It’s often said there’s a statistic to support any story you want to tell, a fact that’s borne out by the worrying increase in fake news, but some are repeated so often they’re worth listening to:
- There’s a cyber-attack every 39 seconds.
- Only 38% of global organizations claim they’re prepared to handle a sophisticated cyber-attack.
- 95% of cybersecurity breaches trace back to human error.
- Over 14 billion data records have been lost or stolen since 2013 and the number increases every day.
What’s even more compelling is real-life events that demonstrate the tangible impact on organizations from cyber-attacks, so to help illustrate just how important cybersecurity is, we’ve pulled together a list of five particularly scary attacks.
Any organization that’s hit by a hacker can reasonably describe the experience that way, but we think the differentiator is the scale and breadth of impact. Large-scale, cross-border attacks that are carefully engineered to maximize disruption are the ones that get us all worried:
- Utilities, healthcare providers, or mass-transportation systems: successful attacks could cause fatalities.
- Financial institutions: anybody can wake up to learn his/her hard-earned money was affected.
- Government operations: attacks undermine the citizen’s confidence in government to keep them safe.
Applying those criteria, here are 5 scary-as-heck real-life cyber-attacks you've probably never heard of:
1. US Electricity Grid
The US electricity grid was attacked in late 2017, an event described by the FBI and Department of Homeland Security as “a multi-stage intrusion campaign by cyber actors who… conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, they conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems.”
The threat wasn’t completely unexpected — DHS had been warning utility providers about the potential threat since 2014 — but it highlighted the possibility of the lights going out across the country. “They got to the point where they could have thrown switches and disrupted power flows,” said Jonathan Homer, a department analyst.
Large-scale disruption isn't far-fetched: in December 2015 a power cut in Western Ukraine affected 250,000 residents and was attributed to Russian hackers — in a move that many considered a dry-run of a possible attack on the US.
2. Federal Aviation Administration
No one wants to read the headline “Cyber-Attack Causes Plane to Fall from the Sky”, and thankfully we haven’t yet had to. But an attack on the FAA in 2015 was a reminder of how vulnerable air space is. The FAA handles 43,000 flights carrying 2.6 million airline passengers across 29 million square miles of airspace every day and relies on over 100 different technology systems to do so; a breach of any of them could be fatal.
Although the 2015 event targeted administrative systems and was quickly contained, it raised the specter of hackers shutting down radar or sending false information to aircraft systems — concerns that were echoed in a report following the incident.
3. SWIFT
If you've ever moved money between banks (and that’s pretty much all of us) you've almost certainly used SWIFT, a secure messaging service that enables financial transactions between 11,000 financial institutions in over 200 countries, and handles 32 million messages, amounting to several trillion dollars, every day.
While breaching individual financial service providers requires a lot of effort, finding a way in through a connected network like SWIFT offers a lot more bang for your buck.
Trust and integrity are central to SWIFT’s business model, but in 2015 those values were overturned with a series of real-life cyber-attacks that resulted in sizable losses. The main attack centered on the Bangladesh Central Bank (BCB), with criminals attempting an eye-watering theft of $1 billion.
The bad actors used the SWIFT network to fool the US Federal Reserve into transferring them BCB funds. (It's not uncommon for the US Fed to hold international banking assets.) As a basic security check, SWIFT sends details of any transfer to the printers of the financial institution behind the request.
Under normal circumstances, with that added layer of review in place, a BCB official who sees a request of that size would stay the transfer until confirmation can be had (especially if, as was the case here, the funds are being sent to an unknown account). In order to get the attack out of the gate successfully, therefore, the attackers cleverly used malware to disable the bank's printers.
In the end, the full attack was thwarted, but $81 million still went missing!
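The printer step above is an out-of-band confirmation control, and the attack worked by silencing it. The following Python is an added example, not code from the original post or from SWIFT or any bank, showing how such a review rule can be written to fail closed: a transfer that needs human review is held when it is large or goes to an unseen beneficiary, and the loss of the confirmation channel itself (printer offline, in the story above) escalates rather than releases. All names (`Transfer`, `ReviewContext`, `review_transfer`), the threshold and the sample transfers are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Dict

# Constructed review threshold for this example (not a real SWIFT or bank setting).
REVIEW_THRESHOLD_USD = 1_000_000


@dataclass(frozen=True)
class Transfer:
    """A constructed outbound payment request."""
    ref: str
    amount_usd: int
    beneficiary: str  # constructed account label, e.g. "ACCT-A"


@dataclass(frozen=True)
class ReviewContext:
    """State the review rule depends on."""
    known_beneficiaries: FrozenSet[str]
    # True when the out-of-band confirmation channel (the printer in the
    # story above) has recently proven it is alive.
    confirmation_channel_up: bool


def review_transfer(t: Transfer, ctx: ReviewContext) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'release', 'hold' or 'escalate'.

    Fail-closed design: if the channel that lets a human see the request is
    down, nothing is released. The outage is itself treated as a signal,
    because an attacker who can disable that channel has defeated the control.
    """
    reasons: List[str] = []
    if t.amount_usd >= REVIEW_THRESHOLD_USD:
        reasons.append("amount at or above review threshold")
    if t.beneficiary not in ctx.known_beneficiaries:
        reasons.append("beneficiary not previously seen")

    if not ctx.confirmation_channel_up:
        reasons.append("confirmation channel unavailable")
        return "escalate", reasons
    if reasons:
        return "hold", reasons
    return "release", reasons


def channel_is_up(last_heartbeat_s: float, now_s: float, max_silence_s: float = 300.0) -> bool:
    """Treat the confirmation channel as down once it has been silent too long.

    A silent printer queue is indistinguishable from a disabled one, so the
    rule assumes the worse case after max_silence_s seconds.
    """
    return (now_s - last_heartbeat_s) <= max_silence_s


def review_batch(transfers: List[Transfer], ctx: ReviewContext) -> Dict[str, str]:
    """Map each transfer reference to its decision."""
    return {t.ref: review_transfer(t, ctx)[0] for t in transfers}


# Constructed sample input: one routine payment and one large payment to an
# unseen account, reviewed with the confirmation channel up and then down.
SAMPLE_TRANSFERS = [
    Transfer("T-001", 500_000, "ACCT-A"),
    Transfer("T-002", 20_000_000, "ACCT-X"),
]
KNOWN = frozenset({"ACCT-A", "ACCT-B"})
CTX_UP = ReviewContext(KNOWN, confirmation_channel_up=True)
CTX_DOWN = ReviewContext(KNOWN, confirmation_channel_up=channel_is_up(0.0, 3600.0))

if __name__ == "__main__":
    for label, ctx in (("channel up", CTX_UP), ("channel down", CTX_DOWN)):
        for t in SAMPLE_TRANSFERS:
            decision, why = review_transfer(t, ctx)
            print(f"[{label}] {t.ref}: {decision} ({'; '.join(why) or 'no flags'})")
```

The point of the example is the branch order: the channel check comes before the "release" path, so an outage can never turn a transfer that needed a human into one that goes through unseen. Monitoring the heartbeat of the confirmation channel separately from the payments themselves is what would have made the disabled printers an alert rather than a silent gap.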
4. United States Central Command
Back in 2008, US Central Command (CENTCOM) was the command center for the United States military’s Middle East operations. A USB drive, found in a parking lot and containing the agent.btz worm, was inserted into a laptop connected to the CENTCOM network. From there it spread undetected to other systems, both classified and unclassified.
Opinion is divided as to what information the worm found, and what it was able to do with it. While it could open backdoors on infected computers, the classified computer network wasn’t connected to the internet – meaning that it got the chance to spread too fast and too far to be contained.
Nevertheless, the event was a wakeup call and was described by the Pentagon as “the most significant breach of U.S. military computers ever”. They banned the use of portable drives immediately and spent fourteen months removing all traces of the worm.
Since the incident occurred over 10 years ago, it’s tempting to think it won’t be repeated, but that idea, comforting as it may be, is a fantasy. A recent report on national cybersecurity found that 74% of 95 federal agencies reviewed were either "At Risk" or "At High Risk" of attack, the latter designation meaning that immediate intervention is required.
5. US Healthcare Network
Healthcare providers must be particularly vigilant about protecting themselves since the sector attracts more than its fair share of attacks. Most attacks stem from lone wolves or small-scale criminal affiliates, but the SamSam ransomware attacks challenge that norm – suggesting hostile state involvement.
The ransomware attacks took place over three years, extorting $6 million in payments and resulting in $30 million in damages. All told, only seven of the 50 US states escaped totally unscathed. That said, there’s still a high probability that there are other victims out there who have not disclosed their attacks or may not even be aware of them yet.
SamSam has been around since 2016, with security company Sophos reporting that attacks have occurred daily since the malware first arrived on the scene. It’s estimated healthcare accounts for about a quarter of all attacks.
Some of the prominent victims included Hollywood Presbyterian Medical Center (which had to turn patients away before capitulating and paying the ransom), LabCorp (the nation's largest diagnostic blood testing company), and Kansas Heart Hospital (which paid the initial ransom and was then hit by another demand).
Although there were no recorded fatalities attributable to the attacks, it’s only a matter of time before a series of coordinated attacks like this one results in such an outcome.
In November 18, US federal prosecutors indicted two Iranian hackers. “The allegations in the indictment… outline an Iran-based international computer hacking and extortion scheme that engaged in a 21st-Century digital blackmail,” said US assistant attorney general Brian Benczkowski.
There are two particularly worrying aspects of this attack:
- The likely involvement of a hostile government that has ample resources to mount similar attacks again and again.
- The extended time period — over three years! — during which attacks took place, without drawing any suspicion of a connection.
In reviewing these attacks, aside from inducing fear, a few important takeaways emerge. First, most of these real-life cyber-attacks were helped along by human error, which underlines the importance of regularly training staff in basic cybersecurity awareness. All it takes is one click on a phishing email link to open the entire network to attack.
Second, all of these attacks were attributed to organized groups. Considerable powers are being brought to bear in support of the cyber baddies. You need to plan accordingly. And while many of these attacks originate from countries with a history of state-sponsored cyber malfeasance, it would be a mistake to pin your hopes on the government coming to your rescue. Although governments will continue to apply collective pressure to the responsible parties where possible, it must be understood that the onus lies firstly and ultimately with the breached organizations: it’s your data, your customers, your stakeholders, and your business that will suffer from a successful attack. Investing in multi-layered cybersecurity protection is therefore critical.
Finally, each of these examples is worrying in its own way, but the scariest real-life attacks probably aren’t even reported. When it comes to attacks on national security or large-scale infrastructure, can we be sure that the relevant administrators are fully aware of their cyber goings-on? Even if they are, can we expect that we would be informed whenever something goes awry?