CSA advises firms to take steps to secure systems

Cyber Security Agency says there is no indication that Singapore was a target in FireEye hacking attack

US cyber-security company FireEye said earlier this month that it was hacked in a state-sponsored attack, with the firm's hacking tools stolen in the process. The company said the theft stems from malicious code injected by hackers into SolarWinds' software that FireEye used. The malware reportedly allowed hackers to spy on secure information at top US agencies. PHOTO: LIANHE ZAOBAO

The Cyber Security Agency of Singapore (CSA) has advised companies to take steps to secure their systems, even though there is no indication that Singapore was a target of a recent high-profile hacking attack.

Following the attack involving cyber-security firm FireEye and software provider SolarWinds Corp, the CSA sent out an advisory on Dec 9 for firms to disconnect affected cyber-security tools and update their systems to protect against cyber criminals.

It told The Straits Times late on Tuesday that based on its understanding, the scope of the FireEye attack was limited and did not affect Singapore.

FireEye, one of the largest cyber-security companies in the United States, said earlier this month that it was hacked in a state-sponsored attack. The firm's hacking tools, used to test the defences of its clients, were stolen in the process.

The theft stems from malicious code injected by hackers into US-based SolarWinds' software that FireEye used, the cyber-security firm said this week after conducting an investigation. The software facilitates the monitoring of computer networks of businesses and governments for outages.

The malware, in the form of a software update, reportedly allowed hackers to spy on secure information at some of the top agencies in the US.

The attack on FireEye, which holds a range of contracts with the US and its allies, is among the most significant breaches in recent memory. The firm, which last month reported an all-time record revenue of US$238 million (S$316 million) for the third quarter of this year, provides services for international government agencies.

It also works with big-name firms like telecommunications company Vodafone, the Bank of Thailand and lighting company Signify, which was previously known as Philips Lighting.

The company is a strategic partner of CSA, which oversees national cyber-security functions and protects Singapore's critical services.

The CSA said: "Based on the information from FireEye, the attack was highly targeted, with the breach limited to FireEye's US offices. There has been no evidence to suggest that Singapore was or would be a target."

The agency sent an advisory to critical information infrastructure leaders, advising them to work with their security vendors and update their systems to protect them from the stolen FireEye tools.

  About the attack

    What happened

    Highly secure US government information, potentially involving some of the country's top agencies, was targeted in a sophisticated hacking incident - one of the biggest in recent years.

    Malicious code was hidden in updates to a popular software called Orion, made by US company SolarWinds, which monitors networks of businesses and governments for outages.

    With the code, hackers were able to access an organisation's networks to steal data.

    Prominent cyber-security company FireEye, which itself uses SolarWinds, said earlier this month that it had experienced a breach due to the software.

    FireEye supplies services to international government agencies as well as banks, telecommunications providers and electricity companies.

    More than 18,000 private and government users were reported to have downloaded the tainted Orion software update, which could have allowed hackers to monitor internal e-mails and steal information.

    Agencies that may have been impacted include the Centers for Disease Control and Prevention in the United States, as well as the country's State Department and Justice Department.

    It has been reported that last year, SolarWinds was alerted to the fact that anyone could access its update server by using the password "solarwinds123", exposing a jarring vulnerability in the firm's system.

    Who is affected

    The scale of the attack is likely to be global, given how SolarWinds provides network monitoring and other technical services to thousands of organisations.

    These include most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.

    Experts have said that due to Orion's design - to look for problems in a computer network - it could give hackers a thorough view of an organisation and deep access into its systems.

    SolarWinds said it sent an advisory on Sunday to about 33,000 of its Orion customers who might be affected, though it estimated a smaller number of customers - fewer than 18,000 - had actually installed the compromised product update earlier this year.

    Who is responsible and what's next

    SolarWinds said an "outside nation state" infiltrated its systems with malware, but neither the US government nor the affected companies have publicly identified the hackers.

    A US official, speaking on condition of anonymity because of an ongoing investigation, told The Associated Press on Monday that Russian hackers are suspected.

    Russia responded the same day saying it had "nothing to do with" the hacking.

    SolarWinds may face legal action from private customers and government entities affected by the breach.

    Singapore's Computer Emergency Response Team, a unit of the Cyber Security Agency of Singapore, has recommended that organisations disconnect or power down SolarWinds' Orion products from their networks immediately.

Tainted software update

Hackers had gained access through SolarWinds' software called Orion, using malware that was disguised as a software update.

SolarWinds provides network-monitoring and other technical services to thousands of organisations around the world, including most Fortune 500 firms and government agencies in North America, Europe, Asia and the Middle East. The firm has an office in Suntec City.

According to reports, more than 18,000 private and government users had downloaded this tainted software update, which reportedly allowed hackers to monitor internal e-mails at some of the top agencies in the US.

In a public advisory on its website on Monday, the Singapore Computer Emergency Response Team (SingCert) advised organisations to disconnect or power down SolarWinds' Orion products from their networks immediately. SingCert is a unit of CSA.

"Administrators should also review the logs for suspicious activities, check connected systems for signs of compromise and persistence mechanisms, and reset credentials if necessary, especially ones used by or stored in SolarWinds software," said CSA.

"Administrators are also advised to monitor their networks and systems for any suspicious activities."

CSA said it has been in close contact with the US Cybersecurity and Infrastructure Security Agency, as well as FireEye. They have both provided CSA with more information, which the agency said has helped it to better issue advice on what preventive measures to take.

A version of this article appeared in the print edition of The Straits Times on December 17, 2020, with the headline 'CSA advises firms to take steps to secure systems'.