2024: Events in international cyberspace

The year 2024 saw influence operations surrounding elections, intrusions by Chinese state-backed hackers into telecom companies, and widespread IT outages caused by a faulty CrowdStrike update.

It was also an extraordinary year for elections. In addition to the US presidential election, the UK general election, and the European Parliament election, general or local elections were held in nearly 100 countries worldwide in 2024. For many nations, this meant increased pressure in cyberspace, with attacks ranging from denial-of-service (DoS) and defacement attempts on political party websites to information operations designed to shape voter preferences.

Presidential election first round annulled in Romania

An information operation in the context of elections generally involves the coordinated dissemination and amplification of fabricated news or half-truths on social media, aiming to gain votes for a particular candidate or, conversely, to diminish the support of their opponent.

When foreign states conduct such operations, the situation becomes particularly grave, as it amounts to external interference in a country’s democratic process.

The most drastic example this year came from Romania, where the Constitutional Court decided to annul the results of the first round of presidential elections held in November. According to the country’s intelligence services, Russia had organised a coordinated influence campaign on TikTok in support of a far-right candidate.

The intelligence services also reported that over 85,000 cyberattacks were carried out against election infrastructure with various objectives, such as gaining access, altering election-related information or disrupting its availability.
 

Illustration: two hands pulling on dark grey gloves, with a skull icon on the black sleeves.

Salt Typhoon targets telecom companies

Iran, China and Russia also attempted to interfere in the US presidential election. Separately, in the final months of the year, reports began to emerge that Chinese state-backed hackers had successfully infiltrated the networks of several major American telecom companies, including AT&T, T-Mobile and Verizon.

The group responsible was Salt Typhoon, and the incident is believed to be the most extensive cyberespionage campaign against the Western telecommunications sector to date.

According to the White House, Chinese hackers had been embedded in telecom companies for one or two years, affecting not only the US but also several European and Southeast Asian countries.

Salt Typhoon’s activities first gained media attention after reports surfaced that the attackers had gained access to the phone communications of several high-ranking US politicians, including the phones used by the president and vice president during the 2024 campaign.

Alongside state-sponsored espionage groups, cybercriminals also targeted the telecom sector. In October, Free, the second-largest internet service provider in France, suffered a breach in which a database containing the details of 19 million customer accounts was stolen and offered for sale on the dark web.

The US telecom company AT&T was also affected in the spring by the compromise of customer accounts on Snowflake’s data warehouse platform, which became one of the largest service-provider-based incidents of the year.

Snowflake, a cloud-based platform for storing and analysing large volumes of data, became a target when the data theft group ShinyHunters obtained Snowflake customer credentials that were circulating on the dark web, many of them harvested from employee computers by infostealer malware. Seizing the opportunity, they used the credentials to access sensitive data belonging to Snowflake’s high-profile clients. The logins succeeded because the affected accounts were protected by a password alone, without multi-factor authentication, and were not restricted to trusted networks; Snowflake’s platform itself was not found to have been breached. The Snowflake data breach affected at least nine major corporations and millions of their customers. Among the victims was Ticketmaster, whose leaked data caused significant disruption, including chaos around already scarce tickets for a Taylor Swift concert tour.
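The pattern behind the Snowflake incident, a single external address using bare passwords against several accounts, is visible in login history if anyone looks. The script below is an added example for this section, not Snowflake’s or any vendor’s code: it runs two checks over a constructed login-history export whose record layout, account names and IP ranges are assumptions (the allow-listed range is a documentation network).

```python
"""Hunt for password-only and off-network logins in data-warehouse login history.

Added illustration for this section, not Snowflake's or any vendor's code. The record
layout loosely mirrors a login-history export; the events and IP ranges are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed corporate egress range (TEST-NET-3, reserved for documentation).
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    client_ip: str
    auth_method: str      # "PASSWORD", "PASSWORD+MFA" or "SAML"
    success: bool
    client_app: str


def is_corporate(ip: str, allowed=CORPORATE_RANGES) -> bool:
    """True when the client address falls inside one of the allow-listed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed)


def risky_logins(events, allowed=CORPORATE_RANGES):
    """Successful logins that used a bare password or came from outside the allow-list.

    Either gap alone lets a stolen credential work; both together are the pattern
    behind the 2024 campaign. Returns (user, ip, reasons) tuples in event order.
    """
    findings = []
    for e in events:
        if not e.success:
            continue
        reasons = []
        if e.auth_method == "PASSWORD":
            reasons.append("no MFA")
        if not is_corporate(e.client_ip, allowed):
            reasons.append("outside allow-list")
        if reasons:
            findings.append((e.user, e.client_ip, tuple(reasons)))
    return findings


def shared_source_ips(events, min_users=3):
    """IPs that successfully authenticated as several distinct users: bulk credential use."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e.success:
            users_by_ip[e.client_ip].add(e.user)
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_users}


# Constructed sample: one healthy login, one bare-password login from the office, and a
# single external IP that walks through three accounts with password-only auth.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2024, 4, 14, 2, 11), "alice", "203.0.113.10", "PASSWORD+MFA", True, "SnowSQL"),
    LoginEvent(datetime(2024, 4, 14, 2, 15), "erin", "203.0.113.22", "PASSWORD", True, "JDBC"),
    LoginEvent(datetime(2024, 4, 14, 3, 2), "bob", "198.51.100.7", "PASSWORD", True, "Python"),
    LoginEvent(datetime(2024, 4, 14, 3, 4), "carol", "198.51.100.7", "PASSWORD", True, "Python"),
    LoginEvent(datetime(2024, 4, 14, 3, 5), "frank", "198.51.100.7", "PASSWORD", False, "Python"),
    LoginEvent(datetime(2024, 4, 14, 3, 9), "dave", "198.51.100.7", "PASSWORD", True, "Python"),
]

if __name__ == "__main__":
    for user, ip, reasons in risky_logins(SAMPLE_EVENTS):
        print(f"{user:6} {ip:14} {', '.join(reasons)}")
    print(shared_source_ips(SAMPLE_EVENTS))
```

Hunting like this only finds the abuse after the fact; the preventive control is to require MFA and a network allow-list at the account level so that a leaked password on its own is worthless.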

CrowdStrike software glitch disrupted millions of computers

While high-impact cyber incidents are usually associated with malicious attacks and prevented by cybersecurity companies through their protective solutions, one of the most significant IT incidents in history was caused by a colossal blunder by the renowned cybersecurity provider CrowdStrike.

In July 2024, the company released a faulty update for its flagship product, the CrowdStrike Falcon platform, which on 19 July caused millions of Windows systems to crash.

The fallout included flight cancellations across the US and Europe, disruptions to rail services in the UK, interruptions at a Finnish news agency, and the closure of shopping centres in Australia, to name just a few examples of the widespread global disruptions.

Estonia was also affected: some computers at grid operator Elektrilevi were down for a few hours, and check-in for Ryanair flights at Tallinn Airport had to be carried out manually.

CrowdStrike’s global IT disruption: what happened?

In the early hours of 19 July, at 4:24 am, CrowdStrike released a routine content update for the sensor of its cloud-managed CrowdStrike Falcon endpoint protection platform.

But the update was faulty. The channel file it delivered contained data that the sensor could not handle, triggering an out-of-bounds memory read in the Falcon kernel driver. Because the driver runs inside the Windows kernel, the fault brought down the whole operating system, and affected machines fell into a blue-screen boot loop. It is estimated that at least 8.5 million devices were disrupted globally.

This led to disruptions and closures across aviation, finance, healthcare, commerce and media sectors worldwide, with global damages estimated in the billions of dollars.

CrowdStrike quickly identified the error and issued a corrected update at 5:27 am the same morning. However, devices that had already crashed could not download the fix: each had to be recovered by hand, typically by booting into safe mode or the Windows Recovery Environment and deleting the faulty channel file, a task further complicated on disks protected by BitLocker, whose recovery keys had to be retrieved first. As a result, the interruptions lasted anywhere from hours to days or even weeks, depending on the sector and organisation.
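The fix was published in about an hour, but by then the update had already reached the whole fleet. A control that a practitioner would want here is a staged rollout that widens the audience ring by ring only while boot telemetry from the previous ring stays healthy. The script below is an added example for this section, not CrowdStrike’s deployment tooling: the ring names, failure budget and boot reports are all constructed for the illustration.

```python
"""Ring-based rollout gate for sensor content updates.

Added illustration for this section, not CrowdStrike's deployment tooling. Ring names,
thresholds and the boot telemetry below are constructed for the example.
"""
from dataclasses import dataclass, field

# Assumed rings: each step widens the blast radius only after the previous ring is healthy.
RINGS = ["canary", "early", "broad", "everyone"]


@dataclass
class RolloutState:
    update_id: str
    ring: int = 0              # index into RINGS of the ring currently receiving the update
    halted: bool = False
    history: list = field(default_factory=list)

    @property
    def finished(self) -> bool:
        return self.ring >= len(RINGS)


def evaluate_ring(reports, max_failure_rate=0.01, min_reports=20):
    """Decide on one ring from (host, booted_ok) telemetry gathered after the update landed.

    Returns 'wait' while too few hosts have reported, 'halt' if the failure rate exceeds
    the budget, otherwise 'promote'.
    """
    if len(reports) < min_reports:
        return "wait"
    failures = sum(1 for _, ok in reports if not ok)
    return "halt" if failures / len(reports) > max_failure_rate else "promote"


def advance(state, reports, **limits):
    """Apply one telemetry batch to the rollout; a halt is sticky and blocks further rings."""
    if state.halted:
        return "halt"
    if state.finished:
        return "done"
    verdict = evaluate_ring(reports, **limits)
    state.history.append((RINGS[state.ring], verdict))
    if verdict == "halt":
        state.halted = True
    elif verdict == "promote":
        state.ring += 1
    return verdict


def constructed_reports(ring_name, boot_ok_fraction, hosts=50):
    """Synthetic telemetry: the first (1 - fraction) share of hosts fail to boot."""
    failing = round(hosts * (1 - boot_ok_fraction))
    return [(f"{ring_name}-host-{i:03d}", i >= failing) for i in range(hosts)]


def run_rollout(update_id, boot_ok_fraction):
    """Drive an update through every ring until it finishes or trips the gate."""
    state = RolloutState(update_id)
    while not (state.halted or state.finished):
        advance(state, constructed_reports(RINGS[state.ring], boot_ok_fraction))
    return state


if __name__ == "__main__":
    good = run_rollout("content-ok", boot_ok_fraction=1.0)
    bad = run_rollout("content-crashes-kernel", boot_ok_fraction=0.0)  # every host blue-screens
    print(good.history, "finished:", good.finished)   # promoted through all four rings
    print(bad.history, "halted:", bad.halted)         # halted at the canary ring
```

With a 1% failure budget, an update that crashes every host it touches never leaves the canary ring, and the fix is then a file replacement on a few dozen machines rather than a manual recovery of millions.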

Attacks on the healthcare sector

Cyberattacks often target critical services, and as in previous years, several serious incidents were linked to the healthcare sector. In many cases, attackers bypassed the healthcare institutions themselves and targeted these institutions’ critical service providers instead.

In February, the ransomware group BlackCat (also known as ALPHV) attacked the US company Change Healthcare, which connects patients, doctors and insurance providers. As a result, healthcare billing and patient reimbursements across the country were disrupted, with healthcare institutions reportedly suffering losses amounting to tens of millions of dollars. The attack also led to the theft of sensitive data on 100 million Americans – about one in three people – followed by additional ransom demands months later.

In Romania, a February ransomware attack on the medical sector’s information system forced around 100 hospitals to go offline and temporarily resort to handwritten prescriptions and patient records. In early June, a ransomware attack hit Synnovis, a pathology and diagnostic service provider collaborating with several major hospitals in London. This led to several days during which rapid blood analyses and transfusions could not be performed, resulting in postponed surgeries and cancelled appointments.

Data leak from Helsinki City Government

Data breaches have become increasingly common in today’s digitalised society, but 2024 saw some particularly notable cases.

Early May brought bad news for Finland, as it was revealed that the education department of the Helsinki City Government had suffered a cyberattack resulting in the theft of data belonging to up to 150,000 individuals, including children and young people’s personal details and health information.

The attack exploited a server running outdated software, which had been slated for replacement but was delayed due to a busy maintenance schedule.

Given that serious data breaches have shaken Finnish society before, the government decided to involve the Safety Investigation Authority, which is responsible for investigating and preventing major incidents.

During the first week of May, it was also revealed that over 225,000 personal records of active-duty personnel, veterans and reservists in the United Kingdom armed forces were leaked through payroll software used by the UK Ministry of Defence. The leaked data included names and bank account information – sensitive details likely to be of interest to hostile intelligence services.

The breach was reportedly made possible due to the service provider’s inadequate cybersecurity standards. This underlined an issue that many countries, including Estonia, continue to grapple with: how to mitigate cyber risks in critical sectors that rely on external service providers.

$25 million lost due to deepfake technology

Last year, we predicted that rapidly advancing artificial intelligence would transform the cyber landscape. In 2024, phishing emails and messages, enhanced by large language models, became more realistic and accurate, even in less widely spoken languages.

However, the most alarming developments were tied to deepfake technology in both voice and video.

In February, Hong Kong police investigated a case where a finance officer at a multinational corporation participated in a video call with colleagues and later transferred $25 million from the company account, acting on what appeared to be instructions from the CFO during the call. The entire video call turned out to be fake – the ‘colleagues’ on-screen were deepfake creations, made to look and sound exactly like their real counterparts.

While creating fake videos requires some effort and time, synthesising a specific individual’s voice can take just 10 minutes using widely available software.

In one case in the US, for example, a mother received a call from a stranger claiming her daughter had caused a car accident and demanded compensation. To lend credibility to the story, the phone was passed to the ‘daughter’, who sounded distressed, admitted fault and urged her mother to comply. In reality, the daughter’s voice had been faked.

Scammers often use public speech samples, such as TikTok videos or conference recordings, to create a fake voice. In this case, however, the daughter had received several strange phone calls in the days leading up to the scam, which she did not think to hang up immediately. The family believes these calls were used to train the AI tool to replicate her voice and mannerisms.

Growing collaboration among hacktivists

In recent years, hacktivists have made their presence felt in cyberspace, in Estonia, and globally, disrupting the daily lives of nations they view as adversaries through cyberattacks. In 2024, they continued their efforts, targeting high-profile events such as the Paris Olympics and the UEFA European Championship.

These attacks primarily involved basic distributed denial-of-service (DDoS) attacks on government websites, which were largely ineffective. However, there are signs that cooperation among various hacktivist groups is gradually growing, enabling them to occasionally expand their activities geographically. For example, pro-Kremlin hacktivists added South Korea to their list of targets after the country condemned North Korean soldiers’ involvement in Russia’s war in Ukraine.

Last updated: 17.02.2025
