As we draw back the curtain on another eventful year in cybersecurity, let’s review some of the high-profile cyber incidents that occurred in 2023.
December 28, 2023
5 minute read
It’s been another monumental year for cybersecurity. Malicious actors have thrived amid persistent macroeconomic and geopolitical uncertainty, using every tool and ingenuity at their disposal to circumvent corporate defenses. For consumers, it’s been another year spent anxiously clicking on headlines to see if their personal information has been affected.
According to Verizon’s Data Breach Investigations Report (DBIR), external actors are responsible for the vast majority (83%) of breaches, and financial gain is the motive behind almost all (95%) of them. That is why most of the incidents on this list are the work of ransomware or data-theft extortionists. But it isn’t always the case: sometimes the cause is human error or a malicious insider. And sometimes an attack has an outsized impact even if the number of victims is relatively low.
Here, in no particular order, is our selection of the 10 biggest attacks of 2023.
1. MOVEit
Traced to Lace Tempest (Storm0950), an affiliate of the Clop ransomware group, this attack had all the hallmarks of the group’s previous campaigns against Accellion FTA (2020) and GoAnywhere MFT (2023). The modus operandi is simple: exploit a zero-day vulnerability in a popular software product to gain access to customer environments, then exfiltrate as much data as possible and hold it to ransom. It is still unclear exactly how much data was taken or how many victims there were, but some estimates put the figure at more than 2,600 organizations and more than 83 million individuals. The fact that many of these organizations were themselves suppliers or service providers to others only amplified the downstream impact.
2. The UK Electoral Commission
The UK’s independent regulator for party and election finance revealed in August that malicious actors had stolen personal information on approximately 40 million registered voters. It blamed a “complex” cyberattack, but reports have since suggested its security posture was poor, with the organization having failed a basic Cyber Essentials security audit. An unpatched Microsoft Exchange Server may have been at fault, although why it took the commission 10 months to notify the public is unclear. It also said that malicious actors may have been probing its network since August 2021.
3. The Police Service of Northern Ireland (PSNI)
This incident falls into both the insider-breach category and the category of breaches that affect a relatively small number of victims but can have a disproportionate impact. The PSNI announced in August that an employee had accidentally posted sensitive internal data to the WhatDoTheyKnow website in response to a Freedom of Information (FOI) request. The information included the names, ranks and departments of approximately 10,000 officers and civilian staff, including those working in surveillance and intelligence. Although it was only available for two hours before being removed, this was long enough for it to circulate among Irish republican dissidents, who then spread it further. Two men have been released on bail after being arrested for terrorism offences.
4. DarkBeam
The biggest data breach of the year saw 3.8 billion records exposed by digital risk platform DarkBeam after it misconfigured an Elasticsearch and Kibana data visualization interface. A security researcher noticed the exposure and informed the company, which quickly fixed the problem. However, it is unclear how long the data was exposed or whether anyone accessed it with nefarious intent. Ironically, the data consisted of emails and passwords from previously reported and unreported data breaches. This is another example of the need to closely and continuously monitor systems for misconfigurations.
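As an added illustration of the monitoring point above (example code written for this article, not DarkBeam’s tooling), the following script audits the two configuration files behind an Elasticsearch/Kibana deployment for the exact class of mistake described: a data store bound to a network interface while authentication is switched off. The setting names are the products’ real ones; the sample YAML is constructed, the severity wording is the author’s own, and the rule that an absent `xpack.security.enabled` counts as off reflects the pre-8.0 default.

```python
"""Audit elasticsearch.yml / kibana.yml for network exposure without
authentication.  Added example for this article; not DarkBeam's code.
Sample configurations live in the test / __main__ block and are constructed."""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines used in elasticsearch.yml and
    kibana.yml.  Nested blocks are out of scope; comments and blank lines
    are skipped; surrounding quotes are removed from values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("\"'")
        if value:
            settings[key.strip()] = value
    return settings


def as_bool(value, default):
    """Elasticsearch booleans are the literal strings true/false."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def is_network_exposed(bind):
    """True when the bind address can accept connections from other hosts.
    Accepts a single value or the `[a, b]` list form."""
    if bind is None:
        return False  # both products default to loopback-only
    hosts = [h.strip().strip("\"'") for h in bind.strip("[]").split(",")]
    return any(h and h not in LOOPBACK for h in hosts)


def audit_elasticsearch(text):
    """Return a list of findings (strings) for an elasticsearch.yml."""
    s = parse_flat_yaml(text)
    findings = []
    bind = s.get("network.host")
    exposed = is_network_exposed(bind)
    # Absent means off: releases before 8.0 shipped with security disabled,
    # which is precisely the DarkBeam-style exposure.
    security_on = as_bool(s.get("xpack.security.enabled"), default=False)
    tls_on = as_bool(s.get("xpack.security.http.ssl.enabled"), default=False)
    if exposed and not security_on:
        findings.append(
            "CRITICAL: network.host=%s with xpack.security.enabled off: "
            "every index is readable and writable without credentials" % bind)
    elif exposed and not tls_on:
        findings.append(
            "WARN: authenticated HTTP API on %s without TLS: credentials "
            "cross the network in clear text" % bind)
    return findings


def audit_kibana(text):
    """Return a list of findings for a kibana.yml.  Kibana has no user store
    of its own and relies on the cluster's security, so a Kibana reachable
    from the network with no Elasticsearch credentials configured almost
    always fronts a cluster that has security disabled."""
    s = parse_flat_yaml(text)
    findings = []
    bind = s.get("server.host")
    has_creds = s.get("elasticsearch.username") or s.get("elasticsearch.serviceAccountToken")
    if is_network_exposed(bind) and not has_creds:
        findings.append(
            "CRITICAL: Kibana on server.host=%s with no Elasticsearch "
            "credentials: dashboards open to anyone who can connect" % bind)
    return findings


if __name__ == "__main__":
    # Constructed configurations for a quick run.
    for name, text in [
        ("es-bad", "cluster.name: prod\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"),
        ("es-ok", "network.host: 0.0.0.0\nxpack.security.enabled: true\n"
                  "xpack.security.http.ssl.enabled: true\n"),
        ("kibana-bad", 'server.host: "0.0.0.0"\nelasticsearch.hosts: ["http://es:9200"]\n'),
    ]:
        audit = audit_kibana if name.startswith("kibana") else audit_elasticsearch
        print(name, audit(text) or ["clean"])
```

Run it against the real files on each node as part of the same job that checks for unexpected listeners; a clean result from the config audit does not prove a clean deployment, since a reverse proxy or a cloud security group can expose a loopback-bound service just as well.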
5. Indian Council of Medical Research (ICMR)
Another mega-breach, this time one of India’s largest, was revealed in October after a threat actor put the personal information of 815 million residents up for sale. The data appears to have been exfiltrated from the ICMR COVID testing database and included name, age, gender, address, passport number and Aadhaar (government identification number). This is particularly damaging because it could give cybercriminals everything they need to attempt a range of identity theft attacks: Aadhaar can be used in India as a digital ID, for bill payment and for Know Your Customer checks.
6. 23andMe
A threat actor claimed to have stolen up to 20 million pieces of data from the US genetics and research company. It appears they first used classic credential stuffing techniques to gain access to user accounts, essentially trying previously breached credentials that those users had recycled on 23andMe. For users who had opted into the DNA Relatives feature on the site, the threat actor was then able to access and retrieve far more data about potential relatives. Among the information listed in the data dump were profile photo, gender, year of birth, location and genetic ancestry results.
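The credential stuffing technique described above has a recognisable shape in authentication logs: one source tries many distinct accounts, roughly once each, and a small fraction of those attempts succeed. The detector below, an added example written for this article and not 23andMe’s code, scans constructed log lines for that shape and lists the accounts that were successfully logged into during a flagged burst, which is the set a defender would reset and notify. The log format, the IP addresses and the thresholds are all assumptions.

```python
"""Credential-stuffing detection over authentication logs.  Added example
for this article; the log format and sample lines are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Parse one constructed-format log line; returns None on a non-match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_users=20, max_tries_per_user=1.5):
    """Flag source IPs that, inside any `window`, try at least `min_users`
    distinct accounts with about one attempt each.  A brute-force attack on
    a handful of accounts fails the distinct-user test; a busy NAT gateway
    whose users retry typos fails the tries-per-user test.
    Returns {ip: {"users": n, "attempts": n, "hijacked": [usernames that
    logged in successfully inside a flagged window]}}."""
    by_ip = {}
    for ev in filter(None, map(parse_line, lines)):
        by_ip.setdefault(ev["ip"], []).append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()  # user -> attempts inside the sliding window
        start = 0
        for end, ev in enumerate(events):
            in_window[ev["user"]] += 1
            while ev["ts"] - events[start]["ts"] > window:  # slide the left edge
                old = events[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            attempts, users = sum(in_window.values()), len(in_window)
            if users >= min_users and attempts / users <= max_tries_per_user:
                hit = flagged.setdefault(ip, {"users": 0, "attempts": 0, "hijacked": set()})
                hit["users"] = max(hit["users"], users)
                hit["attempts"] = max(hit["attempts"], attempts)
                hit["hijacked"].update(e["user"] for e in events[start:end + 1] if e["ok"])
    for hit in flagged.values():
        hit["hijacked"] = sorted(hit["hijacked"])
    return flagged


def build_sample_log():
    """Constructed log: one stuffing source, one brute-force source, one
    ordinary user who mistypes a password."""
    t0 = datetime(2023, 10, 1, 12, 0, 0)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # 30 recycled credentials tried once each from 203.0.113.5; two still work.
    for i in range(30):
        res = "OK" if i in (7, 19) else "FAIL"
        lines.append("%s ip=203.0.113.5 user=user%02d result=%s"
                     % (fmt(t0 + timedelta(seconds=3 * i)), i, res))
    # 40 password guesses against a single account from 198.51.100.9.
    for i in range(40):
        lines.append("%s ip=198.51.100.9 user=bob result=FAIL"
                     % fmt(t0 + timedelta(seconds=2 * i)))
    # alice fails once, then logs in.
    lines.append("%s ip=192.0.2.44 user=alice result=FAIL" % fmt(t0))
    lines.append("%s ip=192.0.2.44 user=alice result=OK" % fmt(t0 + timedelta(seconds=9)))
    return lines


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(build_sample_log()).items():
        print(ip, hit)
```

The brute-force source is deliberately left unflagged here because it calls for a different response (lock or rate-limit the single targeted account) than a stuffing burst does (force resets on the accounts that succeeded and require a second factor). In production the per-IP key would be widened to ASN or JA3/JA4 fingerprint, since stuffing tools rotate through proxy pools.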
7. Rapid Reset DDoS attacks
Another unusual case, this one involves a zero-day vulnerability in the HTTP/2 protocol, disclosed in October, which allowed malicious actors to launch some of the largest DDoS attacks ever seen. Google said these peaked at 398 million requests per second (rps), up from the previous high of 46 million rps. The good news is that internet giants like Google and Cloudflare have patched the bug, but companies that manage their own internet-facing infrastructure have been urged to follow suit immediately.
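To show what “follow suit” means for a team running its own HTTP/2 front end, here is an added example (toy code written for this article, not Google’s or Cloudflare’s) that replays constructed frame sequences through a per-connection guard. It rests on one assumption stated in the code: that the Rapid Reset technique abuses stream cancellation, so a request that is opened and cancelled in the same instant never counts against the protocol’s existing SETTINGS_MAX_CONCURRENT_STREAMS cap, and the mitigation vendors shipped is a limit on how fast a peer may reset streams. The numeric limits and traffic patterns are constructed.

```python
"""Why the HTTP/2 Rapid Reset pattern evades the concurrency cap, and the
per-connection reset-rate limit that closes the gap.  Added example for this
article; limits and traffic are constructed."""
from collections import deque

MAX_CONCURRENT_STREAMS = 100  # the classic HTTP/2 per-connection cap
RESET_LIMIT = 50              # resets tolerated per window (constructed value)
WINDOW_SECONDS = 1.0


class ConnectionGuard:
    """Tracks one HTTP/2 connection.  Frames are (timestamp, kind, stream_id)
    with kind in {"HEADERS", "END_STREAM", "RST_STREAM"}."""

    def __init__(self, reset_limit=RESET_LIMIT, window=WINDOW_SECONDS):
        self.open_streams = set()
        self.peak_concurrent = 0
        self.recent_resets = deque()  # reset timestamps inside the window
        self.reset_limit = reset_limit
        self.window = window
        self.dropped = False

    def on_frame(self, ts, kind, stream_id):
        """Return 'ok', 'refuse' (stream rejected by the concurrency cap) or
        'drop' (connection closed by the reset-rate limit)."""
        if self.dropped:
            return "drop"
        if kind == "HEADERS":
            if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                return "refuse"
            self.open_streams.add(stream_id)
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
        elif kind == "END_STREAM":
            self.open_streams.discard(stream_id)
        elif kind == "RST_STREAM":
            # Cancelling frees the concurrency slot at once (assumption named
            # in the lead-in); the server has still done the work of starting
            # the request, so we meter resets instead of open streams.
            self.open_streams.discard(stream_id)
            self.recent_resets.append(ts)
            while self.recent_resets and ts - self.recent_resets[0] > self.window:
                self.recent_resets.popleft()
            if len(self.recent_resets) > self.reset_limit:
                self.dropped = True
                return "drop"
        return "ok"


def replay(frames):
    """Feed a frame list through a fresh guard; returns (guard, outcomes)."""
    guard = ConnectionGuard()
    return guard, [guard.on_frame(*f) for f in frames]


def rapid_reset_traffic(n, spacing=0.001):
    """Constructed: every request is opened and cancelled in the same instant.
    Client-initiated stream ids are odd."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i * spacing
        frames += [(t, "HEADERS", sid), (t, "RST_STREAM", sid)]
    return frames


def browser_traffic(n, spacing=0.02):
    """Constructed: requests complete normally; every 20th is cancelled,
    as a browser does when the user navigates away mid-load."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i * spacing
        closer = "RST_STREAM" if i % 20 == 0 else "END_STREAM"
        frames += [(t, "HEADERS", sid), (t + spacing / 2, closer, sid)]
    return frames


if __name__ == "__main__":
    for label, traffic in [("rapid-reset", rapid_reset_traffic(500)),
                           ("browser", browser_traffic(500))]:
        guard, outcomes = replay(traffic)
        print(label, "peak open streams:", guard.peak_concurrent,
              "refused:", outcomes.count("refuse"), "dropped:", guard.dropped)
```

The replay makes the asymmetry visible: the abusive pattern never has more than one stream open, so the concurrency cap never fires, while the reset-rate meter closes the connection after the 51st cancellation in a second; ordinary browser traffic with occasional cancellations passes both checks. Patched servers implement a limit of this kind internally, so the practical action is to upgrade the HTTP/2 terminator (load balancer, reverse proxy or application server) and then confirm in its changelog that a reset-rate or stream-churn limit is present.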
8. T-Mobile
The US telecom operator has suffered numerous security breaches in recent years, but the one it disclosed in January is one of the largest yet. It affected 37 million customers, whose addresses, phone numbers and dates of birth were stolen by a malicious actor. A second incident, disclosed in April, reached only about 800 customers but involved many more data points, including T-Mobile account PINs, Social Security numbers, government ID details, dates of birth, and internal codes the company uses to manage customer accounts.
9. MGM International/Caesars
Two of the biggest names in Las Vegas were hit within days of each other by the same ALPHV/BlackCat ransomware affiliate, known as Scattered Spider. In MGM’s case, the attackers gained access to the network simply through a LinkedIn search followed by a vishing attack on the person they had found, in which they impersonated the IT department and asked for their credentials. Yet the compromise had a major financial impact on the company. It was forced to shut down key computer systems, disrupting slot machines, restaurant management systems and even room key cards for days. The company estimated the cost at $100 million. The cost to Caesars is unclear, although the company admitted paying its extortionists $15 million.
10. Pentagon leaks
The last incident is a warning to the US military and to any large organization concerned about malicious insiders. Jack Teixeira, a 21-year-old member of the intelligence wing of the Massachusetts Air National Guard, leaked highly sensitive military documents to gain bragging rights with his Discord community. The information was then shared on other platforms and reposted by Russians following the war in Ukraine. The leaks gave Russia a trove of military intelligence for its war in Ukraine and undermined America’s relations with its allies. Incredibly, Teixeira was able to print top secret documents, take them home, photograph them and then upload them.
Hopefully these stories offer some useful lessons. Here’s to a safer 2024.