2024 Cybersecurity Key Takeaways

Security

January 2, 2025

The NJCCIC reflects on the cyber threats experienced over the past year to strategize our cyber defenses for the year ahead.

Ransomware

Throughout 2024, ransomware continued to evolve and grow despite the significant impact of Operation Cronos, which dismantled LockBit’s ransomware operations. Ransomware trends include data exfiltration, extortion without encryption, and the primary targeting of small and medium-sized businesses (SMBs).

Rhode Island fell victim to the Brain Cipher ransomware group. The threat actors gained access to the RIBridges online portal, which gives residents access to many programs, including Medicaid, Rhode Island Works (RIW), and the Supplemental Nutrition Assistance Program (SNAP). Additionally, the Clop ransomware gang took credit for the recent attack on Cleo’s managed file transfer platforms. Although the original vulnerability was patched, threat actors could bypass the patch and continue to conduct data theft attacks. Also, the City of Hoboken was attacked by the 3AM ransomware gang the day before Thanksgiving, causing City Hall, Municipal Court, and online city services to close temporarily while investigations and remediations occurred. 2024 saw the highest-ever ransomware payment when an unnamed Fortune 500 company made a $75 million payment to the Dark Angels ransomware group.

Several ransomware attacks impacted the US Healthcare and Public Health sector this year, including an unclaimed attack against Artivion, a manufacturer of heart surgery medical devices. In September, Boston Children’s Health Physicians experienced an attack in which the BianLian gang accessed and stole patients’ personally identifiable information (PII). In Texas, the UMC Healthcare System also disclosed a ransomware attack that caused some patient care to be diverted to other medical centers while systems were offline. 2024 also witnessed the Change Healthcare ransomware attack, exposing the protected health information (PHI) of an estimated 100 million individuals.

Critical Infrastructure and Operational Technology

Attacks on critical infrastructure and operational technology continued to advance throughout 2024. American Water Works Company, based in New Jersey, was attacked in October with a focus on its internet-facing assets. American Water said the water and wastewater services appeared unharmed during the attack. In September, a cyberattack occurred at a water treatment facility in Arkansas City, Kansas. The threat actors took down the water treatment center’s control systems, which left the attackers without control and led the facility to switch to manual operations while the situation was remediated.

The Cyber Army of Russia Reborn (CARR) targeted Supervisory Control and Data Acquisition (SCADA) systems, commonly used to control and monitor water utilities. CARR shared a video claiming responsibility for an attack on Indiana’s Tipton West Wastewater Treatment Plant. CARR also claimed an attack in January against a water facility in Muleshoe, Texas, which caused a water tank to overflow.

Threat actors also targeted US Internet service providers (ISPs). For example, a suspected Chinese (PRC) state-sponsored cyber threat group, Salt Typhoon, was identified as accessing multiple ISPs to conduct cyber espionage. These attacks on ISPs are particularly concerning as they can compromise sensitive communications, establish a foothold for future cyberattacks, and impact national security.

Election Interference

Numerous attempts were made to interfere with the 2024 elections around the world. Romania released a report stating that its election infrastructure was the target of over 85,000 cyberattacks. Credentials for Romanian election sites were stolen and leaked onto a Russian hacker forum a few days before the first round of the presidential election.

The United States also experienced various attempts at election interference leading up to this year’s presidential election. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement warning citizens about a fabricated video that depicted mailed ballots in Pennsylvania being destroyed before the election. Telecommunication networks were also found to be targeted by a Chinese hacking campaign. Threat actors targeted the phones of both the Republican and Democratic nominees, as well as their campaign teams. However, it is unclear if the hackers attempted to interfere with the election or if their efforts were focused on gathering intelligence.

Additionally, Iranian hackers attempted phishing attacks against the administrations of President Joe Biden and President-Elect Donald Trump to influence the 2024 presidential election. The threat actors used WhatsApp to pose as technical support agents for Google, AOL, Yahoo, and Microsoft. With the help of user reports, Meta quickly shut down the hackers’ attempts, and there has been no reported evidence to suggest that these attempts resulted in successful account compromises.

Looking to the Future

Threat actors continue to find new and innovative attack techniques. A well-informed team that includes users and information security is essential to maintain a strong line of defense against incoming attacks. Effective communication, training, and defense-in-depth will help keep our systems and information secure throughout 2025.