Committee of the Red Cross came under attack in January 2022, with servers hosting personal data belonging to over 515,000 people worldwide being hacked. An unpatched critical authentication vulnerability was leveraged by the threat actors, leading to administrator credentials and Active Directory files being compromised. The attackers then masqueraded as legitimate users with the help of offensive security tools.
The individuals affected, who had used the Red Cross’s services, included conflict refugees and missing people. The breached data came from at least 60 Red Cross and Red Crescent societies across the world.
The ICRC was forced to shut down its systems, and advised those affected to contact their local Red Cross or Red Crescent society, or ICRC office. The organisation’s services later returned online with enhanced 2FA processes.