As 2024 draws to a close, numerous high-profile cyber incidents have dominated the headlines. With only two and a half months remaining and the Christmas season approaching, it's likely we'll see even more before year’s end. In this blog, the Integrity360 Incident Response team explores some of the most significant cyber attacks of the year... so far.
In January 2024, Microsoft detected a nation-state attack on its corporate systems, immediately initiating a response to investigate and mitigate the breach. The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM. The attackers used techniques like password-spray attacks and OAuth application exploitation to gain unauthorized access to sensitive corporate data, including internal email.
This incident underscores the importance of balancing security with business risk. Using audit logs, Microsoft tracked the attackers' activity through Exchange Web Services (EWS) and began notifying other affected organisations. The incident remains under investigation, with ongoing analysis of Midnight Blizzard's tactics to better protect against and respond to similar threats in the future.
The Russia/Ukraine war continues to rage on with cyber attacks being launched by both sides. Back in January 2024, the Main Intelligence Directorate of Ukraine's Ministry of Defence reported that pro-Ukrainian hacktivists breached the Russian Centre for Space Hydrometeorology, known as "Planeta", wiping out 2 petabytes of data. Planeta, a state research centre, uses satellite and ground data to predict weather, monitor natural disasters, and provide climate insights. Affiliated with Roscosmos, it supports sectors like the military, civil aviation, and agriculture.
Ukrainian officials stated that cyber volunteers from the "BO Team" targeted Planeta's Far Eastern branch, the largest of its three locations. They allegedly destroyed 280 servers containing 2 petabytes (2,000 terabytes) of data.
The Ukrainian intelligence service estimated the damage at $10 million, impacting supercomputer clusters and years of research. Given sanctions on Russia, restoring sophisticated computer systems would have proven difficult, posing a significant challenge to Planeta’s operations.
Ivanti's widely used Connect Secure VPNs experienced mass exploitation by threat actors following the January disclosure of two high-severity, zero-day vulnerabilities. Researchers reported that thousands of Ivanti VPN devices were compromised, with victims including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Mitre, a significant provider of federally funded research and development. While additional vulnerabilities were later identified, Mandiant, a Google Cloud-owned cyber security firm, noted that the two original vulnerabilities saw extensive exploitation by a China-linked threat group known as UNC5221 and other unidentified groups. Mandiant's research indicated that attacks by UNC5221 dated back to December 3.
In response to the widespread attacks, CISA issued an urgent directive requiring civilian executive branch agencies to disconnect their Ivanti Connect Secure VPNs within 48 hours. On January 31, Ivanti released the first patch for some versions of its VPN software, three weeks after the initial vulnerability disclosure. The company stated that it prioritised mitigation releases while patches were being developed, consistent with industry best practices.
First disclosed on 22 February, the cyber attack on Change Healthcare caused massive disruption in the US healthcare system for weeks. In response to the ransomware attack, an IT system shutdown was initiated, preventing many pharmacies, hospitals, and other healthcare facilities from processing claims and receiving payments. The Russian-speaking cybercriminal group known as BlackCat or ALPHV claimed responsibility. UnitedHealth Group CEO Andrew Witty confirmed in his Congressional testimony in May that the company paid a $22 million ransom following the attack.
Subsequently, another cybercriminal gang called RansomHub posted data it claimed was stolen from Change Healthcare. In late April, UnitedHealth revealed that data belonging to a "substantial proportion" of Americans may have been stolen in the attack against Change Healthcare, a unit of its Optum subsidiary. Witty testified that "maybe a third" of all Americans were impacted. In June, Change Healthcare disclosed that sensitive patient medical data was exposed, potentially including diagnoses, medicines, test results, images, care, and treatment.
In part 2 we will cover the months from May up until the present day. If you are worried about any of the threats outlined in this blog or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please get in touch.