2020 was a tough year for a lot of reasons, not least of which were breaches and hacks that visited pain on end users, customers, and the organizations that were targeted. The ransomware menace dominated headlines, with an endless stream of compromises hitting schools, governments, and private companies as criminals demanded ransoms in the millions of dollars. There was a steady stream of data breaches as well. Several mass account takeovers made appearances, too.
What follows are some of the highlights. For good measure, we’re also throwing in a couple of notable hacks that, while not actively used in the wild, were impressive beyond measure or pushed the boundaries of security.
The SolarWinds hack
2020 saved the most devastating breach for last. Hackers who multiple public officials say are backed by the Russian government started by compromising the software distribution system of SolarWinds, the maker of network monitoring software that tens of thousands of organizations use. The hackers then used their position to deliver a backdoored update to about 18,000 customers. From there, the hackers had the ability to steal, destroy, or modify data on the networks of any of those customers.
It’s going to take time for investigators to assess the damage. That’s because not everyone who installed the malicious update received follow-on attacks. So far, security firm FireEye has said the hackers sought information about its government customers and also stole red-team tools used to test customers’ security defenses. US officials, meanwhile, have said that dozens of Treasury Department email accounts have also been hacked.
While the full effects of the breach won’t be known for another few months, it’s already clear the SolarWinds hack is one of the most damaging espionage hacks visited on the US in the past decade, if not of all time. It was carried out by attacking a software supply chain that’s vital to some of the biggest companies and government agencies in the world. Attackers then used that pipeline to burrow deep into the networks of the most interesting entities.
Besides the loss of so much valuable data, the SolarWinds hack is notable for the top-tier tradecraft it used. The attackers, according to Yahoo News, had control of SolarWinds’ update system no later than October 2019. They started pushing out malicious updates in March. The industry-wide compromise came to light not through the government agencies tasked with uncovering such things, but rather because of the investigation FireEye did.
Mass compromises of Twitter, Nintendo accounts
In July, Twitter lost control of its internal systems to hackers pushing a Bitcoin scam. The breach was notable because it compromised accounts belonging to politicians, celebrities, and business executives, many with millions of followers.
While the damage was modest—about $100,000 in phony Bitcoin promotion payments and some personal data stolen from some account holders—a hack like this could have been used to do much worse things (think an announcement from government or business leaders that manipulates the stock market or stokes geopolitical tensions).
Another thing that made this breach significant was the people who perpetrated it and the tactics they used. Authorities charged a 17-year-old, a 19-year-old, and a 22-year-old with using a spear phishing attack that stole an administrative password from a Twitter employee working from home during the COVID-19 pandemic.
A runner-up in the mass-account-compromise category was the hack that hit Nintendo in April.
Ransomware attacks on Dusseldorf University Hospital, Garmin, and Foxconn
These are separate breaches, but together they underscore the cost ransomware attacks are exacting, not only on the targeted organizations but also on the millions of people who rely on them.
During an outage that hit one of the hospitals near Dusseldorf, Germany, a patient seeking life-saving treatment was turned away and died as she tried to obtain services from a more distant facility. It’s possible or even likely that the patient would have died anyway, but the compromise nonetheless illustrates the potentially fatal role ransomware and other types of damaging hacks can have.
The Garmin attack, meanwhile, caused a four-day outage that knocked out GPS services to millions of people, some of them aircraft pilots doing flight planning and mapping.
Another ransomware attack that attracted attention was the breach of electronics giant Foxconn. Attackers demanded $34 million for the return of the data, making it the highest ransom ever sought.
Data breaches hitting Marriott and EasyJet
These were also separate hacks, but they led to the compromise of personal data belonging to hundreds of millions of individuals.
An iPhone zero-click exploit and the extraction of an Intel CPU crypto key
Not all hacks are bad. More often than not, they’re done by the good guys. And occasionally, they’re so elegant that you just have to admire the ingenuity that went into them.
This year’s most impressive hack came from Ian Beer, a member of Google’s Project Zero vulnerability research team. He devised an attack that, until Apple issued an update, gave him full access to every iPhone within range of his malicious Wi-Fi access point.
His attack didn’t require the iPhone user to do anything, and it was wormable, meaning exploits could spread from one nearby device to another. The exploit is one of the most impressive hacking feats in recent memory and shows the damage that can result from a single garden-variety vulnerability. Apple patched a buffer overflow flaw after Beer privately reported it.
Another top hack this year was the extraction of a secret key used to encrypt microcode on an Intel CPU—a first in the annals of security and reverse engineering.
The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse-engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn’t survive a reboot.
There’s an old saying in security circles that attacks only get better. 2020 proved the saying to be true once again, and no doubt 2021 will do the same.