The Worst Hacks of 2017, from Equifax to Crash Override
Credit to Author: Lily Hay Newman | Date: Sun, 31 Dec 2017 12:00:00 +0000
2017 was bananas in a lot of ways, and cybersecurity was no exception. Critical infrastructure attacks, insecure databases, hacks, breaches, and leaks of unprecedented scale impacted institutions around the world—along with the billions of people who trust them with their data.
This list includes incidents disclosed in 2017, but note that some took place earlier. (Speaking of which, you know it's a heck of a year when Yahoo reveals that it leaked info for three billion accounts, and it's still not a clear-cut winner for worst incident.) The pace has been unrelenting, but before we forge on, here’s WIRED’s look back at the biggest hacks in 2017.
Security doomsayers have long warned about the potential dangers posed by critical infrastructure hacking. But for many years the Stuxnet worm, first discovered in 2010, was the only known piece of malware built to target and physically damage industrial equipment. In 2017, researchers from multiple security groups published findings on two such digital weapons. First came the grid-hacking tool Crash Override, revealed by the security firms ESET and Dragos Inc., which was used to target the Ukrainian electric utility Ukrenergo and cause a blackout in Kiev at the end of 2016. A suite of malware called Triton, discovered by FireEye and Dragos, followed close behind and attacked industrial control systems.
Crash Override and Triton don't seem to be connected, but they share conceptual elements that speak to the traits crucial to infrastructure attacks. Both infiltrate complex targets and could potentially be reworked for other operations. They also include elements of automation, so an attack can be put in motion and then play out on its own. They aim not only to degrade infrastructure, but to target the safety mechanisms and failsafes meant to harden systems against attack. And Triton targets equipment used across numerous industrial sectors like oil and gas, nuclear energy, and manufacturing.
Not every electric grid intrusion or infrastructure probe is cause for panic, but the most sophisticated and malicious attacks are. Unfortunately, Crash Override and Triton illustrate the reality that industrial control hacks are becoming more sophisticated and concrete. As Robert Lipovsky, a security researcher at ESET, told WIRED in June, "The potential impact here is huge. If this is not a wakeup call, I don’t know what could be.”
This was really bad. The credit monitoring firm Equifax disclosed a massive breach at the beginning of September, which exposed personal information for 145.5 million people. The data included birth dates, addresses, some driver's license numbers, about 209,000 credit card numbers, and Social Security numbers—meaning that almost half the US population potentially had their crucial secret identifier exposed. Because the information Equifax coughed up was so sensitive, it's widely considered the worst corporate data breach ever. For now.
Equifax also completely mishandled its public disclosure and response in the aftermath. The site the company set up for victims was itself vulnerable to attack, and asked for the last six digits of people's Social Security numbers to confirm if they were impacted by the breach. Equifax also made the breach response page a standalone site, rather than part of its main corporate domain—a decision that invited imposter sites and aggressive phishing attempts. The official Equifax Twitter account even mistakenly tweeted the same phishing link four times. Four. Luckily, in that case, it was just a proof-of-concept research page.
Observers have since seen numerous indications that Equifax had a dangerously lax security culture and lack of procedures in place. Former Equifax CEO Richard Smith told Congress in October that he usually only met with security and IT representatives once a quarter to review Equifax's security posture. And hackers got into Equifax's systems for the breach through a known web framework vulnerability that had a patch available. A digital platform used by Equifax employees in Argentina was even protected by the ultra-guessable credentials "admin, admin"—a truly rookie mistake.
If any good comes from Equifax, it's that it was so bad it may serve as a wake-up call. "My hope is that this really becomes a watershed moment and opens up everyone’s eyes," Jason Glassberg, cofounder of the corporate security and penetration testing firm Casaba Security, told WIRED at the end of September, "because it's astonishing how ridiculous almost everything Equifax did was."
Yahoo disclosed in September 2016 that it suffered a data breach in late 2014 impacting 500 million accounts. Then in December 2016 the company said that a billion of its users had data compromised in a separate August 2013 breach. Those increasingly staggering numbers proved no match for the update Yahoo released in October that the latter breach actually compromised all Yahoo accounts that existed at the time, or three billion total. Quite the correction.
Yahoo had already taken steps to protect all users in December 2016, like resetting passwords and invalidating unencrypted security questions, so the revelation didn't lead to a complete frenzy. But three billion accounts exposed is, well, really a lot of accounts.
The Shadow Brokers first appeared online in August 2016, publishing a sample of spy tools it claimed were stolen from the elite NSA Equation Group (an international espionage hacking operation). But things got more intense in April 2017, when the group released a trove of NSA tools that included the Windows exploit "EternalBlue."
That tool takes advantage of a vulnerability that was in virtually all Microsoft Windows operating systems until the company released a patch at the NSA's request in March, shortly before the Shadow Brokers made EternalBlue public. The vulnerability was in Microsoft's Server Message Block file-sharing protocol, and EternalBlue seems to have been a workhorse hacking tool for the NSA, because so many computers were vulnerable. Because large enterprise networks were slow to install the update, bad actors were able to use EternalBlue in crippling ransomware attacks—like WannaCry—and other digital assaults.
The Shadow Brokers also rekindled the debate over intelligence agencies holding on to knowledge of widespread vulnerabilities—and how to exploit them. The Trump administration did announce in November that it had revised and was publishing information about the "Vulnerability Equities Process." The intelligence community uses this framework to determine which bugs to keep for espionage, which to disclose to vendors for patching, and when to disclose tools that have been in use for awhile. In this case, at least, it clearly came too late.
On May 12, a type of ransomware known as WannaCry spread around the world, infecting hundreds of thousands of targets, including public utilities and large corporations. The ransomware also memorably hobbled National Health Service hospitals and facilities in the United Kingdom, impacting emergency rooms, medical procedures, and general patient care. One of the mechanisms WannaCry relied on to spread was EternalBlue, the Windows exploit leaked by the Shadow Brokers.
Luckily, the ransomware had design flaws, particularly a mechanism security experts were able to use as a sort of kill switch to render the malware inert and stem its spread. US officials later concluded with "moderate confidence" that the ransomware was a North Korean government project, and they confirmed this attribution in mid-December. In all, WannaCry netted the North Koreans almost 52 bitcoins—worth less than $100,000 at the time, but over $800,000 now.
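The kill switch mentioned above worked because the malware checked whether a particular, then-unregistered domain resolved before doing anything else, and exited if it did; registering the domain therefore turned the check into an off switch for every newly infected machine that could reach public DNS. The following Go program is an added example that models that gate, not code from the malware or from WIRED; the domain name is a placeholder, and the DNS table is constructed inline so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Resolver abstracts a hostname lookup so the gating logic can be exercised
// offline. (Assumption: the real sample used a Windows HTTP API rather than a
// plain DNS query; the decision logic is the same.)
type Resolver func(host string) ([]string, error)

// killSwitchDomain is a placeholder, not the domain used in 2017.
const killSwitchDomain = "unregistered-killswitch-placeholder.invalid"

// shouldDetonate returns true when the worm would go on to encrypt files and
// spread: only if the kill-switch domain does NOT resolve. A resolving domain
// is treated as "someone is answering every query" (a sandbox) and the malware
// exits, which is exactly what made registering the domain a global off switch.
func shouldDetonate(resolve Resolver, domain string) bool {
	if _, err := resolve(domain); err != nil {
		return true // NXDOMAIN: nobody has registered it, keep going
	}
	return false // resolves: bail out
}

// fakeDNS builds a Resolver from a constructed lookup table standing in for
// the public DNS, so the example needs no network access.
func fakeDNS(registered map[string][]string) Resolver {
	return func(host string) ([]string, error) {
		if ips, ok := registered[host]; ok {
			return ips, nil
		}
		return nil, errors.New("NXDOMAIN: " + host)
	}
}

// liveResolver is what a real client would plug in; it is unused by the
// offline demonstration below.
func liveResolver(host string) ([]string, error) { return net.LookupHost(host) }

func main() {
	beforeRegistration := fakeDNS(map[string][]string{})
	// Constructed sample: a researcher registers the domain and points it at a sinkhole.
	afterSinkhole := fakeDNS(map[string][]string{killSwitchDomain: {"203.0.113.10"}})

	fmt.Println("before registration, detonate:", shouldDetonate(beforeRegistration, killSwitchDomain))
	fmt.Println("after sinkhole registration, detonate:", shouldDetonate(afterSinkhole, killSwitchDomain))
}
```

Two caveats a responder would want: a host that cannot resolve or reach the domain (no direct internet, or a proxy the lookup does not honor) still detonates even after the domain is registered, so the switch stopped the spread only where the check could succeed; and this is a defensive accident, not a defense, since a recompiled variant with the check removed or a different domain is unaffected.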
At the end of June another wave of ransomware infections hit multinational companies, particularly in Ukraine and Russia, creating problems at power companies, airports, public transit, and the Ukrainian central bank. The NotPetya ransomware impacted thousands of networks, and led to hundreds of millions of dollars in damage. Like WannaCry, it partially relied on Windows exploits leaked by the Shadow Brokers to spread.
NotPetya was more advanced than WannaCry in many ways, but still had flaws like an ineffective payment system, and problems with decrypting infected devices. Some researchers suspect, though, that these were features, not bugs, and that NotPetya was part of a political hacking initiative to attack and disrupt Ukrainian institutions. NotPetya spread in part through compromised software updates to the accounting software MeDoc, which is widely used in Ukraine.
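The MeDoc vector above is a software-supply-chain attack: clients trusted whatever the update server handed them. The Go program below is an added example (not MeDoc's or NotPetya's code) of the minimum check that defeats a compromised update server on its own: the vendor signs a manifest with an offline Ed25519 release key, the client pins the matching public key at build time, and any payload whose manifest does not verify, or whose digest does not match the signed manifest, is refused. Key names, the manifest layout and the sample payloads are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server hands the client: the version, the
// expected SHA-256 of the payload, and the vendor's signature over both.
// (Layout is an assumption for this example.)
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the update payload
	Signature []byte // ed25519 over manifestBytes(Version, SHA256)
}

// manifestBytes is the exact byte string that is signed. Including the
// version, not just the digest, stops an attacker from replaying an old,
// validly signed manifest under a new version number.
func manifestBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// signManifest runs on the vendor's offline release machine, never on the
// update server.
func signManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, manifestBytes(version, digest)),
	}
}

// verifyUpdate is the client side. The pinned key is compiled into the client;
// it must never be fetched from the same server that serves the update.
func verifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest does not match signed manifest: refusing update")
	}
	return nil
}

// runScenario models the channel end to end with constructed sample data:
// a legitimate release, then an attacker who controls the update server.
// It returns the verification result for each of the three deliveries.
func runScenario() (legit, swappedPayload, foreignKey error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	benign := []byte("constructed sample: benign accounting update 1.2.3")
	m := signManifest(vendorPriv, "1.2.3", benign)
	legit = verifyUpdate(vendorPub, m, benign)

	// Attacker swaps the binary on the server but cannot re-sign the manifest.
	backdoored := []byte("constructed sample: backdoored build")
	swappedPayload = verifyUpdate(vendorPub, m, backdoored)

	// Attacker also replaces the manifest, signed with a key of their own.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fake := signManifest(attackerPriv, "1.2.4", backdoored)
	foreignKey = verifyUpdate(vendorPub, fake, backdoored)
	return
}

func main() {
	legit, swapped, foreign := runScenario()
	fmt.Println("legitimate update:", legit)
	fmt.Println("swapped payload:", swapped)
	fmt.Println("manifest signed with attacker key:", foreign)
}
```

This check only holds the line against a compromised distribution server. If the attacker can reach the vendor's build pipeline or the signing key itself, a backdoored update arrives correctly signed, and defenses move to keeping the release key offline, reproducible builds, and logging every signed release where customers can audit it. A client should also refuse a signed manifest whose version is lower than what is already installed, or an attacker who controls the server can serve an old, vulnerable but validly signed release.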
In late October a second, smaller wave of destructive ransomware attacks spread to victims in Russia, Ukraine, Turkey, Bulgaria, and Germany. The malware, dubbed BadRabbit, hit infrastructure and hundreds of devices. Researchers later found links in how the ransomware was built and distributed to NotPetya and its creators.
On March 7, WikiLeaks published a data trove of 8,761 documents allegedly stolen from the CIA. The release contained information about alleged spying operations and hacking tools, including iOS and Android vulnerabilities, bugs in Windows, and the ability to turn some smart TVs into listening devices. WikiLeaks has since released frequent, smaller disclosures as part of this so-called "Vault 7" collection, describing techniques for using Wi-Fi signals to track a device's location, and for persistently surveilling Macs by manipulating their firmware. WikiLeaks claims that Vault 7 reveals "the majority of [the CIA] hacking arsenal including malware, viruses, trojans, weaponized 'zero day' exploits, malware remote control systems and associated documentation."
At the beginning of November, WikiLeaks launched a parallel disclosure collection called "Vault 8," in which the organization claims it will reveal CIA source code for tools described in Vault 7 and beyond. So far, WikiLeaks has posted the code behind a hacking tool called "Hive," which generates fake authentication certificates to communicate with malware installed on compromised devices. It's too early to say how damaging Vault 8 may be, but if the organization isn't careful, it could wind up aiding criminals and other destructive forces much like the Shadow Brokers have.
2017 was a year of diverse, extensive, and deeply troubling digital attacks. Never one to be outdone on sheer drama, though, Uber hit new lows in its lack of disclosure after an incident last year.
Uber's new CEO Dara Khosrowshahi announced in late November that attackers stole user data from the company's network in October 2016. Compromised information included the names, email addresses, and phone numbers of 57 million Uber users and the names and license information for 600,000 drivers. Not great, but not anywhere near, say, three billion compromised accounts. The real kicker, though, is that Uber knew about the hack for a year, and actively worked to conceal it, even reportedly paying a $100,000 ransom to the hackers to keep it quiet. These actions likely violated data breach disclosure laws in many states, and Uber reportedly may have even tried to hide the incident from Federal Trade Commission investigators. If you're going to be hilariously sketchy about covering up your corporate data breach, this is how it's done.