The 5 worst cyberattacks of 2024
The hacks that rocked the world
It’s been an interesting year for cybersecurity with no shortage of ransomware attacks, targeting everything from mortgage companies and supermarkets to airports and healthcare providers. APT activity is up, too, as global tensions remain at a serious high.
If there’s one theme you can take away from 2024, it’s that hackers are looking further down the supply chain when picking their targets.
It’s unlikely this is going to change any time soon, as even the most advanced APTs will gladly go for low-hanging fruit if it advances their goals. So, to give you a better idea of what to expect in 2025, I'm looking back at some of the most serious cyber incidents of 2024.
1. The XZ Utils supply chain compromise
The most concerning cyber attack is one that was, thankfully, caught in the final moments before it could do any meaningful damage. However, the potential havoc this operation could have wrought means it’s my #1 pick.
The XZ Utils backdoor attack, tracked as CVE-2024-3094, was first publicly disclosed on March 29, 2024. It’s a backdoor introduced into versions 5.6.0 and 5.6.1 of XZ Utils, a set of lossless compression utilities that can be found in most Linux distributions.
These compromised versions of the tools would have allowed an attacker to remotely access almost any Linux machine via SSH without login credentials.
It isn’t just the scope that makes the XZ Utils attack so scary, however; it’s how it was carried out.
The attackers behind this backdoor carried out a multi-year social engineering campaign to insert multiple sock puppets into the XZ Utils project, regularly uploading non-malicious updates to build trust with the existing developers.
Eventually, the group responsible was able to pressure developers into handing over control to one of their sock puppets, at which point the backdoor was introduced into the source code.
As if that wasn’t bad enough, it almost wasn’t caught at all. As the backdoored version of XZ Utils started to be adopted into bleeding-edge experimental distributions, a PostgreSQL developer named Andres Freund, who was conducting regression testing on Debian, noticed some unusually high CPU usage from the SSH service and began to investigate.
This led to the open-source community identifying the malicious patches made to XZ Utils and quickly rolling back to earlier versions in the affected distributions, as well as issuing security advisories.
While the backdoor was identified before it could spread to widely used distributions, the attack's potential impact was a serious wake-up call for the open-source community.
The technical aspects of the attack are impressive, but they could never have been implemented if it wasn’t for the fact that vital parts of the Linux codebase are maintained by unpaid volunteers who are, like everyone else, susceptible to burnout.
It’s not a viable model in the long run with APTs actively looking to compromise the open-source supply chain, and while community vigilance goes a long way towards identifying bad actors, it can’t be the complete solution.
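The check a Linux administrator would want after reading this, as an added example that is not from the article: a POSIX shell script that parses the output of `xz --version`, flags the two backdoored releases the article names, and reports whether the host's sshd binary (assumed to live at /usr/sbin/sshd) links liblzma, the library the backdoor actually lived in.

```shell
#!/bin/sh
# Added example: a defender's check for CVE-2024-3094 (XZ Utils backdoor).
# Assumptions: the affected upstream releases are exactly 5.6.0 and 5.6.1, as the
# article states; the sshd path is assumed and may differ on your distribution.

# Extract the version number from `xz --version` output passed as $1,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if it cannot parse.
xz_parse_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if the version string in $1 is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the sshd binary at $1 links liblzma, directly or transitively
# (on many distributions sshd pulls it in via libsystemd). That linkage is what
# let the malicious liblzma run inside the SSH service.
sshd_links_liblzma() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Report on the current host. Always returns 0; read the printed findings.
check_host() {
    out=$(xz --version 2>/dev/null) || { echo "xz not found on this host"; return 0; }
    ver=$(xz_parse_version "$out")
    if [ -z "$ver" ]; then
        echo "could not parse xz version from: $out"
    elif xz_version_affected "$ver"; then
        echo "WARNING: xz $ver is a backdoored release (CVE-2024-3094); downgrade or update now"
    else
        echo "xz $ver is not one of the affected releases"
    fi
    if sshd_links_liblzma /usr/sbin/sshd; then
        echo "note: /usr/sbin/sshd links liblzma, the path the backdoor used to reach sshd"
    fi
    return 0
}

check_host
```

Distribution builds of the affected tarballs may carry patched package versions, so treat the version string as a first signal and confirm against your distribution's advisory.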
2. The mother of all breaches
This next incident is a record-breaker: the largest data leak ever recorded at 26 billion records.
The dataset, stored on an exposed instance and first identified by cybersecurity researcher Bob Dyachenko and the Cybernews team, included sensitive information from platforms like LinkedIn, Adobe, Zynga, and AdultFriendFinder.
It included over 4,000 separate datasets, 600 of which contained over a million records. The largest single source in the MOAB (the “mother of all breaches”) was Tencent QQ, contributing 1.4 billion records, followed by Weibo, MySpace, and Twitter.
Now, before we go any further, I should point out that these aren’t completely new credentials. This is an aggregate database, compiled from many different previous breaches and data leaks.
These databases are used by hackers to cross-reference credentials they can use to populate password lists and carry out credential stuffing attacks, where old usernames and passwords are used across different sites to try and gain entry.
At first, it was unclear who this treasure trove of compromised details actually belonged to. Early speculation pointed to a well-organized hacker group who were unlikely to ever be definitively linked to the breach, but it was ultimately something far more benign: a security research service accidentally hooked up to the internet.
The Leak-Lookup team quickly owned up to their mistake, pointing out that the breach was actually an accidental firewall misconfiguration which led to an exposure of the data breach collection they use to power their service.
Although these credentials were the results of previous breaches and thus aren’t “fresh”, the impact of this leak shouldn’t be understated.
Many data breaches are only available to a select few hackers and researchers who are willing to pay for access, but this collection was freely available on the public web for anyone to scrape.
APTs get a lot of the spotlight when it comes to damaging hacking attacks, but putting hacking resources into the hands of less well-funded attackers can fuel potentially catastrophic identity theft, phishing, and credential-stuffing attacks.
3. Salt Typhoon metadata exposure
Although the attack we’re talking about is a relatively late entry into 2024’s cyber incidents, the advanced persistent threat group behind it, Salt Typhoon, seems to have been actively hacking government organizations and hotels for at least the last four years.
However, they’ve stepped their game up a little, as the impact of their latest spying campaign will likely spill over into a significant part of 2025.
In what some are calling one of the most significant intelligence breaches in US history, this Chinese-backed APT group managed to compromise at least eight telecom companies in the US as well as several companies abroad.
While the true extent of this campaign is unknown, reporting by the Wall Street Journal suggests that the hackers managed to access the networks used by law enforcement agencies in the US to deploy legally mandated wiretaps.
So far, we know that high-profile targets of this campaign include the Trump and Harris campaigns. Other individuals who were the victims of direct surveillance included politicians, intelligence officials, and government personnel. However, it also seems that the hackers accessed metadata from over a million individuals, with the Washington D.C. area being a primary focus.
The mass collection of metadata is particularly worrying. In this context, metadata is information about your phone calls. It’s not the contents, but it’s stuff like the participants, durations, and cell tower locations.
Metadata can reveal social relationships, movements, and networks which can all provide invaluable insights for intelligence purposes.
While the FBI are reaching out to individuals they know have been the victim of direct surveillance, there are currently no plans to inform the potentially millions of Americans who have had their metadata spied on by Salt Typhoon.
This isn’t the first time this year that Chinese-backed APTs have conducted wide-scale operations across the US, either. In January 2024, the US Department of Justice announced a major operation led by the FBI to disrupt a cyber espionage campaign conducted by Volt Typhoon, a Chinese government-associated hacking group.
The campaign leveraged hundreds of compromised small office routers infected with the KV Botnet malware. These routers, primarily outdated Cisco and Netgear models, had reached end-of-life status, leaving them vulnerable to exploitation because they no longer received security updates.
4. Ransomware repeatedly targeting NHS operations
Ransomware attacks on critical infrastructure are not new, but the regularity with which they’re occurring is a worrying trend. It’s also clear that healthcare providers are now very much considered a “legitimate target” by ransomware gangs.
In June 2024, a ransomware attack targeted Synnovis, a pathology services provider for major London hospitals, including Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trusts.
The attack disrupted essential services, delaying blood tests, transfusions, and other diagnostics. Hospitals declared critical incidents, prioritizing emergency care while diverting non-urgent cases.
The NHS didn’t fully recover until October, during which more than 10,000 appointments and around 2,000 procedures were canceled.
The ransomware group Qilin infiltrated Synnovis’ systems, encrypting vital data and rendering IT infrastructure unusable. The attackers also exfiltrated nearly 400 GB of sensitive patient data, which included names, NHS numbers, and pathology descriptions, leveraging this for extortion.
Despite their threats, Synnovis refused to pay the ransom, leading Qilin to publish portions of the data on the dark web.
Qilin’s motives appeared financial, although they publicly claimed the attack was a geopolitical retaliation against the UK. Law enforcement officials and cybersecurity experts, however, dismissed these claims as baseless.
Healthcare organizations are increasingly lucrative targets, with the sector often willing to pay substantial ransoms. High-profile payouts, like UnitedHealth Group’s $22 million earlier in 2024, have made healthcare a focal point for cybercriminals.
This isn’t the first or the last time the NHS has been hit this year, either. The Wirral University Teaching Hospital NHS Trust in North West England declared a "major incident" in November 2024 due to a cybersecurity breach, causing the cancellation of all outpatient appointments.
The incident impacted the entire Trust, which oversees Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children's Hospital. As of the time of writing, several key details of this incident are unknown – such as which group is responsible for the attack and the method used to carry it out.
Earlier in the year, NHS Dumfries and Galloway was also targeted by the hacker group INC Ransom. While this one didn’t interrupt the day-to-day running of the service, the attackers claimed that they were able to compromise 3TB of patient data.
NHS Dumfries and Galloway refused to pay the ransom and, as a result, sensitive patient information was disclosed on a dark web leak site. Citizens affected by the disclosure were given direct advice warning them about the phishing attacks that could follow, which is marginally better than nothing.
5. Ministry of Defence payroll breach
Rounding off our list of significant cyber-incidents in 2024, it’s more bad news for the UK.
In May 2024, the Ministry of Defence announced that it had suffered a breach that resulted in payroll data for up to 272,000 current and former UK military personnel being leaked to a malicious third party.
Personal information, including names, bank details, and, in some cases, home addresses, was accessed, though no operational military data was reportedly affected.
The attack targeted the payroll system managed by Shared Services Connected Ltd, a contractor responsible for delivering armed forces pay and HR services.
SSCL, initially a joint venture between the Cabinet Office and French IT provider Sopra Steria, manages services for millions of public servants across various government sectors. Its MoD contract, valued at £294 million, handles HR services for 230,000 active personnel and two million veterans. This widespread access made it a high-value target.
In response, the MoD swiftly took the compromised system offline and launched a full review of SSCL’s security protocols. Defence Secretary Grant Shapps announced a broader investigation into SSCL’s contracts across the government and pledged to implement a multi-point plan to enhance cybersecurity.
Although some media reports indicated that groups linked to China were behind the attack because of previous patterns of behavior from Chinese-linked APTs, the UK government has never officially named a suspected culprit for the breach and the Chinese government has publicly refuted any involvement.
Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.