The cyberthreat landscape continued to expand and accelerate in 2024, keeping MSSPs busy, as bad actors expanded their arsenals – in particular, their embrace of generative AI – and tactics, including their growing use of cybercrime-as-a-service, which gave criminals new revenue streams and lesser-skilled hackers easy access to ready-to-use tools for launching increasingly sophisticated attacks.
State-sponsored threat groups from foreign adversaries like China, Russia, North Korea, and Iran put critical infrastructure in the United States and other countries in their crosshairs for espionage and other purposes, including, in the case of North Korea, stealing money to bypass international sanctions and fund its massive weapons operations.
Ransomware gangs, which long saw financial institutions as their primary targets, were increasingly turning their attention to the healthcare industry. As Bob Palmer, director of product marketing for cybersecurity firm ColorTokens, wrote in a blog post, financial firms improved their defenses over the years, so the bad actors began looking for other victims and put hospitals and similar organizations in their sights.
“These systems have become a prime target for ransomware attacks, as they often face life-threatening disruptions that can jeopardize patient care,” Palmer wrote. “Healthcare organizations have often found themselves compelled to comply with ransom demands to restore critical services.”
There also were struggles within the cybersecurity field, such as the National Institute of Standards and Technology trying to keep its critical database of vulnerabilities up-to-date after seeing its budget slashed earlier this year. NIST in November caught up with a backlog of known security flaws that hadn’t been analyzed, but getting everything in order won’t happen until sometime in 2025.
In all, it was another year of escalating and evolving attacks that resulted in massive amounts of personal and sensitive data being exposed and billions of dollars being stolen. Below are 10 of the most significant cyberattacks of 2024:
1. Change Healthcare Ransomware Attack
The attack by the BlackCat/ALPHV ransomware group on the UnitedHealth Group subsidiary earlier in 2024 tore through the U.S. healthcare industry, disrupting operations at hospitals and clinics throughout the country, canceling procedures, stopping payments, and keeping prescriptions from being filled. Change performs such tasks as processing payments, medical and insurance claims, and prescription orders for UnitedHealth’s vast network of healthcare facilities.
UnitedHealth’s businesses touch about a third of all U.S. residents, and the effects of the attack were so widespread that federal lawmakers and regulatory agencies had to step in. The data breach happened because some remote access servers didn’t have multifactor authentication (MFA) enabled, as required under U.S. HIPAA rules, allowing the bad actors to gain access via stolen credentials.
In all, BlackCat was able to steal more than 6TB of data, and more than 100 million people had their sensitive and medical data – from names, addresses, email addresses, and Social Security numbers to medications, test results, and treatment plans – exposed, making the attack among the largest data breaches in history.
Change Healthcare reportedly paid a $22 million ransom to the threat group.
2. Snowflake Users Breached
Bad actors were able to hack into the accounts of many major corporations that stored their data with cloud-based data warehouse provider Snowflake because the companies failed to properly secure the accounts with tools like MFA. Among the dozens of victim organizations were AT&T (which said 70 million customers were affected), Neiman Marcus, Ticketmaster, Santander Bank, State Farm, Advance Auto Parts, and Bausch Health. Google-owned Mandiant attributed the hack to the threat group Scattered Spider – also known as UNC55367 – and in November the U.S. Justice Department charged two individuals with stealing terabytes of data from the victim companies.
The two were accused of collecting 50 billion call and text records and reportedly had extorted at least $2.7 million from some of the corporations. Mandiant said the hackers used credentials that previously had been stolen – some as far back as 2020 – to get into the vulnerable Snowflake accounts.
3. China's Salt Typhoon and Volt Typhoon
The lengths that Chinese state-sponsored groups would go to in order to compromise U.S.-based networks became clearer in 2024. Early in the year, agencies like CISA (the Cybersecurity and Infrastructure Security Agency), the National Security Agency, and the FBI said that the threat group Volt Typhoon had infiltrated the networks of critical infrastructure companies, prepositioning themselves and lying in wait to disrupt or destroy operations if a conflict between the United States and China arose. Some of the compromises happened at least five years earlier.
Later in the year, the agencies said another Chinese-backed group, Salt Typhoon, compromised the networks of at least eight U.S. telecoms – including AT&T, Verizon, and T-Mobile – as well as similar companies overseas in a vast and ongoing attack that included targeting of major political figures, including Donald Trump and JD Vance. The metadata of many Americans was stolen in an operation that included huge amounts of phone call data and, in some instances, intercepted audio and text.
U.S. agencies are investigating the attacks and the security processes and protections used by the telecoms, with Senator Richard Blumenthal (D-CT) saying the “extent and depth and breadth of Chinese hacking is absolutely mind-boggling – that we would permit as much as has happened in just the last year is terrifying.”
4. National Public Data is Breached
The ongoing concerns about data brokers came into sharp focus in April, when a breach of National Public Data’s systems exposed 2.9 billion records of up to 170 million people, including names, email addresses, and Social Security and phone numbers. The company scraped personal data of people from an array of publicly available sources – voting registries, bankruptcy filings, court records, and marriage certificates – and sold it to companies for such uses as background checks.
A hacker using the handle “USDoD” began trying to hack into the systems as early as December 2023 and succeeded earlier this year before trying to sell a database of the stolen information for $3.5 million. In October, Brazilian authorities arrested USDoD, who was connected to other breaches.
National Public Data’s parent company, Jericho Pictures, facing multiple lawsuits, filed for Chapter 11 bankruptcy protection in October. A federal court judge dismissed the filing, and soon after, National Public Data shut down after two decades in business.
5. Midnight Blizzard Targets Microsoft Execs
Microsoft security experts in January found that bad actors with the Russian state-sponsored threat group Midnight Blizzard – also known as Cozy Bear, Nobelium, and APT29 – had hacked into the IT giant’s corporate email accounts and were running what the company called a “sustained, significant commitment of the threat actor’s resources, coordination, and focus” using data it already had stolen.
Microsoft wrote in a filing with the U.S. Securities and Exchange Commission (SEC) that since November 2023, the group had been present in a small number of employee email accounts, including those belonging to the senior leadership team and employees in such areas as cybersecurity and legal.
The hack, which included stealing information and source code, was another example of a foreign adversary looking to steal information by attacking private companies, with Microsoft writing in a report that it “reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”
6. Flaws in ConnectWise's ScreenConnect Exploited
Managed service provider (MSP) tool platform vendor ConnectWise alerted MSPs in February about two critical vulnerabilities in its popular ScreenConnect software, which managed service providers use to gain remote access to customer devices when delivering IT support and other services.
ConnectWise that month issued two fixes for the flaws in the remote monitoring and management (RMM) software and urged users to update the product. Initially the company said there were no indications that the vulnerabilities were being targeted by threat actors, though that changed when cybersecurity firms like Huntress, Sophos, and Darktrace found that the flaws were actively being exploited in the wild.
Huntress researchers wrote in late February that they had found more than 8,800 servers still running the vulnerable versions of ScreenConnect and that they had developed a proof-of-concept (PoC) exploit that could bypass authentication on unpatched ScreenConnect servers.
ConnectWise CISO Patrick Beggs provided MSSP Alert with an inside look at the crisis and presented about how the company had used artificial intelligence for its incident response efforts at the MSSP Alert Live conference in Austin in October 2024.
7. Kaiser and Ascension Attacks
The ransomware attack on Change Healthcare made a lot of headlines, but it was only the largest of the data breaches hitting healthcare organizations. In April, Kaiser Permanente reported a data breach that was caused by a technical issue – rather than ransomware – with tracking technology that shared patient information with companies like Microsoft and Google.
The vendors were able to access such data as patient name and IP address and get information about how patients used websites and applications. More than 13.4 million current and former members of the health plan were notified by Kaiser, which operates 40 hospitals in several states.
The next month, Ascension Health was the victim of a ransomware attack by the notorious Black Basta threat group that the organization in December said affected 5.6 million people. Ascension runs 140 hospitals in the United States, along with 40 senior care facilities. The data stolen includes medical and payment information, insurance information, and government data, such as Social Security, tax identification, and driver’s license numbers.
8. OpenAI Foils 20 Attempts to Use Its LLMs
In a report that highlighted the multiple ways threat groups are using generative AI, OpenAI said in October it disrupted more than 20 operations – including some linked to cyberthreat exporters like Russia, China, and Iran – that were trying to use its large language models (LLMs) for nefarious purposes.
Some of the operations were for offensive actions, like compromising critical infrastructure, running spearphishing and other campaigns, interfering with elections in the United States and in other countries, or operating reconnaissance and similar schemes. Other groups used ChatGPT and other models in their development work to help with coding, debugging their malware, or evading cyber-defense systems.
Some of the state-linked groups included China’s SweetSpecter (using AI for reconnaissance or vulnerability research) and Iran’s CyberAv3ngers and Storm 0817.
9. Internet Archive Attack Exposes 31 Million Files
The venerable Internet Archive, the non-profit digital library that offers free access to a wide range of digitized materials like websites, books, and software, was hit by a series of attacks in September that exposed more than 31 million files, such as email addresses and usernames. The bad actors stole a 6.4GB SQL file.
It took the Internet Archive a month to get all of its site and services back up and running after the attacks. The first attack exposed the files; the second – a distributed denial-of-service (DDoS) incident – was launched by a pro-Palestinian group called SN_BlackMeta, which claimed to have launched the attack because the Internet Archive is based in the United States.
A third attack involved the theft of GitLab authentication tokens, which could be used to access the site’s email system.
10. Dell Data Breach Affects 49 Million Customers
IT stalwart Dell Technologies in May said 49 million customer records were stolen in a data breach, including names, addresses, hardware bought, services rendered, and order information. The company said no financial information, like credit card numbers or payment details, was exposed, though the information that was taken could lead to bad actors running scams on customers by using it to convince targets of their legitimacy.
Days before, a threat actor with the handle “Menelik” tried to sell a Dell database on a hacking forum, saying the information was linked to 49 million customers who bought products from Dell between 2017 and 2024.
The incidents listed here don’t include the myriad other cyberattacks that could have been added, but they highlight not only the scale of the threats facing many companies but also the various areas – healthcare and AI – that the bad guys are expanding into.