Since 2018, along with colleagues first at VICE Motherboard, and now at TechCrunch, I have been publishing a list at the end of the year highlighting the best cybersecurity stories reported by other outlets. Cybersecurity, surveillance, and privacy are huge topics that no one single publication can cover effectively on its own. Journalism is by definition competitive, but also a highly collaborative field. That’s why it sometimes makes sense to point our readers to other publications and their work to learn more about these complicated and sprawling beats.
Without further ado, here are our favorite cybersecurity stories of this year written by our friends at rival outlets. — Lorenzo Franceschi-Bicchierai.
In one of the biggest and most brazen mass-hacks in recent history, hackers this year raided hundreds of insecure cloud storage accounts hosted by cloud computing company Snowflake, relied on by some of the world’s largest tech and telecom companies. The hackers then held the huge troves of stolen data for ransom. One victim of the hacks, AT&T, confirmed that it lost the call and text records of “nearly all” of AT&T’s 110 million customers in the breach, accounting for more than 50 billion call and text records.
Days after AT&T went public with news of its breach, independent security reporter Kim Zetter broke the news that AT&T had weeks earlier paid a hacker $370,000 to delete the huge cache of stolen phone records and not publicly release the data. Zetter’s reporting uncovered a major piece in the puzzle of who was behind the intrusions — at the time known only as UNC5537 by Mandiant — and who were later identified as Connor Moucka and John Binns and indicted for their role in the mass-thefts from Snowflake’s customer accounts. — Zack Whittaker.
Kashmir Hill’s latest investigative report in The New York Times revealed that automakers are sharing consumers’ driving behavior and habits with data brokers and insurance companies, which use the data to hike customer rates and premiums, a dystopian use of a driver’s own information against them. For GM vehicle owners, drivers are often not informed that enrolling in its Smart Driver feature would automatically result in vehicles sharing their driving habits with third-parties. The story prompted a congressional inquiry, which revealed that the carmakers sold consumers’ data in some cases for mere pennies. — Zack Whittaker.
This is just a wild story. If this story was a movie — heck, it should be — it would still be shocking. But the fact that this actually happened is just incredible. Zach Dorfman pulled off an incredible feat of reporting here. Writing about intelligence operations is not easy; by definition, these are supposed to stay secret forever. And this is not one of those stories that the intelligence community would secretly be happy to see out there. There’s nothing to be proud or happy here. I don’t want to spoil this story in any way, you just have to read it. It’s that good. — Lorenzo Franceschi-Bicchierai.
This is not purely a cybersecurity story, but in some ways crypto has always been part of hacking culture. Born as a libertarian pipe dream, it’s been clear for a few years that Bitcoin and all its crypto offshoots have nothing to do with what Satoshi Nakamoto, the mysterious inventor of the cryptocurrency and blockchain technology, imagined back in 2008 in his founding paper on Bitcoin. Now, crypto has become a tool for the far-right to wield their power, as Charlie Warzel explains very well in this piece. — Lorenzo Franceschi-Bicchierai.
Bloomberg’s Katrina Manson got the scoop that nobody else could: drug distributor Cencora paid a $75 million ransom to an extortion gang not to release sensitive personal and medical-related data on upwards of around 18 million people following an earlier cyberattack. Cencora was hacked in February, but steadfastly and continually refused to say how many individuals had their information stolen — even though public filings showed upwards of 1.4 million affected individuals and rising. TechCrunch had been chasing this story about the alleged ransom payment for some time (and we weren’t the only ones!) after hearing rumblings that Cencora had paid what is believed to be the biggest ransomware payment to date. Bloomberg’s Manson got the details on the bitcoin transactions and confirmed the ransom payments. — Zack Whittaker.
I’ve covered ransomware for years, and while the hackers behind these data-theft attacks are often willing to talk, the victims of these attacks typically aren’t so keen to open up. Bloomberg’s Ryan Gallagher achieved the near-impossible by getting the U.K.-based delivery company Knights of Old to reveal all about a ransomware attack that resulted in the company shuttering after 158 years in business. Paul Abbott, Knights’ co-owner, spoke frankly about the attack, giving readers a glimpse into the devastation caused by the Russia-linked hacking gang. Abbott revealed how — and why — the company decided not to negotiate, resulting in the publication of more than 10,000 internal documents. This leak, Abbot disclosed, meant the company could not secure a loan or sell the company, forcing it to close its doors for good. — Carly Page.
404 Media has absolutely been killing it in the year or so after it launched. There have been plenty of great stories but this one stood out for me. Here, Joseph Cox and other journalists received the same dataset, and he smartly decided to focus on one major issue in his story: How cellphone location could help identify people visiting abortion clinics. With Donald Trump returning to the White House, and the Republican Party controlling all branches of government, it is likely that we will see further challenges to abortion rights and access, making this kind of surveillance especially dangerous. — Lorenzo Franceschi-Bicchierai.
I have been covering crypto hacks and heists on and off for a few years now. It is a fascinating world full of grifters, scammers, hackers — and dogged investigators. One of the most intriguing characters is a man who goes by the handle ZachXBT. For years, he has been unraveling some of the most intricate crypto mysteries, hacks, heists, scams and money laundering operations. This year, Andy Greenberg at Wired did a great job profiling ZachXBT. And even if Greenberg couldn’t reveal the detective’s real-world identity and withheld a lot of identifying information, the story painted a vivid picture of the investigator and his motivations. — Lorenzo Franceschi-Bicchierai.
Wired’s Andy Greenberg got the scoop on another major China backed-hacking campaign. The eye-opening report, published in October, reveals how researchers working for Chengdu-based cybersecurity firm at Sichuan Silence and the University of Electronic Science and Technology of China spent years researching vulnerabilities in Sophos firewalls. The vulnerabilities subsequently used by Chinese-government backed hacking groups, such as APT41 and Volt Typhoon, to plant backdoors in Sophos firewalls used by organizations around the world and steal their sensitive data. The five-year-long campaign, as also detailed by Sophos itself, resulted in the compromise of more than 80,000 firewall devices globally — including some used in the U.S. government. Following Greenberg’s reporting, the U.S. government sanctioned the Chinese cybersecurity company and one of its employees for their role in the widespread hacking campaign. — Carly Page.
The Salt Typhoon hack of U.S. phone and internet giants will not only go down as one of the biggest cybersecurity stories of 2024, but also as one of the biggest hacks in history. The Wall Street Journal impressively got the scoop on this story, reporting in October that Salt Typhoon, a Chinese government-backed hacking group, had penetrated the networks of a swath of U.S. telecom providers to access information from systems the federal government uses for court-authorized network wiretapping requests. The WSJ’s excellent reporting kickstarted months of follow-ups and prompted action from the U.S. government, which has since urged Americans to switch to encrypted messaging apps, such as Signal, to minimize the risk of having their communications intercepted. — Carly Page.
KYC, or “know your customer” checks, are some of the most relied upon techniques that banks and tech companies use to try to confirm it is in fact you they are dealing with. KYC involves looking at your driver’s license, passport, or other kind of ID, and checking — to the greatest degree possible — the authenticity of the document. But while fakes and forgeries are inevitable, generative AI models are rendering these KYC checks entirely useless. 404 Media explored the underground site where “neural networks” churn out fake IDs at speed, which was a brilliant way to expose how easy it is to generate fake IDs on the fly that are capable of enabling bank fraud and criminal money laundering. The site went offline following 404 Media’s reporting. — Zack Whittaker.
