Cyber hackers and digital defences

Cyber hackers and digital defences: Gone phishing... So, everyone, on guard

When even a computer security expert previously involved in a Mindef project gets hacked, it is clear that cyber security is an urgent issue. Insight looks at the safeguards being put in place.

One of the first cyber attacks by nation states, the Stuxnet computer worm that infected the system of Iran's Natanz uranium enrichment plant in 2010, was the subject of a documentary, Zero Days. PHOTO: ZERO DAYS

Monday blues started early for IT engineer K.S. Tan when he had to pull an all-nighter last Sunday to run codes on 720 servers and computers in Singapore.

News that hundreds of thousands of computers in about 150 countries were infected by a new malware, dubbed WannaCry, had broken on the Friday of that weekend.

The 35-year-old and three other IT colleagues were racing against time to keep the infection at bay as experts had warned that there could be more fallout on Monday, when people turned on their computers at work. Mr Tan's company maintains the IT systems of hundreds of organisations in Singapore.

The scramble continued the next day, as they found several systems susceptible to WannaCry. "We hardly had time for meals and restroom breaks," says Mr Tan.

News of hospitals, government agencies and railway operations around the world being disrupted by WannaCry sends a chilling message - cyberspace has become a hangout for criminals and political activists, and new standards of vigilance are required.

Systems integrators point out to The Sunday Times that many companies in Singapore had not applied a software patch, available since March, to fix a Microsoft Windows flaw which the WannaCry ransomware exploits.

  • FAQs: What's out there, and how to stay safe?

  • Q: Who is typically behind cyber attacks?

    A: There are three broad groups: political activist groups, criminal gangs and state-sponsored groups, says Mr Steve Ledzian, senior director of systems engineering at FireEye, a security systems specialist.

    Political activist groups have the least funding and use basic tools to, for example, deface websites to call attention to a cause.

    Criminal gangs have better resources and can afford more sophisticated hacking tools. They steal credit card details and personal data to make money.

    State-sponsored groups have the highest budgets for the most sophisticated tools. Their motivations are aligned with the economic or political interests of the nations behind them.

  • Q: What are the modes of attacks?

    A: The use of phishing e-mails containing malware is the top mode due to the ease of execution and high success rate.

    Mr Nick Savvides, a security advocate for Asia-Pacific and Japan at Symantec, a cyber security software firm, says one in 151 e-mails received in Singapore contained malware last year, up from one in 256 e-mails in 2015.

    Phishing e-mail is also used to trick victims into disclosing their credentials, which can then be traded in the black market or used to execute further attacks.

    Through successful phishing, criminals can deposit ransomware such as WannaCry in computers and demand payment.

    Successful phishing attempts also allow state-sponsored hackers to infiltrate target networks and then deploy a variety of stealthy techniques to extract valuable data over a long period. Such attacks are known as advanced persistent threats.

  • Q: How can users prevent or prepare for such attacks?

    A: Symantec advises users to:

    • Use strong passwords

    • Do not click on links in unsolicited e-mails or social media messages

    • Be wary of attachments in unexpected e-mails

    • Enable two-factor authentication that requires you to enter a one-time password

    • Update the security software in your computer, and apply software patches for fixing software flaws promptly

    • Provide simulated attacks as training for all employees

    • Back up important data daily in a separate protected hard drive or in the cloud

    Irene Tham

Many sectors in Singapore could have been hit. But thanks to an accidental move by a 22-year-old researcher in Britain, identified as "MalwareTech", WannaCry's spread was halted.

Mr Sanjay Aurora, British cyber security services firm Darktrace's Asia-Pacific managing director, says: "We might not be as lucky next time."

If a chain is only as strong as its weakest link, then something must be done about companies not being prepared for cyber security attacks. At the very least, they should have a rigorous process to identify and remediate vulnerable machines.

Given the swiftness and scale of attacks now, companies' lack of preparedness could even scuttle Singapore's plans, launched nearly three years ago, to be a Smart Nation, which embraces the conveniences of a fully digital lifestyle.

As the world's first Smart Nation, Singapore is at the vanguard of entering uncharted territory. Homes would be hyper-connected - think Internet-linked fridge, light bulbs and cameras. Companies would harness intelligence from ever more customer data collected online. All this would need protection, not just with advanced technologies, but also with discipline in patching vulnerable systems and having the street smarts to identify and deal with threats.

WHAT ACTUALLY HAPPENED

Computers become infected by WannaCry when unsuspecting users click on a bogus link or e-mail attachment - a method known as "phishing".

Once in, the malware spreads to multiple machines over the corporate intranet. In WannaCry's case, infected systems were locked down with a note demanding a ransom.

In Singapore, digital signage in some malls supplied by local firm MediaOnline broke down, and computers tied to some 500 Internet accounts were believed to have been infected - although critical sectors like finance, telecommunications and energy emerged relatively unscathed.

The scare comes hot on the heels of discoveries last month that hackers had broken into the networks of the National University of Singapore (NUS) and Nanyang Technological University (NTU).

The hackers were using a roundabout way of stealing government-related information - NTU and NUS are involved in government-linked projects for the defence, foreign affairs and transport sectors.

The hackers had been executing malware or codes stealthily for some time - a technique known as advanced persistent threats, a device employed by well-resourced entities such as political activists and governments. These hackers typically infiltrate networks via phishing.

The attacks on the universities follow the discovery in February of the theft of 850 national servicemen's and Ministry of Defence (Mindef) staff's personal data.

SINGAPORE VULNERABLE TO PHISHING E-MAILS

The use of phishing e-mails is the most popular way to infiltrate malware into a system, according to experts.

A February report by the Anti-Phishing Working Group (APWG) - a global coalition of companies, governments and law enforcement units - revealed that the number of phishing attacks hit a record 1.22 million last year, up 65 per cent from 2015.

The actual number could be higher, as APWG measured only broad-based attacks against consumer brands, and did not include those targeted at universities and governments.

APWG senior research fellow Greg Aaron says: "Truly, phishing is more pervasive and harmful (today) than at any point in the past."

Israeli cyber security threat monitor CyberInt says Singapore is now the fifth global target for phishing attacks, after the United States, Britain, the Philippines and Russia.

The ranking is based on data it gathered from its intelligence network over the last few months, including the number of phishing kits custom-built for Singapore and the number of leaked credentials from people here.

  • Dark Web: The Internet's black market

  • Unfolding what goes on beneath the surface of the Internet is like peeling the layers of an onion to reveal a rotten, dark core.

    The first layer is the open cyber world that many users are familiar with. It is indexed by popular search engines such as Google and is where services like Facebook and YouTube reside.

    But this layer is believed to be only one-tenth of what goes on online, according to a 2001 study by University of California, Berkeley. That was the last time a study was done on the number of websites on the entire Internet, including the deep Web.

    In the deep are corporate and government intranets, as well as anonymous channels for whistle-blowers and political dissidents - all protected by masking tools.

    Even deeper resides the "dark Web" masked by a tool known as The Onion Router network. There, cyber criminals crawl and black markets for trading illegal ware - from drugs to stolen credit card numbers and hacking tools - flourish. Payments are made in unregulated crypto-currencies or virtual money such as Bitcoin and MoneyPak.

    Hackers normally buy tools from these black markets. Illegal digital goods can go for as little as US$10 (S$14) for a list of 10,000 e-mail addresses to US$100 for the full details of a stolen credit card and US$700 for a health record, according to cyber security software firm Symantec.

    In October 2013, the Federal Bureau of Investigation shut down one such black market called Silk Road, with the assistance of law enforcement in 17 countries. Silk Road's American operator, Ross William Ulbricht, was arrested and sentenced to life imprisonment for money laundering, hacking and conspiring to traffic narcotics.

    The next month, Silk Road 2.0 came online, but it, too, was shut down and its alleged operator was arrested a year later.

    Cyber security firms with round-the-clock threat-monitoring operations have automated "feelers" or "sensors" in the dark Web to understand the threats that exist.

    Mr Nick Savvides, a security advocate for Asia-Pacific and Japan at Symantec, says: "Knowing the attackers, their tools and the modes of operations is important, especially when dealing with advanced persistent threats."

    Mr Amir Ofek, chief executive officer of Israeli cyber security firm CyberInt, notes: "Top hackers also brag about their achievements in underground forums, and build their reputation there."

    Irene Tham

"Internet users in Singapore are easy targets as they may not be aware of phishing and may let their guard down," says CyberInt chief executive Amir Ofek.

A University of Texas at San Antonio (UTSA) study released in January offers a peek into how people fall for phishing.

In an experiment, subjects chose between genuine and sinister e-mails. Findings show that overconfident e-mail recipients are helping phishing to succeed.

"Many times, people think they know more than they actually do, and are smarter than someone trying to pull off a scam via an e-mail," says Dr H.R. Rao, a UTSA College of Business faculty member.

Even a security expert from NUS, who was involved in a security project funded by Mindef, has been tricked by phishing messages, reported The Straits Times last Thursday.

NUS computer science research fellow Prosanta Gope's computer was hacked just last Tuesday after he clicked on a link in a phishing e-mail, ostensibly from another colleague whose computer had also been hacked. Dr Gope's account was, in turn, used to send out phishing e-mails to other colleagues.

This prompted one NUS lecturer, who received the phishing e-mail from Dr Gope, to ask: "How are average Singaporeans expected to protect ourselves when the experts can't?"

WHAT CAN BE DONE?

Cyber security experts say the key is to be prepared.

Just as organisations hold fire drills, similar cyber attack and phishing drills should be developed for IT personnel and employees.

But The Sunday Times understands that such drills are not standard practice in organisations in Singapore.

Organisations should also lay down and enforce strict IT rules to keep their house in order.

A security expert with close links to universities here and in the region says that many researchers and students have little regard for IT rules - and little has been done to change that.

"They download a lot of stuff that is beyond the needs of their academic pursuits, and these include illegal music and movies," says the expert.

"The environment is like the Wild Wild West, a nightmare for system administrators," he says, stressing that someone must put a stop to such risky behaviour.

Mr Barnaby Grosvenor, director of cyber security at systems integrator Jardine OneSolution, which is part of British conglomerate Jardine Matheson, agrees. He says: "Our recent research shows that universities are among the most vulnerable organisations when it comes to phishing e-mail attacks."

There is also a need to use artificial intelligence (AI) to counter cyberthreats, which are increasingly being powered by AI tools.

Darktrace's Mr Aurora says: "Novel, stealthy infections travelling at machine speed require an equally fast response time, which is only possible through AI and machine-learning technologies."

The Singapore Government has already taken steps towards automation, almost doubling its cyber security budget to beef up defences, using cyber defence allocations in Israel and South Korea as benchmarks.

About 8 per cent of Singapore's infocomm technology budget has now been set aside for cyber security spending to plug gaps in critical infrastructure, up from about 5 per cent. In fiscal 2014, Singapore spent $408.6 million on cyber security.

Similarly, Israel stipulates that 8 per cent of its total government IT budget must go to cyber security, while South Korea channels as much as 10 per cent.

Prime Minister Lee Hsien Loong, when announcing the move in October last year, said: "We are investing more to strengthen government systems and networks, especially those that handle sensitive data, and protect them from cyber attacks. Singapore aspires to be a Smart Nation. But to be one, we must also be a safe nation."

A Government Technology Agency spokesman says the Government has put in place a range of measures, including hiving off Internet surfing from the computers of 143,000 public servants, for starters. It will also invest in next-generation solutions and technologies to safeguard systems and information.

Says the spokesman: "As the recent cyber attacks demonstrate, it is not just the Government that needs to be alert. Companies, institutions and individuals, too, have been impacted. We should neither be paralysed by fear nor lulled by complacency."

A new overarching Cybersecurity Act is in the works towards building a safe Smart Nation.

The Bill is being drafted and could require all operators of critical information infrastructure to proactively secure their systems and report security breaches immediately. Public consultation is planned for the middle of this year.

Ties have also been forged between Singapore's Cyber Security Agency (CSA) and its counterparts in France, India, the Netherlands, Britain and the United States to exchange best practices and intelligence.

CSA chief executive David Koh says: "Cyberthreats will continue to evolve and, in this volatile climate, collective action by governments, businesses (and) individuals will be our best defence.

"The WannaCry attack is a wake-up call (showing) how vulnerable Singapore and the rest of the world is. We need to do more to safeguard our online assets and we need to do it now."


Digital warfare - the new global arms race

Seven years ago, a USB drive infected with the Stuxnet computer worm found its way into Iran's Natanz uranium enrichment plant.

There, likely plugged into computers by unsuspecting engineers, the worm wreaked havoc, taking control of the uranium centrifuges and causing them to spin themselves to failure.

The use of the worm, which was reportedly developed by the United States and Israel, is widely regarded by cyber security experts as one of the first cyber attacks carried out by nation states. A documentary was even made about Stuxnet, called Zero Days, and it was screened in Singapore last year.

There have been other attacks since the one using Stuxnet in 2010. Last December the capital of Ukraine suffered a blackout for over an hour after cyber attackers hacked into the utility company and took power offline.

In 2015, the US Office of Personnel Management, the agency that manages America's federal civil service, discovered that hackers had swiped biometric data, such as fingerprints, of 5.6 million government employees.

Both incidents are suspected to be the work of nation states - Russia and China respectively.

The latest WannaCry ransomware attacks that began on May 12, and infected banks, hospitals and government agencies in about 150 countries, have shown links to a group connected to North Korea. As the digital space becomes a bigger part of daily life, such digital incursions will only become more apparent and frequent as countries use cyberspace to further their objectives.

"It's a natural extension of state activity and state-influenced activity, there is nothing illogical about it. (States) are simply responding to the technical capabilities," Sir John Scarlett, former head of the British intelligence service MI6, said earlier this month.

Sir John, who is now senior associate fellow at the Royal United Services Institute for Defence and Security Studies in the United Kingdom, was speaking at a panel discussion on digital warfare at the St Gallen Symposium in Switzerland.

He added that it was important to understand the motivations surrounding different forms of cyber attacks in order to best defend against them.

There are three main types which can be carried out by nation states or cyber criminals:

• Cyber espionage, where the primary intent is to stealthily gather and steal as much data as possible.

• Cyber attacks, where the intent is to harm systems, disrupt, deny or destroy the data and networks.

• Cyber crime, which uses the same digital tools as the former two but the intent is to generate financial gain.

Speaking at the same St Gallen conference, Ms Shira Kaplan, CEO of cyber security firm Cyverse, added that vulnerabilities in cyberspace would increase as digitalisation sped up, pointing out that by next year, there are going to be more than 20 billion devices connected to the "Internet of Things".

"Everything from our phones to our wallets, financial systems, nuclear plants, are going to be connected to the Internet, and that means a big risk," said Ms Kaplan, who was an intelligence analyst with the Israeli Defence Force.

STATE-SPONSORED ATTACKS

And as states move to exploit these vulnerabilities, this is already resulting in a "cyber arms race", where states are identifying digital weaknesses and developing cyber weapons that can be used to exploit them.

For instance, the perpetrators that deployed the WannaCry ransomware reportedly used a hacking tool developed by the US National Security Agency (NSA) to gain access to computers.

"It's completely inevitable. Obviously some actors are going to be already very advanced like the Russians, US and Israel - others will also be pulled into this arms race," said Ms Kaplan, in a separate phone interview with The Sunday Times last week.

And unlike physical attacks, state-sponsored cyber attacks are often difficult to prove or attribute.

"State-sponsored attackers thrive on stealth, denial and deception. The anonymity of Web-based attacks means that nation states can operate via puppet actors, which make it extremely difficult to prove links between individual hacks and state intelligence," said Mr Jeffrey Kok, CyberArk's director of Asia-Pacific and Japan.

These state actors can plant hidden malware on system networks which might remain untouched or dormant for years to achieve their goals, Mr Kok said.

Because state-sponsored attacks are hard to prove, this could "increase the propensity" of states to conduct cyber attacks, said Dr Michael Raska, from the S. Rajaratnam School of International Studies. "At the same time, as cyber defences also increase, it will be very difficult for lower-end hackers to operate," he added, pointing out that attacks will become more sophisticated and have more severe impacts.

According to Verizon's latest Data Breach Investigations Report, 18 per cent of data breaches last year were conducted by state-affiliated actors.

Public-sector entities comprised 12 per cent of all breach victims, the third-largest group after financial and healthcare organisations.

Already, cyber attacks are having ramifications in the physical world - the WannaCry ransomware hit Britain's National Health Service particularly hard, causing widespread disruptions and interrupting medical procedures across hospitals in the United Kingdom.

A nightmare scenario would be when such attacks cause a loss of human life.

Experts say organisations and governments should adopt the mindset that they already have been breached and install appropriate security to mitigate the risk.

"The question is, how quickly can you detect what is crawling in your system and how can you minimise the damage?" said Ms Kaplan.

The weakest link is most often human, said Mr Jerry Tng, vice-president of IT management software provider Ivanti in the Asia-Pacific.

He added that employees and IT users "need to receive ongoing training to help them spot potential attacks" such as phishing e-mails.

"For organisations that work in critical environments, (they need) to make sure that senior managers are aware that they also could be targeted for very specific cyber attacks," he said.

A version of this article appeared in the print edition of The Sunday Times on May 21, 2017, with the headline Cyber hackers and digital defences: Gone phishing... So, everyone, on guard.