This Southeast Asia Cyber Threat Landscape Report provides a comprehensive overview of the evolving cybersecurity landscape in the region. In recent years, Southeast Asia has witnessed a significant increase in cyber threats, driven by factors such as rapid digitalization, increased internet penetration, and geopolitical tensions. This report aims to provide key insights into the current state of cyber threats, and emerging trends.
The geographical scope of this report: Philippines, Vietnam, Indonesia, Malaysia, Singapore, Thailand
Yet to be updated: Malaysia, Singapore, Thailand
Updated Methodology: This is a running report. Our research team will update this report on an ongoing basis to keep the reader updated on the evolving cyber threat landscape of the region.
Trend: Ransomware attacks on critical infrastructure
Trend: Spyware, malware and plug-ins to collect data
Motive: Reputation impact, disruption, extortion
Trend: Brute force attacks, credential reuse and data exfiltration via malware
Motive: Operational disruption, espionage, IP exfiltration
Trend: social engineering/phishing. jump server Exploits, remote access tool compromise
Motive: Operational disruption, espionage, IP exfiltration
Trend: Device scanning, firmware, phishing/malware download
Motives: Disruption, data harvesting, remote attacks (DDOS)
Trend: Multi-behavioral malware (IT/OT, different operating system
Target: CII trade secrets documents containing proprietary processes
Ransomware attacks have surged across Southeast Asia, targeting both businesses and individuals. Criminal organizations have refined their tactics, often demanding hefty ransoms, posing a significant financial and operational risk.
State-sponsored cyber-espionage and cyber-attacks continue to be a major concern. Regional tensions have escalated the risk of cyber-attacks with political and economic motives.
SUPPLY CHAIN VULNERABILITIES
The supply chain has become a prominent attack vector, with adversaries exploiting vulnerabilities in third-party suppliers to compromise larger organizations. This underlines the importance of robust supply chain security measures.
IOT AND CRITICAL INFRASTRUCTURE RISKS
Internet of Things (IoT) devices and critical infrastructure are increasingly targeted, raising concerns about potential disruptions to essential services and infrastructure.
PHISHING AND SOCIAL ENGINEERING
Phishing attacks remain prevalent, often facilitated through social engineering techniques. Education and awareness campaigns are vital in mitigating these threats.
Financial Motivation: Indonesia is the largest economy in Southeast Asia and possesses abundant natural resources. This makes it an attractive target for cybercriminals seeking financial gains through activities such as hacking into financial institutions, conducting ransomware attacks, or stealing sensitive financial data.
Political Motivation: Indonesia is the world’s fourth most populous country and has a diverse political landscape. Political motivations for targeting Indonesia could include influencing elections, destabilizing the government, or compromising political figures or organizations.
Geopolitical Motivation: Indonesia’s strategic location in Southeast Asia, along with its large population and economic potential, makes it an important player in regional and global geopolitics. Threat actors with geopolitical motivations target Indonesia to gain a competitive advantage, disrupt regional stability, or gather intelligence.
With Indonesia ambitiously aiming to secure a position among the world’s largest economies by 2030, the manufacturing sector has become an appealing target for cyber threats. Threat actors may seek to exploit vulnerabilities within manufacturing infrastructure for various reasons, including potential economic disruption, theft of intellectual property, or industrial espionage.
Travel and Tourism
The diversity of Indonesia, comprising a huge number of islands, each offering a unique atmosphere, makes it particularly appealing to international travelers. The surge in foreign tourist arrivals further highlights the industry’s resilience following the easing of pandemic restrictions. Threat actors are likely interested in this sector due to its economic importance, the sheer volume of transactions, and the potential for exploiting vulnerabilities in the complex travel ecosystem, including booking systems, personal data records, and payment processes.
With Indonesian airports experiencing a surge in air traffic and the expansion of infrastructure to cater to tourist destinations, the need for robust cybersecurity measures Is crucial to safeguard against potential cyber threats and ensure the resilience of the aviation industry’s operations. The areas of growth highlighted by the International Trade Administration, including enhancements to ground infrastructure, runways, and air traffic systems, present specific points of interest for threat actors seeking to exploit potential vulnerabilities within the aviation sector.
Infrastructure and Construction
The Indonesian government’s substantial investment commitment of $430 billion from 2020 to 2024 amplifies the sector’s significance, making it a focal point for both economic development and potential cyber threats. As outlined in a report by PwC the critical areas of roads, tolls, ports, airports, railways, water, and power plants in Indonesia present significant opportunities for investment but also pose cybersecurity challenges. Threat actors may be drawn to this sector due to the potential for financial gains, the large-scale impact of disruptions to critical infrastructure, and the myriad of interconnected systems susceptible to cyber-attacks.
Indonesia stands as a significant player in the global mining industry, renowned for its substantial production of coal, gold, tin, copper, and nickel. Indonesia’s mining sector is poised to emerge as one of the top potential leading industries within the country. This prominence, however, also attracts the attention of threat actors within the cybersecurity realm. The strategic importance of the mining industry in Indonesia, contributing significantly to the country’s economy, makes it a lucrative target for cyber threats. Threat actors may be interested in exploiting vulnerabilities within the mining sector for various reasons, including potential financial gains, stealing sensitive geological data, disrupting operations, or engaging in industrial espionage.
In the Indonesian threat landscape, the surge of eCommerce has been a notable trend intensifying even more in the post-pandemic era. Dominated by platforms such as Tokopedia and Shopee, online shopping has gained significant traction, with a Deloitte survey indicating that 31% of Indonesians opt for online shopping due to its convenience and practicality. This dynamic eCommerce landscape not only presents opportunities but also presents ample opportunities for cybercriminals to exploit vulnerabilities, engage in data theft for monetization on the dark web, and conduct fraudulent transactions.
The Asia-Pacific region, with its significant population and pivotal role in global trade, is a focal point for geopolitical competition, primarily exemplified by the rivalry between the United States and China. Indonesia, as Southeast Asia’s largest economy, holds a vital position in this landscape, thanks to its economic growth and control of critical sea lanes. This competition is compounded by multifaceted geopolitical threats stemming from complex regional relations, demographic shifts, and climate change.
Notably, China’s ascent as a superpower shapes the key geopolitical concerns in the region, with the South China Sea disputes and the Taiwan issue at the forefront. China’s territorial claims extend to the South China Sea, including Indonesia’s exclusive economic zone in the Natuna Sea. This has led to territorial tensions, with near-armed conflict in 2019 and 2020.
Indonesia’s foreign policy historically emphasizes nonalignment, aiming to balance relations with the United States and China. Recent efforts have seen the mending of relations with China, with growing economic ties and political interactions. Simultaneously, Jakarta maintains strong security ties with the United States.
However, these developments strain relations with China, and as regional countries assert their sovereignty and economic interests, tensions could rise. Cyber espionage activities primarily target government entities but are expected to expand to non-governmental organizations and commercial entities. The Asia-Pacific region houses some of the world’s most active state-sponsored cyber actors, led by China, followed by Russia and North Korea, while India emerges as an aspiring cyber power.
The potential flashpoint in the regional security landscape centers around the Taiwan issue, with cyber campaigns likely preceding any conflict. While overt military confrontations remain unlikely, cyberattacks targeting various entities are projected to increase. Strengthening network security standards and cybersecurity practices is the top priority for businesses, as regional stability and economic prosperity depend on cybersecurity resilience in this volatile geopolitical environment.
We observed 5 campaigns targeting various industries in Indonesia during 2023. Chinese, Russian, and North Korean state-sponsored threat actors are behind most of these campaigns. Here are some details about observed sample campaigns.
Chinese state-sponsored threat actors targeting Indonesia could be motivated by various factors, including economic interests, geopolitical considerations, and regional dynamics. Economic espionage may drive attempts to acquire trade secrets and intellectual property, providing China with economic advantages. Geopolitical tensions or strategic interests in the Asia-Pacific region could lead to cyber activities aimed at gathering intelligence, exerting influence, or addressing security concerns. Additionally, the pursuit of military intelligence, political influence, or access to valuable resources in Indonesia may contribute to the motivation behind these state-sponsored cyber operations.
A discernible change is observed in the conduct of Russian threat actors. They are broadening their range of attacks to include additional geographical regions, such as the Asia-Pacific and EMEA, in addition to their typical targets in North America and Western Europe. Moreover, there is speculation that these actors might be planning retaliatory attacks, either directly or indirectly, against the United States and its allied nations.
In May 2023 LockBit Ransomware group successfully compromised Bank Syariah Indonesia (BSI); a subsidiary of the state-owned enterprise Bank Mandiri. The cyberattack resulted in the acquisition of 1.5 terabytes of data, including nine databases containing information about the bank’s employees and more than 15 million customers. The stolen databases contained sensitive data such as customers’ full names, phone numbers, addresses, proprietary documentation, account numbers, card numbers, NonDisclosure Agreements (NDAs), transaction histories, contracts, and passwords. Following the breach, LockBit demanded a ransom of US$20 million. However, negotiations between BSI and the ransomware group broke down, leading LockBit to publish the stolen data on various underground leak forums. This exposure heightened the risk of cyberattacks and scams targeting BSI clients and employees. In addition to the immediate consequences, the data breach poses long-term risks. Efforts to attract global investors may be adversely affected, and the bank faces potential legal consequences, including lawsuits and penalties.
Integra Group (www[.]integragroup-indonesia[.]com); Indonesia’s largest wood manufacturer group was compromised. An unknown threat actor advertised 3.57 GB data of 7 companies under Integra Group.
Badan Tenaga Nuklir Nasional (BATAN); an Indonesian Non-Ministerial Government Institution tasked with carrying out government duties in the field of research, development, and utilization of nuclear energy data got compromised and leaked in an underground forum. Leaked data contains the employee’s name, email address, and password.
During the period spanning from January 1st to October 12th, CYFIRMA’s advanced telemetry systems meticulously detected a staggering total of 568,521 phishing campaigns. Within this extensive dataset, it’s noteworthy that Indonesia emerged as the Third-most targeted geographic region in Southeast Asia.
The observed campaign in Indonesia reveals several prominent themes exploited in phishing attacks. Among these, the sectors most frequently targeted include Social Networking, Logistics and Couriers, Financial, Online/Cloud Services, and Email Providers. These findings shed light on the diverse range of sectors that malicious actors are leveraging to carry out phishing attacks within Indonesia. Understanding these prevalent themes is crucial for enhancing cybersecurity measures and safeguarding against the evolving tactics employed by cybercriminals.
Ransomware groups target Indonesia due to its significant and growing economy, increasing digital transformation, potential vulnerabilities in cybersecurity practices among certain organizations, geopolitical and economic motivations, the widespread use of cryptocurrencies, relative lack of cybersecurity awareness, regional and global connectivity, and, in some cases, political instability. The country’s expanding digital infrastructure and the perceived financial capacity of high-profile targets make it an attractive environment for cybercriminals seeking substantial ransom payouts. Notably, this threat landscape is influenced by formidable ransomware groups, including LockBit, BlackCat (Alphvm), and 8Base, which feature prominently on the list of perpetrators targeting Indonesian companies.
The top 20 exposed device vendors found across Indonesia
Most Exploited vulnerabilities in Indonesia
Over the past six months in Indonesia, the threat landscape has been significantly impacted by distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector bearing the brunt, accounting for a substantial 83.61% of the attacks. Internet-related services also faced notable disruptions at 6.03%, followed by the Telecommunications sector at 3.92%. Information Services, Gaming, and Retail were subject to lower but still impactful percentages, with 1.92%, 1.87%, and 0.59%, respectively. Sectors such as Financial Services, Website Design & Management, Computer Software, Gambling & Casinos, and Banking each experienced less than 1% of the attacks, ranging from 0.48% to 0.32%. The remaining category, labelled as “Others,” accounted for a minimal 0.12%. This comprehensive breakdown underscores the varied impact of DDoS attacks across different industries in Indonesia, emphasizing the diverse targets and the need for robust cybersecurity measures.
The financial sector is the most targeted industry by ransomware in the Philippines. This is because financial institutions store a large amount of sensitive financial data, which is valuable to cybercriminals.
The government sector is also a prime target for ransomware attacks. Government agencies control critical infrastructure and store a large amount of sensitive data, such as personal information and national security secrets.
The healthcare sector is vulnerable to ransomware attacks because it stores a large amount of sensitive patient data, such as medical records and financial information.
The education sector is also a target for ransomware attacks. Educational institutions store a large amount of student data and intellectual property, which is valuable to cybercriminals.
The retail sector is vulnerable to ransomware attacks because it processes a large volume of credit card transactions. Cybercriminals can use ransomware to encrypt credit card data and then demand a ransom payment in exchange for the decryption key.
In the past 90 days, the Philippines has experienced ransomware attacks from various groups, including Cl0p, Medusa, LockBit3, ALPHV, and Everest. These incidents highlight the ongoing and diverse cyber threats faced by organizations in the region, emphasizing the critical need for robust cybersecurity measures and vigilance to protect against ransomware attacks.
Recently, PhilHealth experienced a Medusa ransomware attack, accompanied by a $300,000 ransom demand. This led to the temporary suspension of the online systems of the state health insurer. After the ransom payment deadline passed, the responsible group uploaded more than 600 gigabytes of files to a leak site and a Telegram channel. The leaked information encompassed photos, bank cards, transaction receipts, and other sensitive data belonging to the victims.
Over the last six months, the Philippines has confronted a dynamic landscape of distributed denial-of-service (DDoS) attacks, revealing a nuanced distribution of threats across industries. The Information Technology and Services sector emerged as the primary target, facing a substantial 29.39% of attacks, signifying a heightened and specific risk. Close behind were Internet-based services and Information Services, each with significant percentages, underlining a noteworthy impact on entities involved in data management and online platforms. Noteworthy percentages in the gaming, telecommunications, and Internet sectors emphasize the breadth of the threat, necessitating heightened cybersecurity measures. Although facing comparatively lower percentages, sectors like banking and financial services underscore the critical need for robust cybersecurity practices to protect sensitive data. This multifaceted distribution highlights the diverse industries grappling with DDoS challenges in the Philippines, demanding tailored and vigilant cybersecurity strategies.
A massive data hack in April 2023, which exposed 817.54 gigabytes of both applicant and employee records under multiple state agencies, including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Special Action Force (SAF), has put the personal information of millions of Filipinos at risk.
Scanned copy of police officer’s national police clearance
Bureau of Internal Revenue Card with TIN
Cyber espionage is a growing threat to all organizations, including businesses, governments, and critical infrastructure. It is the use of computers and networks to steal sensitive information, such as trade secrets, government secrets, and personal information.
One specific area where cyber espionage is increasing is in the Philippines. CYFIRMA has identified two advanced persistent threat (APT) groups that have targeted the Philippines, namely, Earth Estries and FamousSparrow.
Earth Estries, a well-known hacking group, has become a major player in a cyber espionage campaign that targets government and technology sectors in multiple countries. The campaign was discovered in August, and its primary focus is on two regions: Asia (Philippines, Taiwan, and Malaysia) and Germany and the United States. Earth Estries has been linked to a highly sophisticated operation with extensive experience in cyber espionage and illicit activities. The campaign has been active since at least 2020 and has global implications.
Interestingly, there are overlaps in tactics, techniques, and procedures (TTPs) between Earth Estries and FamousSparrow.
Earth Estries demonstrates a high level of sophistication, using advanced skills and experience in cyberespionage and illicit activities. Their arsenal includes various backdoors and hacking tools, with a focus on evading detection. They use PowerShell downgrade attacks to bypass security measures and exploit public services such as GitHub, Gmail, AnonFiles, and File.io for communication and data transfer.
FamousSparrow is a cyber-espionage entity with connections to APT groups like SparklingGoblin and Metasploit, which have been associated with activities originating from China and has been targeting government and technology sectors in the Philippines, as well as other countries in Asia, South Africa, Germany, and the United States.
With a strategic emphasis on Information and Communication Technology (ICT), the Vietnamese government has undertaken initiatives to propel its development, recognizing its significance as a priority industry. The ambitious goal is to elevate Vietnam’s digital economy to an impressive US$50 billion by 2025, offering substantial growth prospects for the ICT market. This trajectory is underscored by World Bank data, indicating an annual growth rate of 10% in Vietnam’s digital economy, with the potential to exceed a formidable US$200 billion by 2045. Within this burgeoning digital landscape, the Vietnam Information Technology (IT) industry becomes a focal point of interest for threat actors. The convergence of economic ambitions and technological advancements renders the IT sector susceptible to cyber threats, with threat actors aiming to exploit vulnerabilities for economic gains, intellectual property theft, or to gain a competitive advantage.
The manufacturing sector stands as a pivotal force in Vietnam’s economic landscape, constituting a substantial 24.76% of the country’s GDP and contributing significantly to its merchandise exports, accounting for 85% in 2022. Notably, this industry’s prowess extends beyond traditional production, with recent years witnessing an uptick in the manufacturing of sophisticated products like automotive parts, consumer electronics, and telecom equipment, showcasing Vietnam’s commitment to technological advancement. Leveraging advanced technologies, the Vietnamese manufacturing industry has earned a competitive edge, producing high-quality goods at a cost-effective scale. In the context of the threat landscape, the strategic importance and economic impact of Vietnam’s manufacturing industry make it an attractive target for threat actors. Cyber adversaries may seek to exploit vulnerabilities in the industry’s digital infrastructure for various motives, including economic espionage, intellectual property theft, or disrupting supply chains. Recognizing the nexus between technological innovation and economic growth, safeguarding the manufacturing sector becomes imperative, necessitating robust cybersecurity measures to protect against evolving threats and preserve Vietnam’s economic resilience.
Amidst the first half of 2023, Vietnam’s tourism sector showcased notable growth, welcoming nearly 5.6 million international visitors, achieving 70% of the annual target. Projections from Future Market Insights anticipate a robust tourism revenue of US$27,500 million by the year’s end, with a long-term forecast envisioning an impressive US$135,000 million by 2033. Within this thriving landscape, the Vietnam tourism industry becomes an intriguing target for threat actors. The sector’s economic significance, driven by increasing international footfall and substantial revenue projections, makes it an attractive focal point for cyber adversaries. Threat actors may aim to exploit vulnerabilities in the industry’s digital infrastructure for diverse reasons, such as financial fraud, data theft, or disrupting the country’s image as a tourist destination. Recognizing the symbiotic relationship between a secure digital landscape and the sustained growth of Vietnam’s tourism sector, it becomes imperative to fortify cybersecurity measures to safeguard against potential threats and preserve the industry’s positive trajectory.
The logistics sector in Vietnam stands out as a rapidly expanding industry, constituting approximately 4.5% of the country’s GDP. Positioned as the 10th among emerging logistics markets globally, Vietnam’s logistics market is valued at US$40 billion, with projections estimating a market size of US$45.19 billion by end of 2023 and an anticipated growth to US$65.34 billion by 2029. Notably, over 30 companies, including industry giants like DHL, FedEx, and Maersk, contribute to the provision of international logistics services in Vietnam. Within this dynamic context, the Vietnam logistics industry emerges as a focal point for threat actors. The sector’s substantial economic contribution and strategic position in global logistics networks make it an appealing target for cyber adversaries. Threat actors may seek to exploit digital vulnerabilities in the logistics infrastructure for motives such as supply chain disruption, data theft, or financial fraud. Recognizing the critical role of secure logistics in supporting economic activities, fortifying cybersecurity measures becomes imperative to mitigate risks and ensure the resilience of Vietnam’s logistics industry against evolving cyber threats.
With a current valuation of USD 23.1 billion, the Vietnam construction market is poised for substantial growth, projected to register a robust CAGR of over 8.5% in the forecast period. Emerging as the latest East Asian growth engine, Vietnam has captivated the interest of international investors, underscoring its strategic importance in the global construction landscape. However, this burgeoning sector also attracts the attention of threat actors in the Vietnam threat landscape. The construction industry’s pivotal role in the country’s economic development, coupled with its increasing international prominence, makes it an attractive target for cyber adversaries. Threat actors may aim to exploit digital vulnerabilities within the construction infrastructure for motives such as intellectual property theft, economic espionage, or disrupting critical projects. Recognizing the interconnectedness of digital infrastructure and the construction industry’s growth, bolstering cybersecurity measures becomes imperative to safeguard against potential threats and ensure the sustained development of Vietnam’s construction sector.
Between Jan to October 2023, as part of the external threat landscape monitoring and analysis, we observed 12 campaigns targeting various conglomerates. The following trends have been observed of the different State-Sponsored groups and Cybercriminals who have potentially carried out the observed #cyberattack campaigns:
No. of campaigns carried out by North Korean Groups: 4 out of 12 (33.33%)
No. of campaigns carried out by Chinese Groups: 3 out of 12 (25%)
No. of campaigns carried out by Russian Groups: 5 out of 12 (41.67%)
In the last six months, Vietnam’s threat landscape has undergone a notable impact from distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector being particularly affected, representing a significant 92.06% of the attacks. Moreover, a substantial 45.46% of these attacks endured for periods exceeding three hours, indicating a prolonged and impactful threat scenario. Additionally, attacks within the one to three-hour duration range accounted for 16.85%, underscoring a notable proportion of sustained assaults. Examining bitrates, attacks with speeds ranging from 500 Mbps to 1 Gbps constituted 12.64%, while those with less than 500 Mbps made up the majority share at 85.64%. This diverse distribution highlights the necessity for a comprehensive and adaptive cybersecurity strategy to effectively mitigate the varying intensities of DDoS threats in Vietnam.
LockBit ransomware has primarily targeted Manufacturing, Healthcare, Transportation & Logistics, Telecommunications, and Food & Beverages sectors in Vietnam, affecting the largest proportion of victims at 37% among all targeted organizations.
Top 5 Targeted Countries in Asia
Phishing themes distribution
Most Impersonated Brands
Between 1st January and 11th October, CYFIRMA’s telemetry recorded 648,306 phishing campaigns. In that 12,862 are attributed to Vietnam.
Most Exploited vulnerabilities in Vietnam
We observed Atlassian Confluence has been actively exploited by threat actors in Vietnam.