The key word here is ‘significant’. It would be easy to classify hacks according to how many people were compromised, but that is only one factor in determining if a hack is significant or not. Other factors must include the value of the information stolen or compromised, the uniqueness of the mode of attack, and the possibility of leveraging the attack to a more serious level. With all of these criteria in mind, here are my top 10 choices for the most significant attacks of 2015.
10. Car Hacks
A variety of car hacks took place this year and indications are that they will become more common and more destructive in years to come, especially as the number of driverless cars begins to increase. Security expert Samy Kamkar showed how an app connected to the GM OnStar system could be hacked. He was able to locate cars with this system and then open the doors and remotely start them. He was also able to intercept communications between the app and the cars to gain access to the users’ accounts. Other hackers have been able to take control of a car’s brakes, steering, and entertainment systems. Though some have downplayed such attempts, the future for such hacks looks better every day.
9. The Scottrade Hack
This attack was significant in the manner in which it used stolen information to manipulate the stock market. Once the attackers had information on individual investors’ accounts, they tricked them into investing money into companies that the attackers had previously purchased stock in, usually at a low price. The sudden surge in interest in these companies led to their share prices rising, at which point the attackers sold their shares and cashed in. Scottrade announced this hack in October, but it had apparently been going on for at least two years. The same criminal group had already launched similar attacks against JPMorgan Chase and Etrade. Although more money-making angles were bundled into these hacks, it was the manipulation of stocks through false, often spammed, information that made this hack significant.
8. The T-Mobile/ Experian Hack
15 million T-Mobile customer accounts were compromised through their credit checking partner, Experian. It was interesting how Experian tried to downplay the seriousness of the breach.
“Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile’s own credit assessment were accessed. No payment card or banking information was obtained.”
Whew! That’s a relief. They didn’t access credit card data but enough information to make credit cards, bank accounts, IRS returns, etc. in the victim’s name for the rest of their lives.
What makes the hack significant is that the attackers bypassed the company itself and got all the information they needed from a partner. Experian has information on over 200 million people. Why was T-Mobile the only company affected? Could more undiscovered breaches be out there? Experian stated that T-Mobile information was stored on a separate server. Was this server protected differently, to a lower standard, than the servers which hold information from other customers? The T-Mobile server was protected with encryption, which did not deter the attackers. The bad news? T-Mobile continues its partnership with Experian.
7. The Ashley-Madison Hack
Okay, I’m going to finally have to acknowledge this hack, even though there was nothing particularly novel about the way this people-seeking-affairs dating site was hacked. What was significant was the amount of media attention the hack received. The hack itself was more of a hacktivist/extortion attack. The attackers, The Impact Team, appeared to be upset by the Ashley-Madison business model, which charged people money to have their accounts completely deleted… and then did not completely delete them. They were also angry that some female accounts seemed to be created by the company. Some female accounts? It was found that only 0.2% of females who were said to have accounts ever actively used them. In short, men were being scammed. While many far more serious cyber attacks went unnoticed, this one captured the headlines for weeks. I suppose there’s some lesson about human nature here.
6. Banking Hacks: The Carbanak Hack
The banking and financial sector saw the greatest increase in the number of reported attacks in 2015, up 84% from 2014. Of all of these hacks, the Carbanak malware attack was the most innovative and most dangerous. The group behind the Carbanak malware is said to have stolen between $500 million and $1 billion from banks and individual customers all over the world. The attack begins with a phishing email to someone on the bank network, who is usually an employee. The malware then sits in the network and observes how transactions occur. This is done so that, when the time is right, the attackers can emulate a legitimate transaction without attracting any attention. They never steal more than $10 million from any one bank so as to keep under the radar. They can manipulate individual accounts by pumping money into them and then transferring it to their own accounts. Since the original balance is not affected, it usually doesn’t attract attention. One of the more unique aspects of Carbanak is its ability to make ATMs pump out money to a waiting accomplice, apparently without a bank card ever being used. The massive financial damage done by this attack and the complexity of its architecture make it one of the most significant attacks of the year.
5. The Android Bug
This was a bug that targeted Android devices… up to one billion of them. It used a hole in the code to take remote control of any Android device. The attacker could use an MMS or text message to take over the device, even if the device owner didn’t open the message. This means that all the attacker needed was the user’s telephone number. Although Google patched the initial vulnerability, the bug persists with different modes of attack. Researchers claim that “nearly every Android device is susceptible to the bug”. This means that any company or institution that allows Android endpoints to access their networks is in jeopardy of an attack launched through such endpoints. The potential of such a widespread mode of attack makes this one of the most significant bugs of 2015.
4. The John Brennan Hack
Though more of a social engineering attack than an attack that required technical skills, it was significant in that it proved once and for all that anyone can be fooled. Say what you want about the value of what the attackers got from hacking into Brennan’s email, this is the head of the CIA we’re talking about. They also broke into an email account belonging to Homeland Security Secretary, Jeh Johnson. For sheer embarrassment, this was one of the most significant hacks of the year. You have to wonder whether either of these guys fully understands the nation’s cyber security over which they have ultimate control.
3. The Hacking Team Hack
This hack was significant because one group of hackers was able to hack another team of hackers. It was also significant in that it highlighted the growing use of hacktivism – hacking for ideological purposes. You see, the Hacking Team was famous, or infamous, for selling surveillance software to repressive governments around the world, something the Hacking Team repeatedly denied doing. The hack exposed who the Hacking Team clients really were and what they were really selling. Many of their clients were repressive governments, but others were governments not known to be repressive, which may not make them look good in all of this. The point is that enough people in the cyber community were angered by the Hacking Team’s business model to put them out of business. Call it cyber vigilantism. Unlike Anonymous, which mainly relies on DDoS attacks on groups it doesn’t agree with, this was a true hack which not only disrupted their business, but actually ended it.
2. The Kaspersky Hack
Worse than being a hacking group that gets hacked is being a cyber security firm that gets hacked. This is what happened to Kaspersky back in June. “It was complex, stealthy, it exploited several zero-day vulnerabilities, and we’re quite confident that there’s a nation state behind it.” This attack was designed to gather information on Kaspersky’s technology. It was a complex design. “The thinking behind it is a generation ahead of anything we’d seen earlier.”
Kaspersky claimed that no damage was done, and, I suppose, we’ll have to take their word for that. What else could a security company say? However, the malware did manage to get on their network and was positioned to steal information. Kaspersky, in fact, tried to put a positive spin on the attack by stating that the attackers have “now lost a very expensive technologically advanced framework they’d been developing for years.” Yeah, okay.
The attack was significant in that it emphasizes the fact that no one and no company is safe from cyber attacks. If one of cybersecurity’s most respected firms can be breached, then what does this say about everyone else? In short, if someone really wants your information and has the resources, they will get it.
1. The Office of Personnel Management (OPM) Attack
What else can you say about an attack that jeopardized every branch of the US government? Though first reported in June of this year, the attack actually began in 2013 when the attackers broke into OPM’s network and stole some manuals. This didn’t seem like much at the time, but these manuals gave the attackers the information about the architecture of the network that would guide them to the more interesting material that they would steal later. Shortly after this initial breach, the attackers broke into the networks of USIS and a contractor called KeyPoint Government Solutions. Both agencies conduct background checks on national security workers. The path to the OPM’s sensitive records likely began with these agencies. The attackers began taking personal information about government workers from OPM in May of 2014, but this went unnoticed for over a year. Through the rest of 2014, OPM maintained that they had detected some suspicious activity on its networks but that no personal information was compromised. They did, however, cut ties with USIS. KeyPoint breaches were also disclosed.
OPM continued to be in denial until June of this year when they did, finally, admit they were hacked and had lost control of the personal information of 4.5 million current and former employees. That number has since been increased to 21.5 million. Despite these devastating losses, a recent audit found that OPM continues to be vulnerable to more attacks (see my post, Latest OPM Audit Finds it Vulnerable to More Attacks). According to some reports, the Chinese hackers want to build a database on all government workers and possibly on all Americans. Since this is the same group that may have stolen the personal data of 80 million Anthem insurance customers (an attack that would have made this list if insurance company attacks were not so routine), the attackers seem well on their way to attaining their goals. The real problem here, and one that makes this attack the most significant of anything we’ve seen this year, is that these attackers may have used OPM as a platform to infiltrate other, if not all, government agencies. In other words, national security may have been, and may still be, compromised. This is something we may learn about in the new year.
I’ll be giving my predictions for 2016 in my next post.