Net of the living dead: Hacker-controlled zombie devices triple in Singapore

The sharp rise in botnet drones and the servers controlling them could be due to cyber criminals seizing opportunities created by the pandemic.
The sharp rise in botnet drones and the servers controlling them could be due to cyber criminals seizing opportunities created by the pandemic.ST PHOTO: KELVIN CHNG

SINGAPORE - "Zombie" devices linked to the Internet, and infected with malware that allow hackers to control them and launch cyber attacks, have tripled their numbers here amid the Covid-19 pandemic, according to the latest government findings.

An average of 6,600 malware-laced devices, also called botnet drones, were observed here last year on a daily basis, a big jump from 2,300 in 2019, said the Cyber Security Agency of Singapore (CSA) in a report released on Thursday (July 8).

These devices can be computers, routers and even smartphones hijacked by hackers. Infected with malware, they act like zombies or drones that, without the knowledge of their owners, "mindlessly" follow the instructions of hackers.

By sending commands to large groups of such devices, called botnets, hackers can use them to carry out cyber attacks. This can include causing information technology systems to crash, breaching systems to steal data, phishing information from victims and launching ransomware attacks that cause digital files to be locked up until the hackers are paid.

The number of systems used to control botnets, also called command and control servers, found in Singapore also nearly doubled.

CSA said 1,026 of these servers were recorded here last year, up from 530 in 2019.

The sharp rise in botnet drones and the servers controlling them could be due to cyber criminals seizing opportunities created by the pandemic, said Ms Genie Sugene Gan, cyber-security firm Kaspersky's head of public affairs and government relations for Asia-Pacific.

She explained that IT teams were very stretched because the coronavirus caused businesses to go digital at a breakneck speed.

"Perhaps, cyber security was forced to take a backseat as companies were primarily concerned with business survival and inevitably prioritised business continuity," said Ms Gan.

She added that hackers were also exploiting people who were emotionally and physically vulnerable last year.

"The fear and anxiety brought about by the health crisis plus the need to adapt to lockdown restrictions made every one of us fall prey more easily to cyber attacks, particularly through social engineering like phishing, scams, spams and more," said Ms Gan.

One of the main malware programs spread last year by servers that control botnets here was Emotet, which CSA said is known to use sophisticated social engineering tactics.

Last year, cyber-security firms warned that spam e-mails masquerading as coronavirus alerts from legitimate organisations were being used to trick people into downloading Covid-19 documents which were really Emotet in disguise.

As for why hackers sited so many of the servers in Singapore to control zombie devices, Ms Gan said that this is a by-product of the country's highly developed digital infrastructure and its role as a regional data hub.

Kaspersky's own findings showed that Singapore retained its place as the No. 10 source of online threats globally in 2020.

CSA's report also said that ransomware cases in the Republic surged 154 per cent from 2019's 35 cases to hit 89 last year.

While most of the cases reported were from small- and medium-sized enterprises (SMEs), ransomware operators were observed to be fishing for larger victims in the manufacturing, retail and healthcare sectors, said the agency.

Police figures show that cyber extortion jumped 260 per cent as well, to hit 245 cases last year, from 68 in 2019.

The average number of local ransomware cases a month increased from April last year, which coincided with the start of the two-month circuit breaker period.

CSA said this could possibly be due to more people telecommuting and adopting insecure practices to get work done during prolonged lockdown periods.

It warned that "with the shift in global focus to vaccine development and roll-outs, ransomware operators are likely to evolve their campaigns accordingly and target the vaccine-related supply chains and industries".

Mr Eric Hoh, president for Asia-Pacific at cyber-security firm FireEye Mandiant, said that organisations, in particular SMEs, that have lower priorities in cyber-security investments could become easy targets for ransomware.

He said the manufacturing, retail and healthcare sectors are traditionally not IT-centric, so their cyber-security awareness is lower than industries like technology or finance.

This makes them more prone to phishing attempts or less likely to understand the importance of managing patches for IT systems, he said. Patching software regularly can help plug security holes that hackers exploit.

The spike in ransomware cases here could be due to a trend of ransomware hackers becoming guns for hire as well.

Mr Hoh said that this "ransomware as a service" model "dramatically lowered the barriers of entry for malicious actors, which in turn increased the attack volumes tremendously".

He added that ransomware is no longer just a nuisance like in the past, but can now severely disrupt businesses.

Several high-profile ransomware cases in recent months include the Colonial Pipeline attack in the United States in May that affected the fuel supply for about 50 million customers.

Then over the weekend, a ransomware attack centred on US IT firm Kaseya, which helps other firms manage their IT networks, is estimated to have affected between 800 and 1,500 businesses worldwide.

Minister for Communications and Information Josephine Teo said in a written parliamentary reply on Tuesday that steps have been taken here in the light of the ransomware threat.

For instance, CSA has directed sectors with critical information infrastructure - such as energy and land transport - to boost their cyber security, like beefing up their ability to detect suspicious activities quickly, backing up their data regularly and storing it offline, and ensuring employees know what to do when an attack hits. The Government has also taken similar steps.

But Mrs Teo stressed that the ransomware threat goes beyond attacks on essential services or government agencies, as "it can strike any of us or our organisations, denying us access to our data or disrupting our businesses or operations".

She urged organisations and the public to take preventive action - like in the advisories CSA has been sending out - before any ransomware attack hits them.

The agency's report also said that the number of phishing sites detected with a Singapore link remained steady at 47,000 last year, a slight 1 per cent dip from 2019.

Cybercrime jumped in 2020 to reach 16,117 cases, up from 9,349 in 2019. It accounted for 43 per cent of all crime in Singapore last year, going by police figures.

Most of the cybercrime cases last year were for online cheating with 12,251 cases, a spike from 7,580 in 2019.