2020: Cybercrime’s Perfect Storm
Connor Fairman is a research associate in the Digital and Cyberspace Policy program at the Council on Foreign Relations.
A rare combination of circumstances led to a perfect storm for cybercrime in 2020. The COVID-19 pandemic forced entities in every sector to operate remotely, increasing their reliance on third-party infrastructure and their exposure to cyber threats. Recognizing the new dependence on remote access and the unprecedented pressure on health-care systems and schools, cybercriminals saw an opportunity to target those who would have no choice but to pay up.
School districts across the country already struggling with the shift to remote learning proved to be easy targets for ransomware attacks. 57 percent of reported ransomware attacks in August and September targeted K-12 schools, and that figure only includes reported attacks—many schools that fell victim to ransomware quietly paid their attackers, who warned them not to contact law enforcement.
In order to pressure victims to pay ransoms, many cybercriminals took the particularly egregious step of dumping their victims’ data on “leak sites.” After infecting school systems, hackers published social security numbers, dates of birth, student disciplinary and disability information, employee evaluations, and grades. According to the Wall Street Journal, hackers that breached public-school systems in Toledo, Ohio posted “the identities of an eighth-grader listed as emotionally disturbed, a ninth-grader suspended for sexual activity and a roster of foster children” on their website.
Early hopes that cybercriminals would refrain from targeting health-care systems during the pandemic proved overly optimistic. “We expect panic,” one Russian cybercriminal said in a private message intercepted by Hold Security cybersecurity experts. In the last week of October, it was revealed that Russian cybercriminals were circulating a list of over 400 hospitals that they planned to target and claimed to have already infected over 30 of them. By November, there were over eighty publicly reported ransomware attacks on health-care providers during the year.
Hospitals were forced to suspend patient care and coronavirus vaccine studies, revert to pen and paper, and even make trips to ATMs to withdraw cash to convert to cryptocurrency and pay their attackers. An attack that shut down the University of Vermont Medical Center’s electronic medical record system for nearly a month forced the hospital to turn away hundreds of cancer patients scheduled to receive chemotherapy.
Not surprisingly, the financial sector remained a popular target of cybercrime in 2020. Phishing and ransomware attacks targeting banks increased by 520 percent between March and June. In late August, New Zealand’s stock exchange was knocked offline by distributed denial of service attacks two days in a row, halting trading. BancoEstado, one of Chile’s largest banks, was forced to close all of its branches for a day in September after its systems were infected with ransomware.
States also committed cybercrimes. Aiming to circumvent sanctions and fund the development of its nuclear weapon and missile program, North Korean state-backed hackers resumed pillaging banks, ATMs, and cryptocurrency exchanges in February after a lull since late 2019. Though the costs of North Korean financial theft in 2020 have not been publicized, the Cybersecurity and Infrastructure Security Agency said in October that North Korean hacking group BeagleBoyz, believed to overlap with Lazarus Group, has attempted to steal nearly $2 billion since 2015.
During an event held by the Carnegie Endowment for International Peace, bank executives cited numerous factors that enabled the rise in cyberattacks targeting the financial sector in 2020. Alongside the usual concerns of insider threats and ineffective employee cybersecurity training, they also emphasized systemic blind spots created by third parties, such as cloud service providers and others that are part of financial institutions' supply chains.
The SolarWinds breach perfectly illustrates this hidden third-party risk at a massive scale. Nonetheless, the difference between a breach affecting a school, hospital, or bank and one that compromises the U.S. government is that the latter is much more able to investigate, retaliate, rebuild, and spur a strong policy response.
Civilian targets of cybercrime will continue to be under threat for the foreseeable future. In October, the U.S. Treasury Department's Office of Foreign Assets Control released an advisory warning that ransomware payments could violate U.S. sanctions, which likely increased anxiety among victims. Nonetheless, there is some optimism that domestic cybersecurity will head in the right direction with the passage of the 2021 National Defense Authorization Act, which contains twenty-five of the fifty-two proposals put forth by the Cyberspace Solarium Commission and includes language about managing supply chain and third-party software risk in Defense Department acquisitions.
Global cybersecurity has a comparatively bleak outlook. Cybercriminal gangs continue to operate from within their country’s borders with relative impunity, in many cases in exchange for supporting state operations. The long-standing norm of state responsibility, which requires states to conduct due diligence to ensure that non-state actors aren’t operating from within their borders to harm other states, has not been widely observed, despite hopes that the coronavirus pandemic would strengthen it.
Cybercrime cost the world economy $1 trillion in 2020, an all-time high. Despite optimism surrounding the Biden administration, cybersecurity progress will continue to be slow. Even as the world is inoculated against COVID-19, the pandemic of cybercrime will remain for the foreseeable future.