Cybercrime comes in many forms, and it cost the global economy an estimated $450 billion last year. Though tallies have yet to come in, 2017 will likely end with even bigger figures–more money lost, more time stolen, and more data breached than any year in digital history. It got us asking: what are the worst cyber security disasters? More importantly, what do they have in common (assuming that common threads can provide additional insight into disaster preparedness)?
We found some interesting and surprising answers. So here’s a case study of ten remarkably disastrous security incidents, and what you should know for future preparedness.
First up, a quick history lesson: in the year 2000, the dot-com bubble had not yet burst. Yahoo was the biggest search engine on the web. Amazon was primarily a bookseller. And a 15-year-old boy from Quebec gave the digital era a wake-up call. The self-described “bratty kid,” Michael Calce, is now a Montreal, Canada-based security consultant. After years of silence on the topic of his hacking past, in 2011, with a memoir on the horizon, he began accepting some requests for interviews, including one with CNN–one of the very sites he had hit with a cyber attack!
Back in Y2K, Calce hijacked nearly 200 university networks for his targeted attack on CNN, after several highly successful DoS (denial of service) attacks on Yahoo!, Amazon, Dell, E*Trade and eBay. When you consider the size of his Yahoo! attack, it would be like bringing Google to its knees today. The estimated cost of the damage: as much as $1.7 billion in economic impact.
The manhunt and subsequent trial of Mafiaboy led to the formation of the first US national cybersecurity conference and the creation of some of the first cyber security laws. Cybersecurity awareness became a thing, and so did the realization that cybercrime crosses national borders (like drug trafficking in an invisible world). Despite those lessons, botnet armies have continued to power massive cyber attacks that slow or cripple the internet, at great economic cost. More on that, next.
Around the time of Mafiaboy, DDoS attacks became a thing. A distributed denial of service occurs when a server is overwhelmed with requests (in the case of an attack, bogus requests arriving from many sources at once), which slow or stop legitimate web traffic and transactions. For most lay users, a slowed connection or an inability to access a site could mean taking their business elsewhere. For larger businesses, multiply that by about a million (or, in the case of Amazon at its peak, as much as 27 million transactions in a single day). Obviously, higher-volume sites also have bigger engines under the hood, but attacks still happen.
Then, last year, rather than attacking sites directly, hackers went after the infrastructure those sites depend on and attacked Dyn, a DNS provider, causing degraded or halted service at sites such as Twitter, PayPal, Netflix, and Spotify. As the UK-based Independent reported:
The widespread disruption was the result of a coordinated assault on some of the underlying infrastructure that powers the Internet. Dyn, one of several companies responsible for hosting the crucial web directory known as the Domain Name Service (DNS), suffered a sustained so-called “distributed denial of service” (DDoS) attack, leading many people intermittently to lose access to specific sites or the Internet entirely.
If you notice all of that explanatory lay-speak, it’s because this particular DDoS attack gained international attention in an unprecedented way–you halt that much business and suddenly everyone wants to know what DNS stands for.
That’s another thing the disasters on this list have in common: each, in its own way, got the kind of attention that can both raise awareness and, unfortunately, breed copycats. It wasn’t the first time a DDoS attack made headlines (just look at this report from 2002), but it brought a new level of attention to the idea of a botnet army. Manufacturers also learned an important lesson: every connected device should let its owner set a password, so your baby monitor doesn’t become a zombie attacker.
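The difference between one noisy client and a distributed flood, as an added example that is not part of the original article: a small Python monitor run over constructed access-log lines (the log format, the IP addresses and both thresholds are assumptions) showing why a per-source rate limit on its own does not catch a DDoS.

```python
import re
from collections import defaultdict

# Assumed log shape: the prefix of an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def make_log_lines():
    """Constructed sample traffic for three one-second windows (not real logs).

    12:00:00  normal: 3 clients, 3 requests each
    12:00:01  single-source burst: one client sends 40 requests
    12:00:02  distributed flood: 150 different clients send 1 request each
    """
    def line(ip, second):
        return f'{ip} - - [01/Jan/2017:12:00:0{second} +0000] "GET / HTTP/1.1" 200 512'
    lines = []
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        lines += [line(ip, 0)] * 3
    lines += [line("203.0.113.7", 1)] * 40
    lines += [line(f"198.51.100.{n}", 2) for n in range(1, 151)]
    return lines

def analyze(lines, per_source_limit=20, aggregate_limit=100):
    """Bucket requests per second and apply two checks.

    per_source_limit: a single client above this rate is flagged (classic DoS).
    aggregate_limit:  the whole second above this rate is flagged even when no
                      single client is noisy, which is exactly the DDoS case.
    Returns {timestamp: {"total", "sources", "flagged_sources", "aggregate_alert"}}.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # ts -> ip -> request count
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # unparseable line: skip it rather than crash the monitor
        buckets[m["ts"]][m["ip"]] += 1
    report = {}
    for ts, per_ip in buckets.items():
        total = sum(per_ip.values())
        report[ts] = {
            "total": total,
            "sources": len(per_ip),
            "flagged_sources": sorted(ip for ip, n in per_ip.items() if n > per_source_limit),
            "aggregate_alert": total > aggregate_limit,
        }
    return report

if __name__ == "__main__":
    for ts, result in analyze(make_log_lines()).items():
        print(ts, result)
```

The 12:00:02 window trips only the aggregate check: every one of its 150 sources stays far below the per-source limit, which is the whole point of spreading an attack across a botnet.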
It’s hard to assign a date to Yahoo’s massive email breaches, the largest known email hacks in history. One major attack was reported in September 2016, but had taken place two years earlier. Estimated impact: 500 million accounts. Then, in a moment of déjà vu, only a couple of months later, Yahoo announced a separate hack. Headlines read things like, “Yahoo says new hack affected 1 billion users, separate from earlier attack” (CNBC).
That’s right, they beat their own record. In addition to drawing national attention to things like two-factor authentication, the hacks upset a major acquisition: Verizon Communications had planned to purchase Yahoo!. The deal only recently went through, with a $350 drop in the price tag, according to CNN Money.
The data breach continues to haunt Yahoo!, under their new ownership. Many account users just received notice on October 3, 2017, of data that may have been compromised. “The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
As you’ll see when we get to Target, some of these cyber events take years to resolve (another thing many have in common).
In the Yahoo! breaches, usernames and passwords were stolen and one and a half billion accounts were affected. Yet rating higher on our list is last year’s breach of FriendFinder Networks (parent company of Ashley Madison and Penthouse.com, among others). LeakedSource first made the report, but the news rapidly spread.
An estimated 412 million user accounts were affected when the “world’s largest sex and swinger community” was compromised through a local file inclusion vulnerability. Apparently, usernames and passwords were stored either in plaintext or hashed with the easily cracked SHA-1 algorithm. The content of the sites, the size of the breach, the weakness of the password storage, the fact that it included deleted accounts, and the volume of .gov user email addresses all made this fiasco one for the record books. Sites of all kinds learned about safer hashing of user credentials.
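Why the MD5 storage in the Yahoo! notice and the SHA-1 storage in the FriendFinder breach are weak, and what safer credential storage looks like, as an added example (not code from the article or from either company): unsalted digests beside salted PBKDF2 records on a constructed user dump; the wordlist, the user names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist; real precomputed tables cover billions of candidates.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
# Assumed work factor; tune it so one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000

def legacy_hash(password, algo):
    """The weak scheme from the breaches above: one unsalted MD5 or SHA-1 digest."""
    return hashlib.new(algo, password.encode()).hexdigest()

def audit_unsalted_dump(digests, algo):
    """Count how many stored digests fall to a single precomputed lookup table.

    With no salt, every user who chose the same password shares a digest, so a
    table built once answers every record at the cost of one dict lookup each.
    """
    table = {legacy_hash(p, algo): p for p in COMMON_PASSWORDS}
    return sum(1 for d in digests if d in table)

def store_password(password, iterations=PBKDF2_ITERATIONS):
    """The safer scheme: per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"algo": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}

def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["hash"])

def compare_schemes(users):
    """users: {name: password}. Returns how the two schemes behave on the same dump."""
    md5_digests = [legacy_hash(pw, "md5") for pw in users.values()]
    records = {name: store_password(pw) for name, pw in users.items()}
    return {
        "md5_unique_digests": len(set(md5_digests)),
        "md5_recovered_by_table": audit_unsalted_dump(md5_digests, "md5"),
        "pbkdf2_unique_digests": len({r["hash"] for r in records.values()}),
        "pbkdf2_all_verify": all(verify_password(users[n], r) for n, r in records.items()),
    }

if __name__ == "__main__":
    # Constructed dump: two users picked the same weak password.
    print(compare_schemes({"alice": "password", "bob": "password",
                           "carol": "correct horse battery staple"}))
```

Two users with the same password collapse to one MD5 digest, which is why a leaked unsalted dump is cracked wholesale; the salted records differ per user and cost the full iteration count per guess.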
Retailers have seen major increases in cyber attacks. Point-of-sale systems, vendor- and supplier-connected portals, even on-site system administrators, pose potential risks. All of these potential weak links in the chain came to light when Target got hit in the bullseye, beginning on Black Friday 2013, the biggest US shopping day of the year.
The cyber attack on Target hit all of the wrong numbers (or right, depending on your point of view):
All told, Target lost an estimated $300 million and became a case study for security vendors in economic impact, security risks, and response actions. Now that enough time has passed to really drill down on what happened, security researcher Brian Krebs reported that the attack “appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer.” That’s right, a phishing attack against an unsuspecting HVAC guy may have cost a fortune to one of the largest retailers in the United States.
Even bad ideas start somewhere. In the case of phishing schemes, it’s hard to pinpoint an exact start, but there’s one type of beginning researchers can agree on: Melissa the virus. Melissa’s impact is still felt today, which is why she rates so high on this list:
Melissa was created by programmer David L. Smith, who claimed to have named the virus after an exotic dancer in Florida. Whether or not it was done intentionally, Melissa also took advantage of what was a monoculture at the time: Microsoft-based systems dominated corporate America, ripe for the spread of a Microsoft-macro-based virus, like the great potato famine of Ireland.
Melissa really began the phishing era, and the security research era too. The whole game of software development changed, requiring a cybersecurity component beyond just standard anti-virus software and firewalls. That’s an important lesson, but one that many companies have still not learned, as security disaster #4, the worst virus outbreak ever, will demonstrate.
Melissa had an impact. At the time, creator David L. Smith said, “I did not expect or anticipate the amount of damage that took place. When I posted the virus, I expected that any financial injury would be minor and incidental.” Yet major companies such as Microsoft, Intel, Lucent Technologies and Lockheed Martin were forced to shut down their email systems to prevent further spread of the virus. People first became aware of the dangers of an email attachment. Yet Melissa is a nostalgic memory from nearly 20 years ago compared with the wave of recent viruses that hit the cyberverse.
In the WannaCry timeline, you have to backtrack a little to the Shadow Brokers, the NSA, and North Korea. WannaCry first widely struck in May 2017, but it spread by exploiting security weaknesses in Microsoft Windows’ Server Message Block (SMB) networking protocol, using an exploit known as EternalBlue that was leaked by the hacking group the Shadow Brokers. Microsoft patched those vulnerabilities in March 2017, but backing up further, Microsoft learned of those weaknesses from the NSA, which had reportedly already used them.
WannaCry was ransomware, demanding payment in bitcoin. By many accounts, it was unsuccessful as ransomware, since it lacked any mechanism to verify a victim’s payment and release that victim’s hijacked files. Despite that, the economic impact of WannaCry is higher than that of any other virus in history: $4 billion to date. 150 countries have reportedly been affected. If you include copycats like NotPetya, the costs get even higher.
WannaCry had a fatal flaw, which UK-based security researcher Marcus Hutchins turned against it. Before doing anything else, the malware checked an obscure, unregistered domain name; Hutchins registered that domain, essentially creating a sinkhole. (In another twist in the bizarre WannaCry story, Hutchins has since been indicted on charges related to the Kronos banking Trojan.)
WannaCry makes the list at number 4, then, because of expense, impact, and also the state backing. In addition to being based on US-government-created exploits, it may have been the work of North Korea. The only thing preventing WannaCry from earning the number 1 spot was the ease with which it was both stopped and prevented (by installing the Microsoft-issued patch). It could have done even more damage, and it may have been more about creating havoc than about earning a ransom.
With state players and trojans, hacking has come a long way since Mafiaboy.
Unfortunately, on the heels of WannaCry and NotPetya, Americans may have grown numb to cyber attacks. But this one hit right in the kisser: potential identity theft for 145 million Americans (more than half of the nation’s population). Stolen data included names, dates of birth, physical addresses, social security numbers, and likely account-specific data such as account numbers. The CEO of the Atlanta-based company has resigned but still faces testimony before a congressional committee. If we learned anything from the Target data breach, it’s that it may be years before final answers and financial impact can be accurately determined.
The US Department of Homeland Security issued a warning in March about an Apache Struts 2 vulnerability. One can only assume that Equifax knew of the security alert, considering that it sells its own data breach products (advertised as helping companies prepare for cyber events). By May 2017, hackers had identified that Equifax was running the vulnerable versions of Struts 2. In July, Equifax knew of the breach, but it would be September before it issued its limp announcement to the public. Facing immediate criticism for its inaction, Equifax continues to handle the PR maelstrom, including the fact that a couple of top executives sold millions in stock after the breach but before public notification.
(By the way, the official statement on the stock sales, provided from an Equifax spokesperson to Gizmodo, said, “Equifax discovered the cybersecurity incident on Saturday, July 29. The company acted immediately to stop the intrusion. The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”)
No doubt, the insider-trading speculation will also be part of the ongoing investigation. But beyond the shady nature of some of the details, what else makes the Equifax hack such a big deal? Both the scope of the impact (even the FTC has had to create a response and action page) and the silence of the impact. How many of those millions of affected Americans will take any action whatsoever against what amounts to outright theft? That also remains to be seen. At the moment, it looks like not very many.
Unfortunately, a lack of widespread action can look like a written invitation to would-be copycat threat actors.
Interfering in foreign elections is actually nothing new; it has just taken a digital turn. Rather than wax politically philosophical, though, we’ll simply note that cyber attacks of a global political nature rate so high on this list because of their potential impact. It is not an exaggeration to say that the future of global politics may come down to outside cyber actors.
At the moment, Russia is in the hot seat. International committees have met to discuss its meddling in US and European elections. The NSA testified before a congressional committee about Russian involvement in political “infrastructure” on both sides of the Atlantic. New data in the ongoing investigation of the 2016 US election continues to expand the extent to which Russian-sponsored cyber threats played a role. While no one can say, definitively, whether the outcome of the election would have been different without that interference, the implications for cybersecurity are clear: Russia is running an aggressive cyber program on a global scale.
Russia isn’t the only one taking to the cyberverse for espionage and warfare, however. According to Department of Defense testimony to the Senate Armed Services Committee:
As of late 2016 more than 30 nations are developing offensive cyber attack capabilities. The proliferation of cyber capabilities coupled with new warfighting technologies will increase the incidence of standoff and remote operations, especially in the initial phases of conflict. Cyber attacks against critical infrastructure and information networks also will give actors a means of bypassing traditional defense measures and minimizing the advantage of geography to impose costs directly on their targets from a distance. Russian officials, for example, have noted publicly that initial attacks in future wars might be made through information networks in order to destroy critically important infrastructure, undermine an enemy’s political will, and disrupt military command and control.
Did you catch that? Experts in the US expect cyberwarfare to be the next form of warfare, at least initially. So each time an election gets messed with, a power outage happens somewhere in the world, or a virus exploits a computer weakness, it may actually be a warm-up act for cyber warfare, from any of more than 30 different countries. So, while heads are down worrying about the Equifax breach, behind the scenes there may be larger threats than identity theft.
It’s like you can’t say “fake news” anymore without starting a political debate. We’re not going to go there, but we are calling fraudulent reporting the greatest cybersecurity threat in the world today. Why is that? Because it cuts into the very heart of what has gone wrong, and could continue to go wrong, in the cyberverse.
“Fake news” got lots of heat around the 2016 US election, but the news isn’t new. Back in 2012, CNN reported that an estimated 83 million Facebook accounts weren’t real. Now, the social media giant is purging tens of thousands of accounts and turned thousands of Russian-backed ads over to the ongoing investigation by Congress. But the misinformation out there isn’t just fueled by a political agenda or sparring nations. Clickbait is a burgeoning business, harnessing the power of social media, groupthink, miseducation and “confirmation bias” to fool algorithms and humans alike.
Fraudulent reporting, then, isn’t just a security risk. Backed by state-sponsored threat actors, it is the non-friendly Olympics of hacking–nations recruiting their best to compete, and in doing so threatening national security. They have the potential to harness the power of the digital era to determine the future leaders and agendas of entire nations. There may be no gold medal to hand out, but by affecting elections they have the potential to threaten economies. Fake stories, backed by state-sponsored threat actors, will decide international destiny unless cyber security improves.
As we learn from these cyber security disasters or see cyber-warfare between nations in the years to come, one thing remains certain: human beings are necessary. While an algorithm can decipher massive quantities of data, without human analysis you get more fraudulent reporting and mass confusion (sometimes mass hysteria). The underlying thread, uniting all of these cyber threats, then, is a continual rise in intensity. As the risks mount, with higher stakes and greater force, the need for human cooperation also increases.
The future of artificial intelligence includes human intelligence, not just for the programming, but also for the judgment of which human beings are distinctly capable. Whether or not we exercise that humanity, or use it to generate more computer viruses, remains to be seen.