No reason to believe Singapore was a target in FireEye hack: CSA

FireEye, one of the largest cyber security companies in the United States, said earlier this month that it was hacked in a state-sponsored attack. ST PHOTO: KELVIN CHNG

SINGAPORE - There is no reason to believe that Singapore was a target of the recent high-profile hacking attack involving cyber security firm FireEye and software provider SolarWinds Corp, authorities said late on Tuesday (Dec 15).

Even so, the Cyber Security Agency of Singapore (CSA) said it had sent out an advisory on Dec 9 for firms to disconnect affected cyber security tools and update their systems to protect against cyber criminals.

FireEye, one of the largest cyber security companies in the United States, said earlier this month that it was hacked in a state-sponsored attack. The firm's hacking tools, which are used to test the defences of its clients, were stolen in the process.

The theft stems from malicious code injected by hackers into US-based SolarWinds software that FireEye used, the cyber security firm said this week after conducting an investigation.

The software facilitates the monitoring of computer networks of businesses and governments for outages. 

The malware, in the form of a software update, reportedly allowed hackers to spy on secure information at some of the top agencies in the US.

The attack on FireEye, which holds a range of contracts in the United States and its allies, is among the most significant breaches in recent memory. The firm, which last month reported an all-time record revenue of US$238 million ($317 million) for the third quarter of this year, provides services for international government agencies.

It also works with big name firms like telecommunications company Vodafone, the Bank of Thailand and lighting company Signify, which was previously known as Philips Lighting.

The company is a strategic partner of CSA, which oversees national cyber security functions and protects Singapore's critical services. CSA told The Straits Times that based on its understanding, the scope of the FireEye attack was limited and did not affect Singapore.

"Based on the information from FireEye, the attack was highly targeted, with the breach limited to FireEye's US offices. There has been no evidence to suggest that Singapore was or would be a target," it said.

The agency sent an advisory to Critical Information Infrastructure (CII) leaders, advising them to work with their security vendors and update their systems so that they are protected against the stolen FireEye tools.

Software update

Hackers had gained access through a SolarWinds software called Orion, using malware disguised as a software update.

SolarWinds provides network-monitoring and other technical services to thousands of organisations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East. The firm has an office in Suntec City.

According to reports, more than 18,000 private and government users had downloaded this tainted software update, which reportedly allowed hackers to monitor internal e-mails at some of the top agencies in the US.

The Singapore Computer Emergency Response Team (SingCert) had, in a public advisory on its website on Monday, advised organisations to disconnect or power down SolarWinds Orion products from their networks immediately. SingCert is a unit of CSA.

"Administrators should also review the logs for suspicious activities, check connected systems for signs of compromise and persistence mechanisms, and reset credentials if necessary, especially ones used by or stored in SolarWinds software," said CSA.

"Administrators are also advised to monitor their networks and systems for any suspicious activities."

CSA said that it has been in close contact with the US Cybersecurity and Infrastructure Security Agency, as well as FireEye.

They have both provided CSA with more information, which the agency said has helped it to better advise on preventive measures to take.

FireEye took swift action to mitigate the threat and alert its partners, customers and other cyber security vendors, so that appropriate action could be taken quickly, said CSA.

According to FireEye’s statement, there is evidence to show the attackers are state-sponsored and highly sophisticated. CSA has urged organisations to be vigilant.

Associate Professor Chang Ee-Chien from the National University of Singapore's School of Computing said that the attacks in this case are likely to affect larger organisations instead of home users.

"State-sponsored attacks typically have large resources and political goals. They do not direct towards home users but would have significant targets, for example an attack on financial institutions or power systems," he said.
Here's a look at what happened

Highly secure US government information, potentially involving some of its top agencies, was targeted in a sophisticated hacking incident – one of the biggest in recent years.

Malicious code was hidden in updates to a popular software called Orion, made by the US company SolarWinds, which monitors networks of businesses and governments for outages.

With the code, hackers were able to access an organisation’s networks to steal data. 

Prominent cyber security company FireEye, which itself uses SolarWinds, said earlier this week that it had experienced a breach due to the software. FireEye supplies services to international government agencies as well as banks, telecommunications providers and electricity companies. 

More than 18,000 private and government users are reported to have downloaded the tainted Orion software update, which could have allowed hackers to monitor internal e-mails and steal information.

Agencies that may have been impacted include the Centres for Disease Control and Prevention in the US, as well as the country’s State Department and the Justice Department.

It has been reported that last year, SolarWinds was alerted to the fact that anyone could access its update server by using the password “solarwinds123”, exposing a jarring vulnerability in the firm’s system.

Who is affected

It is likely that the scale of the attack is global, given how SolarWinds provides network-monitoring and other technical services to thousands of organisations.

This includes most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East. 

Due to Orion’s design – to look for problems in a computer network – experts have said that it could give hackers a thorough view of an organisation, as well as deep access into its systems. 

SolarWinds said that it sent an advisory on Dec 13 to about 33,000 of its Orion customers who might have been affected, though it estimated a smaller number of customers – fewer than 18,000 – had actually installed the compromised product update earlier this year.

Who is responsible and what's next?

SolarWinds said an “outside nation state” infiltrated its systems with malware, but neither the US government nor the affected companies have publicly identified the hackers.

A US official, speaking on condition of anonymity because of an ongoing investigation, told The Associated Press on Monday that Russian hackers are suspected. Russia responded the same day to say it had “nothing to do with” the hacking.

SolarWinds may face legal action from private customers and government entities affected by the breach.

Singapore’s Computer Emergency Response Team (SingCert), a unit of the Cyber Security Agency of Singapore (CSA), has recommended that organisations disconnect or power down SolarWinds Orion products from their networks immediately.