The Most Costly Cyber Attacks of 2022: Trends and Impacts

2022 has seen a number of costly cyber attacks, with critical infrastructures such as health systems, small government agencies, and educational institutions being targeted.

Ransomware has proven to be a popular attack method for both large and small organizations. While organizations may not disclose the costs associated with a cyberattack, the loss of consumer trust can be a significant risk following any major attack.

The cost of a cyber attack

Here are the twelve most expensive cyberattacks of the past year, along with the trends that have defined major threats from the beginning of 2022 to now:

1. January 2022 - Twitter
   

   On August 2022, Twitter confirmed that a hacker had exploited a zero-day vulnerability to gather user information, including non-public data of more than 5 million users.

   The vulnerability was reportedly fixed in January 2022, but the resulting database of user information has since been shared for free on a breached data marketplace forum. Another database, potentially containing 17 million records, was also reportedly created using the same vulnerability.

   The impact on affected Twitter users could include risks to victims of stalking and those voicing unpopular opinions, as well as spam and phishing attacks.

2. January 2022 - Red Cross
   

   In January, the International Committee of the Red Cross (ICRC) suffered a cyberattack that compromised the personal data and confidential information of over 515,000 highly vulnerable individuals, including those separated from their families due to conflict, migration, and disaster, missing persons, and people in detention.

   The data originated from at least 60 Red Cross and Red Crescent National Societies worldwide. The ICRC's main concern following the attack is the potential risks to those the organization seeks to protect and assist, as well as their families. It is unclear who is responsible for the attack or why it was carried out, and there is no indication that the compromised information has been leaked or shared publicly.

   The ICRC had to shut down the systems underpinning its Restoring Family Links program, which aims to reunite separated family members, while it works to identify workarounds and safeguard its data in the future.

3. February 2022 - Nvidia
   

   On February 2022, the LAPSUS$ ransomware group claimed responsibility for a cyberattack on Nvidia, a major US microchip company, which resulted in parts of the company's business being offline for two days. The group threatened to leak 1 TB of exfiltrated data.

   LAPSUS$ is a relatively new ransomware group that is believed to be based in South America and has previously targeted Impresa, the largest media conglomerate in Portugal, the Brazilian Ministry of Health, and Brazilian telecommunications operator Claro. Nvidia confirmed that it was hacked and that employee credentials and proprietary information were being leaked onto the internet.

   The company stated that all employees were required to change their passwords. The password and email addresses of around 70,000 employees were impacted, with 17% already being in HaveIBeenPwnd's database.

4. February 2022 - AcidRain Wiper Malware 
   

   A cyber attack using AcidRain malware, a data wiper that destroys routers and modems, impacted Viasat KA-SAT modems in Ukraine and resulted in the inoperability of 5,800 Enercon wind turbines in Germany. The attack occurred in February and affected thousands of modems in Ukraine and tens of thousands more across Europe. AcidRain can brute-force device file names and wipe every file it can find.

   This type of malware is not typically used for ransom attacks but rather for the destruction or wiping of data. Wiper malware has been used in previous attacks such as Shamoon, which struck Saudi Aramco and other Middle Eastern oil companies between 2012 and 2016, and Meteor, which can change passwords, disable recovery mode, and issue malicious commands.

5. March 2022 - North Carolina A&T
   

   Back in March, North Carolina A&T State University was hit by a ransomware attack carried out by the ALPHV group, also known as BlackCat. 

   The group used an exfiltration tool called Fendr to collect data before encrypting it and demanded payment for both a decryption key and a promise not to make the data public. ALPHV is unusual because it was written in the Rust programming language and the individual ransomware executable was compiled specifically for the targeted organization. North Carolina A&T was the seventh US university or college to be affected by ransomware that year.

6. April 2022 - Florida International University
   

   Florida International University (FIU) was also impacted by the ALPHV/BlackCat ransomware gang, with the group claiming to have stolen 1.2TB of data, including accounting documents, contracts, email databases, and Social Security numbers.

   While FIU stated that it had not found any indication that sensitive data had been compromised, some cybersecurity experts confirmed that sensitive student and staff information was included in the stolen data.

7. April 2022 - Government of Costa Rica 
   

   In April, Costa Rica declared a state of emergency due to a major ransomware attack launched by the Russian-based Conti gang, who demanded a $20 million ransom and threatened to "overthrow the government by means of a cyberattack."

   The U.S. Department of State offered a $10 million reward for information on key leaders in the gang and $5 million for information on anyone "conspiring to participate in or attempting to participate in a Conti variant ransomware incident." The Costa Rican government refused to pay the ransom and worked to get systems and services back online, but the attack affected the country's foreign trade, tax and customs systems, and payment services for civil servants.

8. August 2022 - U.K. National Health Service (NHS)
   

   A ransomware attack on a software supplier in August 2022 affected the NHS in the UK, causing outages across the system. The variant of malware used was LockBit 3.0, which uses the "double extortion" method of encrypting and transferring data to another device.

   The supplier, Advanced, confirmed that client data was accessed and extracted during the attack and that it affected about 16 of its Staffplan and Caresys customers. These software systems are used to manage care homes and services.

   The attack began when the hackers used legitimate third-party credentials to establish a remote desktop connection to the Staffplan Citrix server and then moved laterally within Advanced's network, deploying encryption malware and exfiltrating a limited amount of data. The attack left some trusts without access to key software systems for two months.

9. September 2022 - Uber
   

   This year, Uber experienced a cyber attack that highlighted the risks of social engineering.

   The attackers exploited an employee by sending a fraudulent two-factor authentication notification that prompted the victim to click a link to verify a request. Once the employee's account was compromised, the attackers used Uber's virtual private network to access internal network resources. They were able to gain access to the company's privilege access management service and used it to escalate their account privileges. They claimed to have access to various Uber systems, including AWS, Duo, GSuite, OneLogin, Slack, VMware, and Windows.

10. September 2022 - Rockstar Games
    

    In September 2022, someone claiming to be the hacker behind the Uber hacking incident announced that Rockstar Games had been hacked. As evidence, videos of Grand Theft Auto (GTA) 6, which was still in the early stages of development, were leaked and published online.

    Some of the videos were published on YouTube, and, despite Rockstar Games issuing takedown notices, many remained viewable. It appeared that extortion was the motivation, with the threat actor demanding money in return for not publishing the source code to the GTA 6 game. Rockstar Games confirmed the breach and stated that they did not anticipate any disruption to their live game services or any long-term effect on the development of their ongoing projects.

    The hacker claimed to have gained access to Rockstar Games' Slack server and also its team-working Confluence wiki.

11. October 2022 - CommonSpirit Health System
    

    Chicago-based medical company CommonSpirit Health suffered a ransomware attack in October 2022 that exposed the personal data of over 620,000 patients. The attack interrupted access to electronic health records and delayed patient care in multiple regions, but CommonSpirit has not yet attributed the attack to a particular group.

    The company has confirmed that the attack may have accessed certain files containing personal information such as names, addresses, phone numbers, dates of birth and internal ID numbers, but no medical record numbers or insurance IDs were accessed, and there is no evidence that any personal information has been misused.

12. October 2022 - Medibank 
    

    Medibank, a health insurance company in Australia, was the target of a ransomware attack in November 2022. The attack was carried out by a group believed to be linked to the Russian-backed REvil ransomware gang and resulted in the theft of 9.7 million customers' personal details and health claims data for almost 500,000 customers.

    The attackers demanded a ransom of $10 million, later reduced to $9.7 million, or $1 per affected customer. When Medibank refused to pay, the attackers published portions of the stolen data on the dark web, including customers' names, birth dates, passport numbers, and information on medical claims.

A summary of the major 2022 cyber threats