Breaches and Ransomware: A Look Back at 2021
As 2021 draws to a close, there’s another annual tradition observed at The New Stack: our informal review of a few special or significant moments. I’ve traditionally called it “a massive MapReduce on the year gone by,” highlighting events that seemed to foreshadow things to come, in a final closing ceremony for the year where we ponder what it all ultimately meant.
But besides celebrating our successes, 2021 was also a year with some truly spectacular failures. There were outages, breaches, and lots and lots of ransomware.
If there’s any silver lining, it’s that 2021 made cybersecurity into a problem too large to ignore. So as we head off into 2022, our challenges ahead are now crystal clear.
Down Time and Disruptions
The year 2021 taught us that ordinary outages at cloud providers could start ripples all across the internet. June found a configuration issue at cloud CDN Fastly impacting top sites like PayPal, Reddit and GitHub. Dec. 17 saw an AWS outage disrupting service at top sites like Facebook, Slack, Hulu and DoorDash.
“A similar disruption took place Dec. 7,” recalled NBC News, “crippling video streams, halting internet-connected robot vacuum cleaners and even shutting down pet food dispensers in a series of reminders of how much life has moved online, especially during the coronavirus pandemic.”
But what was the lesson to be learned? NBC argued that the incidents “helped to explode the illusion … that everyday consumers can rely on online services to be available without fail.” Sean O’Brien, an apparently cynical cybersecurity lecturer at Yale Law School, even told NBC bluntly that “‘The cloud’ has never been sustainable.”
O’Brien — also the chief security officer at blockchain-based messaging service PanQuake — insisted to NBC that the cloud “is merely a euphemism for concentrated network resources controlled by a centralized entity,” suggesting that alternatives like peer-to-peer technology and edge computing might gain popularity over what he called our “feudal” system of concentrating power among a few giant cloud companies.
But the solution could also be as simple as more cloud, argued Vahid Behzadan, an assistant professor of computer science at the University of New Haven, with companies considering the resilience potential of multicloud solutions.
The outages in 2021 could just spur more improvements, Behzadan told NBC, quipping that whatever doesn’t kill the internet will make it stronger.
But even if that’s true, 2021 showed us lots of other areas for improvement.
The Rise of Russian Cyber Soldiers
This year began with a scramble to address what Microsoft President Brad Smith later called “the largest and most sophisticated attack the world has ever seen,” estimating that “certainly more than a thousand” engineers must have worked on assembling the exploit.
On the CBS News show “60 Minutes,” Smith said Microsoft assigned 500 engineers just to investigate the breach of a widely used network-managing platform that was first disclosed in mid-December of 2020.
The attackers hit SolarWinds Orion, which 60 Minutes described as “one of the most ubiquitous software products you probably never heard of … made up of millions of lines of computer code. Four thousand thirty-two of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor…” 18,000 companies downloaded what Reuters later described as “bugged network-management software,” in an attack CBS blamed on “Russian cyber soldiers” which involved both private and public networks.
“The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic — but the department won’t tell us exactly what was taken,” CBS reported. “It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal.” Reuters also identified Intel, Cisco, and Microsoft as being breached after downloading SolarWinds’ software. In an email this weekend a SolarWinds representative stressed that “a much smaller number” than 18,000 were actively compromised through their security hole, though Reuters reported as recently as September that the actual impact “remains largely unknown.” Reuters even spoke to a consultant who works with dozens of publicly traded companies that downloaded SolarWinds’ compromised software, and the consultant admitted that “most companies have had unreported breaches.”
Of course the year ended with another widespread security issue — and a scramble to address Log4j vulnerabilities (which this week were calculated to impact 35,863 Java packages). But in between, it was a year in which breaching security actually turned into a highly lucrative profession, impacting everything from cream cheese suppliers to a pre-Christmas attack on Kronos’ payroll system.
‘The Year of Ransomware’
In fact, network security vendor SonicWall even decided to name 2021 “the year of ransomware” — and the numbers the company provided were startling.
Using data gathered from more than 1 million security sensors in nearly 200 countries, SonicWall calculated an average of 1,748 ransomware attempts per customer by the end of September, along with a 33% rise in IoT malware. This added up to a whopping 495 million ransomware attempts by the end of September.
And the researchers ultimately predicted 219 million more ransomware attempts for the last three months of 2021, so that by New Year’s Eve the total number of 2021 ransomware attacks would reach 714 million.
Some of the attacks were so colossal, they made national headlines. May saw a ransomware attack on Colonial Pipeline, a major East Coast fuel supplier. (Bloomberg reported that within hours the company had desperately paid $4.4 million ransom to their Eastern European attackers — of which $2.3 million was later recovered.)
Bloomberg also cites estimates that the average ransom paid by organizations in 2020 had already reached $312,493. In June of this year, CNET reported that meat producer JBS USA paid an $11 million ransom after attackers shut down operations at five of their beef-processing plants.
It turns out some ransomware now even shares the distribution model of Tupperware: multilevel marketing. ZDNet reported the growth of the Ransomware-as-a-Service industry, in which malware creators lease their products to interested cyberattackers in exchange for a cut of extorted money. (Some apparently even offer their software on a subscription basis.)
ZDNet also got a discouraging prediction for 2022 from a senior product marketing manager at Zerto (a company whose products for virtualized infrastructures and cloud environments include backup and disaster recovery solutions). “We’re going to see a continued increase in the severity and volume of ransomware attacks,” the source said.
In the same article, the chief security scientist at cloud security provider Thycotic even wondered if another subscription model might evolve, where companies set up regular payments directly to ransomware gangs to avoid being attacked.
‘A New International Era’
Of course, there were other security issues too. The year 2021 was when more than 40 million Americans had their health information exposed in data breaches, according to The Verge, “a significant jump from 2020 and a continuation of a trend toward more and more health data hacks and leaks.”
About 220 million Brazilians also had their personal data exposed in January after a leak at credit-reporting service Experian.
But some thefts were more lucrative than others. At the end of the year, NBC News calculated there’d been 20 different cryptocurrency heists over $10 million — with six over $100 million.
Elsewhere, some old threats returned in new forms, and October found Microsoft warning of more “nation-state activity” from the same group behind the SolarWinds attack, “attempting to gain access to downstream customers of multiple cloud service providers” (as well as customers of managed service providers and other IT services organizations).
Rather than exploiting a single vulnerability, the cyber attackers instead relied on, according to Microsoft, “a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.”
The attack “shares the hallmarks of the actor’s compromise-one-to-compromise-many approach,” Microsoft added, warning that the attackers were “targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems.”
In October, Microsoft’s Smith made the cheery assessment that “We’ve entered a new international era that falls short of war but with constant foreign cybersecurity attacks that threaten not only our businesses, but our students, healthcare and daily lives.”
A New Hope
Amid the bad news, there was a fond look back to the days when the internet was young, and the Linux operating system was just a dream for ambitious young Linus Torvalds. As Linux approached its 30th anniversary, the month of May found Torvalds looking back and remembering that Linux “literally grew kind of haphazardly from me initially just trying to learn the in-and-outs of my new PC hardware.”
It was a simpler time, a point driven home by Dirk Hohndel, an early Linux contributor (now also the chief open source officer and vice president at VMware). In a conversation with Torvalds in September, Hohndel pondered the new complexity of software today, in a world of containers and Kubernetes and wide varieties of microservices.
“If I grew up today,” Torvalds acknowledged, “I’m not sure if I would get close enough to the hardware where I would feel comfortable understanding.”
But at the same time, he pointed out, younger developers today can experiment with a wide variety of Raspberry Pi single-board computers and accessible microcontrollers, online architecture manuals and more. So it’s also a world with more information.
And maybe that’s where the hope lies for the future. Microsoft’s Smith writes that in assessing America’s response to SolarWinds, Microsoft had also discovered a sobering truth: “a shortage of trained cybersecurity workers slowed our customers’ responses.”
He then pledged a national campaign with U.S. community colleges to increase America’s cybersecurity workforce by 250,000 over the next four years. The campaign’s goal is to help fill the 464,200 still-open (and high-paying) positions requiring cybersecurity skills, representing a full 6% of all job openings in the country.
“While some of these individuals will work at Microsoft,” Smith wrote, “the vast majority will work for tens of thousands of other employers across the country.”
The campaign involved a free curriculum (including materials aligned with Microsoft Azure Security Technologies certification), as well as training at 150 community colleges and scholarships and “supplemental resources” for 25,000 students (including some mentorship from Microsoft employees and GitHub student developer packs).
“On many days and on many issues, disagreements can divide our country,” Smith’s blog post concludes. “But we need a cybersecurity jobs campaign that protects the nation and brings us all together.”
Buried in all these news stories is that glimmer of hope: that instead of remembering all the cybersecurity challenges faced by technology workers in 2021, maybe history will also recognize this as the year we began mobilizing resources to meet those challenges.
But whatever happens next, 2021 has raised questions that 2022 will have to answer.