Attackers had full access—a nightmare security scenario that would be any nation-state hacker’s dream. Instead, the assault was simply part of a bitcoin scam that ended up netting about $120,000. In all, the scammers targeted 130 accounts and took control of 45. In a mad scramble to contain the situation, Twitter temporarily froze all verified accounts, blocking their ability to tweet or reset the account password. Some of the lockdowns lasted hours.
Subsequent investigation revealed that the attackers had called Twitter’s customer service and tech support lines and tricked reps into accessing a phishing site to harvest their special backend Twitter credentials, including username, password, and multifactor authentication codes. Then the attackers were able to use their access to these support accounts to reset the passwords on target user accounts. At the end of July, three suspects were arrested and charged with committing the hack, including 17-year-old Graham Ivan Clark of Tampa, Florida, who allegedly led the digital assault. In the wake of the breach, Twitter says it launched a major effort to overhaul its employee access controls, particularly with November’s US presidential election looming.
On Juneteenth, the leak-focused activist group Distributed Denial of Secrets published a 269-gigabyte trove of United States law enforcement information, including emails, intelligence documents, audio, and video files. DDOSecrets said the data came from a source claiming to be part of the ephemeral hacking collective Anonymous. Published in the wake of George Floyd’s murder, the dump of more than a million files included documents and internal police communications about law enforcement initiatives to identify and track protesters and share intelligence about movements like Antifa. A lot of the information came from law enforcement “fusion centers,” which gather and share intelligence with law enforcement groups around the country. “It’s the largest published hack of American law enforcement agencies,” Emma Best, cofounder of DDOSecrets, told WIRED in June. “It provides the closest inside look at the state, local, and federal agencies tasked with protecting the public, including [the] government response to Covid and the BLM protests.”
In September, a ransomware attack apparently targeted at Heinrich Heine University in Düsseldorf instead crippled 30 servers at University Hospital Düsseldorf, throwing the hospital’s systems and patient care into crisis. Unfortunately, ransomware actors have long targeted hospitals, because of their pressing need to restore service in the interest of patient safety. It’s also somewhat common for university-affiliated hospitals to get hit inadvertently. The University Hospital Düsseldorf incident was especially significant, though, because it may represent the first time a human death can be attributed to a cyberattack. As a result of the ransomware attack, an unidentified woman in need of emergency treatment was rerouted from Düsseldorf University Hospital to a different provider in Wuppertal, about 38 miles away, causing an hour-long delay in treatment. She did not survive. Researchers note that it is difficult to definitively establish causality. The incident is clearly an important reminder, though, of the real-world impacts of ransomware attacks on health care facilities and any critical infrastructure.
At the end of October, amidst a sobering wave of health-care-focused ransomware attacks, hackers threatened to release data stolen from one of Finland’s largest psychiatric service networks, Vastaamo, if individuals or the organization as a whole didn’t pay to keep the data under wraps. The hackers may have obtained the information from an exposed database or through an inside operation. Such digital extortion attempts have been around for decades, but the Vastaamo situation was particularly egregious, because the stolen data, which went back roughly two years, included psychotherapy notes and other sensitive information about patients’ mental health treatment. Vastaamo worked with the private security firm Nixu, Finland’s Central Criminal Police, and other national law enforcement agencies to investigate the situation. Government officials estimate that the episode impacted tens of thousands of patients. Hackers demanded 200 euros’ worth of bitcoin, about $230, from individual victims within 24 hours of the initial ask, or 500 euros ($590) after that, to hold the data. Finnish media also reported that Vastaamo received a demand for around $530,000 worth of bitcoin to avoid publication of the stolen data. A hacker persona, “ransom_man,” posted leaked information from at least 300 Vastaamo patients on the anonymous web service Tor to demonstrate the legitimacy of the stolen data.
In late July, hackers launched a ransomware attack against the navigation and fitness giant Garmin. It took down Garmin Connect, the cloud platform that syncs user activity data, as well as large chunks of Garmin.com. The company’s email systems and customer call centers were knocked out, as well. In addition to athletes, fitness buffs, and other regular customers, airplane pilots who use Garmin products for position, navigation, and timing services also dealt with disruption. The flyGarmin and Garmin Pilot apps both had days-long outages, which impacted some Garmin hardware used in planes, like flight-planning tools and updates for required FAA aeronautical databases. Some reports indicate that Garmin’s ActiveCaptain maritime app also suffered outages. The incident underscored how exposed internet-of-things devices are to systemic failures. It’s bad enough if your GPS-equipped, activity-tracking watch stops working. When you have to ground planes over instrument issues caused by a ransomware attack, it’s very clear how tenuous these interconnections can be.
Honorable Mention: Chinese Government-Backed Hacking
China continued its unrelenting global hacking spree this year and seemed to be casting an ever wider net. Beijing-backed hackers burrowed deep into Taiwan’s semiconductor industry to steal a huge quantity of intellectual property, from source code and software development kits to chip designs. Australian prime minister Scott Morrison said in June that the country’s government and other organizations have been repeatedly targeted by a barrage of attacks. Australia has committed to investing nearly $1 billion over the next 10 years to expand its defensive and offensive cybersecurity capabilities. Though Morrison did not specify which actor has been dogging the country, he is widely reported to have been referring to China. Australia and China have been locked in an intense trade war that is redefining relations between the two countries. A Reuters report this month also provided an example of ongoing Chinese hacking operations across Africa after the African Union in Addis Ababa, Ethiopia, discovered suspected Chinese attackers stealing video surveillance footage from their servers. The United States has also faced years of widespread digital espionage and intellectual property theft attributed to China. And it continued this year, especially in the realm of Covid-19-related public health and vaccine research.