As part of our 5-part series on the evolution of cybersecurity, check out our fourth article below that covers IoT devices and vulnerabilities to Bitcoin-driven ransomware in the 2010s.
During the 2000s, we saw the growing arms race between security experts and hackers at the start of the century. We also saw the impact of the development of Internet-connected smartphones, cloud-based services, and the continued growth of e-commerce greatly expanding the threat surface.
By the 2010s, we witnessed a growth in cybercrime along with the number of Internet users, and a wide variety of new connected devices.
Several trends were key to the cybersecurity landscape: the continued rise in business adoption of cloud-based software and services, which roughly doubled by the end of the decade; the surge in mobile device usage; and the rise of smartwatches, a market that expanded after Apple released its first Apple Watch in 2015. These trends fueled the growth of attack vectors and supply chain attacks.
The era of connected devices
Between 2008 and 2009, the Internet of Things (IoT) emerged. Initially, the concept was that objects would be tagged (using radio frequency identification) for tracking purposes. However, this soon expanded to include otherwise dumb devices that suddenly had Internet connectivity without a traditional user interface. Everything from vending machines to medical devices soon gained connectivity. New devices (like the Ring doorbell, debuting in 2011, and several baby monitor systems) were developed with connectivity from the ground up. Web-based home security solutions also emerged, giving consumers remote access to security cameras, locks, and garage doors. Amazon introduced Alexa in 2014, adding even more devices to the network.
Soon, offices and homes were inundated with various devices tapping into corporate and personal networks, providing GPS coordinates, access to payment data, and (most importantly) relatively unprotected links to existing networks. While companies and users had invested heavily in antivirus software for their desktops, such protection was unheard of for vending machines or security cameras.
As these new connected devices hit the market, blasting data across public cellular and Wi-Fi connections, you couldn’t blame cybersecurity experts for throwing up their hands and shouting, ‘Here we go again!’
Cybercriminals leveraged Internet of Things devices to help launch distributed denial of service (DDoS) attacks and access corporate networks. There was, of course, traditional hacking – reports of outsiders tapping into connected baby monitors and freaking out sleep-deprived parents. But ambitious criminals hatched much grander plans.
Some notable incidents include the Bashlite Botnet, which infected millions of devices in 2014; vulnerabilities uncovered in everything from insulin pumps and traffic lights to connected vehicles (including BMWs, Fiats, and Teslas) that would have allowed third parties to take over these devices, with potentially deadly consequences; the Mirai botnet, which took advantage of weak password protection on closed-circuit cameras and other devices for a DDoS attack that brought down large swaths of the Internet in 2016; and the Reaper Botnet, Amnesia Botnet, and others that followed.
One of the most significant attacks on IoT devices was the Stuxnet attack. Stuxnet is a powerful computer worm that was designed by U.S. and Israeli intelligence to disable a key part of the Iranian nuclear program. It was targeted at an air-gapped facility but unexpectedly spread to outside computer systems.
Stuxnet exploited multiple previously unknown Windows vulnerabilities (zero days). It was designed to target programmable logic controllers (PLCs), the industrial digital computers used to run manufacturing processes. In this case, there was one specific PLC target: the controllers running Iran’s nuclear program. The goal of Stuxnet was to disrupt the PLCs responsible for managing the uranium enrichment centrifuges and cause them to spin out of control to the point of destruction.
Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges. Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade. It was highly effective and significantly set back Iran’s nuclear program. The most optimistic assessment of Stuxnet is that it delayed and slowed Iran’s uranium development enough to dissuade Israel from unilaterally striking the country, and it afforded time for intelligence and diplomatic efforts.
This attack underscored the potential for IoT devices to be exploited in large-scale cyberattacks and highlighted the importance of robust cybersecurity measures for IoT devices.
Ransomware: The Bitcoin-driven surge
But another technology, one seldom used by consumers or businesses at the time, proved to be the most valuable tool to cyber criminals. Blockchain and the cryptocurrency Bitcoin emerged in 2008, with the first transaction taking place the following year. This anonymous digital currency gave criminals a tool they had been waiting for – a way to digitally extract a ransom from a malware or phishing scam victim without the risk of having the transaction traced to a bank account or a physical location. Large-scale attacks could now be monetized much more effectively.
As the value of Bitcoin grew, ransomware attacks also rose. The number of ransomware attacks grew exponentially between 2015 and 2020 and roughly mapped the growth in the valuation of Bitcoin over the same period.
In 2017, things came to a head with the WannaCry ransomware attack, which leveraged the EternalBlue exploit for Windows, eventually affecting 300,000 computers before researcher Marcus Hutchins discovered a kill switch to prevent further spread. The cryptoworm demanded ransom payments in Bitcoin. The attack affected up to 70,000 devices at the National Health Service hospitals in the UK, including MRI scanners and blood storage refrigerators.
Security specialists acknowledged the need to expand beyond antivirus and into what would eventually become endpoint detection and response (EDR), a term coined by Gartner in 2013. Traditional scanning became insufficient because attackers could deploy malicious code without installing software as a conventional executable that a scanner could inspect. Cybercriminals could also move laterally through a network once they were inside. Companies needed network visibility to identify suspicious activity happening within applications at these endpoints. Attacks could be identified by behavior – applications being modified, or files being deleted.
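To show the shift from signature scanning to the behavior-based detection described above, here is an added example (not from the original article or any EDR vendor) that runs two checks over constructed endpoint telemetry: a hash lookup, which misses an unknown binary, and a rate rule that flags a process deleting or overwriting many user files in a short window, the pattern ransomware leaves. The process name, hashes, paths and the `.locked` extension are all made up for the demo.

```python
from collections import defaultdict

# Constructed endpoint telemetry: (seconds, process, sha256, action, path).
# A normal session, plus one unknown binary rewriting user documents.
EVENTS = [
    (0.0, "winword.exe", "sha256:aaaa", "file_write", "C:/Users/a/report.docx"),
    (1.5, "explorer.exe", "sha256:bbbb", "file_delete", "C:/Users/a/tmp.txt"),
]
for i in range(8):  # unknown binary: write encrypted copy, delete original
    EVENTS.append((2.0 + i * 0.3, "taskhst.exe", "sha256:cccc",
                   "file_write", f"C:/Users/a/doc{i}.docx.locked"))
    EVENTS.append((2.1 + i * 0.3, "taskhst.exe", "sha256:cccc",
                   "file_delete", f"C:/Users/a/doc{i}.docx"))

# Constructed signature list; the new sample's hash is not in it.
KNOWN_BAD = {"sha256:dddd"}


def signature_scan(events):
    """Antivirus-style check: only processes whose hash is already known."""
    return sorted({proc for _, proc, digest, _, _ in events if digest in KNOWN_BAD})


def behaviour_scan(events, window_s=5.0, min_ops=5):
    """EDR-style rule: flag a process that, within window_s seconds, deletes
    at least min_ops files or writes files with the constructed .locked
    extension. Returns {process: count at the moment it crossed the line}."""
    suspicious = defaultdict(list)
    for ts, proc, _, action, path in events:
        if action == "file_delete" or path.endswith(".locked"):
            suspicious[proc].append(ts)
    flagged = {}
    for proc, times in suspicious.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):      # sliding window over timestamps
            while t - times[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= min_ops:
                flagged[proc] = hi - lo + 1
                break
    return flagged


if __name__ == "__main__":
    print("signature hits:", signature_scan(EVENTS))   # nothing: unknown hash
    print("behaviour hits:", behaviour_scan(EVENTS))   # the mass-rewriting process
```

The same telemetry feeds both checks; only the behavior rule catches the sample, which is the gap EDR was built to close.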
However, these solutions required a lot of resources (both technical and human) to monitor and analyze the data rendered within EDR. Thus, managed detection and response (MDR) was born, providing a way to outsource this function while maintaining visibility.
Because of the rapid evolution and complexity of cyberattacks, EDR and MDR proved to be insufficient. In 2018, the term Extended Detection & Response (XDR) was coined for a more holistic approach that provided visibility across the entire digital estate, including endpoints, networks, cloud resources, hardware, and applications, ushering in a new era of cybersecurity – one that we will examine in the next entry of this series.
That’s all for part four of our series on the evolution of cybersecurity. Check out part three in case you missed it and look out for part five coming soon!
Photo: rdonar / Shutterstock