Insights

Cyber security year in review: Notable cyber attacks in 2021

Corporate | Insurance Law & Litigation

2021 saw a dramatic increase in the frequency and severity of cyber attacks, with ransomware the predominant mode and COVID-19 continuing to prove difficult for organisations shifting to remote working and cloud-based services. Below is a snapshot of significant cyber attacks and their impact on the targeted organisations.


SolarWinds (US)

December 2020

  • Supply chain attack
  • Breach went undetected for months and could have exposed sensitive data in the highest reaches of US government
  • Third-party claim: resulted in shareholder class action
  • SVR suspected

SolarWinds is an American software company that provides system management tools for network and infrastructure monitoring for entities ranging from Fortune 500 companies to the US government. Among their products is Orion, an IT performance monitoring system.

On 13 December 2020, it was reported that multiple government agencies' systems had been breached in a cyber attack. It was revealed that in September 2019, hackers infiltrated SolarWinds' Orion and added malicious code into the system. From March 2020 onwards, SolarWinds regularly sent out updates to its systems, unaware that these updates contained the hacked code.

The code created a backdoor to customers' systems that allowed the hackers to install further malware. Up to 18,000 customers installed the updates that left them vulnerable to the attack, with attacks confirmed by several high-profile customers including cybersecurity firm FireEye, the US Treasury Department, the Department of Homeland Security, Microsoft, Intel and Deloitte.

The attack has been labelled as extremely sophisticated with the attackers having approximately 14 months of access to SolarWinds' systems. It is believed that the intrusion of multiple servers and mimicking of legitimate network traffic allowed the attackers to circumvent threat detection tools used by SolarWinds, private companies and the US Government.

In January 2021, a shareholder cyber disclosure class action lawsuit was filed against SolarWinds as a result of the significant decrease in share price following the disclosure of the cyber attack, as well as allegations of misleading and deceptive conduct regarding the known security failures of the company.

Accellion

December 2020

  • Supply chain attack
  • Zero-day vulnerabilities
  • UNC2546 and UNC2582 identified as perpetrators

Accellion specialises in secure collaboration and file-sharing software.

Accellion suffered a zero-day attack targeting its File Transfer Appliance (FTA) software in December 2020. Hackers exploited four zero-day vulnerabilities in the FTA software to launch attacks on numerous Accellion customers and partners. A second exploit (code that takes advantage of a security flaw) was found on 20 January 2021 despite patches released in December 2020.

This supply chain attack impacted over 100 companies, organisations, universities and government agencies around the world, including the Australian Securities and Investments Commission, NSW Health, Morgan Stanley, Bombardier, Flagstar Bank, Kroger, Jones Day law firm, Qualys, Singtel, Reserve Bank of New Zealand, Royal Dutch Shell, Stanford University, Trinity Health, University of California and University of Colorado.

Microsoft Exchange Server (US)

January to March 2021

  • Microsoft Exchange Server zero-day vulnerabilities and patching
  • Vulnerabilities exploited by threat actors to launch cyber attacks
  • Hafnium and at least nine others suspected

In January 2021, a global wave of cyber attacks began after zero-day exploits were discovered in Microsoft Exchange servers. Hackers used these vulnerabilities to gain access to victims' entire servers, giving them access to user emails and passwords and administrator privileges. The hackers also used the vulnerabilities to insert backdoors into systems.

As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks. It is believed a number of significant US organisations were affected, including state and local governments, academic institutions, infectious disease researchers and law firms. It was not until 23 March 2021 that Microsoft announced 92% of Exchange servers had had the exploitation either patched or mitigated.

Florida water supply (US)

February 2021

  • Critical infrastructure: water supply
  • Hacker's attempt to poison water supply. An example of a cyber-physical industrial control systems (ICS) incident that could cause cyber-physical losses such as property damage or bodily injury
  • Hacker unknown

On 5 February 2021, a hacker gained remote access to the computer of a plant operator for the city of Oldsmar in Florida. The hacker opened various software functions that controlled the water being treated and increased the level of sodium hydroxide, or lye, in the water supply to 100 times higher than normal.

The hacker then exited the computer and a water treatment plant employee quickly returned the lye levels to normal and notified the appropriate people. No actual damage was done but it demonstrated the ease with which a cyber-physical industrial control systems (ICS) incident could potentially cause cyber-physical losses such as property damage or bodily injury.

Nine Network Australia

March 2021

  • Media network
  • Malware attack with no ransom demanded
  • Valuable sensitive data, disruption of media services
  • Perpetrator unknown

On 28 March 2021, the Nine Network suffered a variation of a ransomware attack. Its television and digital production systems were offline for more than 24 hours and Channel Nine was unable to broadcast from its Sydney studios, forcing the media outlet to shift operations to its Melbourne studios.

Investigations suggested that the hackers used Nine systems to send fraudulent updates to workers’ computers. These updates encrypted data and made the machines unresponsive. The attackers had therefore spent time within the networks prior to the attack, filtering around information, looking at systems and gaining access to devices. Unlike most ransomware attacks, however, there was no demand made, suggesting that the hackers were after sensitive company data or trying to disrupt its media services.

CNA Financial (US)

March 2021

  • Largest ransomware payout at US$40 million, setting a world record
  • One of the biggest US insurance companies
  • Ransomware attack: Phoenix CryptoLocker encrypted remote workers' devices logged into VPN
  • Destroyed and disabled certain CNA back-ups
  • Suspected: Evil Corp

CNA is the seventh largest commercial insurance provider in the United States. In late March, it experienced a disruption to its network and several systems, including corporate email. The investigation revealed that the threat actor accessed certain CNA systems at various times from 5 March 2021 to 21 March 2021. During this time, the attacker copied a "limited amount of information" before deploying the ransomware. The data breach affected 75,349 individuals.

Whilst CNA refused to comment on the matter other than that they followed all laws, regulation and guidance, it was confirmed that they paid US$40 million in ransom.

Acer (Taiwan and India)

March 2021 and two attacks in October 2021

  • Leveraging off Microsoft Exchange Server "zero-day" vulnerabilities
  • Multiple attacks across global servers. Large ransom demanded
  • Ransomware attack, stealing valuable data and cyber attack to expose poor cybersecurity practices and vulnerable global servers
  • Perpetrators: REvil and Desorden Group

On 18 March 2021, Russian-based attacker REvil posted on its data leakage site that it had infiltrated Acer and stolen data including client lists, payment form applications and financial documents. REvil leveraged the Microsoft Exchange Server zero-day vulnerabilities to complete the attack on Acer. The ransom note revealed that Acer had until 28 March 2021 to pay US$50 million.

At the beginning of the incident, Acer offered US$10 million as payment. REvil responded by offering Acer a 20% discount if it made the payment by 17 March 2021. Acer was then given until 28 March 2021 to pay the US$50 million or the ransomware demand would double to US$100 million. It is not known if Acer ever paid the ransom.

In early October 2021, Acer suffered a second cyber attack by the Desorden Group on its local after-sales service system in India. The Desorden Group claimed to have breached servers and stolen 60GB of files, including customer and corporate business data as well as financial information. No ransom was demanded but it appears the data stolen was posted to cybercriminal forum RAID as well as being sent to reporters.

A week later, Acer suffered another cyber attack on its servers in Taiwan by the Desorden Group. In particular, the group hacked servers that stored data on its employees and product information, and the only data stolen related to employee details. No ransom was demanded. It was reported that part of the reason why the Desorden Group conducted a second attack was to prove its point "that Acer is way behind in its cybersecurity effects on protecting its data and is a global network of vulnerable servers." In particular, Malaysia and Indonesia servers were vulnerable too.

Facebook (US)

April 2021 

  • Social media platform
  • Personal information exfiltrated
  • Perpetrators unknown

In April 2021, more than 500 million Facebook users' details were posted online on an underground low-level hacking forum. The exposed data included personal information such as phone numbers, Facebook IDs, full names, locations, birthdates and, in some cases, email addresses for users from 106 countries. It was estimated, however, that only about 2.5 million records contained a valid email address, an important factor if the data was to be used for identity theft and exploitation.

The data breach had occurred in 2019, with Facebook fixing the vulnerability in August 2019. Facebook announced a decision not to notify the users whose personal data was lifted in the breach.

Colonial Pipeline (US)

May 2021 

  • Critical infrastructure: oil and gas
  • Ransomware attack
  • Perpetrator: DarkSide, a ransomware-as-a-service (RaaS) provider
  • US$4.4 million ransom paid (although more than half was recovered)

Colonial Pipeline is the largest pipeline system for refined oil products in the United States. The pipeline is used to carry gasoline, diesel, and jet fuel interstate, with approximately 45% of all fuel on the East Coast arriving via this system.

On 7 May 2021, Colonial Pipeline suffered a ransomware attack that impacted its computerised equipment. Almost 100 gigabytes of data was stolen and threatened to be released on the internet if the ransom was not paid. Colonial Pipeline halted its operations as a precautionary measure due to a concern that the hackers might have obtained information that would allow them to carry out further attacks on vulnerable parts of the pipeline.

The company, with the assistance of the FBI, paid the ransom of US$4.4 million in Bitcoin. Following the payment, the Russia-based cyber-extortionist DarkSide sent a decryption tool to the company and it was able to recover its data. Operations, however, did not resume until 6 days later, on 12 May 2021.

At the time of the attack, supply shortage concerns resulted in petrol prices reaching their highest level in three years as well as panic buying. For example, 71% of petrol stations ran out of fuel in Charlotte, North Carolina on 11 May 2021. These fuel shortages also impacted travel, with American Airlines in North Carolina having to change its flight schedules temporarily to allow for plane changes and fuel stops.

On 7 June 2021, it was reported by the US Department of Justice that US$2.3 million of the cryptocurrency ransom paid had been recovered.


JBS Foods (Brazil, US, Aus)

May 2021 

  • Critical infrastructure: food industry and supply chain
  • Ransomware attack
  • Perpetrator unknown; REvil suspected
  • US$11 million ransom paid

JBS, a Brazil-based meat processing company, is the world's largest producer of beef, chicken and pork. It supplies approximately one-fifth of meat globally. On 30 May 2021, a ransomware attack brought down JBS's systems, forcing it to close temporarily all of its beef plants in the United States, as well as a plant in Canada. The company also paused beef and lamb kills in Australia and temporarily stood down 7,000 employees.

JBS is reported to have spent more than US$200 million on maintaining its IT systems annually and employs more than 850 tech specialists. Even then, it was still susceptible to attack. The FBI described the group that carried out the attack as “one of the most specialised and sophisticated” in the world.

JBS paid the group US$11 million in Bitcoin. JBS said the vast majority of its facilities were operational at the time of payment, however it decided to pay in order to avoid any unforeseen issues and ensure no data was exfiltrated.

Kaseya (US)

July 2021 

  • Supply chain attack
  • Ransomware attack with malicious Sodinokibi/REvil code deployed
  • Large ransom of US$70 million demanded although Kaseya did not negotiate or pay the ransom
  • REvil, Yaroslav Vasinskyi arrested

On 2 July 2021, Russian-based attacker REvil committed a ransomware attack on American information technology software company, Kaseya. The attack was on the Virtual System Administrator (VSA), which is a remote monitoring and management software. According to cybersecurity firm Huntress Labs, there was an authentication bypass vulnerability in the VSA web interface that allowed REvil to circumvent authentication controls and distribute a malicious payload through hosts managed by the software.

It is believed that the ransomware was distributed by an automated, fake, and malicious software update. In response, Kaseya shut down its VSA cloud and SaaS servers and issued a notification to all customers. The attack had a widespread impact, notably on Swedish supermarket chain Coop. The supermarket chain was forced to close all of its 800 stores after the attack prevented it from opening its cash registers.

REvil demanded $92 million (US$70 million) in Bitcoin for a decryptor tool following the attack. Kaseya did not negotiate with the attackers or pay the ransom and by 5 July 2021, Kaseya began deploying a security patch. Kaseya also obtained a universal decryptor key from a third party on 23 July 2021 and assisted its customers in unlocking the encrypted files.

Ukrainian national Yaroslav Vasinskyi was arrested in Poland on 8 October 2021 and charged with conducting several ransomware attacks, including the July 2021 attack against Kaseya. If convicted on all charges, Vasinskyi faces a maximum penalty of 115 years in prison. In the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks. After remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organisations around the world that used Kaseya software.

Frontier Software / South Australian Government

December 2021 

  • Ransomware and supply chain attack
  • State government impacted and employee data exfiltrated
  • Suspected: Russian hackers

On 10 December 2021, the South Australian (SA) Government announced that it was the victim of a supply chain attack, after its external payroll software provider, Frontier Software, was hit by a ransomware attack on 13 November 2021. Frontier's systems were down for four days at the time of the attack and it warned its customers about the attack. However, it wasn't until 8 December 2021 that it advised the government that it had identified traces of data exfiltration on its systems.

It appears at this stage that the SA Government is the only affected customer, with the attack affecting all of its departments except for the Education Department, which uses a different payroll system.

The SA Government has confirmed that the records of at least 38,000 employees were accessed and up to 80,000 employees could be affected, including potentially the Premier. The personal data stolen included employees' names, addresses, tax file numbers and banking and superannuation details.

No ransom demand has been made to the SA Government, although it is believed Russian hackers are responsible for the attack.

Frontier services approximately 27 per cent of employers with more than 2,000 staff and is a top payroll product in the healthcare and hospitality industries. This is not the only cyber attack on the SA Government this year, with reports of an attack on the government network in April 2021. Whilst little is known about the attack, it appears to be part of a series of attacks that occurred during 2021, which are believed to have been conducted by "a sophisticated state-based cyber actor."

Log4j2

December 2021 

  • Zero-day vulnerability
  • Ransomware
  • State-sponsored attacks

On 9 December 2021, a zero-day vulnerability was disclosed relating to Log4j2 software, a logging tool used by numerous Java-based applications, particularly Apache frameworks. The flaw was first detected in late November when signs of exploitation appeared in the popular Microsoft game Minecraft. Minecraft users were able to use it to execute programs on the computers of other users by pasting a short message in a chat box.

The vulnerability, known as Log4Shell or CVE-2021-44228, allows for remote code execution, giving hackers a potential opening to internal networks where they can then commit a number of attacks. These include exfiltrating valuable data, planting malware, coin mining and erasing crucial information. The vulnerability has been given a severity score of 10 out of 10 by the US National Vulnerability Database, and it is believed that this new threat will affect cybersecurity globally for a long time. It has been likened to Heartbleed, a vulnerability in SSL that affected many major websites and services, but was also difficult to detect and manage, as it is built in down the supply chain, and many vendors continue to investigate whether their products are affected.

The bulk of attacks seen to date have been related to mass scanning by attackers attempting to thumbprint vulnerable systems. Microsoft has also observed the vulnerability being used by multiple state-based groups originating from China, Iran, North Korea and Turkey, including the deployment of ransomware. Crowdstrike has also identified several advanced exploitations, including the deployment of web shells, and conducting lateral movement.

Cyber security company Check Point has stated that since implementing its protection, it has already prevented over 1,272,000 attempts to exploit the vulnerability, with 46 per cent of those attempts being made by known malicious groups. Check Point estimates that attackers have attempted to exploit over 40 per cent of global networks. Whilst the fallout of this vulnerability is still largely unknown, the ease of exploitation and breadth of applicability has led many experts to believe that the impact will be widespread and severe, particularly through ransomware attacks.

We will no doubt witness the effects of this zero-day vulnerability in 2022.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.