Insecure in ‘24: A look back at a grim year in cyber

The ‘worst ever,’ the ‘biggest’ and the ‘mother of all’ breaches all happened this year


So farewell then 2024. You’ve been quite the year for superlatives, but not in a good way. You brought us the worst ever telecom hack, the biggest IT outage and the mother of all breaches. Can’t say we’re going to miss you. Roll on 2025.

Tech as target

A tough infosec year for many tech companies began with the revelation that state-backed Russian hackers had successfully infiltrated Microsoft's corporate email system, gaining unauthorised access to the accounts of senior company leaders. This was just the latest in a string of high-profile incidents at the company.

Later a damning report by the US Cyber Safety Review Board found a “cascade of errors” and security failures at Microsoft. The company, which is undergoing a major security overhaul, has vowed to tie executive pay to its goals in this area.

Other companies that will be glad to see the back of 2024 include Ivanti, which at one stage seemed to be in the news every week after yet another critical flaw in its firewalls and VPNs was discovered. Several of these flaws were exploited by threat actors.

Another regular was Fortinet, which has had a busy year fixing holes in its security appliances and SIEM platform. Meanwhile remote access firm TeamViewer attracted predictable but unwelcome attention from Russian hackers; Cisco patched numerous holes including one in Secure Email Gateway (SEG) that could grant attackers complete control over vulnerable systems; and Dell notified customers after a data breach compromised information of nearly 49 million users.

There were plenty of others too, of course. The lesson here is that companies that are meant to protect us are prime targets for ne’er-do-wells. Unfortunately, some are not above a spot of ne’er-do-welling themselves, a case in point being Avast, which was fined for unlawfully harvesting and selling customer data without consent.

Image: Whoopsie-daisy

But for sheer disruptive impact these bungles all pale into insignificance compared with CrowdStrike’s record-breaking boo-boo in July, which singlehandedly brought the term BSOD back into fashion.

Around the world (with the notable exception of China, which largely eschews both Microsoft and CrowdStrike), hundreds of thousands of hospitals, banks, airlines, train companies, broadcasters and other businesses experienced OS crashes and the infamous blue screen of death.

The culprit was a dodgy update to CrowdStrike Falcon, which caused a boot loop on any Windows machine running it. CrowdStrike is now caught in a sue-loop, playing a game of claim and counter-claim with disgruntled customers. Meanwhile the world is left wondering, not for the first time, whether it’s such a great idea to be so dependent on a small number of big tech companies.

Breaches and leaks

Image: The MOAB

The CrowdStrike incident may have been the world’s largest IT outage, but it wasn’t the only incident to have journalists reaching for superlatives. Researchers discovered a “supermassive” 12TB hoard, dubbed the Mother of all Breaches, containing tens of billions of records culled from numerous attacks on sites, apps and databases.

England’s beloved water industry was hosed by hackers again, including by the Black Basta ransomware group, which claimed to have stolen gigabytes of data from Southern Water, including passport scans, ID cards and personal information.

In the face of threats to critical national infrastructure, it was not comforting to find that some of nearly-bankrupt Thames Water’s critical systems still rely on Lotus Notes software from the early 1990s, which hasn’t been supported for years. Too busy with financial engineering to modernise them, no doubt.

Medical facilities are a soft target, and in March the INC Ransom group stole 3TB of data from NHS Dumfries and Galloway, publishing sensitive information on the dark web when the ransom was not paid.

Image: NHS supplier hit by ransomware

In June, another Russian ransomware-as-a-service group called Qilin targeted Synnovis, a private company responsible for medical testing for the NHS. Hospitals were forced to cancel operations, tests, and even blood transfusions in several London boroughs, and the disruption continued for months.

And towards the end of the year services in Merseyside were hit, including the Wirral University Teaching Hospital, where staff were forced to resort to pen-and-paper methods, Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust, which manages one of Europe's busiest paediatric hospitals. The INC Ransom group leaked samples of patient data as it attempted to extract a ransom.

Meanwhile the Police Service of Northern Ireland (PSNI) decided to cut out the middleman and leak data themselves, mistakenly publishing a spreadsheet containing the data of its entire workforce in response to a FoI request – and landing the force with a hefty fine.

Local government is another sector with a broad attack surface, and in April it was Leicester City Council’s turn to play unwilling host to INC Ransom’s malware.

Educational establishments also find it hard to defend themselves, and are frequently targets of extortionists and hacktivists. A study by regulator Ofqual found that more than a third of schools and colleges in England had experienced a cyber incident during the last academic year.

Image: Hackers hit seats of learning

February saw a DDoS attack on Cambridge University, leaving hundreds of researchers and staff unable to access important systems for weeks. Wolverhampton and Manchester universities were also attacked around the same time by the same group, which calls itself Anonymous Sudan but is apparently based in – you guessed it – Russia.

In September a ransomware attack by Rhysida disrupted several schools in Lancashire. Data was later found to have been leaked onto the dark web, presumably after the £1.2 million ransom demand was unmet.

A ‘clearly widening gap’

No doubt stories like these were behind the decision of the National Cyber Security Centre (NCSC) to offer a free cyber defence service to UK schools to protect against online threats.

The agency also joined forces with three prominent insurance associations to offer a framework organisations can use to make more informed decisions in the event of a ransomware attack.

In December, NCSC’s new head Richard Horne warned that “hostile activity in UK cyberspace has increased in frequency, sophistication and intensity,” and that there is a “clearly widening gap between the exposure and threat we face, and the defences that are in place to protect us.”

This was just the latest in a series of warnings by NCSC, which is a branch of intelligence agency GCHQ and which started the year with a notice that AI would exacerbate the ransomware menace.

NCSC CTO Ollie Whitehouse took aim at security products, saying that the industry lacks a strong incentive to produce more secure products. “We know how to design and build resilient, secure technology. We just need a market that supports and rewards it,” he said.

NCSC’s concerns about the country’s defensive posture were backed up by a report by the Department for Science, Innovation and Technology (DSIT) which revealed alarming statistics about the state of cybersecurity preparedness among UK businesses.

Ministry of Defenceless

Image: This isn’t great

Maybe DSIT should have wandered down the corridors of Whitehall to have a word with the MoD. Of all the government bodies you’d have hoped would have its cyber-house in order, that would be the one. Unfortunately though, the Ministry of Defence was found to have by far the worst protected IT systems of any Whitehall department, with 11 "red-rated" systems.

In May, it emerged that an IT contractor for the department was breached, compromising the data of hundreds of thousands of current and former military personnel.

And in December, passwords belonging to nearly 600 MoD employees were stolen and leaked onto the dark web.

Another organisation one would hope would take cybersecurity seriously is Sellafield, the world’s largest store of radioactive waste. Alas, the site’s networks were found to be as leaky as hopefully its containment vessels aren’t, and the company was fined for a string of failures.

Image: Worst telecom hack in history

The UK is far from alone in feeling the pressure, of course. Ukraine continues to suffer daily attempts to take out its infrastructure, and the Salt Typhoon attacks on at least eight telecoms companies in the US (and many more elsewhere) were described as the worst telecom hack in US history by one senator, with Chinese hackers apparently listening in on calls and intercepting communications in real time for many months. China has denied this.

And the Internet Archive, which maintains the invaluable Wayback Machine at archive.org, was laid low by a DDoS attack.

LockBit takedown

Image: LockBit locked

But it wasn’t all one-way traffic. In February an international coalition of law enforcement agencies trumpeted their takedown of the notorious LockBit ransomware gang, obtaining troves of data and identifying its leader as 31-year-old Dmitry Yuryevich Khoroshev. Khoroshev remains at large, presumably in Russia, but in October four suspected members or affiliates of the gang were arrested in the UK, France and Spain. At the same time 15 Russian nationals involved in Evil Corp, a cybercrime group closely linked to LockBit, were sanctioned.

Supply chain attacks continued to be a menace in 2024. Bank of America suffered a breach of customer records in February after LockBit attacked one of its suppliers. And software repositories such as PyPI and npm remain a target for those seeking to get their malicious code incorporated into others’ software. Meanwhile, while awareness of mitigating measures such as SBOMs is growing, there remains a gap between awareness and practice.

Linux, the operating system that runs on the majority of the world’s servers, almost became host to a backdoor thanks to a malicious version of a module present in most major distributions, which had passed initial security tests before being discovered; later in the year a critical SSH flaw re-emerged.

Blame game

Insurer Howden reckons that UK businesses have lost £44 billion over the past five years as a result of cyberattacks.

Image: The problem of burnout

Many businesses lack even basic cybersecurity measures, and some struggle to employ the required skills. Meanwhile those that are employed in a defensive role can be prone to burnout, as both the workload and the consequences of failure ratchet inexorably upwards. This has led some CISOs to call for an end to the stigma of blame. “The asymmetry between attack and defence is getting bigger and bigger,” said one. “Taking that shame out of the equation is so important.”

Technical solutions can take a lot of the strain, of course, and it was encouraging to see Google Cloud among those rolling out mandatory MFA, although some may wonder what took them so long.

Some companies have already moved on from MFA, turning to biometric cryptographic security keys and device-level checks utilising the TPM chip.

Another welcome shift was the move towards post-quantum cryptography (PQC) algorithms, by Google Cloud and other vendors. While quantum computers capable of breaking commonly used encryption are probably still some way off, that ‘probably’ is carrying a lot of hope.

Computing's research in February found that just 5% of UK organisations polled were looking to upgrade their cryptosystems to PQC.