A year in cyber: Computing's biggest security stories of 2022

A month-by-month look at the most important happenings in cyber

Here's our round-up of the security stories that have shaped the cyber year in what has been yet another rollercoaster ride for infosec professionals.

January

Last year ended with a sting in its tail, with the Log4J vulnerability Log4Shell emerging just as security folks felt it might be safe to start winding down for the holidays. There have been reports of the vulnerability being exploited by state sponsored actors, including an attack on Belgium's Defence ministry, but it's probably fair to say the damage - so far as we know - hasn't been as bad as feared.

Prior to Log4Shell, the major priority for many was defending against ransomware, and 2022 continued as 2021 left off with an attack on schools website provider FinalSite leading to a lengthy loss of access to many online services in thousands of schools and colleges around the world.

North Korea's veteran hacking organisation Lazarus started the year as it meant to go on using Windows Update and GitHub to deploy malware as part of a new spear-phishing campaign aimed at US defence contractor Lockheed-Martin.

February

February was marked - and marred in so many ways - by Russia's invasion of Ukraine. Before the tanks started rolling in, and afterwards too, Ukrainian institutions suffered a wave of DDoS and wiper ransomware attacks, but the county, which has been bolstering its defences since the anexation of Crimea in 2014, proved surprisingly resilient.

And it was not just one way traffic. Some Russian websites down and TV broadcasts were interrupted as Ukraine asked hacking groups for help, something advised against by the UK government for fear of unpredictable knock-on effects. Cyber attacks and counter attacks related to the war punctuated the news cycle throughout the rest of the year, but Russia's much feared skills in alternative warfare seemed mostly confined to disinformation.

The UK Foreign, Commonwealth & Development Office (FCDO) was in the news after a public tender document was posted on the government's website asking for 'urgent business support' following a 'serious cyber security incident'. What that incident was and when it occurred was not made clear.

In presumably unrelated news, the Foreign Office's out-of-date IT systems were said by insiders to be causing "chaos", hampering the government's ability to respond to the Ukraine war.

March

If the Oxford Dictionary published a cyber-word of the year Lapsus$ would surely be in with a shout. The prolific yet seemingly scattergun hackers got the better of Okta, Nvidia, Microsoft and other household names before one of their number was tracked down. The ‘mastermind' behind some of the attacks was revealed to be a 16-year-old boy living just a stone's throw from the dreaming spires.

As TalkTalk and countless others have found out over the years, you underestimate teenagers at your peril, especially when there's prestige and money involved. The Lapsus$ mastermind is now in custody, while former TalkTalk CEO Dido Harding went on to greater, at least more lucrative, things.

'Let's go places' is a favourite Toyota slogan, but in March the Japanese car giant was going nowhere fast thanks to an attack on a supplier of air conditioning and steering wheel components Kojima Industries, one of many supply chain attacks this year. It halted Toyota's car production in Japan for a few days and closure of its production lines set its schedule back by about 13,000 cars, this coming on top of an existing slowdown caused by the global chip shortage.

And one of the biggest cyber attacks of the war so far hit Ukraine's state-owned telecommunications company Ukrtelecom at the end of the month, resulting in the country's most severe Internet disruption since Russia invaded in late February.

Despite the some techies taking up arms and others being forced to move to safer locations, the country's IT sector remains very much open for business said Konstantin Vasyuk head of the IT Ukraine Association. The sector remains very resilient he insisted, with the country's turbulent history having forced it to be adaptable.

A year in cyber: Computing's biggest security stories of 2022

A month-by-month look at the most important happenings in cyber

April

Currently Russia is hitting Ukraine's power grid with explosives delivered by rockets and drones, but attacks in March and April used of a version of the Industroyer malware it had deployed successfully against the country's infrastructure in 2016 and CaddyWiper data destruction malware. The perpetrators were thought to be Sandworm, a military hacking unit also believed to also be responsible for 2017's NotPetya. On this occasion their plan to unleash mayhem on April 8th was detected and rebuffed.

According to Oscar Wilde, the only thing worse being talked about is not being talked about, but he was not thinking of spyware manufacturers when he wrote his famous aphorism. In 2022 Israel's NSO Group was in the headlines almost as often as Harry and Meghan, and certainly far more than its executives would have wanted. Israeli police were found to be snooping on activists and politicians without a court order. The European Justice Commissioner and four other officials phones were found to have had their phones with NSO's subtely named ForcedEntry malware.

And the EU's nemesis Boris Johnson was not spared either with his office reportedly the target of NSO Pegasus spyware. The company denied that such a thing were possible, of course, in much the same way that Johnson said it was impossible he could have attended parties during lockdown.

May

Cyberattacks on Ukraine's powergrid having fizzled, what should Vlad hack next? Why, the Eurovision Song Contest of course. Russia was banned from the contest, which was held in Turin, Ukraine's Kalush Orchestra was bound to win and even the UK looked to be in with a shot for a placing. Sadly though the Italian police were waiting. Nil points.

Supply chain attacks, where threat actors go after suppliers to their target rather than directly to the target itself, are on the rise, and in May cyber agencies from the UK, Australian, Canadian, New Zealand and the US (collectively known as Five Eyes) sent out a warning that MSPs should be on their guard. A managed services provider can provide a ready platform to target its customers for follow-on activity, such as cyber espionage and ransomware. Last year's attack on Kaseya, monitoring software used by many MSPs, was just the start of what could be a very nasty trend, the multinational spooks collective warned.

US cyber agency CISA has become increasingly proactive and vocal in telling organisations to get a move on with fixing vulnerable systems. It maintains a catalogue of Known Exploited Vulnerabilities (KEV) which it updates on a regular basis, issuing warnings as it does so. In May it was the turn of VMware customers who were told in no uncertain terms that Workspace ONE Access, VMware Identity Manager and vRealize Automation were under attack and should be patched immediately.

June

Summer arrived and with it a flaw, this one in Windows and named after the Italian town of Follina. Made public right at the end of May, it took Microsoft two weeks to patch it. The zero-day flaw, which allowed attackers to execute arbitrary code via the Microsoft Support Diagnostic Tool (MSDT), was apparently already being used by Chinese cyber attackers against the Tibetan activists, and once made public QBot actors and Russian hackers leapt into action too.

CISA was wagging its finger again, this time about active attacks on a Linux security vulnerability called PwnKit which had been been actively exploited in attacks.

After the reversal of Roe vs Wade in the US, the fact that smartphones can reveal an awful lot about their owners activities and whereabouts, such as visits to abortion clinics, suddenly became an urgent and critical issue for a lot more people. US Democratic politicians called for a probe into the app ecosystems operated Apple and Google over the way tracking data can be sold on to data brokers or otherwise made available without customers' consent. A congressional investigation was launched in July and in August data broker Kovacha was sued for selling sensitive geolocation data and some makers of period tracking apps were fined. "Where consumers seek out health care, receive counselling, or celebrate their faith is private information that shouldn't be sold to the highest bidder", the Federal Trade Commission said.

And after a slew of stories about AI facial recognition and emotion detection systems getting things wrong or being biased against certain groups, Microsoft announced the ‘retirement' of some of its capabilities including inferring emotional states, age, gender, smile, hair and makeup, although what this retirement meant in practice was not clear.

A year in cyber: Computing's biggest security stories of 2022

A month-by-month look at the most important happenings in cyber

July

Ransomware attackers generally go after companies of a certain size or providers essential services, from whom they stand the best change of receiving a quick and sizeable payoff, but there have been a few instances of an entire town being hit. In July, LockBit operators went after St Marys in Ontario, Canada, a municipality of 7,000 people. While the town managed to keep most essential services going, the gang said it had stolen 67 GB of documents pertaining to health, finance, safety, sewage treatment, property and public works, which they threatened to publish. An investigation is ongoing. In November, Ontario police arrested a dual Russian-Canadian national on suspicion of playing a role in LockBit ransomware attacks.

Meanwhile hotel giant Marriott continued to be a hackers piñata. The much-attacked hotel chain was walloped again when hackers tricked staff using social engineering into giving them access to 20 GB of sensitive data, including credit card details of customers.

After a six-year quest to find quantum computing-proof encryption algorithms, US National Institute of Standards and Technology (NIST) finally alighted upon four finalists to be be standardised and ratified. One of the alternatives to these four, which made it to the final stages of the contest, was rather embarrassingly cracked in an hour on an ordinary laptop.

This month's dire warning from CISA was a zero-day vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) under active exploitation by attackers.

August

A critical system used for ambulance dispatch and emergency prescriptions in England was hit by a ransomware attack on NHS supplier Advanced. The attack locked the Adastra patient records system preventing access to patient records, with some systems still not fully functional months later.

Amid rising tensions with China, the UK Parliament shut down its TikTok account after a group of MPs and peers voiced concerns about the platform's links to the Chinese Communist Party and its treatment of user data. The account had only been opened a week previously.

The Cl0p gang posted a trove of documents belonging to customers of South Staffordshire Water on the dark web. These featured personal data including passport scans, screenshots of user interfaces and spreadsheets. Tut-tutting about "very bad practice" at the the utilities firm, Cl0p also claimed to have gained access to the company's SCADA systems. The validity of claim is questionable, however, given that the attackers apparently thought they'd breached Thames Water rather than South Staffordshire. In December the utilities company finally got round to formally informing customers about the risk of Direct Debit as a result of the breach. "It's absolutely disgraceful that customers are only finding out about this data breach (and that out details are now on the dark web) four months afterwards," one customer said.

Cloud communications provider Twilio said threat actors were able to access some of its customers' data after a successful social engineering attack led some employees to share their login credentials with the attackers. It was proving to be a good year for social engineers.

September

Microsoft Exchange is a favourite target of hackers because of its complexity and widespread use in businesses and organisations. SQL Server is another one, and in September and October Microsoft's premier database system was hit by two types of malware: FARGO ransomware disables database protections then encrypts records within corporate espionage malware, while Maggie, seen on hundreds of devices around the world, is a multi-functional toolkit that acts as a bridgehead into the server's network environment and brute-forcing admin logins to other Microsoft SQL servers.

In another high profile social engineering attack, Uber said it was investigating a "total compromise" This is not the first time Uber has suffered a breach. In 2016, 57 million passengers and drivers were affected and in October former CSO Joe Sullivan was found guilty of trying to cover it up and faces up to eight years in jail.

It's all very well reporting bugs but it can make things worse if having been made public the company involved fails to fix them. Six firmware security vulnerabilities found in HP's high-end business notebooks and PCs remained unpatched in more than a month after their public disclosure.

Blimey. Everything came to a head in September. First it was reported that a cybercriminal pewrhaps the same one who had hit Uber - had breached Rockstar Games and stolen the source code for its upcoming game, Grand Theft Auto 6. The spotlight turned on Lapsus$ whose teenage mastermind was arrested in March, but for whom the thrill of hacking a major company was obviously too hard to resist. He was charged with breach of bail and computer misuse offences.

Over the year it became apparent that despite a few successes by the country and its affiliates, Russia was more effective at spreading confusion and distrust than it was at offensive cyber attacks. In September Meta said it had taken down a massive Russian disinformation network targetting Europe. The operation was based on a network of over 60 websites that impersonated authentic European news organisations.

A year in cyber: Computing's biggest security stories of 2022

A month-by-month look at the most important happenings in cyber

October

To counter active attacks on two zero-day vulnerabilities in Exchange, Microsoft announced mitigation measures as it worked on a fix. Unfortunately getting round these measures was child's play, researchers found.

At the start of a particularly cold crypto-winter, which saw the collapse of exchange FTX and the arrest of its founder Sam Bankman-Fried in December, rival exchange Binance suffered a $570 million hack when attackers targeted a cross-chain bridge - software that enables crypto tokens to move between different blockchains - and made off with the loot. No user funds was lost, according to the company, but it was a severe reputational blow.

A 'critical' zero-day bug, the first since Heartbleed, was identified in OpenSSL. It affected versions 3.0.x and was patched on November 1st.

The UK's cyber workforce grew 12% year-on-year but there was still a 73% shortfall, according to a study by (ISC)2, a non-profit association of certified cyber security professionals.

Politicians have long been warned about the dangers of using their own personal devices for government business but have largely ignored the risks. At the end of the month Russian spies were found to have hacked Liz Truss's personal phone. The hack apparently happened while Truss was Foreign Secretary with hackers able to access to 'top-secret details' including conversations with foreign officials about the Ukraine war and information on arms shipments, according to press reports.

November

Speaking of surveillance, Meta found itself under legal spotlight in UK once again for allegedly ignoring the Facebook opt-out settings by which users can limit the amount of personal data used to target them with advertising. Meanwhile Amazons acquisition of iRobot, manufacturer of the Roomba robotic vacuum cleaner, was under fire. "Amazon aren't just buying a fun little automated hoover: their aim is to leapfrog into pole position in home robotics", said litigant nonprofit Foxglove, urging the UK's Competition and Markets Authority (CMA) to open an antitrust probe into the deal.

The Online Safety Bill, which in its four years of existence has been dragged down by government turmoil and endless additions and amendments, edged closer to a parliamentary debate. But security experts and rights groups were worried at the government's continued insistence on weakening end-to-end encryption as one of the Bill's provisions. There is no such thing as a back door that can only be used by the good guys, they pointed out, arguing that children and other vulnerable people are protected online by encryption. However, the promise of the Bill finally becoming law was welcomed as a 'relief' by some campaigners.

A "sophisticated" cyberattack on the European Parliament website on caused service disruptions just moments after members voted to designate Russia as a state sponsor of terrorism. Coincidence? Probably not.

And research by Kasaya found that half of all ransomware attacks are easily preventable - if only admins would patch vulnerable systems more quickly.

December

Rarely out of trouble with regulators, yet frequently large and be-lawyered enough to avoid punishment, Meta was hit with €265 million fine by the Irish Data Protection Authority, for a 2019 breach which exposed the personal details of about 533 million users from more than 100 countries. The company also faces a $1.6 billion lawsuit for allowing its platform to be used to stoke the conflict in Ethiopia.

Adding its voice to the chorus of disapproval over the government's plans for government inspection of all internet traffic, Meta subsidiary WhatsApp threatened it could abandon the UK altogether if the government bans end-to-end encryption as part of the Online Safety Bill. Since much government business is apparently done over WhatsApp these days that might give the politicians some pause for thought.

And cloud computing giant Rackspace confirmed it had been the victim of a ransomware attack that affected several Hosted Exchange customers and prevented them from accessing their email accounts. The service was down for several days after the attack.

Finally, to round off a bad year for the ride sharing firm, Uber suffered yet another data leak after supplier breach caused the personal information of at least 77,000 employees to be exposed.

And that's it for another year.

Here's hoping another Log4J doesn't pop up before the holiday season, fingers are firmly cossed (not that that's a recommended security posture). We wish you a relaxing, peaceful and prosperous Christmas and New Year.