We’ve been saying this for many years: This year’s cyberattacks dwarfed last year’s. And in this regard, 2016 was no exception. From online fraud to account takeovers and data breaches, and everything else, attacks were dished out in bigger sizes and higher frequencies than before.
Some trends such as ransomware and DDoS attacks dominated the headlines, but that was not all 2016 had in store. While experts might differ on which were the biggest hacks of the year, there’s no denying that the following four cases were truly unprecedented in their own way.
Yahoo’s half and full billion account theft
2016 was a very bad year for Yahoo.
Last summer, the company reported it was investigating a data breach in which hackers claimed they had gained access to account information for 200 million users. But then in September, it declared the attack had actually exposed the data of more than 500 million users, a record number for a single data breach.
The data included usernames, weakly hashed (and therefore easily cracked) passwords, personal information such as birth dates, and recovery email addresses.
The perpetrator of the attack, a dark web dealer that goes by the moniker “Peace,” was the alleged hacker behind previous data breaches at LinkedIn and MySpace.
To rub salt in the wound, it was reported shortly after that Yahoo had scanned customer emails for U.S. intelligence agencies, a bad move at a time when the tech community is grappling with the government over privacy issues.
The announcement came at a very bad time for Yahoo—the firm was negotiating the sale of its core business to Verizon at $4.8 billion. Subsequently, Verizon demanded a $1 billion discount on the deal, probably another record breaker.
But that wasn’t the end of Yahoo’s 2016 nightmares, and in the end, only Yahoo was able to break its own record. In December, the company disclosed that it had been targeted by another hack dating back to August 2013, this one involving the information of more than 1 billion user accounts, including poorly MD5-hashed passwords.
Mirai’s devastating spate of DDoS attacks
The Internet of Things (IoT) gave more reasons for the security community to hate it in 2016. Lack of security in IoT devices made it easier for hackers to assemble botnets and stage Distributed Denial of Service (DDoS) attacks, a form of assault that brings down servers by flooding them with fake traffic.
The devastating power that IoT botnets grant to attackers became evident in the second half of 2016, when DDoS attacks of unprecedented scale targeted the websites of security researcher Brian Krebs and French hosting giant OVH. The two victims were hit with 620 Gbps and 1 Tbps floods, respectively.
The Battle.net service of famous gaming company Blizzard was also hit by a large-scale DDoS attack during the same period, though figures were not disclosed.
However, all of those attacks were overshadowed by the October 21 DDoS attack against Dyn, which cut access in large swaths of the U.S. to major services such as Twitter, Netflix and PayPal. This attack was unique because it wreaked its havoc by targeting not those websites themselves, but the DNS infrastructure supporting access to them.
Mirai, the famous botnet malware behind the attack, exploits security weaknesses in connected devices in order to create large IoT botnets. The source code of the malware was made public earlier in October.
The success of the attacks gave rise to a new botnet-as-a-service business model, in which customers can rent access to botnets and attack targets of their choice. If there’s one thing to say about the entire DDoS and IoT insecurity saga, it is that 2016 was the year when large-scale attacks, previously the domain of APTs and state actors, became democratized.
The unmeasurable hacking of the Democratic Party
Hillary Clinton and the Democratic Party also had a terrible 2016. A string of cyberattacks and data breaches exposed them to the disclosure of tons of valuable and damaging information, and possibly cost Clinton the presidency.
In June, it was reported that two separate hacking groups, allegedly tied to Russia, had broken into the servers of the Democratic National Committee, getting access to the campaign organization’s emails and chat traffic, and stealing opposition research on Republican presidential front-runner Donald Trump.
DNC chairwoman Debbie Wasserman Schultz resigned in the wake of the hack, after the leaks revealed that campaign officials had played favorites on party nominees. This was a blow to the Democratic Party, which needed to show unity if it were to acquire the favor of ambivalent voters.
However, this wasn’t the last of the Democratic Party’s cyber woes before the 2016 elections. A phishing attack carried out against Clinton’s campaign chair, John Podesta, led to a series of leaks that shed light on some of the less publicized details of Clinton’s campaign.
While the hack dated back to March, the leaks were made at a less opportune time, weeks before the November 9 elections. What’s interesting is that a technician in Clinton’s campaign had suspected the hack, but a fatal typo in his report led to a Podesta aide stepping into the trap.
As if Clinton didn’t already have enough on her plate, less than a fortnight before the elections, FBI director James Comey sent a letter to the House Judiciary Committee, purporting to have new evidence related to its previous inquiry into Hillary Clinton’s email server and handling of classified data.
Another probe was made, but the FBI reiterated shortly after that it hadn’t found anything.
This last episode was a two-hit combo to Clinton’s run for the presidency: first, the resurfacing of the year-old ghost of her email server scandal, and second, the controversy surrounding the viability of investigating 650,000 emails in eight days.
While the amount of damage that the series of hacks and security incidents dealt to the Democratic Party in 2016 is unquantifiable, they were unprecedented nonetheless and can count as record-breaking.
They also served as a reminder and wake-up call that cybersecurity and cyberattacks have taken on political proportions like never before.
The $1 billion heist that didn’t come to pass
Early in the year, hackers managed to rob $81 million from a Bangladesh bank by obtaining credentials to SWIFT, the closed network that member banks across the world use to communicate.
While the SWIFT system itself was not compromised, investigators believe trojan malware enabled the hackers to obtain login info and monitor habits and common activities across the network in order to blend their fraudulent transactions in with other legitimate transfers.
The hackers had filed transfer requests totaling nearly $1 billion through separate transactions. The timing and execution were near flawless, to the point that there remain suspicions that an insider element was involved.
However, in the end, a typo led to the discovery of the scam, and banking institutions were able to block $850 million worth of fraudulent transactions after they saw the word “foundation” misspelled as “fandation” in one of the hackers’ emails. The robbers were deprived of claiming the trophy of a unicorn online heist, but $81 million is nonetheless a record in itself.
The irony
Podesta’s email hack was enabled through a typo—the Bangladesh bank heist was stopped by one. The moral of the story is that whether you’re a cybersecurity expert or a cybercriminal, work on your writing skills.