The Biggest Hacks of 2021 (So Far)

Call it a “ransomware apocalypse,” or maybe just a huge pain in the ass. Whatever you want to call it, the malicious cyberattack on global IT provider Kaseya just ahead of the July 4 weekend has certainly screwed up a lot of stuff for a lot of people, affecting potentially as many as 1,500 businesses all over the world, bringing down local governments, shuttering a popular Swedish chain of supermarkets, and squeezing an already strained U.S.-Russia relationship at the worst possible time.

The attack, which infected a popular Kaseya software product called VSA, was used to spread malware to dozens of the company’s customers—many of which were managed service providers, or MSPs, firms that help small businesses and government agencies with outsourced IT tasks. As a result, the malware infected the MSPs’ customers, too, resulting in hundreds and hundreds of businesses being affected.

The cybercriminal gang behind the attack, the Russian-speaking group REvil, initially asked for $70 million in return for a “universal decryptor” that would unlock all of the files that the single attack has frozen worldwide. By mid-July, however, the group appeared to have gone underground, conveniently disappearing after making a mess of truly global proportions.

Yeah, even by recent standards, this attack is big—potentially one of the biggest of its kind the world has ever seen.

A big protean mess that seems to have no real beginning or end, the “SolarWinds” hack will likely continue to influence the conversation around U.S. cybersecurity for years to come. The hack, which U.S. authorities believe involved Russian (and maybe Chinese) threat actors worming their way into the networks of major federal agencies and American companies via compromised software, helped said hackers gather untold amounts of intelligence on the U.S. government and private sector. While the incident was first publicized in December, subsequent disclosures about the extent of the hack have continued over the past six months, leading to multiple congressional hearings, audits, and investigations.

Despite being commonly referred to as “SolarWinds,” the hack actually involved a compromise of at least three different software firms, including SolarWinds, Microsoft, and VMWare, according to the Cybersecurity and Infrastructure Security Agency (CISA). A total of 12 federal agencies are confirmed to have been penetrated by the hackers—including the Department of Defense, the Department of Homeland Security, the Federal Aviation Administration, the judiciary, and NASA, among others. The hackers also allegedly wormed their way into the networks of major Fortune 500 companies.

As dramatic and massive a fuckup as SolarWinds was, what came next was possibly even more widespread: the discovery in March of a smattering of security flaws in Microsoft Exchange—a widely used email product—the likes of which set off a global epidemic of cyberattacks. At the time, Bloomberg reported that the vulnerabilities in Exchange had possibly led to “at least 60,000 known victims globally,” around 30,000 of which were inside the U.S. Many of the attacks were blamed on a group dubbed “HAFNIUM,” potentially located in China. However, the vulnerabilities set in motion what was basically a rat-king of hacker activity—with close to a dozen different cybercrime groups reportedly pillaging vulnerable servers and implanting backdoors.

The Colonial Pipeline attack is likely the most important cyberattacks of the year so far—both for its ability to show the devastating potential of cybercrime and for the robust federal response it inspired. It also showed our country is still completely and utterly addicted to oil and will be for the foreseeable future.

In May, hackers affiliated with the ransomware gang DarkSide managed to get inside the network of Colonial Pipeline, one of America’s largest oil and gas companies. By temporarily halting the pipeline’s operations, the attack not only spurred a short-lived energy crisis throughout the Southeast—the likes of which devolved into a panicked melee at gas stations in multiple states—it also fundamentally shifted how the federal government approaches cyberattacks of this nature. Following the attack, the FBI managed to trace and seize a significant portion of the cryptocurrency ransom payment that Colonial made to the hackers—a somewhat unprecedented development. At the same time, the event helped to catalyze an accelerating government initiative to crack down on cybercriminals, including a new ransomware task force put together by the Justice Department and other defensive policies put out by the Biden administration.

A gargantuan theft of data from Amazon-owned streaming giant Twitch has spilled vast swaths of the platform’s contents onto the internet for all to see.

On Oct. 6th, an anonymous leaker posted a 125GB cache of Twitch’s data to 4chan as a torrent. Among many other things, the leak included the company’s source code, internal company documents, and red teaming tools. It also revealed the salaries and other personal information of some of the platform’s biggest stars and channel operators—causing no small amount of controversy. Twitch has clarified that its data was actually exposed to the web as the result of “an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.” In other words, Twitch got itself into trouble with its own security hiccup.

The anonymous culprit behind the leak claims to have carried it out to “foster more disruption and competition in the online video streaming space.” They also called Twitch a “disgusting toxic cesspool,” one that “we have completely pwnd.”

CNA, one of America’s largest insurance companies, has made a big push to sell cyber insurance—a product that, ironically, is designed to protect businesses from exactly the kind of scenario that CNA itself recently wound up in. In March, a ransomware group calling itself “Phoenix” attacked the company, successfully grabbing large amounts of its data. CNA should definitely get, like, an award or something for its subsequent philanthropic contribution to the digital underworld: the company allegedly paid their data-captors a whopping $40 million—a figure that certainly sets the record for publicly known payments in these scenarios.

At the time, security professionals commented on how dangerous it was that a hacker group may have gained control of cyber insurance policy holder information, as it could allow for more targeted attacks calibrated exactly to victims’ financial information. On the other hand, “Phoenix” operators may have been so rich after their big CNA payout that they just decided to call it a day, forego all future attacks, and retire to some undisclosed hacker paradise.

On May 30, JBS, a Brazilian meat processor that serves as America’s largest source for beef and pork, discovered that hackers affiliated with the ransomware gang REvil successfully compromised its networks. JBS then reportedly paid REvil $11 million for the decryption of their data—providing yet another example of the kinds of havoc a well-placed cyberattack can wreak on pivotal consumer supply chains. Between Colonial Pipeline and this, you’d start to wonder whether these hacker gangs were secretly a bunch of vegan, anarcho-environmental activists looking to teach Americans the error of their gas-guzzling, cow-slaughtering ways. Alas, no. They’re likely just ruthless opportunists, hellbent on extorting big money by hitting our country where it hurts the most: our love of all things environmentally unfriendly.

While maybe not one of the biggest attacks of the year, the hacking of Washington, D.C.’s Metropolitan Police Department was certainly one of the most dramatic incidents in recent memory—and showed a new willingness by ransomware gangs to target law enforcement agencies with increasingly dangerous tactics. The ransomware gang Babuk attacked MPD in April, making off with 250 gigabytes of sensitive internal data—including disciplinary files on past and current police officers, intelligence on local protest activity, and, most alarmingly, information on informants embedded in criminal networks scattered throughout the city. The hackers then threatened to leak the data if their demands of a $4 million ransom were not met. Cops were so distressed they offered to pay $100,000 for the files, though the hackers declined—and subsequently dumped everything online.

The biggest “sleeper” attack of the year so far, the hacking of a little-known cloud company called Accellion didn’t get as much press as other hacks but had big implications worldwide. In December, the ransomware gang ClOP used security flaws in one of Accellion’s most widely used products to hack the files of dozens of prominent entities throughout the world. The victims included Shell Oil, about a half dozen American universities, a Canadian aerospace manufacturer, banks and transportation agencies, a telecom conglomerate in Singapore, and one of America’s largest supermarket chains, Kroger, among others.

Of course, as of this writing, 2021 is only halfway over. At the rate we’re going so far this year, these major hacks are unlikely to be the last.

Update 12:10 pm ET, July 13: Added Kaseya hack.

Update 6:10 pm ET, Oct. 7: Added Twitch hack.