The 5 Worst Cyberevents of 2014
If nothing else, 2014 proved that no organization was above compromise from cybercriminals. The retail world, Hollywood and even the U.S. government were all stung by some form of cybercrime this year, and research indicates that events like this are likely to happen more and more frequently in 2015.
Our increasing reliance on the Internet for commerce, connections and entertainment means that there is plenty of valuable information ready for plunder. With motivations and strategies evolving at a breakneck pace, it’s nearly impossible to predict where the next target (no pun intended) will emerge.
But as cybercrime has serious ramifications for our privacy and safety online, it’s critical to learn from history. Here we’ll take a look at the cases that brought novelty to 2014 and what they say about the future of cybersecurity.
With the Target fiasco of December 2013 still looming, it seemed that for the first half of the year, the media and the public were on high alert for the next big cyberattack. However, it wasn’t a criminally initiated event that would be the first of 2014 to cause panic; rather, the culprit was a widespread bug in multiple network systems.
Heartbleed, as it would come to be known, existed as a flaw in the coding of many server systems that could be exploited to obtain personal information from website users. Finnish security firm Codenomicon, which helped discover the bug, says that this could be one of the worst invasions of privacy in Internet history. The exploit was later confirmed by Kaspersky Labs, another security software company.
“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content,” Codenomicon said. “This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
While testing the exploitable code on its own servers, Codenomicon reported that it was able to enter and leave without a trace. OpenSSL, which made the popular code, has released a fixed version that does not have this vulnerability, although widespread adoption may take some time.
Multiple well-known Internet services were potentially compromised by the exploit, including popular mail services like Yahoo and Gmail.
Unfortunately, because the issue is a coding glitch rather than an active attack, little is known about the extent to which it was used to gain access to sensitive systems. Security experts have likened Heartbleed to leaving the front door unlocked and exiting the house; no sign of forced entry makes it difficult to confirm that anyone was there while you were out.
By virtue of Heartbleed being a new and frightening security flaw, it’s certainly one of the cyber-security events that defined 2014, and the incident raises the question: what other exploitable flaws exist in the networks we use every day?
2014 marked the first time that the Department of Justice actually filed action against international cybersaboteurs.
In May, the DOJ announced its intentions to hold individuals working for the Chinese military accountable for an attack. The charges target five individuals of the People’s Liberation Army who allegedly stole information about the design and operation of nuclear power plants in the U.S. The charges will be filed in the Western District of Pennsylvania.
The move marked a shift to a more aggressive stance from the United States in its ongoing cyber-battle with China over frequent intrusions. China had previously received a stern warning from the DOJ about the espionage tactics it employed against the United States, with the department contending that the theft of proprietary information is an effort to gain an unfair economic advantage.
Attorney General Eric Holder said in a statement that “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.” The official charges are expected later today, and should offer more clarity.
Since revelations that the U.S. and Israel used “Stuxnet” malware to cripple Iranian nuclear enrichment facilities, it’s been common knowledge that governments around the world are involved in quiet cyberwarfare, keeping tabs on one another, stealing valuable information and even attacking infrastructure when the mood strikes.
This event was critical to 2014’s cybersecurity history as it drags the details of shadowy campaigns waged around the world into the open, showing the public an on-going cyberwar brimming just beneath the surface of polite society. It also shows the increasing worth of intellectual property as a target for hackers.
Whispers over the summer indicated that a security event may have compromised the systems of several large financial institutions. While details were scarce, those close to the event said at the time that it may have been committed by organized hacking groups based out of Russia.
Among those affected, JPMorgan Chase released details in early October stating that information of up to 76 million households and 7 million small businesses may have been compromised in the event. Other companies in the financial industry reported similar incidents at the time, leading some to suspect a larger persistent effort, potentially linking the organized group to government-backed efforts.
The details of the attack were released in accordance with the Securities and Exchange Commission’s transparency standards a few weeks later. According to the notice, user contact information was the most likely piece of data to have been stolen.
Unlike similar events at Target and Home Depot, intruders may have gained access to more sensitive customer details held by the bank, including account details and social security numbers. JPMorgan claims that there is no evidence that this occurred.
This incident makes the list for two reasons. First of all, the financial industry poses a particularly attractive target for hackers due to the cache of sensitive information it collects. Second, the alleged involvement of government-backed actors also shows the direction that the space is going in. Such groups have become increasingly involved in cyber-warfare, and the news on them this year is likely a sign of things to come.
4. Home Depot
In early September, cybersecurity blogger Brian Krebs, who had previously broken news of the Target breach by identifying a pattern in the batches of credit cards flagged by banks, warned that home improvement giant Home Depot was likely the most recent target of such an attack. Shortly thereafter, Home Depot confirmed the incident.
While the company did not immediately release estimated figures of how many people were affected by the breach, it did say that all Home Depot stores in the region — 1,977 stores in the United States and 180 in Canada — were affected. Home Depot said that Mexican stores and HomeDepot.com were not part of the breach.
The method of intrusion was similar to those used against Target in 2013, infecting point-of-sale kiosks to steal customer card information and personal details.
In a release issued on Nov. 6, the home improvement giant announced what had been suspected: the event was one of the largest on record. In addition to roughly 56 million payment card details which were stolen, up to 53 million e-mail addresses were also compromised. While the company does not believe that hackers were able to get their hands on the passwords of these emails, it has warned customers to be vigilant of phishing attempts and other e-mail-based scams.
The company also said in that release that the malware responsible had been isolated and removed from the system. They have also taken additional steps to prevent similar incidents from occurring in the future.
Retail hacks have never been uncommon; however, the Home Depot events show the absurd sizes they can achieve. As one of the largest hacks of 2014, it’s essential that corporations consider this and other retail cyber-catastrophes when they build their defenses. This is a record we’re sure no one wants to top.
5. 'The Interview,' Sony Pictures and North Korea
When we think about cybercrime, we think about the theft of tangible assets: bank accounts, personal info, social security numbers and the like. But this case marks one of the first times something of much more basic value has been threatened -- our rights to free speech and expression.
After threats of violence against audiences and refusal from multiple theater chains to play the film, on Dec. 17 Sony Pictures canceled its theater release plans for “The Interview.” The movie, which starred James Franco and Seth Rogen as characters on a mission to assassinate North Korean leader Kim Jong-un, was the impetus for persistent cyber-attacks perpetrated by hacker group Guardians of Peace or #GOP, which investigators have now confirmed has ties to the North Korean government.
In November, #GOP gained access to the private databases of Sony Pictures, leaking sensitive information that included financials, unreleased films and private communications. Though unconfirmed, reports at the time suggested that the movie, which features a Jong-un death scene, may have been the cause.
Following what has been described as a “crippling” attack on the studio’s critical infrastructure, threats of violence were made to Sony Pictures.
The threat, which appeared on Sony Pictures computers, warned Sony and theaters to “remember the 11th of September 2001…We recommend you to keep yourself distant from the places at that time.” According to the New York Times, U.S. officials have determined that North Korea was “centrally involved” in the incident. Those allegations have since been challenged by cyber-security experts, but regardless of who actually perpetrated the intrusion, the result remains the same.
While the movie has since been released via on-demand options like YouTube, the attack did--at least for a brief period--successfully deny an artistic outlet its freedom of speech, setting a chilling precedent for government-on-government cyber-warfare.
Originally published on InsideCounsel. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.