With the pandemic entering an amorphous new phase and political polarization increasing around the world, 2022 was a challenging and often perplexing year for digital security. And while hackers frequently relied on old chestnuts like phishing and ransomware, they still found new malicious options to undermine protections.
Here’s WIRED’s look back at the biggest hacks, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers of the year. If the early years of the 2020s are any indication, the digital security landscape of 2023 will be more bizarre and unpredictable than ever. Stay vigilant, and stay safe out there.
For years, Russia has unleashed vicious digital attacks on Ukraine, causing power outages, stealing and destroying data, interfering in elections, and releasing destructive malware to ravage the country’s networks. Since the invasion of Ukraine in February, though, the approach of some of Russia’s most notorious and dangerous military hackers has changed. Cunning long-term campaigns and grimly inventive hacks have largely given way to a stricter, more regimented cadence of quick incursions into Ukrainian institutions: reconnaissance, widespread destruction on the network, and then repeated re-entry, whether through a fresh breach or by retaining the old access. Russia’s strategy on the physical battlefield and in cyberspace appears to be the same: brutal bombardment that projects power and inflicts as much pain as possible on the Ukrainian government and its citizens.
Ukraine has not been digitally passive during the war, however. The country formed a volunteer “IT army” after the invasion, which, along with other actors around the world, has mounted DDoS attacks, disruptive hacks, and data leaks against Russian organizations and services.
Over the summer, a group that researchers dubbed 0ktapus (also sometimes known as “Scatter Swine”) ran a massive phishing spree, compromising nearly 10,000 accounts at more than 130 organizations. Most of the victim institutions were in the US, but there were dozens in other countries, the researchers said. The attackers primarily sent victims text messages with malicious links that led to fake authentication pages for the Okta identity management platform, which can be used as a single sign-on tool for multiple digital accounts. The hackers’ goal was to steal Okta credentials and two-factor authentication codes so they could access multiple accounts and services at once.
One of the companies caught up in the rampage was the communications firm Twilio. It suffered a breach in early August that affected 163 of its customer organizations. Twilio is a large company, so that was only 0.06 percent of its customers, but sensitive services like the secure messaging app Signal, the two-factor authentication app Authy, and the authentication firm Okta were among them and became secondary victims of the hack. Because one of the services Twilio offers is a platform for automatically sending SMS text messages, one of the knock-on effects of the incident was that the attackers were able to intercept two-factor authentication codes and breach the user accounts of some Twilio customers.
As if that weren’t enough, Twilio added in an October report that it had also been breached by 0ktapus in June and that the hackers stole customer contact information. The incident highlights the true power and threat of phishing when attackers choose their targets strategically to amplify the effect. “We are very disappointed and upset by this incident,” Twilio wrote in August.
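The lure described above is a text message carrying a link to a fake Okta sign-in page. The following triage check is an added example, not code from WIRED, Okta, Twilio, or the researchers who tracked the campaign: it pulls URLs out of an SMS body, reduces each host to the domain someone could actually have registered, undoes common digit-for-letter substitutions such as “0kta”, and flags hosts or paths that mention a monitored brand without sitting on that brand’s real domain. The allowlist, the lookalike map, the tiny public-suffix table, and every sample message are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Brands to watch and the domains that legitimately host their login pages.
# Only Okta is taken from the text; the allowlist itself is an assumption and
# a real deployment would load the organisation's own list.
LEGIT_DOMAINS = {
    "okta": {"okta.com"},
}

# Characters attackers swap in so a brand stays readable ("0kta") while
# escaping naive string matching. Mapping is an assumption; extend as needed.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a"})

# Two-label public suffixes the naive registrable-domain split must keep
# intact. Deliberately tiny; production code should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Matches http(s) URLs and the bare "host/path" form common in SMS lures.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?",
                    re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the part of the host someone could have registered (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(text: str) -> str:
    """Lower-case and undo common digit-for-letter substitutions."""
    return text.lower().translate(LOOKALIKES)


def classify_url(url: str) -> dict:
    """Label a URL 'legit', 'lookalike' or 'unknown' against LEGIT_DOMAINS."""
    url = url.rstrip(".,;:!?)")           # trailing sentence punctuation
    if "://" not in url:
        url = "http://" + url             # bare host/path matched by the regex
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    result = {"url": url, "host": host, "registrable": reg}
    for brand, legit in LEGIT_DOMAINS.items():
        if reg in legit:
            return {**result, "brand": brand, "verdict": "legit",
                    "reason": "registrable domain is on the allowlist"}
        if brand in normalise(host):
            return {**result, "brand": brand, "verdict": "lookalike",
                    "reason": f"host mentions {brand!r} but {reg!r} is not an allowed domain"}
        if brand in normalise(parts.path):
            return {**result, "brand": brand, "verdict": "lookalike",
                    "reason": f"path mentions {brand!r} on a domain that is not {brand}'s"}
    return {**result, "brand": None, "verdict": "unknown",
            "reason": "no monitored brand referenced"}


def analyse_sms(message: str) -> list:
    """Classify every URL found in one SMS body."""
    return [classify_url(m.group(0)) for m in URL_RE.finditer(message)]


if __name__ == "__main__":
    # Constructed sample messages; not real lures from the campaign.
    samples = [
        "Your Okta session has expired, sign in again: https://acme-okta.com/login",
        "Schedule update posted. Review at https://acme.okta.com/app/",
        "Action required: verify your account at sso.acme-0kta.net/verify now",
        "Team lunch moved to noon https://calendar.example.org/x",
    ]
    for sms in samples:
        for hit in analyse_sms(sms):
            print(f"{hit['verdict']:9} {hit['host']:22} {hit['reason']}")
```

The check deliberately reasons about the registrable domain rather than the full host: `acme.okta.com` is a tenant subdomain of the real provider, while `acme-okta.com` is a domain anyone can register. A verdict of `unknown` is not a clean bill of health, only the absence of a brand signal; pairing this with the origin-bound second factors the campaign could not phish (hardware keys or platform authenticators) does more than any URL heuristic.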
In recent years, governments around the world and the cybersecurity industry have increasingly focused on countering ransomware attacks. Despite some progress in containment, ransomware gangs were still on the rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialized in both categories and this year focused its attacks on the education sector. The group had a particularly memorable run-in with the Los Angeles Unified School District in early September, in which the district ultimately took a stand and refused to pay the attackers even as its digital networks went down. LAUSD was a high-profile target, and Vice Society may have bitten off more than it could chew, given that the system includes more than 1,000 schools and roughly 600,000 students.
Meanwhile, in November, the US Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services issued a joint warning about a Russia-linked ransomware group and malware developer known as Hive. The agencies said the group’s ransomware had been used to attack more than 1,300 organizations around the world, netting about $100 million in ransom payments from victims. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors,” the agencies wrote, “including government facilities, communications, critical manufacturing, information technology, and especially healthcare and public health.”
In early 2022, the Lapsus$ digital extortion gang went on a hacking spree, stealing source code and other sensitive data from companies including Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples in apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March it compromised a contractor with access to Okta’s ubiquitous authentication service. The attackers appeared to be based primarily in the United Kingdom, and British police arrested seven people in connection with the group in late March and charged two in early April. In September, however, the group roared back to life, ruthlessly breaching the ride-share platform Uber and apparently the Grand Theft Auto developer Rockstar Games as well. On September 23, British police said they had arrested an unnamed 17-year-old in Oxfordshire who appears to be one of the individuals previously arrested in March in connection with Lapsus$.
The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that its cloud storage breach in August led to a further incident in which hackers targeted a LastPass employee to obtain cloud storage credentials and keys. The attackers then used that access to steal encrypted vaults of some users’ passwords, the files containing customer passwords, along with other sensitive data. The company also said that some source code and technical information was stolen from its development environment during the August incident.
LastPass CEO Karim Toubba said in a blog post that in the later attacks, hackers compromised a backup that contained customer password vaults. It is not clear when the backup was made. The data is stored in a “proprietary binary format” and contains both unencrypted data, such as website URLs, and encrypted fields, such as usernames and passwords. The company did not provide technical details about the format. Even if LastPass’s vault encryption is strong, attackers will try to break into the trove by guessing the “master passwords” users set to protect their data. A strong master password may make that infeasible, but weak master passwords are at real risk. And because the vaults have already been stolen, LastPass users cannot stop these offline brute-force attacks by changing their master password; the copy in the attackers’ hands is sealed with the old one. Instead, users should confirm that two-factor authentication is enabled on as many of their accounts as possible, so that even if passwords stored in the vault are recovered, attackers still cannot log in with them alone. And LastPass customers should consider changing the passwords on their most valuable and sensitive accounts.
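The paragraph above rests on one property of any password-manager vault: the key is derived from the master password, so whoever holds the encrypted file can guess master passwords offline at whatever speed the key-derivation function allows, and changing the master password afterwards does nothing to the stolen copy. The toy vault below is an added example written for this page; it is not LastPass code and does not reproduce its format, which the text says is proprietary and undocumented. PBKDF2-SHA256 is a common choice for this kind of stretching and is used here as a stand-in; the SHA-256 counter-mode keystream, the HMAC tag, the iteration count, and the sample secrets and wordlist are all assumptions made so the demonstration runs offline in a few seconds.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Toy vault: PBKDF2-SHA256 derives a key from the master password; a SHA-256
# counter-mode keystream stands in for the real cipher; an HMAC tag lets the
# legitimate client (and therefore an attacker) recognise the right key.
# Even without a tag the attacker could check guesses against the structured
# plaintext, since the unencrypted URLs sit beside the encrypted fields.
# None of this is LastPass's format, which the text notes is undocumented.


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key (the slow step)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream; illustrative only, not for real data."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password: str, plaintext: bytes, iterations: int,
                  salt: Optional[bytes] = None,
                  nonce: Optional[bytes] = None) -> dict:
    """Produce the blob an attacker would steal: everything but the password."""
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(12)
    key = derive_key(master_password, salt, iterations)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def try_master_password(vault: dict, guess: str) -> Optional[bytes]:
    """Return the decrypted vault if `guess` is the master password, else None."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    tag = hmac.new(key, vault["nonce"] + vault["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(tag, vault["tag"]):
        return None
    stream = _keystream(key, vault["nonce"], len(vault["ciphertext"]))
    return _xor(vault["ciphertext"], stream)


def crack(vault: dict, wordlist: List[str]) -> Optional[Tuple[str, bytes]]:
    """Offline dictionary attack: the only cost per guess is the KDF."""
    for guess in wordlist:
        plaintext = try_master_password(vault, guess)
        if plaintext is not None:
            return guess, plaintext
    return None


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Rough single-core guess rate for a given PBKDF2 iteration count."""
    salt = bytes(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample vault contents and wordlist; not real data.
    secrets = b"url=https://mail.example.test user=alice pass=hunter2"
    weak = encrypt_vault("password123", secrets, iterations=1000)
    strong = encrypt_vault("a long passphrase nobody has on a wordlist", secrets,
                           iterations=1000)
    wordlist = ["123456", "letmein", "qwerty", "password123", "iloveyou"]

    print("weak  :", crack(weak, wordlist))    # recovered on the 4th guess
    print("strong:", crack(strong, wordlist))  # None: not in the wordlist
    for iters in (1000, 100_000):
        rate = guesses_per_second(iters)
        print(f"{iters:>7} iterations: ~{rate:.0f} guesses/s on this core")
```

Two things in the output are the practical lesson. First, `crack` succeeds or fails purely on whether the master password is in the attacker’s wordlist; nothing about the vault’s cipher strength enters into it, which is why the advice above centres on master-password quality and on changing the passwords inside the vault rather than the master password itself. Second, `guesses_per_second` shows that the iteration count is the only brake the defender controls: every tenfold increase costs the attacker tenfold more per guess, and a vault encrypted under a low count years ago stays cheap to attack no matter what the setting is today.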