Published in INDVSTRVS on 16 Sep, 2020
By Kumar Ritesh
The world was unprepared for the COVID-19 health crisis. Factories ground to a halt. Borders were closed. Office workers were asked to work from home. Streets were empty. Hospitals ran out of beds and ventilators. Toilet paper hoarding became a thing.
That was all in the first couple of months this year, and the world is now gradually rousing back to action with governments eager to resuscitate their economies. There is no more apt way to describe the world today than ‘VUCA’ – volatile, uncertain, complex, and ambiguous. And beneath the social, economic, and political turmoil lies the menace of cyber threats, risks and attacks.
The pandemic has triggered an unprecedented movement towards digitization, be it work, live or play. The mass migration to remote work has created the perfect environment for cyber criminals to thrive. Porous home networks have made it almost too easy for hackers to gain access to confidential and sensitive corporate data.
Fake VPNs that lure unsuspecting users into divulging credentials, thereby offering hackers access to corporate data, have increased many-fold during the course of the current health crisis. Phishing campaigns leveraging creative social engineering have also tricked employees into sharing information that hackers can either sell in dark web marketplaces or use for other malicious agendas.
The switch to digital ecosystems has resulted in an increase in attack vectors and surfaces. Hyper-connected systems have given cyber criminals pathways to manoeuvre across applications, databases and networks. Many traditional business models have given way to digital formats, and the hasty way in which applications and cloud services were launched overnight has resulted in a reduced emphasis on cyber security.
Compound all the above with the psychological element of people’s fear and uncertainty over the virus spread and we have a perfect storm where vaccine scams, and other COVID-themed cyberattacks are raging across nations.
The Asian threat landscape is particularly worrying. The China-United States trade war is not abating. When these giant economies collide, everyone feels the reverberations. The economic and ideological battle is also taking the form of cyber espionage, where wars are fought on the wire instead of the battlefield. Increased cyber attacks against businesses by state-sponsored or affiliated hackers seeking political hegemony have seen financial records, health records, and personal data pilfered, and this can very well include vaccine research information and other intellectual property.
The ongoing geopolitical competition across Asia – the China-India border conflict, the China-Japan race for supremacy, the Japan-Korea legacy animosity – has also caused an uptick in cyber espionage. Corporate espionage, in these cases, is focused not only on creating brand damage but also on securing competitive advantage. Actions often include exfiltrating intellectual property and R&D data. This sort of corporate espionage has significant ripple effects that can bring about the demise of corporations.
At CYFIRMA, we have picked up signals in our research indicating new cyber attack campaigns backed by suspected state-sponsored groups with affiliation to Chinese, Korean and Russian hacking communities. We see accelerated cyber exploit activities across many industries (automotive, aviation, education, energy, finance, healthcare, hi-tech manufacturing, pharmaceuticals, and telecommunications).
A particular Mission2025 threat actor group (suspected to have affiliation with the Chinese government) is alleged to have leveraged the ‘Speculoos Backdoor’ malware to target Citrix appliances running FreeBSD. The malware gets delivered via a known Citrix vulnerability and has the potential to infiltrate many corporate networks. This is a global campaign and organizations in Singapore, South Korea, Taiwan and Thailand have been on the receiving end.
Another threat actor group, Lazarus, widely known to be a North Korean state-sponsored vehicle, has been observed deploying advanced persistent threat (APT) tradecraft, open proxies, botnets, commodity malware, custom command and control protocols, DLL malware, and obfuscation techniques to carry out its cyberattack campaigns. Lazarus's most recent activity involved a major COVID-19 themed phishing campaign targeting India, Japan, Singapore, South Korea, the United Kingdom and the United States, where hackers masquerade as government authorities to elicit financial and personal information from unsuspecting individuals as well as business organisations. This campaign targeted over 5 million email accounts.
In Asia, we have also observed new entrants into cyber warfare. Developing nations in this region are getting into the game as our telemetry is picking up more noise and conversations amongst many other hacking groups. These emerging threat actors are leveraging commodity malware to execute their campaigns. This sort of malware is designed from readily available tools which hackers can quickly re-jig to launch attacks.
Across Asia, ransomware with the ability to conduct three-phased attacks is fast becoming the cyberattack method of choice among cybercriminals. This latest range of ransomware stems from extortion cartels like Maze, DoppelPaymer and REvil, where cybercriminals infiltrate the corporate network and exfiltrate data to hacker-controlled systems before encrypting files and leaving behind their ransom notes. The ransom demands have also increased from a couple of hundred in bitcoin equivalent to hundreds of thousands.
Asia, and particularly Southeast Asia (SEA), makes a lucrative target for hackers. The SEA economy consists of micro, small and medium enterprises (MSMEs) that account for between 89% and 99% of total establishments, and between 52% and 97% of total employment. The level of cybersecurity maturity of these MSMEs is relatively low, and the lack of IT know-how and resources makes them vulnerable to cyberthreats on all fronts. For cybercriminals looking to make a fast buck, MSMEs are perceived as easy targets.
According to CB Insights, Asia is also the home of many start-up powerhouses. There are an estimated 140-plus Asia-based unicorns out of a total of 400 globally. These companies hold massive amounts of information ranging from users’ financial records and spending habits to behavioural patterns and video/facial recognition data – a treasure trove for cybercriminals.
Asia’s youthful population is digitally connected and mobile-enabled. However, the lack of cybersecurity awareness makes the people here highly vulnerable to phishing attacks and other cybercriminal activities. For the population to stay digitally safe, cybersecurity education needs to be brought to the masses.
Against the backdrop of heightened cyber espionage, governments have a significant role to play in ensuring businesses can operate without the constant fear of cyber attacks. The regulatory environment can be improved to build cyber resiliency.
One action to take would be to make incident reporting mandatory. This will create a body of research data which can provide insights on threats to the nation and inform the government on strategies it can undertake to strengthen the nation’s cyber posture.
Another key area would be to impose mandatory risk and vulnerability assessments, at least biannually, on large enterprises. This will help identify threats early so that remediation can take place to close any cyber security gaps.
The third approach would be to commence attack vector assessments at least once a year – these assessments will uncover new attack surfaces as businesses adopt new digital formats and build further supplier-partner-customer connectivity.
A cyber reward culture can also be cultivated where the discovery of bugs and vulnerabilities is rewarded. This effort will uplift the cyber security community and promote a culture of knowledge sharing and joint solutions.
For many small and medium businesses looking to ensure cyber resilience, it is important to build a basic level of cyber hygiene. The most important element is ‘people’: employees and individuals must be educated on cyber threats and risks. This is particularly vital given the prevalence of phishing attacks and social engineering campaigns.
When it comes to processes, businesses should perform threat profiling, threat segmentation, zoning and risk containerization. Keeping core content encrypted would be both prudent and necessary. The basic process of daily data backup would be a good policy to adopt too.
From the technology perspective, businesses should incorporate layered defences with data and endpoint security, gateway-based security, and automated scanning, monitoring and malware removal.
Finally, when it comes to governance, businesses should incorporate a good cyber threat visibility and intelligence program to complete their cyber security strategy.
In Asia, cyber attacks are expected to increase exponentially in sophistication and volume, and yet defences remain rudimentary. Security efforts by most organisations have focused on building strong defensive walls designed to keep malicious actors, viruses and programs out; the reality is that these walls will only last until the attackers find a way over them.