New Log4j Flaw Caps Year of Relentless Cybersecurity Crises
'Exhausted' network defenders say technological dependency creates new vulnerabilities
Last December, cybersecurity professionals began to unravel an extraordinary cyberattack on a little-known company based in Texas called SolarWinds. By hijacking the firm's software-update mechanism, the hackers had gained the means for covert entry into their choice of thousands of unsuspecting customers.
That attack, which the U.S. government blamed on Russia, infiltrated scores of federal agencies and private companies and was widely described as one of the worst intelligence failures in history. Things, it seemed, couldn't get much worse.
But cyberattacks on major technology providers and the interconnected world of software and hardware that power the global economy continued at a relentless pace in 2021, according to U.S. officials and security experts.
Instead of one company being victimized at a time, as in a traditional data breach, thousands were often exposed simultaneously. Businesses, hospitals and schools also worked to defend themselves against an onslaught of ransomware attacks, which increasingly reap $10 million or more in extortion payments.
The annus horribilis culminated this month with the discovery of a flaw in an obscure but widely used piece of internet code known as Log4j, which one senior Biden administration official said was the worst she had seen in her career.
The latest vulnerability comes as U.S. officials warn corporate leaders of a potential surge of cyberattacks while businesses slow their operations during the holiday season.
The string of incidents highlights how decades of digital transformation have linked business and government computer systems in opaque and sometimes surprising ways that create new vulnerabilities.
Major disruptions are certain to continue, cybersecurity officials said.
"Network defenders are exhausted," said Joe Slowik, threat-intelligence lead at the security firm Gigamon.
New attention and investment in cybersecurity haven't improved the status quo, he said. "Money is flowing into the field, but largely on technical solutions while the core need -- more capable people -- remains hard to address."
A hack of the Microsoft Corp. Exchange email software in March, later attributed by Western nations to China, rendered tens of thousands of victims across the globe vulnerable to destructive attacks. In July, an attack on Dutch enterprise-software provider Kaseya by a criminal gang of Russian hackers was used as a springboard to launch ransomware strikes.
Earlier this month, the flaw found in Log4j, a routine piece of free software, prompted especially grave warnings, with some officials estimating that hundreds of millions of devices are at risk.
The reliance on intertwined software and hardware ensures that a vulnerability hidden in a tool such as Log4j can cause wide-ranging disruption.
"When there's a risk in one part of the system, it has the potential for a global ripple effect," said Sherri Davidoff, chief executive of the cyber firm LMG Security.
"Every organization is scrambling to figure out how they should respond, when so much of the problem is outside their control and in the hands of suppliers, or suppliers of suppliers," she said of Log4j.
Since the Log4j vulnerability was publicly disclosed earlier this month, cybersecurity researchers have warned of hackers linked to the Russian, Chinese, Turkish and Iranian governments exploiting the flaw against various targets.
The Belgian Defense Ministry has reported a breach to its systems, while companies ranging from a German chemical firm to a Milwaukee-based industrial-parts supplier have rushed to shore up their networks, taking portions offline as a precaution.
U.S. officials and security experts said the past year has been one of the worst on record for cybersecurity, marked not only by repeated discoveries of bugs considered historic in their scope and potential severity but also by an onslaught of ransomware attacks on businesses and critical infrastructure.
A May attack on Colonial Pipeline shut down the main conduit of fuel for the East Coast, and was followed by a similar attack in June that disrupted a large meat distributor.
A surge of such attacks this year prompted the Biden administration to identify ransomware as a top threat to national security, and President Biden has repeatedly tried to pressure his Russian counterpart, Vladimir Putin, to crack down on ransomware groups operating within his borders.
There are also far more deep-pocketed buyers in what is known as the zero-day market for high-powered hacking tools, officials and experts said.
Researchers at Alphabet Inc.'s Google have identified 57 zero-days used by attackers in 2021, according to data shared with The Wall Street Journal, more than double the total seen last year.
Many of the observed vulnerabilities lie in software produced by large technology providers, such as Microsoft, with global customer bases.
Microsoft declined to comment.
The Biden administration in recent months has begun taking steps intended to rein in the proliferation of zero-days -- essentially previously unknown computer flaws -- by blocking U.S. trade with some well-known vendors, including the Israeli cyber firm NSO Group. But cybersecurity experts said demand for such vulnerabilities could continue to grow as companies and governments harden their baseline defenses against simpler attacks.
"The attacker is always going to use the easiest way to get into an organization," said Phil Venables, chief information security officer at Google's cloud division.
The previously unknown flaw in the Log4j tool, which many developers use to record activity across websites and applications, underscored how such threats can originate in the most basic building blocks of software.
The Biden administration in May ordered federal agencies to more aggressively vet such tools in an executive order aimed at shoring up the government's digital-supply chains.
U.S. officials also have instituted first-of-their-kind regulations requiring pipeline, rail and airline companies to report hacks that could provide intelligence about threats to other types of critical infrastructure.
The drumbeat of attacks has inspired gallows humor among cyber professionals also grappling with the stress of the coronavirus pandemic.
London-based cyber firm Intruder last week launched a pop-up site curating memes, including one image showing a freight train labeled as "Log4j" smashing a bus that represents the cybersecurity community's holiday plans.
The site, which Intruder officials said has attracted nearly a quarter-million unique visitors since its launch, describes itself as a pick-me-up for cyber defenders in its tagline: "If you don't know whether to laugh or cry."