Full Report
From Chinese cyberspies breaching US telecoms to ruthless ransomware gangs disrupting health care for millions of people, 2024 saw some of the worst hacks, breaches, and data leaks ever.
Analysis Summary
# Incident Report: Summary of Major 2024 Cyber Incidents
## Executive Summary
The year 2024 was marked by several high-profile and impactful cyber incidents, including persistent state-sponsored espionage, identity-based breaches exploiting weak authentication, and a massive ransomware attack on critical US healthcare infrastructure. State-aligned actors like Salt Typhoon targeted telecommunications for surveillance, while opportunistic criminals leveraged stolen credentials against cloud storage providers like Snowflake, leading to massive data theft. The most operationally damaging event was the Change Healthcare ransomware attack, which severely disrupted US medical billing and compromised extensive patient health records.
## Incident Details
- **Discovery Date:** Varies by incident (Salt Typhoon infiltration spanned months; Snowflake incidents spanned the summer; Change Healthcare detected end of February).
- **Incident Date:** 2024 (Specific dates vary per event).
- **Affected Organization:** Multiple large organizations across Telecom (Verizon, AT&T), Cloud Storage (Snowflake customers: Ticketmaster, Santander, Neiman Marcus), and Healthcare (Change Healthcare).
- **Sector:** Telecommunications, Cloud Services, Healthcare/Insurance, Data Providers.
- **Geography:** Primarily United States, with global impact (e.g., Salt Typhoon).
## Timeline of Events
### Initial Access (Various)
- **Salt Typhoon:** Ongoing infiltration of US and international telecoms over several months.
  - **Vector:** Likely vulnerability exploitation or credential compromise leading to prolonged espionage.
  - **Details:** Targeted surveillance on fewer than 150 high-value individuals (State Dept. officials, campaign staff).
- **Snowflake Customer Breaches (Summer):**
  - **Vector:** Stolen credentials used to log into accounts lacking Two-Factor Authentication (2FA).
  - **Details:** Rampant credential stuffing/reuse against accessible Snowflake customer instances.
- **Change Healthcare (End of February):**
  - **Vector:** Ransomware attack.
  - **Details:** Disabled critical medical billing and insurance processing systems across the US.
### Lateral Movement
- **Salt Typhoon:** Implied successful lateral movement within telecom networks to conduct surveillance on targets and associated communications.
### Data Exfiltration/Impact
- **Salt Typhoon:** Surveillance/espionage on individuals, capturing texts and calls of targets and their contacts.
- **Snowflake Customer Breaches:** Large-scale data theft from victims like AT&T (nearly all call/text records from a 7-month stretch in 2022), Ticketmaster, Santander, and Neiman Marcus.
- **Change Healthcare:** Theft of personal and financial data for over 100 million people, including diagnoses, prescriptions, and financial information.
### Detection & Response
- **Salt Typhoon:** US officials publicly warned the Pentagon about the ongoing intrusion. Victims are *still* actively attempting removal.
- **Snowflake Customer Breaches:** Incident response, with Mandiant tracking ~165 victims affected throughout the summer.
  - **Response:** Snowflake introduced mandatory 2FA enrollment for account administrators in July. A suspected actor (Moucka) was arrested in November, and a related indictment was brought against another (Binns).
- **Change Healthcare:** Incident identified days after the attack began.
  - **Response:** Change Healthcare paid a $22 million ransom to ALPHV/BlackCat in early March.
## Attack Methodology
| Category | Method(s) Used |
| :--- | :--- |
| **Initial Access** | Credential Stuffing/Reuse (Snowflake), Ransomware deployment (Change Healthcare), Unknown penetration method for prolonged espionage (Salt Typhoon). |
| **Persistence** | Not explicitly detailed, but prolonged access suggests persistence mechanisms were established by Salt Typhoon. |
| **Privilege Escalation** | Not explicitly detailed. |
| **Defense Evasion** | Not explicitly detailed for ransomware; Salt Typhoon used long-term stealth for espionage. |
| **Credential Access** | Stolen passwords leveraged for Snowflake access (mechanism of theft for the passwords themselves is inferred/external). |
| **Discovery** | Salt Typhoon performed surveillance on specific individuals and their communications. |
| **Lateral Movement** | Implied within telecom networks (Salt Typhoon). |
| **Collection** | Focused surveillance on communications (Salt Typhoon); Large-scale patient/financial data harvesting (Change Healthcare). |
| **Exfiltration** | Data theft via compromised Snowflake access; Data transfer following ransomware deployment. |
| **Impact** | Extensive disruption of medical payment systems (Change Healthcare); Massive data theft (Snowflake). |
## Impact Assessment
| Incident Component | Details |
| :--- | :--- |
| **Financial** | Change Healthcare paid a $22 million ransom. Others face lawsuits and investigation costs (e.g., National Public Data parent filing Chapter 11). |
| **Data Breach** | **Change Healthcare:** >100 million people affected (PHI, financials, SSNs, DOBs). **Snowflake:** ~165 victims; AT&T impacted records from 2022. |
| **Operational** | Severe disruption to US hospitals, doctor's offices, and pharmacies due to Change Healthcare outage. |
| **Reputational** | Significant negative press for Snowflake, AT&T, and Change Healthcare; US officials raising concerns about state-sponsored espionage. |
## Indicators of Compromise
*(Note: Due to the nature of summarized reporting, specific IoCs are not provided here, but would traditionally be extracted.)*
- **Network indicators:** (Defanged URLs/IPs related to ALPHV infrastructure or C2 channels linked to Salt Typhoon).
- **File indicators:** (Malware hashes related to the Change Healthcare incident).
- **Behavioral indicators:** Excessive authenticated logins without 2FA on cloud services; Unusual long-term monitoring of internal communications.
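The "excessive authenticated logins without 2FA" indicator above can be turned into a concrete check. The following Python is added here as an example; it is not code from the article or from any vendor's tooling. It parses a constructed JSON-lines login audit (the field names `ts`, `user`, `ip`, `success`, `second_factor` and `role` are a hypothetical schema, and the privileged role names are assumed), keeps only successful logins that completed with no second factor, and rates each account higher when it holds a privileged role or authenticates from several distinct IPs within an hour, the pattern a credential-reuse campaign against accounts lacking 2FA would leave behind.

```python
"""Flag successful cloud-service logins that completed without a second factor."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (JSON lines). Field names are a hypothetical
# schema for this example, not any real vendor's log format.
SAMPLE_LOG = """\
{"ts": "2024-06-01T08:00:00Z", "user": "alice",   "ip": "203.0.113.10", "success": true,  "second_factor": "TOTP", "role": "ANALYST"}
{"ts": "2024-06-01T08:05:00Z", "user": "svc_etl", "ip": "198.51.100.7", "success": true,  "second_factor": null,   "role": "SYSADMIN"}
{"ts": "2024-06-01T08:07:00Z", "user": "svc_etl", "ip": "198.51.100.8", "success": true,  "second_factor": null,   "role": "SYSADMIN"}
{"ts": "2024-06-01T08:09:00Z", "user": "svc_etl", "ip": "192.0.2.44",   "success": true,  "second_factor": null,   "role": "SYSADMIN"}
{"ts": "2024-06-01T08:30:00Z", "user": "bob",     "ip": "203.0.113.22", "success": false, "second_factor": null,   "role": "ANALYST"}
{"ts": "2024-06-01T09:00:00Z", "user": "bob",     "ip": "203.0.113.22", "success": true,  "second_factor": null,   "role": "ANALYST"}
"""

# Assumed set of privileged role names for this example.
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN", "SYSADMIN"}


def parse_log(text):
    """Parse JSON lines into dicts, converting the ISO-8601 timestamp to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def find_no_mfa_logins(records):
    """Return successful logins where no second authentication factor was recorded."""
    return [r for r in records if r["success"] and not r.get("second_factor")]


def max_distinct_ips_in_window(events, window):
    """Largest number of distinct source IPs seen for one user inside any
    sliding time window. `events` is a list of (timestamp, ip) tuples."""
    events = sorted(events)
    counts = defaultdict(int)
    best = start = 0
    for ts, ip in events:
        counts[ip] += 1
        # Drop events that fell out of the window.
        while ts - events[start][0] > window:
            old_ip = events[start][1]
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
            start += 1
        best = max(best, len(counts))
    return best


def summarize_no_mfa(records, window=timedelta(hours=1), ip_threshold=2):
    """Per-user summary of password-only logins with a severity rating.

    Every password-only login is at least 'medium' (it is the indicator itself);
    it becomes 'high' when the account holds a privileged role or was used from
    `ip_threshold` or more distinct IPs inside `window`.
    """
    per_user = defaultdict(list)
    roles = defaultdict(set)
    for r in find_no_mfa_logins(records):
        per_user[r["user"]].append((r["ts"], r["ip"]))
        roles[r["user"]].add(r.get("role", ""))

    summary = {}
    for user, events in per_user.items():
        distinct = max_distinct_ips_in_window(events, window)
        privileged = bool(roles[user] & PRIVILEGED_ROLES)
        severity = "high" if privileged or distinct >= ip_threshold else "medium"
        summary[user] = {
            "logins_without_mfa": len(events),
            "max_distinct_ips_1h": distinct,
            "privileged_role": privileged,
            "severity": severity,
        }
    return summary


if __name__ == "__main__":
    for user, info in summarize_no_mfa(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

Run against the embedded sample, the service account shows three password-only logins from three different addresses under a privileged role and is rated high, while the single password-only login by the analyst is reported at medium severity. In practice the same logic would be pointed at the real login-history feed of the cloud service, and any account reported at all is a candidate for immediate MFA enrollment and a credential reset.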
## Response Actions
### Containment
- **Change Healthcare:** Immediate efforts after detection to restore services.
- **Snowflake:** Incident response engagement by victims; Snowflake implemented mandatory 2FA enforcement capability.
- **Salt Typhoon:** Ongoing remediation efforts by victim telecom companies to evict the threat actor.
### Eradication
- Specific details are not known; eradication likely involved credential resets and patching/configuration hardening after discovery.
### Recovery
- Change Healthcare initiated the long process of notifying over 100 million victims.
- Business functions slowly resumed across impacted healthcare providers.
## Lessons Learned
- The lack of widespread mandatory 2FA remains a critical vulnerability exploited by opportunistic criminals (Snowflake incidents).
- Paying ransoms, as seen with Change Healthcare, may embolden threat actors and lead to further attacks against the sector.
- State-sponsored actors maintain persistent access to critical infrastructure providers (telecoms) for long-term intelligence gathering.
- Single points of failure in critical infrastructure (like Change Healthcare’s dominance in billing) create systemic risk when compromised.
## Recommendations
- Enforce mandatory Multi-Factor Authentication (MFA/2FA) across all critical systems and external-facing services immediately.
- Review and improve processes for managing supply chain risk, especially concerning dominant third-party service providers handling sensitive data.
- Increase monitoring depth for long-term, low-and-slow espionage campaigns targeting high-value communications infrastructure.
- Develop robust, tested offline backups and disaster recovery plans that do not rely solely on the compromised vendor ecosystem (e.g., for medical billing).