10 of the biggest cybersecurity stories of 2024
Some of the biggest stories of the year include a massive IT outage, a record-setting ransom payment and devastating breaches at several U.S. telecommunications companies.
It was a busy year for cybersecurity news, with stories ranging from a global IT outage to a scathing government report against a tech giant.
Whereas most years include only one or two giant stories in the world of security -- 2021 with the Colonial Pipeline hack for example -- 2024 included several moments that reached outside the tech news bubble and into the wider world at large. CrowdStrike's faulty Falcon channel file update, for example, caused a global IT outage this summer that affected millions of Windows machines and disrupted a number of critical organizations, including airlines. And the effects of the ransomware attack against healthcare technology provider Change Healthcare are still felt to this day.
Cybersecurity news headlines in 2024 also included China hacking multiple major telecom companies, the largest ransom payment ever recorded, the hack of a major U.S. presidential campaign and more. These are ten of the most significant cybersecurity stories of 2024 (ordered chronologically).
1. LockBit taken down
The LockBit gang has for years been one of the largest and most active ransomware-as-a-service groups, having compromised giant organizations including Boeing. But the cybercrime outfit was severely disrupted in an international law enforcement operation unveiled on Feb. 20.
Operation Cronos, a coalition of law enforcement organizations led by the U.K.'s National Crime Agency, was a monthslong effort to bring the group's operations down. Collaborators included Australia, Canada, France, Germany, Japan, the Netherlands, Sweden, Switzerland and the U.S. As part of Operation Cronos, law enforcement seized 28 servers, brought down LockBit's public leak site, arrested multiple alleged collaborators, and obtained LockBit source code as well as more than 1,000 decryption keys.
Though governments have ramped up their cybercrime disruption efforts in recent years, LockBit's takedown was innovative: law enforcement agencies took over LockBit's .onion leak site and turned it into a name-and-shame site of their own, publishing press releases, decryption keys, back-end data and, in a follow-up phase in May, the identity of the gang's alleged leader. The move caused apparent reputational damage to LockBit, to the point that researchers argued the gang's comeback attempts were failing.
2. Change Healthcare suffers massive ransomware attack
In one of the most disruptive breaches of recent memory, healthcare software giant Change Healthcare suffered a ransomware attack on Feb. 21 conducted by the Alphv/BlackCat ransomware group. Because Change Healthcare's software sits between so many providers, pharmacies and insurers, healthcare organizations, including major pharmacy chains CVS and Walgreens, faced dayslong disruptions. The attack further affected physicians' ability to bill, hospitals' ability to order medications and procedures, and individuals' ability to file health claims.
The initial access point was a Citrix remote access portal that did not have MFA enabled: the attackers logged in with compromised credentials, and nothing stood between a valid password and the internal network.
Andrew Witty, CEO of Change Healthcare owner UnitedHealth Group, estimated in May that the fallout of the attack will affect roughly one-third of Americans. Notably, the Alphv/BlackCat gang were disrupted by the FBI and other law enforcement agencies in December 2023. However, the gang resumed operations and began aggressively targeting healthcare organizations in 2024.
3. CISA breached via Ivanti zero-day vulnerabilities
Cybersecurity vendor Ivanti disclosed two zero-day vulnerabilities Jan. 10 -- a command injection flaw tracked as CVE-2024-21887 and an authentication bypass tracked as CVE-2023-46805, both affecting Ivanti Connect Secure and Ivanti Policy Secure -- that were being exploited in the wild; the earliest exploitation was attributed to a suspected Chinese nation-state actor, and mass exploitation by additional actors followed. CISA, the U.S.'s primary cyber agency, was revealed to be among the victims after cybersecurity publication The Record reported the breach on March 8.
CISA confirmed the attack in short order, saying it detected "activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses" and that the impact was limited to two systems the agency immediately took offline. "This is a reminder that any organization can be affected by a cyber vulnerability, and having an incident response plan in place is a necessary component of resilience," CISA told TechTarget Editorial at the time.
4. Cisco closes $28 billion acquisition of Splunk
Although Cisco's massive $28 billion acquisition of observability and security vendor Splunk was announced last fall, the deal finally closed March 18. As soon as the acquisition was complete, Cisco hit the ground running in announcing its intentions to broadly integrate Talos' threat intelligence capabilities with Splunk's observability products. The networking giant later integrated its XDR technology into the Splunk Enterprise Security platform.
Though other headline-worthy cybersecurity acquisitions were announced this year -- such as Mastercard's $2.65 billion purchase of Recorded Future, expected to close in Q1 of next year, and Sophos' pending $859 million acquisition of SecureWorks (expected to close early next year) -- none approached the scale and price of the Splunk acquisition.
5. Cyber Safety Review Board calls out Microsoft
On April 2, the U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) published a report slamming Microsoft for a "cascade" of errors that enabled a Chinese nation-state threat actor tracked as Storm-0558 to breach email accounts at approximately 25 organizations, including government agencies. The actor reached the accounts through Outlook Web Access in Exchange Online and Outlook.com by forging authentication tokens with a stolen Microsoft account (MSA) consumer signing key; a token-validation flaw meant the consumer key was also accepted for enterprise Exchange Online accounts.
The report concluded that "this intrusion should never have happened," and that several security mistakes on Microsoft's part contributed to the breach. Among its findings, the CSRB said "Microsoft's security culture was inadequate and requires an overhaul," and that it took a customer -- the U.S. Department of State -- to inform Microsoft of Storm-0558's activities.
The report also shortly followed a breach the tech giant disclosed in January, in which a Russian state-affiliated threat actor known as Midnight Blizzard breached Microsoft's corporate network in a password spraying attack. The legacy test tenant account that Midnight Blizzard compromised did not have MFA enabled.
Microsoft made sweeping changes to its security culture in response to this report. In May, the company announced an expansion to its Secure Future Initiative (SFI) that promised to make security Microsoft's top priority above all else. The initiative's expansion includes commitments to protect identities, isolate production environments, monitor and detect threats, and accelerate its response and remediation efforts. An SFI progress report published in September elicited cautious optimism from the cybersecurity community.
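Two of the incidents above share a root cause: the Change Healthcare Citrix portal and the Midnight Blizzard test tenant were both reachable with a password alone and no MFA. A password spray, the technique Midnight Blizzard used, tries one or a few common passwords against many accounts, so per-account lockout thresholds never trigger. The detector below, written for this article as an added example and not code from Microsoft, UnitedHealth or any of the vendors named here, flags a source address that touches many distinct accounts with few attempts each inside one time window, and reports which of those accounts it eventually signed into. The log format, thresholds and sample lines are all constructed for illustration.

```python
"""Password-spray detection over sign-in logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: "timestamp source_ip account result".
# 203.0.113.7 sprays six accounts once or twice each and lands on a legacy
# test account; 198.51.100.9 hammers one account (brute force, not a spray).
SAMPLE_LOG = """\
2024-01-12T03:00:01Z 203.0.113.7 alice failure
2024-01-12T03:00:03Z 203.0.113.7 bob failure
2024-01-12T03:00:05Z 203.0.113.7 carol failure
2024-01-12T03:00:07Z 203.0.113.7 dave failure
2024-01-12T03:00:09Z 203.0.113.7 legacy-test failure
2024-01-12T03:02:11Z 203.0.113.7 erin failure
2024-01-12T03:30:40Z 203.0.113.7 legacy-test success
2024-01-12T03:00:20Z 198.51.100.9 alice failure
2024-01-12T03:00:25Z 198.51.100.9 alice failure
2024-01-12T03:00:31Z 198.51.100.9 alice success
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, account, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_password_spray(log_text, window=timedelta(hours=1),
                          min_accounts=5, max_per_account=3):
    """Return one alert per source IP that exhibits spray behaviour.

    A spray is: within `window`, a single source attempts at least
    `min_accounts` distinct accounts with no more than `max_per_account`
    attempts against any one of them. Thresholds are assumptions to tune
    against your own sign-in volume.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    alerts = []
    for src, evs in by_src.items():
        # Slide a window over each source's events, anchored on every event.
        for start, _, _ in evs:
            in_window = [e for e in evs if start <= e[0] < start + window]
            attempts = defaultdict(int)
            successes = set()
            for _, user, result in in_window:
                attempts[user] += 1
                if result == "success":
                    successes.add(user)
            if len(attempts) >= min_accounts and max(attempts.values()) <= max_per_account:
                alerts.append({
                    "src": src,
                    "window_start": start.isoformat(),
                    "accounts": len(attempts),
                    # Accounts the sprayer actually got into: triage these first.
                    "compromised": sorted(successes),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

The brute-force source is deliberately left out of the result: three attempts against one account is what a lockout policy catches, while the spray stays under that threshold on every account and is only visible when you pivot on the source rather than the user. In production the same logic applies to Entra ID sign-in logs or any IdP export; the fields that matter are source address, target account and outcome.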
6. Microsoft Recall elicits concerns, questions
Microsoft on May 20 announced Recall, a feature of its AI-powered Copilot+ PCs that takes periodic screen captures of what users have seen on their computers and lets them "recall" it later through natural-language prompts. Privacy and security researchers quickly noted how close that functionality is to keylogging software, since anything displayed on screen, including passwords and sensitive documents, ends up stored locally. In the wake of the scathing CSRB report and Microsoft's SFI, many infosec professionals questioned why the software giant developed such a feature. Microsoft delayed Recall multiple times in the months after it was announced, ultimately re-revealing it in September with security enhancements, including encrypting the stored data and requiring Windows Hello authentication to access it; though the security updates are promising, some concerns remain. The feature is currently in a Windows Insider preview for Copilot+ PCs with Snapdragon, Intel and AMD chips.
7. CrowdStrike causes massive IT outage
One of the largest IT outages of all time began July 19, when millions of Windows systems experienced blue screens of death and entered reboot loops. The issue was caused by a faulty channel file update in CrowdStrike's Falcon threat detection platform; CrowdStrike's own post-incident review attributed the crash to a logic error in the content update that its content validator failed to catch before release. And although Microsoft said only about 8.5 million Windows devices were affected, or fewer than 1% of the total, they were in major industries such as airline services and healthcare organizations. It didn't help that fixing the issue in many cases required manual intervention on each affected device.
While the vast majority of affected systems were back online within a week, the incident triggered discussions and debates about kernel-level access to Windows and how software vendors like CrowdStrike validate and issue updates. Delta Air Lines formally sued CrowdStrike in October, claiming it suffered $500 million in damages, though the security vendor disputes the airline company's claims.
8. Dark Angels gang receives $75 million ransom payment
Zscaler's ThreatLabz team revealed over the summer that it identified a $75 million ransom payment made by an unnamed victim to the Dark Angels ransomware group, a group that has been tracked since at least May 2022.
In ThreatLabz's 2024 Ransomware Report published in July, the research team explained that the payment is higher than any publicly known ransomware payment to date. Moreover, the team wrote that the payment is "an achievement that's bound to attract the interest of other attackers looking to replicate such success." In a follow-up post on X, formerly Twitter, Zscaler said the victim organization was a Fortune 50 company.
In September, Bloomberg reported that Dark Angels received the record-setting payment for its attack on pharmaceutical giant Cencora, a publicly traded company that's No. 18 on the 2024 Fortune 500 list. Cencora did not confirm or deny that it made a ransom payment to Dark Angels. The company previously disclosed a data breach in February that led to attackers exfiltrating personally identifiable information and personal health information.
9. Iran hacks Trump presidential campaign
On Aug. 19, intelligence officials including CISA, the FBI and the Office of the Director of National Intelligence (ODNI) attributed a hack against President-elect Donald Trump's 2024 election campaign to Iranian state-sponsored actors. The attribution came after Politico on Aug. 10 claimed it was sent internal Trump campaign documents from an individual named "Robert." The campaign confirmed a breach that same day.
In an Aug. 19 statement, the intelligence community said Iran looked "to stoke discord and undermine confidence in our democratic institutions." Though CISA ultimately called the U.S. election a success from a security standpoint, the campaign hack reflects the increasing aggressiveness of the U.S.'s cyber adversaries in attempting to influence the country's electoral process.
10. China breaches several major telecom companies
On Nov. 13, CISA and the FBI confirmed reports that Chinese nation-state actors had compromised a number of U.S. telecommunications providers. The confirmation came a month after The Wall Street Journal first reported that Chinese government hackers may have compromised U.S. wiretap systems within the telecom companies.
In the November statement, CISA and the FBI said they "have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders."
In The Wall Street Journal's story, the outlet claimed AT&T, Verizon and Lumen Technologies were among the victim organizations of the far-reaching attacks. T-Mobile later confirmed it was compromised as well, attributing the attacks in a statement on its website to Salt Typhoon, matching The Wall Street Journal's reporting. As of this writing, U.S. officials are unsure whether the Salt Typhoon hackers have been fully evicted from the telecom networks; as a result, CISA warned in December that highly targeted individuals such as government officials should assume all mobile communications are at risk of being intercepted or manipulated by nation-state actors.
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.