1 January 2023

The Worst Hacks of 2022


WITH THE PANDEMIC evolving into an amorphous new phase and political polarization on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defenses.

Here's WIRED's look back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.


For years, Russia has pummeled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access. The Russian playbook on the physical battlefield and in cyberspace seems to be the same: one of ferocious bombardment that projects might and causes as much pain as possible to the Ukrainian government and its citizens.

Ukraine has not been digitally passive during the war, though. The country formed a volunteer “IT Army” after the invasion, and it, along with other actors around the world, have mounted DDoS attacks, disruptive hacks, and data breaches against Russian organizations and services.


Over the summer, a group of researchers dubbed 0ktapus (also sometimes known as “Scatter Swine”) went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organizations. The majority of the victim institutions were US-based, but there were dozens in other countries as well, according to researchers. The attackers primarily texted targets with malicious links that led to fake authentication pages for the identity management platform Okta, which can be used as a single sign-on tool for numerous digital accounts. The hackers' goal was to steal Okta credentials and two-factor authentication codes so they could get access to a number of accounts and services at once.

One company hit during the rampage was the communications firm Twilio. It suffered a breach at the beginning of August that affected 163 of its customer organizations. Twilio is a big company, so that only amounted to 0.06 percent of its clients, but sensitive services like the secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta were all in that slice and became secondary victims of the breach. Since one of the services Twilio offers is a platform for automatically sending out SMS text messages, one of the knock-on effects of the incident was that attackers were able to compromise two-factor authentication codes and breach the user accounts of some Twilio customers.

As if that wasn't enough, Twilio added in an October report that it was also breached by 0ktapus in June and that the hackers stole customer contact information. The incident highlights the true power and menace of phishing when attackers choose their targets strategically to magnify the effects. Twilio wrote in August, “we are very disappointed and frustrated about this incident.”


In recent years, countries around the world and the cybersecurity industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialized in targeting both categories, and it focused its attacks on the education sector this year. The group had a particularly memorable showdown with the Los Angeles Unified School District at the beginning of September, in which the school ultimately took a stand and refused to pay the attackers, even as its digital networks went down. LAUSD was a high-profile target, and Vice Society may have bitten off more than it could chew, given that the system includes more than 1,000 schools serving roughly 600,000 students.

Meanwhile, in November, the US Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services released a joint warning about the Russia-linked ransomware group and malware maker known as HIVE. The agencies said the group's ransomware has been used to target over 1,300 organizations around the world, resulting in roughly $100 million in ransom payments from victims. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors,” the agencies wrote, “including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health.”


The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta. The attackers appeared to be based primarily in the United Kingdom, and at the end of March, British police arrested seven people in association with the group and charged two at the beginning of April. In September, though, the group flared back to life, mercilessly breaching the ride-share platform Uber and seemingly the Grand Theft Auto developer Rockstar as well. On September 23, police in the UK said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in March in connection with Lapsus$.

The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys. The attackers then used this access to steal some users' encrypted password vaults—the files that contain customers' passwords—and other sensitive data. Additionally, the company says that “some source code and technical information were stolen from our development environment” during the August incident.

LastPass CEO Karim Toubba said in a blog post that in the later attacks, hackers compromised a copy of a backup that contained customer password vaults. It is not clear when the backup was made. The data is stored in a “proprietary binary format" and contains both unencrypted data, like website URLs, and encrypted data, like usernames and passwords. The company did not provide technical details about the proprietary format. Even if LastPass's vault encryption is strong, hackers will attempt to brute-force their way into the password troves by attempting to guess the “master passwords” that users set to protect their data. With a strong master password, this may not be possible, but weak master passwords could be at risk of being defeated. And since the vaults have already been stolen, LastPass users can't stop these brute-force attacks by changing their master password. Users should instead confirm that they have deployed two-factor authentication on as many of their accounts as they can, so even if their passwords are compromised, attackers still can't break in. And LastPass customers should consider changing the passwords on their most valuable and sensitive accounts.

On top of all of this, LastPass also said that hackers compromised other customer data in the attack, including names, email addresses, phone numbers, and some billing information, though seemingly not credit card numbers.


At the beginning of November, Vanuatu, an island nation in the Pacific, was hit by a cyberattack that took down virtually all of the government's digital networks. Agencies had to move to conducting their work on paper because emergency systems, medical records, vehicle registrations, driver's license databases, and tax systems were all down. The country, which is a collection of islands north of New Zealand, has a population of just over 315,000 people. At the beginning of December, a month after the initial attack, government officials said that systems had only been 70 percent restored, meaning that disruptions persist, even as some agencies start to return to normal. The situation has the trappings of a ransomware attack, but the government hasn't provided details about the hack or who may have been behind it.

Ransomware poses a significant threat to government infrastructure around the world. Earlier this year, the notorious Russia-linked Conti ransomware gang hit the Costa Rican government, paralyzing the country and particularly its import/export systems for months, leading to major financial losses amidst the chaos of day-to-day operations.
Honorable Mention: Twitter-Related Bedlam

Twitter has been in chaos mode for months following Elon Musk's acquisition of the company earlier this year. Amidst the tumult, reports surfaced in July and then again in November of a trove of 5.4 million Twitter users' data that has been circulating on criminal forums since at least July, if not earlier. The data was stolen by exploiting a vulnerability in a Twitter application programming interface, or API, which was fixed in January. A lot of the data in the trove is public, like names, Twitter IDs, tweet locations, and verified status. However, this doesn't mean such a breach is inconsequential, since a collection of data in one place is still valuable to attackers and identity thieves. Additionally, though, the stolen data contained nonpublic information like email addresses and phone numbers. Meanwhile, some researchers also found evidence of an even more massive collection of 17 million records stolen by exploiting the same API flaw. That trove has not leaked publicly, though, and has not been fully vetted.

With Musk bringing huge changes to Twitter, emerging competitors like Mastodon received mass influxes of new signups, flooding servers and causing disruptions as the nascent social networks scrambled to scale and meet the demand. A competing service, Hive Social, had even more dramatic problems. After researchers discovered security vulnerabilities at the end of November that exposed all data stored in user accounts, the company elected to shut down while dealing with the fallout. A blog post warning about the situation began, “Warning: do not use Hive Social.” The company wrote on November 30 that the vulnerabilities “affect the stability of our application and the safety of our users. Fixing these issues will require temporarily turning off our servers for a couple of days.” The site ultimately returned on December 16.

No comments: