Top 10 Cyber-Attacks of 2024

Cyber-attacks have continued to wreak havoc across all industries in 2024, resulting in substantial disruption to organizations and critical services.

As with previous years, vast quantities of personal data have been stolen by hackers, often sold on to other malicious actors or used to extort victims.

Notable themes in 2024 have included rising ransomware attacks on healthcare, a sector cybercriminals no longer treat as ‘off-limits’.

Another is the growing sophistication and scale of Chinese espionage attacks against the US and its allies, which experts believe is a strategic move by Beijing to pre-position for the disruption or destruction of critical services in the event of escalating geopolitical tensions or military conflict.

In this article, Infosecurity Magazine has set out its top 10 cyber-attacks of 2024, which have been decided based on factors such as data loss, recovery costs, real-world impacts and wider geopolitical implications.

The cyber-attacks have been listed in order of the dates the attacks were first reported.

LoanDepot Attack Disrupts Mortgage Payments

On January 8, one of America’s largest retail mortgage lenders, LoanDepot, revealed it had been hit by a significant ransomware attack, forcing it to take some of its systems offline.

This left a number of customers temporarily unable to make mortgage payments.

In an update on January 22, LoanDepot confirmed that around 16.6 million of its customers had their sensitive personal information stolen in the incident, including Social Security numbers and financial account numbers.

A financial report published by the firm in August revealed that it had incurred $26.9m in costs due to the incident, covering remediation, customer notifications, litigation settlement and legal fees.

Image credit: Around the World Photos / Shutterstock.com

Mass Exploitation of Ivanti Zero-Day Vulnerabilities

In early 2024, researchers observed the mass exploitation of critical zero-day vulnerabilities contained in Ivanti products.

The story began in January 2024 when the vendor confirmed in-the-wild exploitation of two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways: an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887), which attackers chained to run commands on the appliances without credentials.

Reports of further vulnerabilities and in-the-wild exploits rapidly emerged, impacting Ivanti customers across a variety of sectors including government, military, telecoms, technology, finance, consulting and aerospace.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01 in January requiring all federal civilian executive branch agencies to apply Ivanti's mitigations for the two zero-days.

In February, a joint advisory from Five Eyes countries warned about the threat posed by this activity.

Suspected Chinese nation-state threat actors actively used these flaws to carry out espionage and other types of attacks, including deploying web shells on compromised appliances to retain access.

Volt Typhoon Infiltrates US Critical Infrastructure Networks

The US Department of Justice (DoJ) announced on January 31 that a court-authorized law enforcement operation had removed malware from hundreds of end-of-life small office/home office routers that the Chinese state-sponsored actor Volt Typhoon was using as a botnet to conceal the origin of its cyber espionage activity.

A subsequent February advisory by the US Government and allies warned that Volt Typhoon used the campaign to position itself in critical sectors including communications, energy, transportation and water.

The infiltration was seen by the US and allies as a strategic move by China to pre-position for the disruption or destruction of critical services in the event of escalating geopolitical tensions or military conflict with the US.

Critical infrastructure organizations in the US and allied nations have been urged to identify and mitigate the persistence techniques used by Volt Typhoon and other Chinese state-sponsored groups, in particular their “living off the land” use of built-in administrative tools and valid accounts, which leaves little malware for traditional defenses to detect.

Change Healthcare Ransomware Attack Delays Prescriptions

In February, reports emerged that US healthcare payment provider, Change Healthcare, had been hit by a ransomware attack.

The cyber-attack caused delays in prescriptions and other healthcare services to patients across the country.

It was confirmed that Change Healthcare’s parent company, UnitedHealth Group, paid a $22m ransom to the perpetrators, the ALPHV/BlackCat gang, to restore its systems.

BlackCat subsequently appeared to conduct an “exit scam,” disbanding upon receiving payment without paying its affiliates.

UnitedHealth CEO, Andrew Witty, revealed that the attackers infiltrated the company’s systems using stolen credentials for a Citrix remote access portal, admitting that no multi-factor authentication (MFA) was in place on that portal to prevent the intrusion.

The fallout of the incident is ongoing, with the US Department of Health and Human Services (HHS) reporting in October 2024 that approximately 100 million individual data breach notices have been sent relating to the attack, making it the largest known data breach of US healthcare records.

At the time of writing, the US Government is investigating whether Change Healthcare complied with its regulatory duties regarding the protection of personal data.

MediSecure Data Breach Exposes 13 Million Australians’ Health Records

A ransomware attack on Australian medical prescriptions provider MediSecure in May led to 12.9 million individuals’ personal and health data being compromised.

This included sensitive health information relating to patient prescriptions, such as name of drug, strength, quantity, repeats and the reason for prescription.

The figure followed MediSecure's analysis of a sample data set containing the personal and health data of its customers, which an unidentified cybercriminal group had offered for sale on a dark web forum.

MediSecure announced it had entered voluntary administration in June 2024 after revealing it was denied a request for funding from the Australian Government to assist with the costs of responding to the incident.

Image credit: Ascannio / Shutterstock.com

NHS Cancels Operations Following Ransomware Incident

A ransomware attack on Synnovis, a critical supplier of pathology services to UK NHS hospitals, resulted in thousands of operations and appointments being cancelled over the summer months.

The incident on June 3 significantly impacted the delivery of vital healthcare services, such as blood transfusions and test results, at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust over several months.

NHS England confirmed that as of October 11, 2024, all NHS systems were operating normally with no further disruption to pathology and blood testing services.

The attack was claimed by ransomware gang Qilin, which reportedly published 400GB of data stolen from Synnovis on June 20.

The data stolen by the attackers included patient names, NHS numbers and descriptions of blood tests.

An investigation is ongoing to ascertain the extent of any patient or employee data that has been impacted.

Snowflake Attack Leads to Multiple Data Breaches

In June 2024, Mandiant researchers warned that a threat actor had stolen a significant volume of data from customer instances hosted on the multi-cloud data warehousing platform Snowflake.

The data was advertised for sale on cybercrime forums, and the threat actor also used it in attempts to extort many of the victims.

Mandiant said that the threat actor, tracked as UNC5537, was “systematically” compromising Snowflake customer instances using stolen customer credentials. The credentials had largely been harvested by infostealer malware, in some cases years earlier, and the compromised accounts had no MFA enabled and no network allow-list restricting where logins could come from.

The researchers added that 165 organizations using Snowflake were notified they had potentially been exposed.

A number of high-profile data breaches in 2024 were linked to the campaign against Snowflake customer instances, which began in April. These included a data breach of Ticketmaster’s parent company Live Nation, which impacted as many as 560 million of the company’s customers.

A breach of banking giant Santander’s customer and employee data in May was also linked to the attack on Snowflake.

Additionally, user data from telecommunications giant AT&T was reportedly accessed from the firm’s workspace on Snowflake.
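Both the Change Healthcare and Snowflake intrusions above came down to a valid password used without a second factor. The script below is an added example, not code from the article, Snowflake, Mandiant or any organization named on this page: it runs the two checks a Snowflake tenant would want over login history, flagging successful logins that were password-only and logins from outside a corporate IP allow-list. The record layout is modelled on the column names of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption about field names and values), the allow-list range is hypothetical, and the log records are constructed for illustration.

```python
"""Flag single-factor and off-allow-list logins in Snowflake-style login history.

Added example for this article; it is not code from Snowflake, Mandiant or
any of the organizations named on the page. The record layout is modelled on
the column names of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view
(an assumption about field names and values); the records below are
constructed for illustration and are not real log data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed sample records (not real data). In Snowflake these would be rows
# from ACCOUNT_USAGE.LOGIN_HISTORY; here they are plain dicts.
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-04-14T02:11:05Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "10.20.0.15", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T08:30:41Z", "USER_NAME": "ALICE",
     "CLIENT_IP": "10.20.1.8", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T03:02:17Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.45", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T03:05:59Z", "USER_NAME": "BOB",
     "CLIENT_IP": "198.51.100.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-15T09:12:00Z", "USER_NAME": "CAROL",
     "CLIENT_IP": "10.20.3.3", "FIRST_AUTHENTICATION_FACTOR": "SAML2",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T11:47:23Z", "USER_NAME": "DAVE",
     "CLIENT_IP": "unknown", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO", "IS_SUCCESS": "YES"},
]

# Hypothetical corporate egress range; a real deployment would take this
# from the organization's own network policy.
CORP_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Finding:
    user: str
    client_ip: str
    timestamp: str
    reasons: tuple


def ip_allowed(client_ip: str, allowlist: Iterable) -> bool:
    """True if client_ip parses and falls inside one of the allowed networks.

    A value that does not parse as an address (missing, 'unknown', garbage)
    is treated as NOT allowed, so a malformed field cannot silence a finding.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def is_single_factor_password(record: dict) -> bool:
    """Password was the only factor presented.

    Non-password first factors (SSO via SAML, key-pair auth) are not flagged
    here because any MFA for them is enforced elsewhere, e.g. at the IdP.
    """
    return (record.get("FIRST_AUTHENTICATION_FACTOR") == "PASSWORD"
            and not record.get("SECOND_AUTHENTICATION_FACTOR"))


def find_risky_logins(records, allowlist=CORP_ALLOWLIST):
    """Return a Finding for each *successful* login that was password-only
    and/or came from outside the allow-list. Failed logins are skipped: they
    record attempts, not access."""
    findings = []
    for r in records:
        if r.get("IS_SUCCESS") != "YES":
            continue
        reasons = []
        if is_single_factor_password(r):
            reasons.append("single-factor password login")
        if not ip_allowed(r.get("CLIENT_IP", ""), allowlist):
            reasons.append("source IP outside allow-list")
        if reasons:
            findings.append(Finding(r["USER_NAME"], r.get("CLIENT_IP", ""),
                                    r["EVENT_TIMESTAMP"], tuple(reasons)))
    return findings


def users_without_mfa(records) -> set:
    """Accounts that have successfully authenticated with a password alone.
    These are the accounts an infostealer-harvested credential would unlock."""
    return {r["USER_NAME"] for r in records
            if r.get("IS_SUCCESS") == "YES" and is_single_factor_password(r)}


if __name__ == "__main__":
    for f in find_risky_logins(SAMPLE_LOGINS):
        print(f"{f.timestamp} {f.user:8} {f.client_ip:15} {'; '.join(f.reasons)}")
    print("accounts used without MFA:", sorted(users_without_mfa(SAMPLE_LOGINS)))
```

Run against the constructed records, the service account ETL_SVC is reported twice (once from inside the corporate range, once from a TEST-NET address), DAVE is reported because his client IP field is unparseable, and ALICE's and CAROL's logins pass. In a live tenant the same two conditions are the ones to alert on, and the MFA finding is the one to fix first: a stolen password is only useful to an attacker while an account will accept it alone.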

City of Columbus Hit by Ransomware

The City of Columbus, Ohio, revealed it had been hit by a ransomware attack in July, resulting in outages to some resident-facing IT services.

After negotiations with the city failed, the perpetrators, the Rhysida ransomware group, posted 3.1 TB of personal and other sensitive data they claimed to have exfiltrated.

Officials initially claimed that the attackers had only taken data that was corrupted and unusable.

However, security researcher David Leroy Ross contradicted this assertion and informed local media that residents’ personal information had been uploaded to the dark web.

The City of Columbus filed a lawsuit against Ross in early August for making this claim.

Following Ross’s revelations, cyber analysts reviewed samples of the stolen data, finding a significant volume of sensitive files, including databases, password logs, cloud management files, employee payroll records and even footage from city traffic cameras.

In November, City officials notified 500,000 residents that their personal data may have been compromised by the attackers. With Columbus’ population at around 915,000, the breach could affect approximately 55% of residents.

The attackers reportedly accessed highly sensitive data, such as Social Security numbers, bank account details and driver’s license information.

This exposure is believed to be one of the most significant public sector data breaches in recent history.

Cyber-Attack Causes Chaos at Seattle Airport

An August cyber-attack on the Port of Seattle, a local government agency overseeing the seaport of Seattle and Seattle–Tacoma International Airport (SEA), heavily disrupted travel to and from the state ahead of the US Labor Day holiday.

The resulting IT outage, which started on August 24, led to significant delays to the check-in process at SEA, with Wi-Fi unavailable and flight information displays not working.

In an update on September 13, the Port of Seattle confirmed the incident was caused by a ransomware attack by the Rhysida gang. The attackers were able to access parts of the Port’s computer systems and encrypt some of its data.

The majority of systems were brought back online within a week, enabling passenger travel to resume as normal. The Port of Seattle and SEA websites were fully restored in November 2024.

Investigations into the attack are ongoing and the Port said that it will inform any employee or passenger if any of their personal information is found to have been compromised.

US Officials’ Data Compromised in Chinese Espionage Campaign

A major espionage campaign by Chinese-affiliated threat actors compromised US Government officials’ data through a large-scale hack on telecommunications providers.

The campaign was confirmed by US Government agencies in November, which revealed that the Salt Typhoon threat actor had stolen customer call records data, compromised the private communications of people involved in government or political activity and copied information subject to US law enforcement requests under court orders.

In October, Donald Trump's presidential campaign was informed that the phones of both Trump and Vice-President-elect JD Vance, along with those of staff members from Kamala Harris's 2024 presidential campaign, may have been compromised in the hack.

Telecoms companies targeted by Salt Typhoon included Verizon, AT&T, Lumen Technologies and T-Mobile.
