With 2023 right around the corner, we at CyberMaxx wanted to recap some of the big events that happened in 2022.
Threat actors continue to get smarter and find ways to cause chaos for organizations, but, it’s not all doom and gloom as the good defenders stay one step ahead with people, processes, and technology to help organizations avoid becoming the victim of a breach.
Russia’s Cyber-attacks on Ukraine
Starting the year off, the world saw the Russian state-sponsored cyber operations deploy DDoS, SMS spam campaigns, wiper malware, air traffic control attacks, and Sandworm malware on Linux systems.
Not stopping there, Russia also utilized phishing emails on Ukrainian military personnel, the Conti ransomware gang, and a two-component malware called FoxBlade for DDoS attacks.
The list continues extensively through the year as the Russian and Ukrainian war has now escalated into a full-on war.
Healthcare is Still a Top Target (And Probably Always Will Be)
The healthcare industry continues to be a top target for cybercriminals with 849 incidents where 571 of those resulting in data exposure (Verizon DBIR 2022 Report).
Healthcare also remains at #1 for the most costly data breaches among all industries reaching $10.10 million this year and expected to grow year over year for the foreseeable future. (IBM cost of a data breach)
The list is extensive for individual organizations that were affected by cyberattacks this year so we will only go over a few in no particular order:
- Eye Care Leaders (ECL) – ECL experienced the largest and most headline-grabbing breach reported this year with approximately 3.6 million patients affected. There was plenty of drama associated with this ransomware attack because of the timing in which the vendor reported the attacks. Several providers filed a lawsuit against the practice management system vendor for “concealing” multiple ransomware attacks and related outages. ECL reported to providers impacted, but not until after the 30-day timeframe required by HIPAA, causing many patient led lawsuits.
- Advocate Aurora Health – In late October, Advocate Aurora reported the disclosure of protected health information to Google and Facebook because of the use of Pixels on their patient portals, website, and applications. The pixels have been removed but not before almost 3 million patients’ IP addresses, insurance information, proxy names, locations, procedure types, and appointment times were leaked. Advocate Aurora is currently defending itself against multiple class action lawsuits in the wake of the Pixel outcome.
- Connexin Software – Pediatric electronic medical records and practice management software vendor, Connexin Software, experienced a network hack and data theft in early December that affected 119 provider offices and some 2.2 million patients. The threat actor gained access to offline patient data used for troubleshooting and removed it from the network. Data stolen includes: names, contact details, SSNs, guarantor names, parent or guardian names, dates of birth, highly specific health insurance information, treatments, procedures, diagnoses, prescriptions, provider names, medical record numbers, and billing and/or claims data.
Additionally, this year saw an increase to 90% of the 10 biggest healthcare breaches that were a result of third-party vendors being infiltrated.
This is on trend with 2021 where vendors were responsible for 60% of the 10 largest healthcare breaches. There is an obvious need for organizations to revisit relationships and contracts with vendors to assess security measures and how these third parties are protecting themselves from potential breaches.
Cyber Insurance Rates Reach New Heights
Insurance rates are increasing dramatically as well with one report showing a 24.5% increase in Q1 of 2022 adding onto 2021 Q4’s 74% increase.
The drastic increase in premiums is due to many factors, but the most glaring is the increase in ransomware attacks and the claims made to payout the ransom causing loss ratios for insurance companies.
Cyber insurance underwriters are now more cautious when assessing risk for insureds and will continue to thoroughly review internal security controls and cyber risk procedures.
One positive outcome for the security industry is that insurance providers are requiring that companies either have an in-house MDR solution in place or an outsourced partner to help defend their networks and devices. Without these measures, insurance companies are denying requests for new policies until these steps are taken.
Google Blocks DDoS Attack in June
On June 1st, a Google Cloud Armour customer endured a DDoS attack over HTTPS that peaked at 46 million requests per second (RPS).
This is considered the largest amount of blocked RPS to date being 80% more than the previous record which was 26 million RPS. The attack was 69 minutes and the operations ran according to plan because the customer had already deployed the recommended rule.
Even though the DDoS attack lasted over an hour, the speed at which the requests were sent is impressive. Starting at just 10,000 RPS on the victim’s load balancer, eight minutes later Google Cloud Armour Protection began sending alerts and signals when the load jumped to 100,000 RPS. Two minutes go by and the attack peaked at 46 million RPS and slowly dwindled over the next hour.
Google employees stated that the attackers were not getting the desired outcome and spending more to execute than they were gaining. The malware has not been identified yet but there are signs that point to Mēris botnet that was responsible for other DDoS attacks with close to record RPS.
Google Becomes a Security Player with Mandiant
Although Google Cloud Platform (GCP) was considered to be one of the big three cloud providers, it was in a distant third place after AWS and Microsoft Azure.
Now with the $5.4 billion acquisition of Mandiant, Google looks to become an even bigger player in the security space. GCP looks to combine its already existing security portfolio with Mandiant’s cyber threat intelligence to give it a new more bolstered position for cloud offerings.
Conti Cybercrime Group
The cybercrime group, Conti, attacked Costa Rican healthcare organizations and national businesses with ransomware.
Early in the year on April 15th, the Conti group of cybercriminals deployed its first attack on Costa Rica. The initial attack was on the Ministry of Finance, where the group gained access over a VPN connection using stolen credentials from an installed malware.
From there, a Conti operator gained access to every host on Costa Rica’s interconnected networks, uploaded 672GB of data, and executed ransomware.
The ransom amount was $10 million and came with the threat of attacking the rest of Costa Rica’s ministries if it wasn’t paid.
Costa Rica refused to pay and Conti kept the promise and continued the attacks on the following agencies:
- The Administrative Board of the Electrical Service of the province of Cartago (Jasec)
- The Ministry of Science, Innovation
- Technology and Telecommunications
- The Ministry of Labor and Social Security (MTSS)
- The National Meteorological Institute (IMN)
- Radiographic Costarricense (Racsa)
- The Interuniversity Headquarters of Alajuela
- The Social Development and Family Allowances Fund (FODESAF)
- Costa Rican Social Security Fund (CCSS)
The attacks led to disruptions costing millions of dollars for Costa Rican businesses, healthcare systems, and government agencies.
On May 8th, Costa Rican President declared a national emergency but 11 days later Conti leaders started to disband. The Conti negotiation and news website was down along with chatrooms, servers and proxies began to go offline.
By late June, the data leak site was removed and Conti’s operations were declared dead. The cybercriminal group Conti has since rebranded under several different names but has left its mark, proving that a cyber gang can execute country-wide extortion.
Other Notable Statistics
- Ransomware breaches (outside of healthcare) cost businesses an average of $4.62 million. (Varonis)
- Approximately sixty percent of data breaches are caused by stolen credentials. (Comparitech)
- A breach lifecycle goes undetected for 200 days and takes 77 days to become contained on average
- Nearly half (43%) of all cyber-attacks are specifically targeted at small businesses. (Dataprot)
- Mega breaches (involving $50 million to $65 million records) cost an average of $401 million. This figure is significantly higher than previous estimates and highlights just how costly these types of incidents can be. (Varonis)