ArchiveOODA Original

2021 Year-End Review: Cybersecurity

Summary

2021 was marked by security professionals reacting to threats, incidents, and vulnerabilities of a previously unheard of frequency, volume and scale.  It was also a tipping point for cybersecurity efforts by the federal government and corporate IT.  In particular, there is new leadership at the helm of vital cyber agencies in the appointment of Rob Joyce as Director of the NSA Cybersecurity Directorate and Jen Easterly as the Director of CISA.  

Still, the private sector continues to ‘go it alone’ in what is historically a global IT supply chain predominantly managed and operated by high technology companies, not government agencies.  Hovering over the entire cybersecurity discipline and marketplace: the information threat vectors of misinformation, disinformation, information disorder, ransomware, and cyberwar threats from state and non-state actors alike.

2021 also marks the year that a lack of innovation and a dearth of new solutions-driven platforms raised concerns that we may be in a “Cyber Winter” in terms of business model generation and value proposition design.  It begs the question: what are the novel architectures, design metaphors, and design processes for innovation in cybersecurity moving forward? And will security need to go back to the drawing board in a really transformative way in 2022?

New Threats/New Responses

2021 began with a cyber hangover from the December 2020 Solarwinds hack, which was a wake-up call for critical infrastructure organizations, public and private.  Cybersecurity threats of a certain scale found a place in mainstream media coverage and the consciousness of the general public.     

Become A Member

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Also by January of 2021, SolarWinds was hit with a class-action lawsuit by the company’s stakeholders following the Orion Breach, in what was the beginnings of a pattern of activity that played out over the entirety of 2021: new types of legal actions, including class action suits, which grew out of cyber incidents.  It seems a legal framework for cyber is no longer the exclusive domain of the Electronic Frontier Foundation or the Berkman Klein Center at Harvard Law.  2021 proved that legal action is now a more frequent course of action for individuals and groups in response to cyber threats.  

OODA CEO Matt Devost notes:  “Overall, we saw an increase of pressure on groups like the NSO group, that we’re providing almost nation state-level capabilities to what we would consider tier two, tier three nation-states.  Also, entities like Apple and Microsoft got proactively involved – warning individuals around targeting and engaging in lawsuits against entities like NSO, Hafnium and NICKEL.”  

2022 will be marked by a different kind of cyber hangover, this time from the Log4j vulnerability.  In contrast to the Solarwinds Orion incident, Log4j has proven more of an IT and cybersecurity insider’s story covered widely by the tech and hacker press, yet has not broken through to the mainstream media (as of this printing). It makes sense.  It was the Solarwind’s impact on critical infrastructure and governmental breach that made it big national news.  And it is actually bad news if the Log4j evolves into a story, based on the impact of future exploits, that the mainstream media can easily catastrophize and make into a soundbite spectacle for a more general audience.   

Attribution of the Solarwinds hack was not achieved until early 2021 by Kaspersky Labs, which connected the SolarWinds attack code to the known Russian APT Group.  By May, the Colonial Pipeline ransomware attack, payout, and attribution to the Russian affiliated DarkSide finished what the SolarWinds hack had started in terms of a broader exposure and awareness of critical infrastructure cyber threats for policymakers and the general public.  The Department of Justice seizure of  $2.3 million in cryptocurrency paid to the ransomware extortionists DarkSide, also represented a new type of law enforcement activity to ransomware.  Up until May of 2021, cybercriminals and law enforcement alike did not think the seizure of stolen cryptocurrency was even a possibility.  The DoJ has now opened that front, which should also become a deterrence mechanism over time. 

The Log4j vulnerability has yet to be attributed.  Final attribution and Log4j headlines internationally and domestically will certainly play themselves out, possibly over the course of the entirety of 2022.  Matt Devost offers this assessment:  “Log4j is pretty systemic as vulnerabilities go, given how deeply embedded it is on so many different types of devices.  I think it’s kind of untreated territory, at least in the history of my career, and it’s something that’s going to have an incredibly long dwell time inside folks’ networks as vendors are slow to upgrade, et cetera.” 

Log4j vulnerabilities still have the potential to enter the news cycle in a big way.  We recently reported via the OODA Loop Daily Pulse that the sophisticated Russia-based Conti ransomware group has become the first group to weaponize Log4j with a full attack chain. Last week, the group became the first professional cybercrime group to adopt the Log4Shell vulnerability and has since built up a holistic attack chain.  On December 27th, the Five Eyes issued a joint Log4Shell advisory.  

In 2021, Cryptocurrency Hit Hard

As a sampling of the type of issue faced by the cryptocurrency community and marketplace this past year, the first cryptocurrency incident we reported on in 2021 was a crypto-hijacking campaign leveraging the new Golang Remote Access Tool (RAT).  Heists from later in the year include:

The cryptocurrency heist landscape totaled over $7.7 billion in theft from vulnerable crypto exchanges and cryptocurrency websites in 2021, an 81% increase over 2020.  In November, the cryptocurrency market surpassed $3 trillion in value.   

There was a lot of publicity around what is happening in the cryptocurrency, non-fungible token (NTF), and Web3 space. 2021 saw huge instances of online fraud and vulnerability.  The blockchain code may be secure, but the web application layer is not, which will impact the stability and market credibility of these digital native efforts to transform the future of money, stored value, and disintermediated transactions.  Digital sovereignty, digital rights, and digital identity were also a stream of conversation surrounding the security of personal data, transactional or otherwise, and the individual’s right to ownership of their personal data.  

Unrelenting Cyber Activity throughout the Year

In 2021, cyber threats and activity merged with major headlines and the multiple crises in the U.S.  In early January, hackers leaked the COVID-19 vaccine data they stole in a cyberattack and the January 6th insurrection unearthed the role social media “communities of practice’ and encrypted communications tools like Zello played in the growth of domestic extremism in the U.S.  Crowdsourcing efforts were used by the FBI and cybersecurity professionals to track down and arrest participants in the events of January 6th.  

A sampling of the types of breach, incident, and vulnerability at the beginning of the year is very representative of the variety of cyber threats that continued over the course of the entirety of 2021: Capcom, the game developer behind Resident Evil, Street Fighter, and Darkstalkers, said an attack compromised the personal data of up to 400,000 gamersover 100,000 UN employee records accessed by researchers and Colombian energy, metal firms were under fire in new Trojan attack wave

Following are some of the other events and perspectives of the last year in cybersecurity:  

January

February

March 

April

May

June

July

August  

September

October

November

December

Daniel Pereira

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.