The Worst Hacks of the Decade
Credit to Author: Lily Hay Newman | Date: Mon, 23 Dec 2019 12:00:00 +0000
It's been a rough 10 years in cybersecurity—and it's only getting worse.
Over the last decade, hacking became less of a novelty and more of a fact of life for billions of people around the world. Regular people lost control of their data, faced invasive surveillance from repressive regimes, had their identities stolen, realized a stranger was lurking on their Netflix account, dealt with government-imposed internet blackouts, or, for the first time ever, literally found themselves caught in the middle of a destructive cyberwar.
It's been apparent for decades that an increasingly computerized world would inevitably invite constant digital threats. But the actual evolution of hacking—with all its scams, criminal black markets, and state-sponsored forces—has been characteristically human, not a sterile, dispassionate artifact of an unknown future. Here, in chronological order, are the data breaches and digital attacks that helped shape the decade. Take an anxiety-inducing stroll down memory lane—and stay safe out there.
Stuxnet was the first piece of malware to cause physical damage to equipment in the wild, crossing a long-feared line. Created by the United States government and Israel, the worm was used in 2010 to destroy centrifuges in an Iranian nuclear enrichment facility. Stuxnet chained four so-called zero-day vulnerabilities together to first target Microsoft Windows, and then search the compromised network for the industrial control software Siemens Step7. From there, Stuxnet manipulated the programmable logic controllers that automate industrial processes. Though Stuxnet hit the Iranian nuclear program, it could have been used in other industrial settings as well.
Shamoon is a Windows "wiper" that indexes and uploads a computer's files for attackers and then wipes the data and destroys the target computer's "master boot record," the fundamental first sector of a computer's hard drive. Shamoon can spread across a network, and was famously used in a destructive attack in August 2012 against the Saudi Arabian oil company Saudi Aramco, essentially bricking 30,000 computers. A few days later, Shamoon struck the Qatari company RasGas.
Shamoon was developed by Iranian state-backed hackers, seemingly drawing inspiration from offensive hacking tools created by the National Security Agency, including Stuxnet and the espionage tools Flame and Duqu. An evolved version of Shamoon resurfaced in a series of attacks during 2017 and 2018. The worm is significant for being one of the first used in nation-state attacks that was built both for data destruction and to render infected devices inoperable.
On November 24, 2014, a red skeleton showed up on computer screens across the United States operations of Sony Pictures Entertainment. Hackers calling themselves "Guardians of Peace" had infiltrated the company's networks and claimed to have stolen 100 terabytes of data. They later dumped hundreds of gigabytes, including unreleased Sony films, internal emails, actor compensation details, and employee information like salaries, performance reviews, sensitive medical data, and Social Security numbers. The attackers wreaked havoc on Sony's systems, not only stealing data but releasing wiper malware to delete files and configurations, so Sony would have to rebuild large portions of its digital infrastructure from scratch. The hack was eventually revealed to be the work of the North Korean government, in apparent retaliation for the release of The Interview, a comedy about the assassination of Kim Jong-un.
One of the most insidious and important data breaches of the decade is the Office of Personnel Management breach, which was really a series of breaches and infections orchestrated by China during 2013 and 2014. OPM is the human resources and administrative department for US government employees, and it stores a large amount of very sensitive data, because it manages security clearances, conducts background checks, and keeps records on every past and present federal employee. For hackers seeking insight into the US federal government, it's an unparalleled treasure trove.
Hackers linked to the Chinese government entered OPM’s network twice, first stealing the technical blueprints for the network in 2013, then initiating a second attack shortly thereafter in which they gained control of the administrative server that managed the authentication for all other server logins. In other words, by the time OPM fully realized what had happened and acted to remove the intruders in 2015, the hackers had been able to steal tens of millions of detailed records about every aspect of federal employees’ lives, including 21.5 million Social Security numbers and 5.6 million fingerprint records. In some cases, victims weren’t even federal employees, but were simply connected in some way to government workers who had undergone background checks. (Those checks include all sorts of extremely specific information, like maps of a subject’s family, friends, associates, and children.)
Pilfered OPM data never circulated online or showed up on the black market, likely because it was stolen for its intelligence value not its criminal value. Reports indicated that Chinese operatives may have used the information to supplement a database cataloging US citizens and government activity.
Two pivotal moments of the decade came in December 2015 and December 2016, when Russia, already in a physical war with Ukraine, launched two digital attacks against the Ukrainian electric grid that caused two very real blackouts. Both attacks were orchestrated by the Russian government hacking group Sandworm, known for its aggressive campaigns. The first blackout was caused by a suite of malware, including a tool called BlackEnergy that allowed the hackers to steal credentials and gain the access needed to manually turn off circuit breakers. The second targeted a single transmission station with a more evolved malware known as Crash Override or Industroyer. In this attack, the hackers could directly manipulate the systems controlling power flows, rather than using the clever workarounds of their first grid attack. The second blackout attack was intended to cause actual equipment destruction and lasting damage had it played out as intended. A small technical mistake, though, meant that the blackout only lasted about an hour.
Though hacker-induced blackouts have been the stuff of nightmares for decades, Sandworm was the first hacking group to actually launch real-world disruptive grid attacks. In doing so, Russia also demonstrated that it was not only fighting a kinetic war with Ukraine, but a full-fledged cyberwar.
A group calling itself the Shadow Brokers first surfaced in August 2016, publishing a sample of spy tools it claimed were stolen from the National Security Agency's Equation Group, an elite hacking team focused on international espionage. But in April 2017, the group released another, more extensive trove of NSA tools that included the Microsoft Windows exploit known as "EternalBlue."
That tool takes advantage of a vulnerability in Microsoft's Server Message Block file-sharing protocol, present in virtually all Windows operating systems at the time. Microsoft released a patch for the flaw at the NSA's request just weeks before the Shadow Brokers made EternalBlue public, but Windows users—including large institutions—were slow to adopt it. This opened the door to an onslaught of EternalBlue-related hacking worldwide.
The first prominent example is the malformed ransomware known as WannaCry, which used EternalBlue to sweep the world on May 12, 2017. Built by state-sponsored North Korean hackers seemingly to generate revenue and cause some chaos, the ransomware hit public utilities and large corporations alike, particularly in Europe and the United Kingdom. For example, WannaCry hobbled National Health Service hospitals and facilities in the UK, impacting emergency rooms, medical procedures, and overall patient care.
Researchers suspect that WannaCry was a sort of experiment that broke out of the lab—a piece of malware that North Korean hackers were still developing when they lost control of it. This is because the ransomware had major design flaws, including a mechanism security experts were able to use as a kill switch to stop the spread of WannaCry in its tracks. The ransomware only generated about 52 bitcoins for the North Koreans, worth less than $100,000 at the time and about $369,000 currently.
The EternalBlue leak and its subsequent mass exploitation stoked debate about whether intelligence agencies and the US military should hoard knowledge of major software vulnerabilities, and how to exploit them, for espionage and offensive hacking. The intelligence community currently uses a framework called the "Vulnerabilities Equities Process" to assess which bugs are of great enough importance to national security that they should remain secret and unpatched. But some argue that this oversight mechanism isn't adequate given the US government's poor track record of securing these tools, and the threat of another WannaCry-type incident.
Russian hackers didn't just spend the last decade terrorizing Ukraine. They also launched a series of destabilizing data leaks and disinformation campaigns against the United States during the 2016 presidential election campaign season. Two groups of Russian hackers known as APT 28 or Fancy Bear and APT 29 or Cozy Bear ran massive social media disinformation campaigns, used email phishing attacks to breach the Democratic National Committee and publicly leak the organization's embarrassing correspondence, and infiltrated the email account of Hillary Clinton campaign head John Podesta. Russian operatives leaked the stolen data through the anonymous platform WikiLeaks, stoking controversy just as US voters were forming their opinions about who they might vote for on election day. Russian hackers would later meddle in the French presidential election in 2017 as well.
Russia is far from the only country to attempt to promote its interests through election interference. But the country was perhaps the most brazen ever and chose a high-profile target by focusing on the US in 2016.
On June 27, 2017 a wave of what appeared to be ransomware rippled around the world. But NotPetya, as it would come to be called, was not a ransomware attack—it was destructive malware built to lock down computers, devastate networks, and create chaos. NotPetya was developed by the Russian hacking group Sandworm, seemingly to target Ukraine. The damage in Ukraine was extensive, but the malware turned out to be too virulent and spread around the world, hitting multinational companies, including in Russia. In all, the US government estimates that NotPetya resulted in at least $10 billion in damages, disrupting pharmaceutical companies, shipping, power companies, airports, public transit, and even medical services in Ukraine and around the world. It was the most costly cyberattack ever to date.
NotPetya was a so-called supply chain attack. Hackers seeded the malware out into the world by compromising the system updates of the ubiquitous Ukrainian accounting software MeDoc. When regular MeDoc users ran a software update they inadvertently downloaded NotPetya as well. In addition to highlighting the critical danger of collateral damage in cyberwar, NotPetya also underscored the very real threat of supply chain attacks, especially in software.
Though it came relatively late in the decade, the massive 2017 breach of the credit monitoring firm Equifax is the mother of all corporate data breaches, both for its scale and severity, and because Equifax handled the situation so poorly. The incident exposed personal information for 147.9 million people—the data included birth dates, addresses, some driver's license numbers, about 209,000 credit card numbers, and Social Security numbers—which means that almost half the US population potentially had their crucial secret identifier exposed.
Equifax disclosed the breach at the beginning of September 2017, and in doing so touched off another series of unfortunate events. The informational site the company set up for victims was itself vulnerable to attack, and it asked for the last six digits of people's Social Security numbers to check if their data had been impacted by the breach. This meant that Equifax was asking Americans to trust them with their data all over again. Equifax also made the breach-response page a stand-alone site, rather than part of its main corporate domain—a decision that invited imposter sites and aggressive phishing attempts. The official Equifax Twitter account even mistakenly tweeted one particular phishing link four times. Four times! Luckily, the link was a proof-of-concept research page, not an actual malicious site. There have since been numerous indications that Equifax had a dangerously lax security culture and lack of response procedures in place.
Though it was notably severe, the Equifax breach is just one in a long line of problematic corporate data breaches that plagued the last 10 years. The Target breach at the end of 2013 that compromised the data of 40 million customers now feels like a turning point in general awareness of data at risk. Soon after, Neiman Marcus and Michaels both announced major breaches of customer data in 2014. In September of that same year, Home Depot was also breached, exposing information from roughly 56 million customers' credit and debit cards.
And then in July 2015 hackers breached Ashley Madison, a site that exists specifically to facilitate affairs and extramarital dating. Within a month, hackers had posted almost 10 gigabytes of data that they stole from the site, which contained payment card and account details for roughly 32 million Ashley Madison users. That information included details about sexual preferences and orientation. For users who entered their real name—or a recognizable pseudonym—on the site, though, the dump simply revealed the fact that they had an Ashley Madison account in addition to tying personal information to them. Though the breach generated a lot of punch lines during the summer of 2015, it also had major consequences for the site's users.
The government identification database Aadhaar stores personal information, biometrics, and a 12-digit identification number for more than 1.1 billion Indian citizens. Aadhaar is used in everything from opening a bank account to signing up for utilities or a cell phone. And tech companies can link to Aadhaar to track customers. All of these interconnections, though, have led to numerous major exposures of Aadhaar data when third parties, or the Indian government itself, store the information improperly. As a result, researchers estimate that all 1.1 billion Aadhaar numbers and much of the associated data was breached throughout 2018 alone. There is reportedly a thriving black market for the data.
Very few institutions even have a billion people's data to lose. Then again, there's Yahoo, which suffered two separate data breaches. One, which occurred in late 2014 and was disclosed in September 2016, exposed 500 million Yahoo accounts. Another, which occurred in August 2013 and was originally disclosed in December 2016, turned out in October 2017 to have exposed all Yahoo accounts that existed in 2013, totaling three billion.
Data breaches like OPM and Equifax are complicated, because they are seemingly the result of nation-state espionage and the data never leaks publicly or even in criminal forums. This means that it's difficult to assess the day-to-day risk these breaches pose for average people. But with exposures like Aadhaar, Yahoo, Target, and many others where data is publicly leaked and starts circulating on the dark web, there's a very clear connection to the widespread fraud, digital account compromises, and scams that follow in their wake.