In 1988, graduate student Robert Tappan Morris created a computer worm and inadvertently launched what many consider to be the world’s first cyber attack. Since that infamous “Morris Worm,” major events from Stuxnet to WannaCry have filled the pages of history, inspired TV shows and best-selling books, and reshaped the cybersecurity landscape.
But for every notorious attack, there are countless others that don’t make headlines, are overshadowed by competing news or simply get brushed aside. In 2021, SolarWinds and a series of high-profile ransomware attacks dominated the media and conversations, yet there were other significant incidents that had the potential for far-reaching privacy, regulatory and even human safety implications — and warrant another look. There could be lessons still waiting to be learned.
Florida Water Facility Attack Highlights Pervasive ICS Vulnerabilities
In February 2021, a threat actor attempted to poison a Florida city’s water supply in what seemed like an attack straight out of a Hollywood movie. A plant operator first noticed something amiss when his cursor began moving across his computer screen to open programs used to control water treatments.
The attacker reportedly increased the level of sodium hydroxide in the water 100 times. Thanks to the operator’s quick discovery and immediate actions to stabilize the levels, no one was harmed. But the real-world “could haves” loomed large, and the incident highlighted how dire critical infrastructure cybersecurity challenges remain.
The public utilities sector is uniquely vulnerable for many reasons. For one, much of the industrial control system (ICS) infrastructure — the systems that support essential services — dates to the 1980s or 1990s. The critical nature of utility operations required the developers of these systems to focus on availability and interoperability, not necessarily on security. Over the years, as these systems were increasingly connected to internet-facing IT networks, they became more attractive targets for attackers.
Both government and the private sector have ramped up spending on cybersecurity operations and maintenance, yet despite these efforts, many utility companies struggle to keep up with increasingly sophisticated and highly targeted attacks. And the stakes are high: beyond bad publicity, brand damage or costly regulatory fines, public safety is potentially at risk, as this incident showed.
Following the attack, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Christopher Krebs wrote, “Unfortunately, that water treatment facility is the rule rather than the exception. When an organization is struggling to make payroll and to keep systems on a generation of technology created in the last decade, even the basics in cybersecurity often are out of reach.”
The Verkada Breach Shows the Dark Side of the IoT
Comprising billions of connected devices (and counting), the Internet of Things (IoT) represents a potentially massive attack surface and continues to pose a formidable cybersecurity challenge for enterprises.
When IoT devices are not secured like other sensitive network assets, risk can escalate quickly, as seen in March 2021 when attackers breached Verkada, a cloud-based video security company.
Using legitimate admin account credentials found on the internet, the attackers were able to navigate through live feeds of some 150,000 cameras stationed in factories, hospitals, classrooms, prisons and more, while also accessing sensitive footage belonging to Verkada software customers. It was later confirmed that more than 100 people within the organization had “super admin” access, each of whom could access thousands of customer cameras — demonstrating the potential dangers of overprivileged users.
Fortunately, damages from the incident were reportedly limited, but things could have been much worse. The breach was just the tip of the iceberg, giving a glimpse of how dangerous the IoT can be. For those paying attention, it prompted new questions and fueled ongoing privacy debates around how surveillance technology should be used, how sensitive data — such as bedside footage of a hospital patient or proprietary manufacturing processes in action — should be stored and how access to this data should be managed.
While the incident didn’t garner lengthy news cycles, it shouldn’t be forgotten. The question of “who watches the watchmen” will likely reemerge as daily life becomes increasingly connected.
The Twitch Data Leak Reinforces the Need for Least Privilege Access
Popular video game site Twitch was targeted in October 2021 with what the New York Times called a “potentially disastrous” data breach.
The threat actors reportedly stole the platform’s entire source code, along with 125GB of sensitive data including top user payout information, and then leaked it online in an effort to “foster more disruption and competition in the online video streaming space,” according to Video Games Chronicle.
According to a company statement, the incident was caused by a “server configuration change that allowed improper access by an unauthorized third party.” Particularly in cloud-based environments, such misconfigurations — including unchanged default credentials or those granting excessive permissions — are very common, are often used as attackers’ entry point of choice and can potentially open a path to sensitive assets such as source code and other intellectual property. The dynamic nature of the cloud makes traditional change control approaches for proper configuration extremely difficult.
While the company later said that user credentials and bank details were not accessed or exposed in the Twitch breach, privacy-conscious users didn’t wait to find out. The Guardian reported that global online queries for “how to delete Twitch” surged by 733% on the day the news broke, noting the platform’s popularity could potentially take a hit as a result of the breach.
The attack illustrated the many challenges companies face in securing cloud environments and emphasized the importance of least privilege access in reducing risk and defending against internal and external threats.
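The Verkada incident (more than 100 "super admin" accounts) and the Twitch statement (a configuration change granting improper access) both come down to the same review question: who holds more privilege than their work requires? The script below is an added example, not code from the original article or from either company. It uses a constructed role model, constructed accounts and constructed access-log lines to compute each account's effective permissions, flag accounts with super-admin scope, and list permissions that were granted but never exercised in the observed window, which is the usual starting point for right-sizing access under a least privilege policy.

```python
# Added example: a least-privilege review over a constructed account set.
# The role model, accounts and log lines below are all made up for illustration.
from dataclasses import dataclass

# Hypothetical role model: each role maps to the permissions it grants.
ROLE_PERMISSIONS = {
    "viewer": {"camera:view"},
    "site_admin": {"camera:view", "camera:configure", "user:invite"},
    "super_admin": {
        "camera:view", "camera:configure", "user:invite",
        "org:manage", "footage:export",
    },
}

# Any account holding one of these permissions is treated as super-admin scope.
SUPER_ADMIN_MARKERS = {"org:manage", "footage:export"}


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset


def effective_permissions(account):
    """Union of permissions across every role the account holds."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_super_admin(account):
    """True if the account's effective permissions reach super-admin scope."""
    return bool(effective_permissions(account) & SUPER_ADMIN_MARKERS)


def parse_access_log(lines):
    """Parse constructed 'timestamp user permission' lines into user -> {perms used}.

    Malformed lines are skipped rather than aborting the review."""
    used = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, user, perm = parts
        used.setdefault(user, set()).add(perm)
    return used


def audit(accounts, log_lines):
    """Per account: super-admin flag plus permissions granted but never exercised."""
    used = parse_access_log(log_lines)
    findings = {}
    for acct in accounts:
        granted = effective_permissions(acct)
        exercised = used.get(acct.name, set())
        findings[acct.name] = {
            "super_admin": is_super_admin(acct),
            "unused": sorted(granted - exercised),
        }
    return findings


def super_admin_count(accounts):
    """How many accounts carry super-admin scope (the Verkada-style headline number)."""
    return sum(1 for a in accounts if is_super_admin(a))


# Constructed sample data: four accounts and a short access log.
ACCOUNTS = [
    Account("alice", frozenset({"viewer"})),
    Account("bob", frozenset({"site_admin"})),
    Account("carol", frozenset({"super_admin"})),
    Account("dave", frozenset({"viewer", "super_admin"})),
]

ACCESS_LOG = [
    "2021-03-01T09:00:00Z alice camera:view",
    "2021-03-01T09:05:00Z bob camera:view",
    "2021-03-01T09:06:00Z bob user:invite",
    "2021-03-01T09:10:00Z carol camera:view",
    "malformed line",
]

if __name__ == "__main__":
    report = audit(ACCOUNTS, ACCESS_LOG)
    print(f"super-admin accounts: {super_admin_count(ACCOUNTS)} of {len(ACCOUNTS)}")
    for name, f in report.items():
        flag = " [SUPER ADMIN]" if f["super_admin"] else ""
        print(f"{name}{flag}: unused={f['unused']}")
```

In practice the "unused" list is a prompt for review rather than an automatic revocation: a permission exercised only during quarterly maintenance will look unused in a short window, so the observation period has to cover the real work cycle before privileges are trimmed.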
Those 2021 cyber attacks quickly lost the spotlight; however, there are valuable considerations and lessons to be learned from them as we begin a new year. Because, as Edmund Burke once said, “In history, a great volume is unrolled for our instruction, drawing the materials of future wisdom from the past errors and infirmities of mankind.”