Summary

2021 was marked by security professionals reacting to threats, incidents, and vulnerabilities of a previously unheard of frequency, volume and scale.  It was also a tipping point for cybersecurity efforts by the federal government and corporate IT.  In particular, there is new leadership at the helm of vital cyber agencies in the appointment of Rob Joyce as Director of the NSA Cybersecurity Directorate and Jen Easterly as the Director of CISA.  

Still, the private sector continues to ‘go it alone’ in what is historically a global IT supply chain predominantly managed and operated by high technology companies, not government agencies.  Hovering over the entire cybersecurity discipline and marketplace: the information threat vectors of misinformation, disinformation, information disorder, ransomware, and cyberwar threats from state and non-state actors alike.

2021 also marks the year that a lack of innovation and a dearth of new solutions-driven platforms raised concerns that we may be in a “Cyber Winter” in terms of business model generation and value proposition design.  It begs the question: what are the novel architectures, design metaphors, and design processes for innovation in cybersecurity moving forward? And will security need to go back to the drawing board in a really transformative way in 2022?

New Threats/New Responses

2021 began with a cyber hangover from the December 2020 Solarwinds hack, which was a wake-up call for critical infrastructure organizations, public and private.  Cybersecurity threats of a certain scale found a place in mainstream media coverage and the consciousness of the general public.     

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Also by January of 2021, SolarWinds was hit with a class-action lawsuit by the company’s stakeholders following the Orion Breach, in what was the beginnings of a pattern of activity that played out over the entirety of 2021: new types of legal actions, including class action suits, which grew out of cyber incidents.  It seems a legal framework for cyber is no longer the exclusive domain of the Electronic Frontier Foundation or the Berkman Klein Center at Harvard Law.  2021 proved that legal action is now a more frequent course of action for individuals and groups in response to cyber threats.  

OODA CEO Matt Devost notes:  “Overall, we saw an increase of pressure on groups like the NSO group, that we’re providing almost nation state-level capabilities to what we would consider tier two, tier three nation-states.  Also, entities like Apple and Microsoft got proactively involved – warning individuals around targeting and engaging in lawsuits against entities like NSO, Hafnium and NICKEL.”  

2022 will be marked by a different kind of cyber hangover, this time from the Log4j vulnerability.  In contrast to the Solarwinds Orion incident, Log4j has proven more of an IT and cybersecurity insider’s story covered widely by the tech and hacker press, yet has not broken through to the mainstream media (as of this printing). It makes sense.  It was the Solarwind’s impact on critical infrastructure and governmental breach that made it big national news.  And it is actually bad news if the Log4j evolves into a story, based on the impact of future exploits, that the mainstream media can easily catastrophize and make into a soundbite spectacle for a more general audience.   

Attribution of the Solarwinds hack was not achieved until early 2021 by Kaspersky Labs, which connected the SolarWinds attack code to the known Russian APT Group.  By May, the Colonial Pipeline ransomware attack, payout, and attribution to the Russian affiliated DarkSide finished what the SolarWinds hack had started in terms of a broader exposure and awareness of critical infrastructure cyber threats for policymakers and the general public.  The Department of Justice seizure of  $2.3 million in cryptocurrency paid to the ransomware extortionists DarkSide, also represented a new type of law enforcement activity to ransomware.  Up until May of 2021, cybercriminals and law enforcement alike did not think the seizure of stolen cryptocurrency was even a possibility.  The DoJ has now opened that front, which should also become a deterrence mechanism over time. 

The Log4j vulnerability has yet to be attributed.  Final attribution and Log4j headlines internationally and domestically will certainly play themselves out, possibly over the course of the entirety of 2022.  Matt Devost offers this assessment:  “Log4j is pretty systemic as vulnerabilities go, given how deeply embedded it is on so many different types of devices.  I think it’s kind of untreated territory, at least in the history of my career, and it’s something that’s going to have an incredibly long dwell time inside folks’ networks as vendors are slow to upgrade, et cetera.” 

Log4j vulnerabilities still have the potential to enter the news cycle in a big way.  We recently reported via the OODA Loop Daily Pulse that the sophisticated Russia-based Conti ransomware group has become the first group to weaponize Log4j with a full attack chain. Last week, the group became the first professional cybercrime group to adopt the Log4Shell vulnerability and has since built up a holistic attack chain.  On December 27th, the Five Eyes issued a joint Log4Shell advisory.  

In 2021, Cryptocurrency Hit Hard

As a sampling of the type of issue faced by the cryptocurrency community and marketplace this past year, the first cryptocurrency incident we reported on in 2021 was a crypto-hijacking campaign leveraging the new Golang Remote Access Tool (RAT).  Heists from later in the year include:

• BitMart:  Crypto-Exchange BitMart to Pay Users for $200M Theft
• Poly Network: Hackers take $600m in ‘biggest’ cryptocurrency theft
• Cream Finance:  Cream Finance DeFi Platform Rooked For $29M
• Liquid: Crunch Time for Liquid as Crypto Exchange Loses $97m to Hackers
• bZx:  Hacker Steals $55 Million in Crypto After BZx Phishing Attack; and
• BadgerDAO: Someone stole $120 million in crypto by hacking a DeFi website (BadgerDAO)

The cryptocurrency heist landscape totaled over $7.7 billion in theft from vulnerable crypto exchanges and cryptocurrency websites in 2021, an 81% increase over 2020.  In November, the cryptocurrency market surpassed $3 trillion in value.   

There was a lot of publicity around what is happening in the cryptocurrency, non-fungible token (NTF), and Web3 space. 2021 saw huge instances of online fraud and vulnerability.  The blockchain code may be secure, but the web application layer is not, which will impact the stability and market credibility of these digital native efforts to transform the future of money, stored value, and disintermediated transactions.  Digital sovereignty, digital rights, and digital identity were also a stream of conversation surrounding the security of personal data, transactional or otherwise, and the individual’s right to ownership of their personal data.  

Unrelenting Cyber Activity throughout the Year

In 2021, cyber threats and activity merged with major headlines and the multiple crises in the U.S.  In early January, hackers leaked the COVID-19 vaccine data they stole in a cyberattack and the January 6th insurrection unearthed the role social media “communities of practice’ and encrypted communications tools like Zello played in the growth of domestic extremism in the U.S.  Crowdsourcing efforts were used by the FBI and cybersecurity professionals to track down and arrest participants in the events of January 6th.  

A sampling of the types of breach, incident, and vulnerability at the beginning of the year is very representative of the variety of cyber threats that continued over the course of the entirety of 2021: Capcom, the game developer behind Resident Evil, Street Fighter, and Darkstalkers, said an attack compromised the personal data of up to 400,000 gamers;  over 100,000 UN employee records accessed by researchers and Colombian energy, metal firms were under fire in new Trojan attack wave. 

Following are some of the other events and perspectives of the last year in cybersecurity:  

January

• Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways
• Is Digital Advertising the ‘Mother of All Money Laundries?’
• Apple Ships Emergency Fixes for Under-Attack iOS Zero-Day
• More Cybersecurity Firms Confirm Being Hit by SolarWinds Hack
• Ransomware is now the biggest cybersecurity concern for CISOs
• High Court Rules Against Government Bulk Hacking
• Meet the New Boss: Context on Cybersecurity and US Federal Leadership

February

• Scammers Selling Fake Covid-19 Vaccination Cards for Just $20
• What CEOs Need To Know About Bitcoin: Including potential new business models to consider
• Wallstreetbets’ Denial of Hedge-Funding Hack Could Slow DeFi Boom
• 1000+ Hackers Worked on SolarWinds Campaign, Microsoft Says

March 

• Insurance Giant CNA Hit with Novel Ransomware Attack
• From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice
• Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities
• National Cyber Ranges: Virtual environments that enable government organizations to test their cyber capability
•  Massive Supply-Chain Cyberattack Breaches Several Airlines
• DoJ Steps Up Investigation into NSO Group

April

• What’s the China-Arab State Data Security Pact Really Mean?
• Costco Issues Scam Warning
• Cyber Retaliation Needs to Be Decisive, Swift, and Meaningful

May

• Microsoft, Google Clouds Hijacked for Gobs of Phishing
• Ransomware: An update on the nature of the threat
• Deepfake Attacks Are About to Surge, Experts Warn
• Ransomware Takes Down East Coast Fuel Pipeline
• Colonial Pipeline Shells Out $5M in Extortion Payout, Report
• US to Regulate Pipeline Cybersecurity
• Update on the Colonial Pipeline ransomware attack
• A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
• China reiterates warning against cryptocurrency use in transactions
• FTC Expectations For Corporate Board Level Oversight of Cybersecurity
• IRS Wants Tools for Cracking Crypto Wallets
• White House Asked to Increase Crypto Regulation
• DoJ Launches Ransomware Taskforce as Apple Hit by Extortion Attempt

June

• The New Enterprise Architecture Is Zero Trust
• Sophisticated Cyber Espionage Exploits Russia and No One Says a Word
• Hackers use Colonial pipeline ransomware news for phishing attack
• Cybersecurity, like Espionage, Is an Infinite Game
• Chinese Trolls Show That Information Can’t Be Stopped, Nor Should It Be
• Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside

July

• LinkedIn’s 1.2B Data-Scrape Victims Already Being Targeted by Attackers
• Mitigating Cyber Risk In An Age of Continuous Crisis
• Project Pegasus: Global news organizations reveal expansive investigation of NSO Group “zero click” surveillance software

August  

• 1M Stolen Credit Cards Hit Dark Web for Free;  Misconfigured Server Leaks US Terror Watchlist
• Why we’re committing $10 billion to advance cybersecurity
• What did the White House and U.S. tech giants pledge to do on cyber, exactly?
• Angry Affiliate Leaks Conti Ransomware Gang Playbook
• Bitskrieg: The New Challenge of Cyberwarfare by Dr. John Arquilla
• At Black Hat 2021, CISA Director Jen Easterly launches CISA JCDC (Joint Cyber Defense Collaborative)
• NSA Warns Public Networks are Hacker Hotbeds
• Hackers take $600m in ‘biggest’ cryptocurrency theft
• What To Know And Do About The Coming Metaverse
• The Privatization of Cyber Tools and Operations Further Muddies Attribution Efforts

September

• Sacked Employee Deletes 21GB of Credit Union Files
• TTEC was hit with a ransomware attack, hampering work for major clients
• Comcast RF Attack Leveraged Remotes for Surveillance
• The People’s Liberation Army (PLA), Global Supply Chains and Chinese Military-Civil Fusion (MCF)
• Zero Trust Will Yield Zero Results Without A Risk Analysis
• Cyber Espionage Likely Supporting China’s Arctic Aspirations
• OODA Loop – Quantum Computing Use Cases and Post-Quantum Cryptography
• OODA Loop – The Next Evolution of Ransomware Gangs: Collaboration

October

• ADA stagnates despite Cardano conference and Chainlink partnership
• Ticketmaster fined $10 million after staff hacked competitor to ‘choke off’ presale ticket business
• One Million Compromised Accounts Found at Top Gaming Firms
• U.S. Treasury’s Response to Ransomware Gangs: Punish the Attackers and the Victims
• Hackers as Global Private Contractors is a Pandora’s Box You Do Not Want to Open
• Renowned Encryption Experts Sound the Alarm on Client-Side Scanning (CSS)
• DiploFoundation Develops Simulated Cyber-Attack Game

November

• Iran-Israel Cyber Conflict Shows Leadership Needed to Curb Critical and Civilian Infrastructure Targeting
• Data Breach at Panasonic
• Queensland government energy generator hit by ransomware
• Ransomware Hoax Spins Disinformation in a New Direction

December

• FBI says hackers are actively exploiting this flaw on ManageEngine Desktop Central servers
• Facebook Bans Spy-for-Hire Firms for Targeting 50K People
• Twitter removes another 3,000 state-backed accounts linked to six countries
• The New Normal? Unique New Responses to Massive, Global Cyber Theft, Data Breach and Espionage Activities (Part 1 of 3) – The Syniverse Hack
• Part II of this series – The BitMart Cryptocurrency Heist
• Part III in the series –  The Microsoft NICKEL Domain Seizures
• OODA Salon 20 December 2021: Digital Innovation and Threats, A discussion with Deputy Director of CIA for Innovation Jennifer Ewbank
• CISA orders federal civilian agencies to patch Log4j vulnerability and 12 others by December 24
• Conti Ransomware Gang Has Full Log4Shell Attack Chain
• NSO spyware used to hack Polish politicians, Khashoggi’s wife, others
• Five Eyes Issue Joint Log4Shell Advisory: “Agencies Strongly Urge All Organizations Take Immediate Action to Protect their Networks”
• Shutterfly reports ransomware incident
• Telegram Abused to Steal Crypto-Wallet Credentials
• Cryptomining Malware Found In Spider-Man: No Way Home Torrents