Strengthening our cyber defences

Strengthening our cyber defences: A person, a bank, a country - it's a free-for-all

From malware available to anyone willing to pay for it, to state-sponsored hacking, the Internet is now a far more dangerous field than in the recent past, Insight finds

PHOTO ILLUSTRATION: CHNG CHOON HIONG PHOTO: ISTOCKPHOTO
Visitors trying out virtual reality goggles at the FireEye booth (left) and a Cisco exhibition worker (above) during the Singapore International Cyber Week at Suntec Convention and Exhibition Centre earlier this month. Studies have found that cyber a
Visitors trying out virtual reality goggles at the FireEye booth (above) and a Cisco exhibition worker during the Singapore International Cyber Week at Suntec Convention and Exhibition Centre earlier this month. Studies have found that cyber attacks today cost the global economy about US$400 billion (S$557 billion) a year, and British market research group Juniper Research estimates that this will shoot up to US$2.1 trillion by 2019. PHOTOS: ALPHONSUS CHERN, AGENCE FRANCE-PRESSE
Visitors trying out virtual reality goggles at the FireEye booth (left) and a Cisco exhibition worker (above) during the Singapore International Cyber Week at Suntec Convention and Exhibition Centre earlier this month. Studies have found that cyber a
Visitors trying out virtual reality goggles at the FireEye booth and a Cisco exhibition worker (above) during the Singapore International Cyber Week at Suntec Convention and Exhibition Centre earlier this month. Studies have found that cyber attacks today cost the global economy about US$400 billion (S$557 billion) a year, and British market research group Juniper Research estimates that this will shoot up to US$2.1 trillion by 2019. PHOTOS: ALPHONSUS CHERN, AGENCE FRANCE-PRESSE
The cyber security conference two weeks ago was attended by more than 100 government, military and policy types. Governments around the world have devoted greater attention to the issue, from starting specialised national agencies to focus efforts to introducing new laws to govern this field. PHOTO: MCI

Even the man who once headed cyber security operations of the entire United States military, retired Army major-general John Davis, is astonished at how cybercrime has changed so much, so quickly.

A few years ago, the cyber criminal underworld still resembled a "dark, murky back alley, with puddles on the ground and maybe someone in a basement in a hoodie, acting by themselves", says Mr Davis.

Today, that back alley looks more like New York's Fifth Avenue and Wall Street, he told an audience of more than 100 government, military and policy types at a cyber security conference at Suntec City two weeks ago.

Insight sat in on the conference, held the same week that Singapore launched its National Cyber Security Strategy, which maps out its long-term approach towards securing its cyberspace, while tapping opportunities to grow the infocomm technology sector locally.

Mr Davis has more than a decade of experience in the upper echelons of the US national security sector. His job once included protecting one of the largest computer systems in the world, the US Defence Department's global network. So he is not given to hyperbole. No wonder, then, that his comments drew nods across the room.

"Today's model is an extremely professionalised and lucrative business model, resulting in billions of dollars in revenue for the criminal underworld," says Mr Davis, who left the US Army in May last year for the private sector.

"It's no more the single person in the hoodie - it's a very well-oiled enterprise that takes advantage of the market system."

Exactly how well does cybercrime pay? Multiple studies have found that cyber attacks today cost the global economy about US$400 billion (S$557 billion) a year.

With more business and government infrastructure moving online, and mobile device use growing around the world, British market research group Juniper Research estimates that this figure will quintuple to US$2.1 trillion by 2019.

This state of affairs underlines the importance of cyber security, an area governments around the world have devoted greater attention to, from starting specialised national agencies to focus efforts to introducing new laws to govern this field.

Like shopping at a high-end mall, today's malicious software (malware) can be tailored to a criminal's needs, whether it is to breach networks and steal intellectual property, or in the form of "ransomware", so named because it locks a user out of his own files until a payment is made. Some "vendors" even offer after- service support, says Mr Davis, who is now vice-president of cyber security firm Palo Alto Networks.

In the same way that services like Spotify and Netflix have changed the way people listen to music and watch television, malware purveyors have also, in recent years, begun offering their wares via subscription, with the promise that, in return for monthly payments, their products will stay ahead of anti- virus and other defensive tools.

ATTACK ON S'PORE BANK

One such programme was used in an attack on a major Singapore bank here last year, says Mr Vitaly Kamluk, principal researcher for IT security firm Kaspersky Lab, without naming the bank.

Impersonating a real-life officer from another bank's regulations department, the e-mail asserted that a case of money laundering had been discovered. The malware was an attachment titled "money laundering report".

It was a classic case of "spear phishing", one of the most common forms of cyber attacks today: An e-mail arrives that has been altered to look like it comes from a trusted individual. With their guard down, many then click on an online link or attachment, unwittingly granting hackers access to their computer.

Fortunately, in this instance, the employee caught a typo, became suspicious of the e-mail and alerted the IT department.

Through its investigations, Kaspersky Lab found that the program could be rented by anyone who wanted to try his hand at cybercrime. For between US$25 and US$300 a month, the would-be criminal could even customise the service to suit his needs and usage.

And many did: At least 60,000 attacks were carried out using that program between last December and this January. Targets included banks in the United Arab Emirates, Thailand, the US, Sweden and Russia.

Mr Kamluk estimates that the creator, who is believed to be an individual living in Mexico, made US$200,000 a year from this single software service.

"One person, living and working somewhere in central Mexico, single-handedly empowered a lot of criminals," he says, adding that hackers have no qualms using such tactics with the general public.

"What's really serious is that the program was also found in a terror alert e-mail supposedly sent by the federal police in Belgium, which shows that the attacker was okay with raising alarm if it helped distribute malware."

While the attack against the Singapore bank did not work, Bangladesh Bank was not as lucky. The central bank of Bangladesh lost US$81 million to hackers over the course of several hours in February from its account with the Federal Reserve Bank of New York. And it could have been worse: The attackers had tried to withdraw more than US$900 million.

Reports by firms that track cyber attacks also tell a story of how criminals are increasingly mining the rich veins that are unsecure computers connected to the Internet, not just those belonging to financial institutions.

Spear phishing campaigns jumped 55 per cent last year, while ransomware attacks grew by a third, according to a report by IT security company Symantec.

In total, the number of malware attacks last year nearly doubled from the year before to 8.19 billion, according to PC maker Dell, with Android phones a prime target.

ASIA-PACIFIC A TARGET

But what is most worrying is that Asia-Pacific - specifically South-east Asia - is where most cyber attackers are focusing their efforts, a development with many implications for Singapore, with its global connectivity and openness.

A Singtel-FireEye study found that organisations in the region face a 45 per cent higher risk of a targeted cyber attack than the global average, with one in four such attacks aimed at governments.

And companies in this region take an average of 17 months to find out they had been attacked, more than twice as long as the global average, said another study.

Even Singapore, with its reputation of being ahead of the curve in IT education and infrastructure, is not immune. Local telcos performed surprisingly poorly, compared with their regional counterparts, when it came to ensuring that their subscribers are kept safe from malware, says enterprise security specialist Nsfocus' director of project management Guy Rosefelt.

A scan of almost four million Internet protocol addresses here, against a blacklist the company maintains, showed that more than 62,000, or 1.6 per cent of them, have been compromised by malware.

This is almost five times the number of infected addresses - which attackers use as an army to attack networks and send spam e-mail - found in Malaysia, according to Nsfocus, and over 100 times more than in Japan.

NATIONS BEHIND ATTACKS, TOO

The profit-driven alliance between criminals and hackers with know- how is not the only big trend cyber security professionals have to contend with today.

Just as nations have driven most of the advances in conventional weaponry, states are increasingly sponsoring and supporting hacking groups, which have in turn created powerful tools able to breach traditional cyber defences.

Prominent cases include the use of a computer worm suspected to have been developed by Israel and the US to damage an Iranian nuclear plant in 2010, the hack of Sony in 2014 by a North Korea-linked group protesting against a movie about Kim Jong Un, and an attack on Ukraine's power grid last December that has been blamed on Russia.

"We should expect that every single time there is any sort of conflict between governments, especially militaries, there will be a cyber component in the future," says FireEye president Travis Reese.

There has been a "significant uptick" in attacks emanating from China and Russia, says Mr Reese, who noted that state-sponsored groups, such as the one US officials have blamed for the hacking of e-mails belonging to campaign staff of presidential candidate Hillary Clinton, have become more aggressive and persistent.

"The Russians are all over US government agencies, the diplomatic corps, the hacks of the Democratic National Convention - it's been amazing to see how loud they have become," says Mr Reese.

Join ST's WhatsApp Channel and get the latest news and must-reads.

A version of this article appeared in the print edition of The Sunday Times on October 23, 2016, with the headline Strengthening our cyber defences: A person, a bank, a country - it's a free-for-all. Subscribe