Features 17.12.2024

Five Incidents that Shaped the Cybersecurity Landscape in 2024

Assured Intelligence has compiled a breakdown of the top events that helped define the security landscape in 2024

Phil Muncaster takes a look at the breaches, takedowns and near misses that defined the past year

The UK’s CISOs are at the centre of a gathering storm. Buffeted on all sides by closer regulatory scrutiny, escalating cyber threats, and the expansion of their corporate attack surface, many are feeling the pressure. According to one study, nearly three-quarters have taken personal indemnity insurance, and almost a fifth are considering leaving the industry.

This would be a disaster. UK organisations desperately need more cybersecurity leaders, not fewer. They also need their CISOs to be better informed about the industry and threat landscape trends that should help shape their strategy. That’s why Assured Intelligence has compiled a breakdown of the top events that helped define the security landscape over the past 12 months.

1: How the xz Utils attackers nearly hacked the world

The challenges of securing the open-source supply chain have been known for some time. But when news emerged of a staggeringly sophisticated and long-running campaign to install a backdoor into a popular data compression utility (xz Utils), the world took notice. It emerged that a threat actor known as ‘JiaT75’ or ‘Jia Tan’ joined the project and used fake accounts to bombard the original maintainer with feature requests and bug complaints.


The end goal was to make the case for Jia Tan to be given release manager rights, which they duly were. They used these permissions to install a backdoor in xz Utils, tracked as the zero-day vulnerability CVE-2024-3094, which could allow threat actors to remotely control an affected machine. Given the near-ubiquity of the little-known utility, this could have given the threat actor tremendous power. The fact that it was discovered by chance by a Microsoft developer will do nothing to reassure the community, nor will reports of several copycat attempts.

The whole affair has given weight to calls for more funding for open source projects like this, while hopefully reminding CISOs of the need for greater scrutiny of the packages that go into their code.

2: The cautionary tale of the British Library

By now, we should be immune to seeing major brands and institutions crippled by ransomware. But that did not diminish the impact of a cyber attack on the world’s largest library. Although it occurred in late 2023, the repercussions of the incident only really emerged this year after the government-backed body penned an 18-page “lessons learned” review of the breach and its aftermath.

The attackers, an affiliate of the Rhysida ransomware group, gained initial access most likely via compromised credentials, possibly belonging to one of the library’s many suppliers or partners. The hackers stole around half a million digital documents from the library, including personally identifiable information (PII) on users and staff, and knocked out much of its server estate. The library has reportedly already spent £1.6m recovering from the breach.

The lessons learned could be valuable for CISOs everywhere. They highlight the need for best practices like MFA, network segmentation and monitoring, eliminating legacy tech, and improving incident response and user training. However, perhaps the biggest takeaway is that the British Library shared this document in the first place. It’s a fantastic example of how information sharing can benefit the entire cybersecurity community.

A new Australian security law promises to introduce a Cyber Incident Review Board, which will conduct “no-fault” investigations following severe incidents and publicly share anonymised insights. The UK government should consider something similar in its upcoming Cyber Security and Resilience Bill.

3: A blood-curdling NHS cyber-attack

As IT and OT systems find their way into a growing number of business-critical systems and sectors, the risk to human life spirals. Unfortunately, the healthcare sector is on the front line, as evidenced by a major ransomware breach that impacted NHS pathology supplier Synnovis in June. A total of 10,152 acute outpatient appointments and 1,710 elective procedures were ‘postponed’ at two London trusts. Hospitals issued appeals for blood donors and trainee medics to volunteer as “floorwalkers”.


The takeaways are twofold. The first is that cyber attacks don’t have to be sophisticated efforts aimed at IoT or OT systems to cause potential physical harm. The second is that supply chains will continue to be targeted in this way in critical infrastructure sectors that have a low tolerance for outages – until they are hardened against attack. The concern is that, in the event of a military conflict or escalation, the end goal will not be monetary gain but maximum societal impact.

Blockmoor CISO, Ian Hill, warns that the June attack “showed our enemies the art of the possible,” and could be repeated during hybrid warfare.

“Already at breaking point in peace time, in a war scenario, the NHS’s operational effectiveness could be compromised by cyber attacks to the point of collapse, even before any kinetic weapons have been fired,” he tells Assured Intelligence.

“The NHS is a large and fragmented collective of individual and interdependent health trusts and services with an extremely complex supply chain. It is not prepared for a sustained multi-vector nation-state cyber attack,” says Hill.

4: The LockBit takedown

The LockBit ransomware collective was among the most prolific of the past few years, amassing a fortune in the hundreds of millions of pounds from digital extortion. Dramatic news came in February: the UK’s National Crime Agency (NCA) announced Operation Cronos, a multi-pronged campaign to disrupt the group. Unlike similar efforts that usually focus on taking down threat actor infrastructure only to see it reappear, this operation also sought to tarnish the LockBit brand and those associated with it. Police even went so far as to troll the group on its own leak site, which they had seized. That, together with the freezing of 200 cryptocurrency accounts and the obtaining of over 1,000 decryption keys, marks it as one of the most successful operations of its kind.

Robert McArdle, director of Trend Micro’s Forward Looking Threat Research team, played a crucial role in assisting global law enforcers. He tells Assured Intelligence that the Operation Cronos playbook has been replicated to good effect with Operation Stargrew and Operation Endgame.

“Before Operation Cronos, LockBit dominated the ransomware space. Today, it is barely present. While it did struggle on for some time, and tried several approaches to make it appear like business as usual, ultimately the criminal market lost all faith in the brand and went elsewhere,” he explains.

“Operation Cronos’s impact was not just about removing the top player – it was dismantling an entity that had gotten to industrial levels of efficiency. Much like when Conti was in its heyday, cyber crime naturally optimises itself when large groups are allowed to dominate market share. Breaking these monopolies is key to reducing the risk for ordinary internet users.”

5: The cascading impact of a cloud platform incident

Snowflake is a popular cloud platform for data storage and analytics. It emerged that over 160 customers had their accounts compromised by threat group UNC5537, primarily via credentials previously stolen by infostealer malware. The Snowflake clients affected, which include Ticketmaster (560 million records) and AT&T (110 million), did not have MFA enabled on their accounts, according to Google’s Mandiant.


What can we gather from the incident? Providers like Snowflake and internal security teams must start enforcing MFA as default to mitigate the impact of huge volumes of credentials circulating on the infostealer marketplace. Mandiant also recommends data leak/dark web monitoring, flagging unusual access attempts, and “limiting traffic to trusted locations for crown jewels”. The same threat actor is likely to target other SaaS platforms in the future, it says. You have been warned.
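The two controls Mandiant recommends above (flagging access without a second factor, and limiting access to sensitive data to trusted locations) can be checked against a platform's login history. The following is an added illustration, not code from Snowflake, Mandiant or this article: it runs over a constructed set of login events whose field names (`user`, `ip`, `mfa`, `success`) are assumptions standing in for whatever login-history export a given platform provides.

```python
import ipaddress

# Constructed sample login events (not real data); the field names are an
# assumption standing in for the platform's actual login-history schema.
SAMPLE_LOGINS = [
    {"user": "etl_svc", "ip": "203.0.113.10", "mfa": True, "success": True},
    {"user": "analyst1", "ip": "198.51.100.7", "mfa": False, "success": True},
    {"user": "analyst1", "ip": "10.0.0.5", "mfa": False, "success": True},
    {"user": "admin", "ip": "203.0.113.77", "mfa": True, "success": False},
    {"user": "admin", "ip": "203.0.113.77", "mfa": True, "success": True},
]

# Networks the organisation treats as trusted for its "crown jewel" data.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(ip, trusted_networks):
    """True if the address falls inside any trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_networks)


def flag_risky_logins(events, trusted_networks):
    """Return (user, ip, reasons) for each successful login that completed
    without a second factor or came from outside the trusted networks.
    A stolen password replayed without MFA from an unknown network hits both."""
    findings = []
    for ev in events:
        if not ev["success"]:
            continue  # failed attempts are handled by lockout/alerting elsewhere
        reasons = []
        if not ev["mfa"]:
            reasons.append("no_mfa")
        if not is_trusted(ev["ip"], trusted_networks):
            reasons.append("untrusted_network")
        if reasons:
            findings.append((ev["user"], ev["ip"], reasons))
    return findings


def users_without_mfa(events):
    """Accounts with at least one successful single-factor login: the set
    to push through an MFA-enforcement policy first."""
    return {ev["user"] for ev in events if ev["success"] and not ev["mfa"]}


if __name__ == "__main__":
    for user, ip, reasons in flag_risky_logins(SAMPLE_LOGINS, TRUSTED_NETWORKS):
        print(f"{user} from {ip}: {', '.join(reasons)}")
    print("enforce MFA for:", sorted(users_without_mfa(SAMPLE_LOGINS)))
```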

(Dis)honourable mention: The global CrowdStrike outage

While not exactly a cybersecurity incident, the global IT outage caused by a buggy CrowdStrike update in July made headlines worldwide. Over eight million Windows clients “blue screened”, causing chaos at airports, in GP surgeries, and disrupting countless public services and private enterprises. Insurers estimated the financial impact on the Fortune 500 to be around $5.4bn.

Although the cause was not a cyber attack, its impact could be likened to a catastrophic ransomware breach. CISOs should take that as a warning sign to ensure their backup, business continuity and disaster recovery plans are fit for purpose. Operational resilience will be critical as we head into 2025.
