Appalachia Technologies Blog
2021 Year in Review - Significant Cybersecurity Events
The year is 2021. We don’t have flying cars or robot maids, but nearly 5 billion souls worldwide are now connected to the Internet and to each other. This is a beautiful thing and a remarkable feat of human ingenuity. However, every rose has its thorn (to borrow from the great post-modern philosopher Bret Michaels), and to those of us who work in cybersecurity, 2021 was thornier than ever.
Here is Appalachia’s 2021 Cybersecurity Year in Review!
1) The Colonial Pipeline Hack. This pipeline serves as an “Achilles heel” for the U.S., in that it is a vital part of our national infrastructure for both economic and national security reasons. When it comes to energy infrastructure, there are four main ways for hackers to attack – the Market Systems (responsible for buying and selling), Energy Management Systems, Substation Automation Systems, and SCADA (Supervisory Control and Data Acquisition) systems. In the case of Colonial Pipeline, it was the market systems that were compromised, which interrupted the ability of Colonial Pipeline to buy and sell energy. This is (informed) speculation, but this hack may have been a shot across America’s bow, rather than just an attempt to extract money from Colonial Pipeline.
2) SolarWinds. This one gets a nod for both the sophistication and the sheer brazenness of it. Russia compromised SolarWinds itself and then used them to distribute malware on Russia’s behalf, and in so doing gained access to some well hardened, high-value targets. Despite their problems, Russia has always done a superb job of educating its citizens in STEM fields, and it shows. If Russia (or China) wanted to shut down our power grids, it is highly likely they would succeed in doing so.
3) Hacker steals government ID database for the entire population of Argentina. This one did not get a lot of news coverage in the U.S., at least not among people who do not work in cybersecurity. That hack is reminiscent of the 2013 OPM (Office of Personnel Management) breach that happened in the US about 10 years ago. In both cases, there was a massive exfiltration of PII (Personally Identifiable Information) --- but in the case of Argentina, it was the entire population. Whether we like it or not, at this particular juncture in history, it is highly likely that your identity will get stolen at some point. We are all stuck in proactive mode and being reactive just is not enough. I wrote a comprehensive blog about identity theft here.
4) JBS Foods Hack. According to Bleeping Computer, “JBS is currently the world's largest beef and poultry producer and the second-largest global pork producer, with operations in the United States, Australia, Canada, the United Kingdom, and more.” In May JBS was hit with a ransomware attack which caused them to halt operations in North America and Australia.
According to a press release by JBS USA, “On Sunday, May 30, JBS USA determined that it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems. The company took immediate action, suspending all affected systems, notifying authorities, and activating the company's global network of IT professionals and third-party experts to resolve the situation. The company’s backup servers were not affected, and it is actively working with an Incident Response firm to restore its systems as soon as possible.”
For the most part, this was an unremarkable incident, in that JBS was an obvious target and appears to have had an incident response plan in place. However, this one gets a mention here because it had a direct impact on ordinary working-class consumers who probably had no idea this company even existed.
5) The DoD Downgrades the CMMC (Cybersecurity Maturity Model Certification). America has a very serious problem with the theft of military technology from our massive defense base, at least half of which are small family-owned companies. First came CMMC 1.0, which was a robust, thoughtfully conceived step towards addressing a very serious economic and national security problem. Initially, the CMMC was marshaled by the hard-charging, take no prisoners Katie Arrington. Katie was fired, and within a few months, the cloddish CMMC 2.0 was released. Now we are back to where we started, with China and Russia treating American companies as a free shopping mall for intellectual property. I wrote extensively of my disdain for CMMC 2.0 here.
6) Kaseya VSA Exploit Ransomware. Kaseya VSA is software that IT and MSP (Managed Services Provider) companies use to manage the computers and networks of their clients, so this hack ultimately affected thousands of businesses who rely on outside technical expertise.
Like SolarWinds, Kaseya is a well-hardened target, and this goes to show that we must respect our adversaries' capabilities. Furthermore, this attack was pulled off using what we call a “zero-day” exploit. A “zero-day” exploit takes advantage of a security flaw that is known only to the attackers, or at least NOT yet known to the public, so no patch exists for it at the time it is used. Nation-states have been known to sit on zero-day exploits so that they can be used against other nation-states. If you happen to discover a good enough zero-day exploit, you can fetch a six-figure sum for it in both legal and illegal ways.
The takeaway from the Kaseya exploit is Response and Recovery. You can do everything “right” and still get hacked – which is why you need an Incident Response Plan as well as a Recovery Plan. Think of your network as being like a house on the coast of Florida – someday the storm WILL come, it is just a matter of when. You must prepare when the seas are calm -- not wait until the sky turns to mud.
7) FBI’s Own E-mail Server Hacked, Used to Send SPAM. One would think that the FBI’s own e-mail servers are “impenetrable” but the fact is any computer system can be penetrated, especially if it is connected to the Internet. Publicly available information about this hack suggests that it wasn’t even the FBI that first noticed the problem, but rather the international non-profit organization Spamhaus.
According to Bleeping Computer, “The messages came from a legitimate email address - - which is from FBI’s Law Enforcement Enterprise Portal (LEEP) and carried the subject ‘Urgent: Threat actor in systems.’” All emails came from the FBI’s IP address 153.31.119.142 (mx-east-ic.fbi.gov), according to Spamhaus.
I polled the staff of Appalachia for ideas for this article, and within 10 minutes I had several dozen excellent suggestions, so here are a few honorable mentions to close out our 2021 list:
- MS Exchange Proxylogon flaw
- Western Digital MyCloud 0 day
- Rampant COVID Unemployment Scams
- Experian API Credit disclosure SNAFU
- Twitch Data Dump
- CNA Ransomware
- Ireland’s Health Care System Shut Down
- Widespread Security Flaws Found in Hotels’ Guest Wi-Fi Systems
- MLB Hacked by Pirate Site Operator
- Kronos Ransomware Attack Impacts Employees’ Paychecks
- Massive Comcast Outage Impacts Customers Nationwide
- HBO Max Email SNAFU (This one is just plain funny.)
We could easily go on here, but you get the point – 2021 was one thorny year for cybersecurity. Hopefully 2022 will offer a few more roses and a few less sad, sad songs. Now that would be “Something to Believe In.”
Jason McNew
Senior Engineer, Cybersecurity Risk and Compliance, Appalachia Technologies
Jason McNew is a CISSP and a CMMC RP (Registered Practitioner). Jason, a United States Air Force veteran, holds a Master’s degree from Penn State University in Information Sciences, Cyber Security and Information Assurance, in addition to a Bachelor of Science and two Associate of Science degrees. Penn State’s Cyber Security program has been reviewed and endorsed by the National Security Agency (NSA) and the Department of Homeland Security (DHS). He also worked for the White House Communications Agency from 2003 until 2015. In 2017 he founded Stronghold Cyber Security, which was acquired by Appalachia Technologies in 2020.