Lessons learned from 2021 cyberattacks

Written by: Csaba Krasznay, Director of Cybersecurity Research Institute at National University of Public Service

Created: 2022-03-16

What are the key learning points of 2021 from a cybersecurity point of view? Csaba Krasznay, Director of Cybersecurity Research Institute at National University of Public Service shares his thoughts.

Lessons learned from 2021 cyberattacks
2021 had some infamous cyberattacks, such as SolarWinds, Colonial Pipeline, JBS, Kaseya, and Pegasus, and the emergence of some nasty vulnerabilities, like Microsoft Exchange Server and Log4J. Was it a bad year or not from a cybersecurity perspective? Were there any novelties, or was it just business as usual? The answer is not so simple. It is certainly unusual for an Executive Order from the President of the United States to deal with technical details of IT security (namely Zero Trust), but at the end of January 2022, two memorandums (Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems and MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES - Moving the U.S. Government Toward Zero Trust Cybersecurity Principles) reminded us of the imbalance of the capabilities of attackers and the challengers for defenders. Yet neither ransomware nor 0-day vulnerabilities show us something new. In this article, we try to outline the most important lessons we’ve learned in 2021.

Cybercrime gangs began acting as APT groups: The connection between secret services and organized crime is always a grey zone, but also part of their daily business. We can assume this relation is true in cyberspace too. However, in the most serious ransomware attacks, it seems that cybercriminals used detailed operation planning, high-quality open-source intelligence, and multiple attack vectors. We don’t know yet whether they just learned from the bests or hired some ex-officers who supported the operations, but in the past, groups like REvil were not as prepared as they were in 2021.

Sin deserves its worthy punishment: Apropos of REvil. They were arrested in January and the infrastructure was ’neutralized’. In Russia. Which is quite unusual. But there were other interesting cases in the last year in Ukraine, Hungary, and Romania, to name but a few. It seems that the US-European law enforcement cooperation is working well, and if they get the right political support, even Russia is willing to do something to combat the significant rise in cybercrime.

Temporary silence in state-sponsored attacks: Okay, we started 2021 with SolarWinds, attributed to Russia, and large-scale attack against Microsoft Exchange Servers, attributed to China and even Germany accused Russia with interference with their election, using the EU Cyber Diplomacy Toolbox, but we were really missing something… BIG. As the tension around Ukraine emerges, we can assume that countries are keeping their powder dry and don’t want to expose their real capabilities. In a real military situation, the element of surprise is important, and the same is true in cyberspace. As both Ukraine and Belarus were hit in January, we can predict that 2022 will be get a whole lot hotter in this sphere.

0-day vulnerabilities are gems: Both SolarWinds Orion backdoor and Exchange vulnerabilities were first exploited by countries and discovered later by independent researchers. Log4J could have happened in the same way, as it was discovered by a Chinese security expert, and according to Chinese law, such discoveries should be reported to the state first. Alibaba Cloud, the employer of the researcher, of its failure to report. NSO Group used several 0-days in their Pegasus spyware tool, with the Israeli government’s knowledge. We can be sure that governments are stockpiling valuable software bugs to use in conflicts.

Supply chain attacks as real threats: A DDoS against our DNS provider? A targeted attack against a software developer to build a backdoor into the product running deep inside our network? Or just an unintentional network configuration that stops Facebook working? All of these incidents are happening outside the organization, but as a collateral victim, the organization’s operation will also be affected. Supply chain-related risks were never as real as in 2021. Meanwhile, cloud outages are coming.

Silent building on the defenders’ side: Financial institutions and huge governmental systems were not really hacked in 2021. There are no new disruptive technologies on the product horizon of cybersecurity. Everything is calm on the market. If 2020 was the year of rapid digital transformation, 2021 was the year of cleaning up the ensuing mess in terms of security. There are a lot of great products on the market, and even vulnerable APIs can be protected, but traditional security solutions should be combined with the latest technology, something that requires significant time and resources. Zero Trust seems to be the directive principle that can provide us with more secure cyberspace in the near future.

Photo by Possessed Photography on Unsplash