Cyber security news roundup: December

We're rounding up some of the biggest cyber security stories of the past few weeks. In December, several US government agencies came under cyber attack, healthcare and financial services were named as major areas of concern for 2021, and a new milestone highlighted the potential rewards available to ethical hackers.

US govt cyber attack affects up to 250 agencies

The US government uncovered a major cyber attack in December that could have compromised data at more than 250 agencies, ranging from the Treasury to parts of the Pentagon.

The attack, believed to have originated in Russia, gained access via network management software made by a Texan company named SolarWinds, which allowed the hackers to impersonate existing users and accounts, including highly privileged accounts.  

By targeting weak points elsewhere in the supply chain, rather than attacking government agencies directly, the hackers were able to avoid detection by early warning sensors. The scale of the attack is said to have been unprecedented, with one US senator, Mark Warner, describing it as "looking much, much worse than I first feared" as new details have continued to emerge.

Cyber security firm targeted by 'state sponsored' attack

The SolarWinds attack may have gone undetected for even longer had it not been for the discovery of another attack on US cyber security firm FireEye, which was said to have come from 'state-sponsored' actors.

Chief executive of FireEye Kevin Mandia explained the data breach had stolen tools used for testing its customers' security. He said: "Based on my 25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities."

However, it was while investigating the incident and looking through 50,000 lines of source code that the company's digital forensics experts noticed a backdoor in one of its software providers - SolarWinds - that proved to be the first discovery of the government attack.

IMF warns of cyber threats to financial stability

Looking forward to 2021, the International Monetary Fund (IMF) has warned that cyber security threats are posing an increasing risk to the stability of global financial markets. The organisation warned that hacking tools have become cheaper, more powerful and more widely available, yet many financial institutions are still not able to effectively fight attacks.

The IMF therefore highlighted several strategies to strengthen cyber defences in this sector. These include improving risk assessment and mapping of key digital infrastructure, the development of more consistent international regulations and better sharing of information about attacks, which will help develop more effective response strategies.

Healthcare firms set to be on the front line in fight against cyber crime

Another sector set for a testing 2021 is the healthcare industry. This comes at a time when organisations are already facing major logistical challenges related to the rollout of Covid-19 vaccines, which are creating more complexity that nation-state and criminal actors alike are keen to exploit.

As well as taking advantage of increasingly-complex supply chains for cyber-espionage, the rise of connected medical devices and an increased reliance on digital data gives hackers more opportunities for attacks such as ransomware.

This has the potential to seriously disrupt patient care. For instance, the BBC reported that in October, six American hospitals received ransom demands of at least $1 million (£810,000) within 24 hours, leading to some cancer treatments being cancelled.

Ethical hacker earns $2 million in bug bounties

It was also reported in December that a Romanian ethical hacker has become the first person to rack up more than $2 million in bug bounties through the HackerOne platform. 

Cosmin Lordache, also known by the handle @inhibitor181, had already become one of the first ethical hacker millionaires in 2019 after reporting 468 flaws through HackerOne. It took the 30-year-old less than a year to make his second million.

HackerOne has reportedly handed out a total of $82 million in big bounties through its platform, with hackers in 170 different countries taking a share of this. The success of the service therefore highlights just how important ethical hacking professionals are to the global cyber security industry.