The aim of this blog is to highlight the 2024 global cybersecurity trends that defenders can study to prepare themselves for the threats of 2025. The Top 10 Cyber Threats of 2024 had several interesting themes, such as aggressive cyber espionage campaigns from Russia and China, new cases of state-sponsored cybercrime from Iran and North Korea, groundbreaking ransomware attacks, and several notable disruption events.
This year, Snowflake was at the center of a historic data breach campaign. Snowflake is a cloud-hosted data platform that companies use to store and query very large datasets. In May, it emerged that up to 165 customer accounts had been accessed with valid, stolen login credentials and their data exfiltrated. In June, the stolen data was offered for sale on the English-speaking cybercrime community BreachForums, which had been resurrected following an FBI takedown earlier in the year. The aftermath of the Snowflake campaign has been staggering. The publicly known impact includes 110 million AT&T customers, 30 million Santander customers, 560 million Ticketmaster customers, 380 million Advance Auto Parts customers, and 190 million LendingTree customers.
Snowflake’s own investigation (conducted with Mandiant) found that the breaches were part of a targeted campaign against customer accounts protected by single-factor authentication. The attackers logged in with credentials stolen by infostealer malware, some of them years old. The investigation ruled out both a vulnerability in the Snowflake product and compromised credentials of current or former Snowflake employees as the cause.
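Here is the kind of check a Snowflake customer could have run on their own login history to find the exposure described above. This is an added example, not code from the original post or from Snowflake: the rows are constructed and only modelled on the fields Snowflake exposes in its ACCOUNT_USAGE.LOGIN_HISTORY view (user, client IP, client type, first and second authentication factor, success flag), and the allowed egress range is a hypothetical value you would replace with your own.

```python
from ipaddress import ip_address, ip_network

# Hypothetical corporate egress range. Anything outside it is "off-network";
# in the Snowflake campaign the logins came from attacker infrastructure.
ALLOWED_EGRESS = [ip_network("198.51.100.0/24")]

# Constructed sample rows (invented values), modelled on LOGIN_HISTORY columns.
LOGIN_EVENTS = [
    {"ts": "2024-05-20T08:01:00Z", "user": "ANALYST_A", "client_ip": "198.51.100.14",
     "client": "SNOWFLAKE_UI", "first_factor": "PASSWORD", "second_factor": "DUO_PUSH", "success": True},
    {"ts": "2024-05-20T08:05:00Z", "user": "ETL_SERVICE", "client_ip": "198.51.100.40",
     "client": "PYTHON_DRIVER", "first_factor": "RSA_KEYPAIR", "second_factor": None, "success": True},
    {"ts": "2024-05-21T02:13:00Z", "user": "ANALYST_B", "client_ip": "203.0.113.77",
     "client": "JDBC_DRIVER", "first_factor": "PASSWORD", "second_factor": None, "success": True},
    {"ts": "2024-05-21T02:14:00Z", "user": "ANALYST_B", "client_ip": "203.0.113.77",
     "client": "JDBC_DRIVER", "first_factor": "PASSWORD", "second_factor": None, "success": False},
    {"ts": "2024-05-21T09:30:00Z", "user": "FINANCE_RO", "client_ip": "198.51.100.9",
     "client": "ODBC_DRIVER", "first_factor": "PASSWORD", "second_factor": None, "success": True},
]


def is_on_network(ip: str) -> bool:
    """True if the client IP falls inside an allowlisted egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_EGRESS)


def password_only(event: dict) -> bool:
    """A password login with no second factor is exactly what a credential
    lifted by an infostealer lets an attacker replay from anywhere."""
    return event["first_factor"] == "PASSWORD" and not event["second_factor"]


def triage_logins(events: list) -> list:
    """Return successful password-only logins, ranked by where they came from:
    off-network ones are 'high', on-network ones 'medium'. Key-pair and MFA
    logins are not reported at all."""
    findings = []
    for e in events:
        if not e["success"] or not password_only(e):
            continue
        severity = "medium" if is_on_network(e["client_ip"]) else "high"
        findings.append({"user": e["user"], "client_ip": e["client_ip"],
                         "client": e["client"], "severity": severity})
    return findings


def users_needing_mfa(events: list) -> list:
    """Every user that authenticated with a bare password at least once, whether
    or not the attempt succeeded: the list to enrol in MFA first."""
    return sorted({e["user"] for e in events if password_only(e)})


if __name__ == "__main__":
    for finding in triage_logins(LOGIN_EVENTS):
        print(finding)
    print("enforce MFA for:", users_needing_mfa(LOGIN_EVENTS))
```

The point of splitting the severity on network origin is that a password-only service login from your own egress range is a hygiene problem, while the same login from an unknown address is an incident. Both lists shrink to nothing once MFA is enforced on the account and a network policy limits where logins may come from, which is the fix the rest of this section argues for.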
There is some good news though: the cybercriminals behind the attack have been caught. In November, US authorities charged Connor Moucka and John Binns over the Snowflake campaign.
Ransomware persisted as a perennial threat to organizations worldwide for yet another year, and likely for many more to come. In February, pharmacies across the US were unable to fill prescriptions because of an ALPHV/BlackCat ransomware attack on Change Healthcare, the UnitedHealth Group subsidiary that processes roughly half of all medical claims in the US.
The aftermath of this incident was massive. Up to 100 million people were affected, and the company decided to pay an eye-watering 22 million USD ransom. What made this incident one of the worst of the year, however, was its cost: as of July, UnitedHealth estimated the total cost of the attack at between 2.3 billion USD and 2.45 billion USD, one of the highest figures in history for an attack of any kind against a single organization.
The record for the highest-ever ransom payment was also broken this year. The Dark Angels ransomware gang was reportedly paid a mind-blowing 75 million USD. Bloomberg reported that the company that allegedly paid this astronomical sum was Cencora, a US pharmaceutical distributor that made 262 billion USD in revenue in 2023.
Scattered Spider is one of the largest English-speaking cybercriminal threat groups, structured more like a loose community than a few individuals working closely together. Since around 2022, attacks linked to Scattered Spider have grown steadily in notoriety, from Twilio to Reddit to Coinbase, and eventually MGM and Caesars in late 2023. This year Scattered Spider continued its attacks, but several members were caught and arrested.
In September, Transport for London (TfL) disclosed that it had experienced a cyberattack on its systems that affected customer data, some payment processing systems, and some of its live data feeds. The incident gained further headlines for the scale of the recovery operation: TfL had to reset the passwords of 30,000 employees in person, with an identity verification check before each was given access back to TfL applications and data.
A 17-year-old from Walsall, UK, was arrested a few days after the attack in connection with the TfL intrusion, the UK National Crime Agency (NCA) said. Not long before the TfL attack, a 17-year-old from Walsall had also been arrested in connection with the attack on MGM attributed to Scattered Spider. This was followed by a further five Scattered Spider members, four from the US and one from the UK, being charged by the US Department of Justice. However, the FBI said in May that Scattered Spider (also known as The Com) is made up of approximately 1,000 individuals, so the group is unlikely to go away anytime soon.
In March, a malicious backdoor was found in XZ Utils, a widely used data compression library, in release versions 5.6.0 and 5.6.1. Red Hat warned it might be present in Fedora Linux development builds, and Debian Unstable and Kali Linux indicated they were affected as well. The malicious code was handled as a vulnerability, tracked as CVE-2024-3094 with a CVSS score of 10/10.
The backdoor in XZ Utils was later revealed to be the result of a sophisticated, multi-year campaign to compromise an open source project from the inside. Fortunately, it was caught by Microsoft engineer Andres Freund early enough to prevent widespread exploitation before it reached millions of systems worldwide; only bleeding-edge Linux distributions that picked up the latest XZ Utils releases straight away were affected.
The malware was engineered to alter the operation of the OpenSSH server daemon (sshd) and interfere with its authentication. The trojanised liblzma is loaded into sshd indirectly on distributions whose OpenSSH packages link against libsystemd, and from there it hooks the RSA public-key verification routine. Essentially, it would allow unauthorized remote access to an affected system. The backdoor did not ‘call home’; it waited for the operator to connect over SSH and present a payload embedded in the authentication handshake and signed with the operator’s own private key, which nobody else could produce.
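The checks administrators actually ran in the days after the disclosure were: is the installed xz one of the two backdoored releases, does sshd load liblzma at all (it only does so on distributions that link sshd against libsystemd), and does the liblzma file on disk contain the byte pattern of the hooked function. The following is an added example that bundles those three checks; it is not code from the original post, from the XZ project or from the disclosure, although the byte signature is the one used by the detect.sh script Andres Freund published. The sample `xz --version` output, `ldd` output and library bytes are constructed for the example; on a real host you would feed in the real command output and the real file.

```python
import re

# Release versions of XZ Utils whose tarballs carried the backdoor (CVE-2024-3094).
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# Prologue bytes of the hooked function inside the trojanised liblzma, as
# searched for by the detect.sh script published with the original disclosure.
BACKDOOR_SIGNATURE = bytes.fromhex("f30f1efa554889f54c89ce5389fb81e7000000804883ec28")


def xz_version(version_output: str):
    """Pull the release number out of `xz --version` output, or None."""
    m = re.search(r"XZ Utils\)\s+(\d+\.\d+\.\d+)", version_output)
    return m.group(1) if m else None


def is_backdoored_version(version) -> bool:
    """Version check alone: necessary but not sufficient, since vendors later
    shipped rebuilt packages that keep a 5.6.x version string but not the payload."""
    return version in BACKDOORED_VERSIONS


def sshd_loads_liblzma(ldd_output: str) -> bool:
    """True if `ldd /usr/sbin/sshd` lists liblzma. Upstream sshd does not use it;
    it is pulled in transitively on distributions that patch sshd to link libsystemd,
    which is the only configuration where the hook can fire."""
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())


def has_backdoor_signature(liblzma_bytes: bytes) -> bool:
    """Byte-signature check on the shared object itself. This survives a changed
    version string or a library installed by hand outside the package manager."""
    return BACKDOOR_SIGNATURE in liblzma_bytes


def assess(version_output: str, ldd_output: str, liblzma_bytes: bytes) -> dict:
    """Combine the three checks; a host is exposed only if sshd loads a liblzma
    that carries the payload."""
    ver = xz_version(version_output)
    loads = sshd_loads_liblzma(ldd_output)
    sig = has_backdoor_signature(liblzma_bytes)
    return {
        "version": ver,
        "backdoored_version": is_backdoored_version(ver),
        "sshd_loads_liblzma": loads,
        "signature_present": sig,
        "sshd_exposed": loads and sig,
    }


# Constructed sample inputs standing in for a real host (not captured from one).
SAMPLE_VERSION_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_OUTPUT = (
    "\tlinux-vdso.so.1 (0x00007ffd2b1fe000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2b3c4000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a2b390000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2b180000)\n"
)
SAMPLE_LIBLZMA = b"\x7fELF" + b"\x00" * 64 + BACKDOOR_SIGNATURE + b"\x00" * 64

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_LDD_OUTPUT, SAMPLE_LIBLZMA))
```

To run it against a live machine, pass `subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout`, the equivalent for `ldd /usr/sbin/sshd`, and `open(path_from_ldd, "rb").read()`. The signature check is the one worth keeping in a fleet-wide scan, because the version string is the weakest of the three signals.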
The attacker, known only as Jia Tan, reportedly spent two years politely and enthusiastically volunteering code for XZ Utils and other well-known open source projects, making around 6,000 code changes to at least seven projects between 2021 and February 2024. From January 2023, Jia Tan’s code was being integrated into XZ Utils, and over the following year they largely took control of the project from its original maintainer, Lasse Collin.
The patience and the complexity of the backdoor have led many to believe Jia Tan’s activities were part of a long-running state-sponsored campaign. The lack of any other online presence linked to Jia Tan points toward the account being a single-purpose invented persona, devoted to building up a history of credibility in preparation for the sabotage of XZ Utils specifically.
There are some interesting discussions of the whole situation on Hacker News (YCombinator) and Openwall as well.
Throughout 2024, several well-known Russian state-sponsored advanced persistent threat (APT) groups continued to launch cyber-espionage campaigns against Ukrainian and NATO member state government entities as well as technology companies, presumably because the latter are upstream targets that provide services to the adversaries’ ultimate goal of government and military networks.
In January, the Microsoft Security Response Center (MSRC) revealed that its corporate email system had been breached by spies working for the Russian Foreign Intelligence Service (SVR), also known as COZY BEAR (APT29 or Midnight Blizzard). The intrusion began with low-and-slow password spraying against a “legacy non-production test tenant account” owned by Microsoft that did not have MFA enabled; from there the attackers abused a legacy test OAuth application with elevated access to the corporate environment to read senior staff mailboxes. Later, in October, the SVR was caught in another campaign sending .RDP configuration files as attachments in spear-phishing emails.
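Low-and-slow spraying is designed to stay under per-account lockout thresholds: one or two guesses per account, many accounts, spread over hours. The detection therefore has to pivot on the source rather than the account. The following is an added example of that logic, written for this post and not taken from Microsoft or MSRC; the authentication events are constructed, the IP addresses are documentation ranges, and the thresholds (five accounts, at most two attempts each, within 24 hours) are assumptions to tune for your own environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, source IP, target account, success).
# One source tries seven accounts once each over four hours and finally lands on
# an unprotected test account; a second source is a user mistyping their own password.
EVENTS = [
    ("2024-01-10T01:00:00", "203.0.113.5", "alice", False),
    ("2024-01-10T01:40:00", "203.0.113.5", "bob", False),
    ("2024-01-10T02:25:00", "203.0.113.5", "carol", False),
    ("2024-01-10T03:05:00", "203.0.113.5", "dave", False),
    ("2024-01-10T03:50:00", "203.0.113.5", "erin", False),
    ("2024-01-10T04:30:00", "203.0.113.5", "frank", False),
    ("2024-01-10T05:10:00", "203.0.113.5", "legacy-test-01", True),
    ("2024-01-10T09:00:00", "198.51.100.23", "alice", False),
    ("2024-01-10T09:00:20", "198.51.100.23", "alice", False),
    ("2024-01-10T09:00:40", "198.51.100.23", "alice", True),
]


def detect_password_spray(events, window=timedelta(hours=24),
                          min_accounts=5, max_per_account=2):
    """One alert per source IP that, inside any `window`, touched at least
    `min_accounts` distinct accounts while never exceeding `max_per_account`
    attempts on any one of them. The per-account cap is what separates a spray
    from brute force against a single account; the distinct-account floor is
    what separates it from a user fumbling their own login."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((datetime.fromisoformat(ts), user, ok))

    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            per_account = Counter(user for _, user, _ in span)
            if len(per_account) < min_accounts or max(per_account.values()) > max_per_account:
                continue
            hits = sorted({user for _, user, ok in span if ok})
            candidate = {"src": src, "accounts": len(per_account),
                         "first": span[0][0].isoformat(), "last": span[-1][0].isoformat(),
                         "compromised": hits}
            # Keep the widest qualifying window for this source.
            if best is None or candidate["accounts"] > best["accounts"]:
                best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(EVENTS):
        print(alert)
```

The `compromised` field is the part that matters for response: a spray that ends in a success against an account with no MFA is no longer a noisy-auth ticket but an active intrusion, which is the sequence the Microsoft disclosure describes.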
In November, researchers from Volexity presented at CyberWarCon a complex investigation into a cyber-espionage campaign against a US-based entity, attributed to spies working for the Russian military intelligence agency (GRU), also known as FANCY BEAR (APT28 or Forest Blizzard). Volexity found that the GRU had compromised a neighbouring organization’s Wi-Fi network, physically across the street from the intended target, and used a dual-homed system there to reach the target’s own Wi-Fi network. This unusual type of intrusion was dubbed a nearest neighbor attack; it is very rare, but we could see more of it in years to come.
Also this year, CISA and the UK NCSC published a formal warning about EMBER BEAR (Cadet Blizzard), a relatively new GRU group (Unit 29155) that is separate from well-known GRU adversaries such as FANCY BEAR and Sandworm. EMBER BEAR has most often targeted Ukrainian government and telecommunications entities, but has reportedly also targeted critical national infrastructure (CNI) organizations across Europe and the Americas.
During 2024, Chinese APTs were linked to several significant intrusion campaigns, specifically against the telecommunications sector worldwide.
In September, the Wall Street Journal reported that a China-nexus APT group called Salt Typhoon had compromised multiple US telecommunications firms. The US providers whose networks were reportedly breached include Verizon, AT&T, Lumen, and T-Mobile, and the access allegedly enabled snooping on downstream targets such as the lawful-intercept systems US law enforcement uses for court-ordered wiretaps. The US presidential campaigns were reportedly targeted as well.
In early 2024, US law enforcement carried out a court-authorized takedown of Volt Typhoon’s botnet of compromised small office/home office (SOHO) routers, known as the KV-botnet. The effect was short-lived, however: researchers observed the adversary rebuilding it in November. Volt Typhoon also reportedly breached Singapore Telecommunications (Singtel) in mid-2024.
In November, CrowdStrike shared a new report on LIMINAL PANDA, another China-nexus threat group that targets telco technology. LIMINAL PANDA is said to have an extensive understanding of interconnections between telco providers, the global system for mobile communications (GSM) protocols, and targeted mobile subscriber information, call metadata, and text messages (SMS).
Other notable Chinese APT activity that came to light in 2024 included the leak of internal documents from I-SOON, a contractor to the Chinese Ministry of Public Security (MPS), as well as Sophos’ groundbreaking Pacific Rim report on its five-year counter-offensive operation against a Chinese exploit development unit.
One of the most interesting reports this year was shared in August by US authorities, who highlighted that cybercriminals associated with the Iranian government were gaining network access and then collaborating with Russian-speaking ransomware affiliates to extort the victims.
US authorities stated they have tracked this campaign since 2017 and that these Iranian cybercriminals are known by many names, including Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm. They were linked to an Iranian company named Danesh Novin Sahand, likely an IT front company for their operations.
The Iranian adversaries created a persona in 2023 on Russian-speaking cybercriminal forums called “Br0k3r” which posted links to a Tor single-vendor market called “Br0k3r’s Shop” to sell initial access to ransomware affiliates. The Iranian adversaries behind Br0k3r were reportedly collaborating directly with ransomware affiliates, such as NoEscape, RansomHouse, and ALPHV/BlackCat, to encrypt victim networks in exchange for a percentage of the ransom payments.
An interesting observation by the FBI was that these adversaries reportedly did not disclose their Iranian origin to their ransomware affiliate contacts and were intentionally vague about their nationality. The same adversaries have historically been linked to hack-and-leak campaigns targeting Israeli companies, such as Pay2Key in late 2020.
The final key aspect of these Iranian campaigns is that they likely first stole sensitive information from the victim networks to hand to the Iranian government. The follow-on ransomware activity is probably not sanctioned by that government: the adversaries have reportedly expressed concern about the Iranian government monitoring the cryptocurrency transactions associated with their attacks.
Cyber operations by the Democratic People’s Republic of Korea (DPRK) were highly active in 2024. Its revenue-generation operations show no sign of slowing down and span cryptocurrency theft, software supply chain attacks, remote IT worker schemes, and ransomware attacks.
In March 2024, the United Nations reported that it was investigating 58 cyberattacks attributed to North Korean hackers involving the theft of 3 billion USD over six years. In April 2024, the cryptocurrency investigator ZachXBT published research into more than 25 campaigns attributed to North Korea between 2020 and 2023 that led to the theft of a combined 200 million USD.
North Korean software supply chain attacks, which the UK NCSC warned about in November 2023, continued in 2024. North Korean adversaries were attributed to the poisoning of Python (PyPI) and NPM packages to deliver malware to software developers. By targeting the open source software ecosystem, the adversaries can wait for victims to come to them, a tactic more akin to malvertising and watering hole attacks than to spear phishing.
In August 2024, the US Justice Department announced that it had shut down a “laptop farm” that generated revenue for the North Korean government by tricking unwitting American and British businesses into hiring North Korean remote IT workers, who earned salaries in evasion of international sanctions. Individual workers have been paid hundreds of thousands of dollars each, generating hundreds of millions of dollars collectively each year. Thousands of North Korean IT workers have reportedly been sent abroad, primarily to China and Russia. These operations rely on adversary-created digital infrastructure: email, social media, payment platform and online job site accounts, as well as fake websites and proxy computers.
North Korean state-sponsored ransomware campaigns appear to have ratcheted up in 2024 after Palo Alto Networks (PAN) uncovered a link between Jumpy Pisces (aka Andariel and Onyx Sleet) and Play ransomware. This adversary has historically been connected to the Maui and H0lyGh0st ransomware families in previous years. In May 2024, Microsoft also disclosed a link between another North Korean group it calls Moonstone Sleet and FakePenny ransomware.
Disruptive attacks on industrial control systems (ICS) were observed several times in 2024. According to a Wired report, a hacktivist group known as the Cyber Army of Russia Reborn (CARR) took credit for targeting the ICS of US and European water and hydroelectric utilities at least three times. CARR posted screen recordings to Telegram of its manipulation of human-machine interfaces (HMIs). Specifically, CARR’s victims included multiple US water utilities in Texas, a Polish wastewater treatment plant, and, reportedly, a small French water mill, which the hackers claimed was a French hydroelectric dam.
Interestingly, Mandiant linked CARR to Sandworm, the GRU unit known for targeting Ukrainian ICS. Importantly, as far as is publicly known, Sandworm has never directly targeted a US network with a disruptive cyberattack; some US firms were hit by the 2017 NotPetya attack, but indirectly, through self-spreading code. One key link between CARR and Sandworm was that Google found the YouTube accounts created for CARR had been accessed from an IP address known to be controlled by Sandworm. Another was that, following Sandworm attacks on Ukrainian targets involving data theft and wiper malware, the stolen data would be posted to the CARR Telegram channel. Mandiant assessed that the GRU was probably involved in creating CARR and has some role in running it. Further, in July 2024, the US Treasury sanctioned two members of CARR.
In April 2024, Dragos identified the FrostyGoop malware targeting ICS in Ukraine. FrostyGoop was reportedly used in a January 2024 attack against a municipal district energy company in Lviv, causing a two-day loss of heating to over 600 apartment buildings.
As noted by SANS, this made FrostyGoop the latest ICS malware to achieve real-world impact and the first to do so by manipulating the Modbus TCP protocol. Because Modbus TCP is so widely deployed, FrostyGoop is a significant threat to critical national infrastructure (CNI) sectors including energy, water and wastewater, manufacturing, transportation, and oil and gas. Further, because the malware issued Modbus TCP commands directly from the adversary’s infrastructure to internet-exposed controllers, it did not need to be placed on assets inside the targeted network, leaving little for later discovery, analysis, and forensics.
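Modbus TCP has no authentication, so whether a write to a controller is legitimate comes down to who sent it. The following is an added example, written for this post and not taken from Dragos, SANS or the FrostyGoop analysis, of the detection a network sensor in front of the controllers can do: parse the Modbus/TCP frame (7-byte MBAP header, then the PDU), decode the common read and write function codes, and alert on any state-changing function whose source lies outside the expected OT network. The packets and IP addresses are constructed (documentation ranges), and the OT network range is a hypothetical value.

```python
import struct
from ipaddress import ip_address, ip_network

# Hypothetical OT LAN. Modbus writes should only ever originate here.
OT_NETWORKS = [ip_network("10.20.0.0/16")]

# Function codes that change controller state versus those that only read it.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse one Modbus/TCP request into a dict. Raises ValueError on anything
    that is not a well-formed Modbus frame so callers can skip it."""
    if len(payload) < 8:
        raise ValueError("too short for an MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    function = payload[7]
    pdu = payload[8:]
    frame = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": function,
        "name": WRITE_FUNCTIONS.get(function) or READ_FUNCTIONS.get(function) or "0x%02x" % function,
        "is_write": function in WRITE_FUNCTIONS,
    }
    if function in READ_FUNCTIONS:
        frame["start"], frame["quantity"] = struct.unpack(">HH", pdu[:4])
    elif function == 0x10:
        start, quantity, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * quantity or len(pdu) < 5 + byte_count:
            raise ValueError("write multiple registers: byte count inconsistent")
        values = struct.unpack(">%dH" % quantity, pdu[5:5 + byte_count])
        frame.update(start=start, quantity=quantity, values=list(values))
    elif function in (0x05, 0x06):
        frame["address"], frame["value"] = struct.unpack(">HH", pdu[:4])
    return frame


def detect_external_writes(flows) -> list:
    """flows: iterable of (src_ip, dst_ip, payload). Alert on every write function
    code whose source is outside OT_NETWORKS: a controller reachable from the
    internet being driven directly from remote infrastructure."""
    alerts = []
    for src, dst, payload in flows:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError:
            continue
        external = not any(ip_address(src) in net for net in OT_NETWORKS)
        if frame["is_write"] and external:
            detail = {k: frame[k] for k in ("start", "quantity", "values", "address", "value") if k in frame}
            alerts.append({"src": src, "dst": dst, "unit_id": frame["unit_id"],
                           "function": frame["name"], "detail": detail})
    return alerts


# Constructed packets, not a real capture: an HMI reading ten holding registers,
# and an outside host writing the values 0 and 100 into registers 16 and 17.
READ_FROM_HMI = bytes.fromhex("0002" "0000" "0006" "01" "03" "0000" "000a")
WRITE_FROM_OUTSIDE = bytes.fromhex("0001" "0000" "000b" "01" "10" "0010" "0002" "04" "0000" "0064")
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.5.10", READ_FROM_HMI),
    ("203.0.113.7", "10.20.5.10", WRITE_FROM_OUTSIDE),
]

if __name__ == "__main__":
    for alert in detect_external_writes(SAMPLE_FLOWS):
        print(alert)
```

The source-based rule is deliberately blunt: it does not need a signature for any particular tool, which matters when the "malware" never touches a host inside the plant. A second rule worth adding in practice is a baseline of which registers each HMI normally writes, so that a write to an unusual address from an internal source is also surfaced.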
The single event with the highest global impact this year was technically not a cyberattack but a faulty content update for CrowdStrike’s Falcon endpoint detection and response (EDR) sensor on Windows, which crashed around 8.5 million Windows hosts on 19 July and triggered a cascading disruption across airlines, hospitals, banks and other businesses. The CrowdStrike Crash (affectionately called WannaStrike or the Blue Falcon of Death) boils down to two things: a sensor content update pushed to every customer at once without adequate validation or a staged rollout, and over-reliance on a single piece of kernel-level software. The defective update was a single point of failure for many organizations globally, particularly in North America and Europe where most of CrowdStrike’s customers are located.
The CrowdStrike Crash also has significant implications for the European Union’s NIS2 Directive and DORA Regulation. Both frameworks emphasize operational resilience, secure supply chains, and incident response, and the widespread fallout of the crash exposed weaknesses in all three areas. The incident will have significant consequences for how organizations implement changes to meet these requirements.
Following news of the crash, cybercriminals also exploited the situation by launching phishing campaigns, registering lookalike domains, and distributing malware, with many sending scam emails posing as CrowdStrike support. Even as CrowdStrike published legitimate remediation guidance, criminals used the IT disruption as cover for unsolicited “help”.
This year was intense.
The Snowflake incident shows once again that every organization must enforce multi-factor authentication (MFA) on every account it possibly can, and must also review the authentication and traffic logs for these systems. And once again, the absence of network restrictions (IP allowlisting on the Snowflake side, egress filtering on the customer side) meant that anyone holding valid credentials could connect from anywhere and pull data out, much as in CL0P’s MOVEit campaign in 2023.
The XZ Utils campaign revealed the frightening prospect of a nation state adversary conducting multi-year operations to infiltrate open source projects and insert backdoors. The operation further highlighted the risks of incorporating third-party software without verifying the integrity of the code.
Microsoft’s breach underscored that any organization with a very large environment will inevitably find it difficult to secure fully, especially against persistent nation state adversaries constantly looking for a way in. Over the last few years, Microsoft has fallen victim to several breaches, by adversaries such as China’s Storm-0558 and the LAPSUS$ extortion group. This was also the second time in a few years that the SVR has gotten into Microsoft, as it was behind the SolarWinds supply chain attack in 2020. While Microsoft has announced major security changes under its Secure Future Initiative, including dedicating the equivalent of 34,000 full-time engineers to it, whether it can withstand what 2025 has in store remains to be seen.
Cyber operations by Iranian and North Korean adversaries leaned heavily into financially motivated cybercriminal campaigns. This is a problem for many organizations, because it means more companies are potential targets: access can be monetized through initial access sales and ransomware attacks regardless of the victim’s intelligence value. The other concerning prospect is that other countries with fledgling cyber programs are likely to follow suit.
The ICS attacks this year that led to real-world cyber-physical impact were noteworthy for their brazenness and, to a degree, their innovation. There is a high likelihood that living-off-the-land techniques in the ICS space, together with attacks against internet-exposed ICS, will increase in future. Traditional endpoint security tools often cannot detect or mitigate such techniques, and a controller reachable directly from the internet leaves nothing on a workstation for them to inspect. One of the main concerns about hacktivists attacking ICS is that, left unchecked and unmitigated, it is far more likely to lead to physical harm or even the death of civilians.
Finally, the CrowdStrike crash demonstrated that many organizations are over-reliant on a single security vendor for their EDR software. That follows from the industry best practice of installing EDR on as many systems as possible, but the incident showed that depending entirely on one vendor for all critical systems was bound to end badly eventually: it took only one bad update to BSOD millions of endpoints globally.
Overall, 2024 was full of mega breaches, government hacking campaigns, massive ransomware attacks, disruptive ICS attacks, and global technology failures. Compared to the Top 10 Cyber Threats of 2023, the threats we encountered in 2024 have arguably increased in severity. The Snowflake breach appears to have surpassed the 2023 MOVEit attack, which was already considered one of the worst hacks of all time. China’s espionage campaigns in 2024 were much worse for the US than in 2023. Microsoft itself was breached by Russia in 2024, as opposed to its customers by China in 2023. And destructive campaigns in 2024 grew in sophistication and recklessness compared to 2023.
The adversaries we faced in 2024 as a community of cybersecurity defenders have shown no signs of slowing or stopping, and our technology appears to be crumbling under their attacks. We need to take these lessons to heart, make changes, and brace for the next wave of threats in 2025, before things get worse.