
THE CHANGING CYBER THREAT LANDSCAPE: ASIA-PACIFIC (APAC) REGION – Volume 1

Published On : 2024-06-08

EXECUTIVE SUMMARY

The Asia Pacific (APAC) Threat Landscape Report provides a comprehensive overview of the evolving cybersecurity landscape in the region. In recent years, Asia Pacific has witnessed a significant increase in cyber threats, driven by factors such as rapid digitalization, increased internet penetration, and geopolitical tensions. This report aims to provide key insights into the current state of cyber threats and emerging trends.

THE GEOGRAPHICAL SCOPE OF THIS REPORT
India, Indonesia, Australia, Bangladesh

APAC Volume – 1
Australia, Bangladesh, India, Indonesia

APAC Volume – 2
Japan, Malaysia, Philippines, Vietnam

YET TO BE UPDATED
New Zealand, Singapore, South Korea, Taiwan, Thailand

UPDATED METHODOLOGY
This is a running report. Our research team will update this report on an ongoing basis to keep the reader updated on the evolving cyber threat landscape of the region.

THREAT LANDSCAPE TODAY

01 MOVEMENT FROM DIGITAL TO KINETIC TARGETS
Trend: Ransomware attacks on critical infrastructure
Motives: Disruption/Geopolitical/Extortion

02 DATA EXFILTRATION FROM IOT DEVICES
Trend: Spyware, malware, and plug-ins to collect data
Motive: Reputation impact, disruption, extortion

03 EXPLOITATION OF LEGACY SYSTEM
Trend: Brute force attacks, credential reuse, and data exfiltration via malware
Motive: Operational disruption, espionage, IP exfiltration

04 CROSS-ENVIRONMENT ATTACK
Trend: Social engineering/phishing, jump server exploits, remote access tool compromise
Motive: Operational disruption, espionage, IP exfiltration

05 USE OF BOTNETS, AI, DEEP FAKE
Trend: Device scanning, firmware, phishing/malware download
Motives: Disruption, data harvesting, remote attacks (DDOS)

06 SUPPLY CHAIN OF INFRASTRUCTURE, UTILITY COMPANIES REMAIN AT RISK
Trend: Multi-behavioral malware (IT/OT, different operating systems)
Target: CII trade secrets documents containing proprietary processes

ASIA PACIFIC KEY FINDINGS

INCREASED SOPHISTICATION OF CYBER ATTACKS
The region has witnessed a rise in the sophistication of cyber attacks, with threat actors employing advanced techniques to compromise systems and networks.

TARGETED THREATS AGAINST CRITICAL INFRASTRUCTURE
Critical infrastructure sectors face heightened risks, with threat actors showing a growing interest in targeting key industries such as energy, finance, and telecommunications.

RISE IN RANSOMWARE INCIDENTS
Ransomware attacks have surged in frequency and severity, posing significant challenges to businesses and government entities. The attackers often demand cryptocurrency payments for the release of compromised data.

NATION-STATE THREATS AND CYBER ESPIONAGE
Evidence suggests an increase in nation-state-sponsored cyber activities, including cyber espionage and information warfare. This poses significant geopolitical and security concerns for the region.

SUPPLY CHAIN VULNERABILITIES
The report identifies vulnerabilities in the regional supply chain, with cybercriminals exploiting weaknesses in third-party relationships to gain unauthorized access to targeted organizations.

INDIA

THE CHANGING TRENDS IN INDIA AND ASSOCIATED CYBER THREATS

Digital Payments and Financial Services
India’s digital payments and financial services landscape is experiencing robust growth, fueled by innovations such as the Unified Payments Interface (UPI) and the Bharat Bill Payment System (BBPS). These platforms have significantly simplified transactions and increased their volume. This advancement is supported by the Reserve Bank of India’s regulatory measures that encourage new technologies, including the digital rupee and more sophisticated payment methods. Concurrently, the surge in digital transactions has also led to increased cybersecurity threats, with banking customers facing phishing, vishing, and smishing schemes, and financial institutions being targeted by ransomware and malware attacks.

Work from Home and Remote Operations
In India, remote work and operations have expanded significantly, accommodating a variety of job roles across sectors. This transformation, accelerated by the pandemic, has led to more flexible working conditions and a shift towards hybrid and fully remote jobs. However, this shift to remote operations has also brought with it an increase in cybersecurity threats. Remote work environments often lack the stringent security measures found in traditional office settings, making them more vulnerable to attacks. Cyber threats such as phishing, malware, and ransomware have become more common, targeting both individual remote workers and the IT infrastructures of large organizations.

E-Governance and Digital India Initiatives
India’s e-governance and Digital India initiatives have revolutionized how citizens access government services, enhancing efficiency and creating a digitally empowered society. These programs focus on developing a robust digital infrastructure and ensuring services are accessible on demand while promoting digital literacy. However, this digital shift also increases cybersecurity risks, including advanced persistent threats to government data, disruptive DDoS attacks, data breaches, and unauthorized access.

Healthcare Digitalization
In India, the healthcare sector is increasingly leveraging digital tools for efficient patient data management, telemedicine, and research initiatives. This digital transformation, while beneficial, also introduces significant cybersecurity risks. Prominent among these are data theft incidents, where sensitive personal health information (PHI) is targeted, and ransomware attacks on medical and research institutions.

Growth of E-Commerce
India’s e-commerce sector is experiencing rapid growth, projected to significantly expand from its current market size due to increased internet penetration and evolving consumer behaviors. The market’s expansion is driven by digitalization, facilitating a broader reach into tier-2 and tier-3 cities and introducing new ways to shop and transact online. This boom has not only expanded consumer access but also amplified vulnerabilities within the digital commerce space. One notable risk is supply chain attacks, where the integrity of products and services is compromised through third-party vendors. Additionally, the sector faces serious threats from customer data breaches, involving theft of large databases that contain personal and payment information of users.

Increased Use of IoT Devices
The increasing use of IoT devices in India has greatly enhanced connectivity and utility in various sectors including healthcare, manufacturing, and consumer goods. However, this expansion also presents significant cybersecurity challenges. As the number of connected devices grows, so does the complexity of managing their security. Key threats include IoT botnets, which have seen a sharp increase in activity, and are often used for DDoS attacks that can disrupt network services. Other prevalent risks involve the exploitation of device vulnerabilities, which can lead to unauthorized access and control over devices.

Rising Cyber Espionage
Amid escalating geopolitical tensions, there has been a notable increase in cyber espionage activities within the region, particularly targeting the government, defense, and high-tech sectors. These operations often involve state-sponsored attacks that aim to spy on critical national infrastructure and strategic industries, jeopardizing national security. Additionally, there is a significant threat from the theft of intellectual property, where foreign entities target proprietary technologies and research to gain competitive advantages.

Global Leadership
India’s emerging role as a global leader has inadvertently increased its exposure to cyber threats, making it a more attractive target for cyberattacks. This heightened profile, combined with its significant advancements in technology and digital infrastructure, invites more sophisticated cyber threats from various international actors. These actors are often motivated by geopolitical tensions or the desire to disrupt India’s growing influence and economic progress.

TRENDS IN THE INDIA THREAT LANDSCAPE

  • Growth in economic activities in India, especially in various industrial sectors like manufacturing, information and communication technology, financial services, e-commerce, and pharmaceuticals, attracts financially motivated threat actors, state-sponsored threat actors, and other threat actors interested in data leaks.
  • The surge of eCommerce and digital payments has been a notable trend, intensifying even more in the post-pandemic era.
  • Russian, Chinese, Pakistani, and North Korean threat actors actively target Indian organizations.
  • Cyber-attacks on Indian organizations not only cause financial and reputational damage but also have a negative impact on attracting investments from potential global investors.
  • The adoption of emerging technologies, such as Internet of Things (IoT) devices, cloud computing, and artificial intelligence (AI), introduces new cybersecurity challenges. Vulnerabilities in IoT devices, for example, can be exploited to launch large-scale botnet attacks or infiltrate corporate networks.
  • The Micro, Small, and Medium Enterprises (MSME) sector, which accounts for approximately 45% of India’s total industrial employment, faces significant cyber threats due to limited resources resulting from financial constraints. This not only jeopardizes their operations but also exposes the broader supply chain to potential compromises.

GEO-POLITICAL RISK FACTORS

  • India’s security is inextricably linked to the security of its neighbors, and it must carefully balance its relationships with both China and Pakistan to maintain peace and stability in the region.
  • India also bridges the widening global geopolitical divides. It is a member of BRICS and the Shanghai Cooperation Organization with Russia and China, but also a key member of the Quadrilateral Security Dialogue (QUAD) with the United States, Japan, and Australia.
  • India’s strategic autonomy has evolved with changing global patterns, from strategic to non-alignment in the Soviet–American rivalry era towards a new strategy of multi-alignment in times dominated by the Chinese–American competition.
  • Unlike China, India seeks to work within the established world order, while it mainly focuses on its immediate neighborhood, where it has a long-term strategic rivalry with Pakistan and China.
  • India is pursuing a policy of multi-alignment, which means that it is not aligning itself exclusively with any one major power. This gives India more flexibility and allows it to play a more active role in global affairs.
  • The rise in India’s strategic importance led to the reframing of the Pacific Theater into the Indo-Pacific Theater. The majority of global trade passes through the straits of Malacca, the South China Sea, and the Indo-Pacific region, and the amount of commerce projected to flow through India’s neighborhood is steadily rising, as is India’s role in the region.
  • India is significantly expanding its defense cooperation in the region and is elevating relations with ASEAN countries into a comprehensive strategic partnership, recently conducting the first-ever ASEAN-India maritime exercise on top of other significant bilateral developments.
  • India is well-positioned to take advantage of the Western push to relocate technology manufacturing from China. The country has a large and skilled workforce, a growing manufacturing sector, and a favorable business environment.
  • The West has recently pushed India toward decoupling from Russia, with which it has historically important ties, including sourcing of hydrocarbons and some key military technologies.
  • India is aware of Russia’s growing dependence on China, which can pose a serious problem for India in the long term. Moreover, India’s relations with the US are now at their highest level ever, with India diversifying its military procurements, while also attempting to indigenize them.
  • Despite the current tensions between India and Russia, the relationship is unlikely to collapse completely. India’s most important rivals in the international arena remain Pakistan and China, both of which are sponsoring cyber threat actors that could exploit vulnerabilities in India’s rapidly digitizing economy.

TRENDS FROM THE DARK WEB

We observed 42 campaigns targeting various industries in India during 2023. Chinese, Russian, Pakistani, and North Korean state-sponsored threat actors are behind most of these campaigns.

CAMPAIGNS TARGETING INDIA

TOP THREAT ACTOR ENGAGED IN OBSERVED CAMPAIGNS

In 2023, there was a substantial rise in the number of observed campaigns, a marked increase when compared to the preceding two years. This uptick highlights the heightened interest of threat actors in the economic and geopolitical dynamics of India.

Top Targeted Industries in India Observed in the Campaign

In the observed cyber campaigns, threat actors have methodically targeted a multitude of industries within the critical infrastructure. This deliberate focus is generating substantial economic and social repercussions within the threat landscape, amplifying its overall impact.

TOP ATTACKED TECHNOLOGY

TOP OBSERVED MALWARE

In the observed campaigns, threat actors focused on attacking web applications, operating systems, and various other applications.

Here are some details observed in sample campaigns.

| Malware Name | Targeted Services/Vulnerabilities | Campaign Name | Suspected Threat Actor | Target Industries | Target Geographies |
| --- | --- | --- | --- | --- | --- |
| NukeSped RAT, DLRAT | Web Application | Gather speed | Lazarus Group | Banks, Diversified Financial Services, Professional Services | Canada, South Korea, United States, Japan, United Kingdom, Australia, India |
| Winnti, Commodity Malware | Web Application | Camaro Delta | Mustang Panda, MISSION2025 | Aerospace & Defense, Multiline Retail, Marine, Government, Industrial Conglomerates, Internet & Direct Marketing Retail, Wireless Telecommunication Services, IT Services, Transportation Infrastructure, Communications Equipment, Diversified Financial Services | Vietnam, South Korea, Singapore, the United States, the Philippines, Japan, Taiwan, Australia, Thailand, India, Indonesia |

RANSOMWARE TREND

Ransomware groups target India primarily because of its vast and rapidly digitizing economy, which includes a burgeoning IT sector, extensive digital payment systems, and a growing reliance on technology across both public and private sectors. These factors create numerous vulnerabilities that cybercriminals can exploit. India’s diverse cyber infrastructure often lacks uniform security measures, making it easier for ransomware attacks to penetrate less secure systems. Furthermore, the high value and critical nature of data handled by Indian businesses and government agencies make them attractive targets for ransomware attacks aimed at securing large ransoms. The overall combination of high-tech adoption rates and varied cybersecurity readiness presents ample opportunities for ransomware groups to capitalize on.

We observed a significant increase in ransomware victims from India. Notably, this threat landscape is influenced by formidable ransomware groups, including LockBit, BlackCat (ALPHV), and Clop, which feature prominently on the list of perpetrators targeting Indian companies.

Top Targeted Industry: Ransomware

Banking and Finance, Manufacturing, Computer Services, Health Care, and Information Technology are the top targets of ransomware actors in India.

PHISHING

Over the past year, CYFIRMA’s advanced telemetry systems detected a total of 953,182 phishing campaigns. This sample size gives us enough insight into the overall threat landscape. Geography is based on the ASN origin of the email. India ranks among the top targeted countries in the APAC region.

Top APAC Countries

Top Impersonated Brands in India

Top Targeted Industries

The observed campaign in India reveals several prominent themes exploited in phishing attacks. Among these, the sectors most frequently targeted include Software, Financials, Online/Cloud Services, Government, Logistics, and Telecommunications. These findings shed light on the diverse range of sectors that malicious actors are leveraging to carry out phishing attacks within India. Understanding these prevalent themes is crucial for enhancing cybersecurity measures and safeguarding against the evolving tactics employed by cybercriminals.

HACKTIVIST

In the ongoing conflict between Israel and Palestine, numerous pro-Palestine hacktivist groups from countries such as Indonesia, Brazil, Bangladesh, Turkey, and Pakistan have targeted India’s cyberspace due to India’s stance on Israel. These hacktivist groups have engaged in various activities including defacing, DDoSing, and leaking data from low-security level organizations, schools, universities, and government websites. Additionally, multiple hacktivist groups have been observed resharing old leaked data, falsely claiming it as their own to incite public concern. However, many of these groups are merely obtaining data from underground forums and reposting it on platforms like Telegram, exaggerating their involvement in the leaks.

On April 23, 2024, the Indonesian hacktivist group known as Anon Black Flag defaced the website of Avecgroup, a company involved in real estate business.

On April 20, 2024, a group named irfannotsepuh, an Indonesia-based hacktivist group, conducted a DDoS attack on the website of Neo Foods, a Bangalore-based food processing company, specializing in preserved vegetables and culinary products.

On April 17, 2024, the Indonesian hacktivist group Z-BL4CX-H4T launched an attack on the Public Works Department of Uttar Pradesh, extracting data from their systems. They subsequently shared a sample of the extracted data within their group.

On April 3, 2024, Anonymous Egypt reshared a leaked database of Agri India, an organization likely associated with an AgriTech Hackathon, aimed at addressing challenges within the agricultural sector by proposing tech solutions.

On March 20, 2024, the Pro-Palestine Hackers Movement group claimed to have attacked HVL, an electrical equipment company.

On March 8, 2024, the Indonesian hacktivist group Z-BL4CX-H4T claimed responsibility for hacking Transforce, a company specializing in air and rail cargo transportation.

On January 31, 2024, Lulzsec Indonesia reposted a DDoS attack originally carried out by another Indonesian hacktivist group, Toxcar Cyber Team, targeting the official website of Indian coal authorities.

There have been instances of Indian hacktivist groups engaging in cyber-attacks against the cyberspace of other countries. In response, hacktivist groups from those targeted countries have initiated counterattacks, leading to a cycle of cyber warfare. This escalation reflects a growing trend of hacktivist activities resembling a virtual conflict between nations.

Indian Hacktivist Groups

  • Garunops
  • Network nine
  • Team UCC
  • Team DarkCyber Warrior
  • Team BlackDragonsec
  • Team NWH Security
  • KERALA CYBER BLACK SQUAD
  • Kerala Cyber Xtractors
  • INDIAN CYBER SANATANI
  • Silent-one
  • IndianCyberForce
  • Hacktivist Vanguard
  • Glorysec

Other nation groups attacking Indian Cyber Space

  • Anonymous Arabic
  • 313 team
  • TOXCAR CYBER TEAM
  • ETHERSEC TEAM CYBER
  • Nusantara
  • GARUDA_CYBER_OPERATION
  • GHOST_[6669]_TEAM
  • Anonymous_Global
  • Anonymous_Muslims
  • GBAnon17
  • Anon Black Flag
  • Fredens Of Security
  • Cyber Sederhana Team
  • Bandung Cyber Team
  • LEGION7_HACKERS_TEAM
  • Lulzsec Indonesia
  • Esteem Restoration Eagle
  • KETAPANG_GRAY_HAT
  • HIZBULLAH_CYB3R_TEAM
  • IXP666SECTEAM
  • CIPINANG_BLACKHAT
  • KuninganExploiter
  • ZERO-XPLOITS-ID
  • 5UL4WES1_TENG4H_BL4CKHT
  • TEAM_HEROX
  • IRoX_TEAM
  • Anonymous Bangladesh

Hacktivist attacks on the Indian government and critical infrastructures lead to severe consequences, including the disruption of governmental services and critical operations, such as healthcare, finance, and utilities, potentially leading to economic losses. Such attacks could also compromise sensitive data, undermining national security and eroding public trust in government institutions. Additionally, these cyber incidents could escalate geopolitical tensions if foreign entities are implicated, increasing the risk of retaliatory cyber actions and straining international relations. The overall impact can hinder the nation’s technological progress and deter foreign investments, posing long-term challenges to India’s economic and strategic stability.

DATA LEAKS

Data leaks play a crucial role in the landscape of cyber threats, acting as a significant vulnerability that can lead to a wide range of security issues and potential damages. When sensitive or confidential information is accidentally exposed or intentionally stolen and released, it can lead to identity theft, financial fraud, and a severe loss of trust and reputation for the affected organization. Such leaks often provide cybercriminals with the necessary data to conduct more targeted and effective attacks, such as phishing schemes, ransomware attacks, or further unauthorized access into secure systems. Additionally, data leaks can result in hefty regulatory fines and legal challenges, especially if the leaked information includes personally identifiable information (PII) protected under data privacy laws.

CYFIRMA encountered a threat actor named Tanaka, who is selling a database related to Mutual Fund Investment in India, specifically ZFUNDS. This database allegedly contains sensitive information including IC number, name, address, mobile number, gender, date of birth, and more. Such a breach poses a significant risk to the privacy and security of individuals’ financial information, underscoring the urgent need for enhanced cybersecurity measures within the investment sector.

CYFIRMA came across a threat actor known as ShakalaBumBum, who claims to be a Pakistani hacker. They boast of hacking into India’s CERT network and obtaining data from Indian Oil, an oil company. Additionally, they’ve purportedly leaked government data from entities, such as the police and BSNL.

CYFIRMA detected a threat actor operating under the alias IntelBroker, who is offering for sale a database purportedly from XpressBrees, a B2C logistics company. This database may contain sensitive information pertaining to logistics operations and customer details.

CYFIRMA came across a threat actor known as SenjorZeroday, who is offering for sale a database allegedly from Indradhanush Gas Grid Limited. This poses a serious security risk, particularly within critical infrastructure sectors.

CYFIRMA identified a threat actor known as KrytonZambie, who is advertising the sale of databases from LeadSquared, a marketing automation and CRM software provider for businesses, and WeRize, a company creating software for financial products. The threat actor claims to still have access to their networks, indicating a serious security breach.

CYFIRMA identified a threat actor known as “888”, who is selling a database purportedly containing information about India’s exports, Indian ports, foreign ports, and more. This compromised data presents significant risks, potentially impacting national security and economic interests. It underscores the urgent need for heightened cybersecurity measures to safeguard critical information about trade and logistics.

CYFIRMA encountered a threat actor known as Tanaka, who is selling a database purportedly from GoldenPay, an Aadhaar-enabled payment system, facilitating online financial transactions at POS/Micro ATM. This database likely contains sensitive financial information and personal details of users.

INITIAL ACCESS ACTIVITIES

CYFIRMA identified a threat actor operating under the name PirateJack, who is selling access to Indian companies across various sectors, including IT companies and business services. Additionally, other threat actors are reportedly selling VPN and RDP access. Such activities pose serious cybersecurity threats to Indian businesses, emphasizing the critical need for enhanced security measures to protect against unauthorized access and data breaches.

CYFIRMA detected a threat actor using the alias BLBEV2, who is selling VPN access purportedly from RailTel Corporation of India, a broadband and VPN services provider company, with potential connections to Indian Railways.

ASSET EXPOSURES AND VULNERABILITIES

Exposed Industrial Control Systems: Top 10 Products

In our OSINT research, we found more than 500 Industrial Control Systems exposed to the Internet, owned by organizations in India, potentially allowing an attacker to access them.

The top 15 exposed IoT devices by vendors: India

Exposed IoT devices play a significant role in cyber attacks due to their often inadequate security features and widespread adoption across various sectors. These devices can serve as entry points or targets in larger network breaches, primarily because they frequently lack robust encryption, undergo infrequent updates, and have default or weak credentials that are easily exploited. Once compromised, IoT devices can be used to form botnets, enabling attackers to conduct DDoS (Distributed Denial of Service) attacks, data breaches, or surveillance. Their connectivity and access to larger networks also make them a valuable asset for attackers looking to move laterally within infrastructure, escalate privileges, or disrupt critical services. This vulnerability is exacerbated by the rapid expansion of IoT devices in homes, industries, and cities without corresponding advancements in their security frameworks.

Most Exploited Vulnerabilities in India – Last 3 months

| Vulnerability | CVSS Score | Vendor | Product |
| --- | --- | --- | --- |
| CVE-2018-10562 | 9.8 | Dasan | Dasan GPON Home Router |
| CVE-2014-8361 | 8.3 | Realtek | Realtek SDK |
| CVE-2015-2051 | 10 | D-Link | D-Link DIR-645, DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR |
| CVE-2023-20198 | 10 | Cisco | Cisco IOS XE |
| CVE-2016-6277 | 8.8 | Netgear | NETGEAR R/D Series Routers |
| CVE-2017-18368 | 9.8 | Zyxel/Billion | ZyXEL P660HN-T1A v1, ZyXEL P660HN-T1A v2, Billion 5200W-T |
| CVE-2020-16846 | 9.8 | SaltStack | Salt |
| CVE-2017-9841 | 9.8 | PHPUnit | PHPUnit |
| CVE-2021-3129 | 9.8 | Laravel | Ignition |
| CVE-2024-21893 | 8.2 | Ivanti | Ivanti Connect Secure, Policy Secure and Ivanti Neurons for ZTA |
| CVE-2024-21887 | 9.1 | Ivanti | Ivanti Secure Connect and Policy Secure |
| CVE-2024-27198 | 9.8 | JetBrains | TeamCity |
| CVE-2021-44228 | 10 | Apache | Log4j |
| CVE-2023-47246 | 9.8 | SysAid | SysAid On-Premise |
| CVE-2019-9978 | 6.1 | WordPress | WordPress Social Warfare plugin |

  • All the observed exploited vulnerabilities in the above list are also part of the CISA’s Known Exploited Vulnerability list.
  • As per CISA, the following vulnerabilities are exploited by Ransomware Groups as well: CVE-2018-10562, CVE-2021-3129, CVE-2021-44228
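
The two notes above tie the table to CISA's Known Exploited Vulnerabilities list and its ransomware flag. As an added example (not code from this report), the Python below ranks vulnerability-scanner findings against a KEV-format feed so that ransomware-linked, internet-facing items are patched first. The host names, the findings, the placeholder CVE-2099-0001 and the feed excerpt are constructed; the excerpt uses the KEV JSON field names and sets the ransomware flag as this page states it, not as the live feed may now show.

```python
"""Patch triage against a KEV-format feed (added example, constructed data)."""
import json
import re

# Constructed excerpt in the field layout of CISA's KEV JSON feed. Vendors and
# products are copied from the table above; the ransomware flag mirrors the
# page's statement about which CVEs ransomware groups exploit.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-10562", "vendorProject": "Dasan",
     "product": "Dasan GPON Home Router", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-3129", "vendorProject": "Laravel",
     "product": "Ignition", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
     "product": "Log4j", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-20198", "vendorProject": "Cisco",
     "product": "Cisco IOS XE", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-27198", "vendorProject": "JetBrains",
     "product": "TeamCity", "knownRansomwareCampaignUse": "Unknown"},
]})

# CVSS scores exactly as listed in the table above (the KEV feed has no score).
PAGE_CVSS = {"CVE-2018-10562": 9.8, "CVE-2021-3129": 9.8, "CVE-2021-44228": 10.0,
             "CVE-2023-20198": 10.0, "CVE-2024-27198": 9.8}

# Constructed scanner output: hypothetical hosts, messy IDs, one duplicate,
# one placeholder CVE that is not in the feed, and one malformed identifier.
FINDINGS = [
    {"host": "edge-rtr-01", "cve": " cve-2023-20198 ", "internet_facing": True},
    {"host": "build-01", "cve": "CVE-2024-27198", "internet_facing": False},
    {"host": "app-07", "cve": "CVE-2021-44228", "internet_facing": False},
    {"host": "app-07", "cve": "cve-2021-44228", "internet_facing": True},
    {"host": "web-03", "cve": "CVE-2021-3129", "internet_facing": False},
    {"host": "hr-02", "cve": "CVE-2099-0001", "internet_facing": False},
    {"host": "cam-11", "cve": "not-a-cve", "internet_facing": True},
]


def normalize_cve(raw):
    """Return the canonical upper-case CVE ID, or None if it is malformed."""
    candidate = str(raw).strip().upper()
    return candidate if re.fullmatch(r"CVE-\d{4}-\d{4,}", candidate) else None


def load_kev(text):
    """Index a KEV-format JSON document by CVE ID."""
    return {normalize_cve(v["cveID"]): v for v in json.loads(text)["vulnerabilities"]}


def triage(findings, kev, cvss):
    """Split findings into a ranked KEV queue, non-KEV findings and rejects."""
    queue, not_in_kev, rejected = {}, set(), []
    for finding in findings:
        cve = normalize_cve(finding["cve"])
        if cve is None:
            rejected.append(finding["cve"])      # keep for manual review
            continue
        key = (finding["host"], cve)
        if cve not in kev:
            not_in_kev.add(key)                  # normal patch cycle
            continue
        previous = queue.get(key)
        queue[key] = {
            "host": finding["host"],
            "cve": cve,
            "product": kev[cve]["product"],
            "ransomware": kev[cve].get("knownRansomwareCampaignUse") == "Known",
            # A duplicate finding may only raise exposure, never lower it.
            "internet_facing": bool(finding["internet_facing"])
            or bool(previous and previous["internet_facing"]),
            "cvss": cvss.get(cve, 0.0),
        }
    ranked = sorted(
        queue.values(),
        key=lambda r: (not r["ransomware"], not r["internet_facing"],
                       -r["cvss"], r["host"], r["cve"]),
    )
    return ranked, sorted(not_in_kev), rejected


if __name__ == "__main__":
    ranked, other, bad = triage(FINDINGS, load_kev(KEV_JSON), PAGE_CVSS)
    for row in ranked:
        print(row["host"], row["cve"], row["product"],
              "ransomware" if row["ransomware"] else "-",
              "exposed" if row["internet_facing"] else "internal", row["cvss"])
    print("not in KEV:", other)
    print("rejected identifiers:", bad)
```
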

#INDIAOUT CAMPAIGN

The Maldives #Indiaout campaign
#IndiaOut was initially not a campaign but an idea that originated in 2013 in the Maldives, under Abdulla Yameen’s pro-China administration, marked by terminating agreements with India and fostering anti-India sentiment. Despite Ibrahim Solih reinstating pro-India policies in 2018, the campaign persisted, fueled by figures like Yameen and outlets like Dhiyares News. Social media, street protests, and attacks on Indian diplomats characterized the campaign, which was seen in the wild by 2021.

Agenda
The #IndiaOut campaign in the Maldives aimed to diminish India’s influence. Its widespread social media efforts spurred political shifts, leading to the downfall of the Solih government, a hidden agenda of the campaign. Mohamed Muizzu’s rise to power underscored the campaign’s pro-China stance, reshaping regional governance and expanding China’s footprint in the Maldives.

Bangladesh: A New Addition to the #IndiaOut Campaign
In January 2024, an “India Out” campaign emerged, backed by opposition parties and certain civilians in Bangladesh. They allege Indian government interference in Bangladesh’s recent election, won by Prime Minister Sheikh Hasina’s Awami League for a fourth term. With the opposition boycotting the polls, the hashtag #IndiaOut is trending. Hackers from Bangladesh and allied groups are reportedly gearing up to launch retaliatory attacks against India.

Agenda of #Indiaout Campaign
After securing more than 220 seats, Sheikh Hasina earned her fourth consecutive term with the Awami League’s victory. Following this, despite the Bangladesh Nationalist Party’s (BNP) election boycott and minimal political influence, it spearheaded the #IndiaOut campaign. By harnessing anti-India sentiments, the BNP aims to destabilize Hasina’s government, enhancing its domestic position and aspiring to become a major player in regional politics, possibly influencing ongoing Indian elections.

Twitter accounts that engaged in the campaign aggressively




Telegram Channels recently Participating in Campaign Against India
https://t.me/systemadminbd
https://t.me/IndiaOutbd

Hashtags used in the #IndiaOut campaign:
#Indiaout #BoycottIndia #OpIndia #BoycottIndianProducts #SaveBangladeshFromIndia

Possible Impact on India

  • There will be a rise in cyber-attacks, fueled by hacktivist groups from Bangladesh and other like-minded neighboring countries, posing a significant threat to India. Recent incidents, such as the leak of Indian Railways E-Procurement System admin credentials and the hacking of the Rajasthan gov Email Server by system, highlight the aggression toward Indian government agencies and critical infrastructure. Many private-sector organizations are also targeted by other hacktivists under the banner of #IndiaOut. These attacks could disrupt essential services like banking, telecommunications, and utilities, causing widespread inconvenience and economic losses.
  • While India’s exports to Bangladesh amount to $10.63 billion, representing 2.6% of its total exports, and to the Maldives at $341 million, less than 1%, any tension in the relationship may not significantly affect India’s export balance. Conversely, Bangladesh and the Maldives heavily rely on imports from India.

China’s Geopolitical Interest:
China aims to bolster its influence in Asia, countering India, as is evident in the pro-China administration in the Maldives under Mohamed Muizzu. China’s substantial investments in the Maldives, spanning military aid to infrastructure projects, signal its strategic intent. India’s military withdrawal underscores China’s growing sway. In Bangladesh, while direct interference is uncertain, China may indirectly support hacktivists targeting Indian entities, potentially complicating India’s security.

Overall, the #IndiaOut campaigns in the Maldives and Bangladesh, fueled by anti-India sentiments, pose cybersecurity threats to India. With hacktivist groups targeting Indian entities and China’s geopolitical maneuvers, India faces challenges to its security and regional influence. The situation underscores the complexities of regional dynamics and India’s strategic positioning.

INDONESIA

THREAT ACTOR MOTIVATIONS TO TARGET INDONESIA

Financial Motivation: Indonesia is the largest economy in Southeast Asia and possesses abundant natural resources. This makes it an attractive target for cybercriminals seeking financial gains through activities, such as hacking into financial institutions, conducting ransomware attacks, or stealing sensitive financial data.

Political Motivation: Indonesia is the world’s fourth most populous country and has a diverse political landscape. Political motivations for targeting Indonesia could include influencing elections, destabilizing the government, or compromising political figures or organizations.

Geopolitical Motivation: Indonesia’s strategic location in Southeast Asia, along with its large population and economic potential, makes it an important player in regional and global geopolitics. Threat actors with geopolitical motivations target Indonesia to gain a competitive advantage, disrupt regional stability, or gather intelligence.

TRENDS IN THE INDONESIA THREAT LANDSCAPE

  • Growth in economic activities in Indonesia, especially in various industrial sectors like manufacturing, eCommerce, Travel and Tourism, Infrastructure, Construction, Mining, and Aviation attracts financially motivated threat actors, state-sponsored threat actors, and other threat actors who are interested in data leaks.
  • The surge of eCommerce has been a notable trend, intensifying even more in the post-pandemic era.
  • Russian, Chinese, and North Korean threat actors actively target Indonesian organizations.
  • Cyber-attacks on Indonesian organizations not only cause financial and reputational damage but also have a negative impact on attracting investments from potential global investors.
  • Despite government efforts, Indonesia’s digital literacy remains moderate.
  • The South China Sea disputes, involving territorial claims and maritime rights, have become a focal point of geopolitical contention. China’s assertion of sovereignty over a significant portion of the South China Sea has led to territorial tensions with neighboring countries, including Indonesia, and these tensions will continue to create chaos in the region.

INDUSTRIAL SECTORS IN FOCUS

GEO-POLITICAL RISK FACTORS

The Asia-Pacific region, with its significant population and pivotal role in global trade, is a focal point for geopolitical competition, primarily exemplified by the rivalry between the United States and China. Indonesia, as Southeast Asia’s largest economy, holds a vital position in this landscape, thanks to its economic growth and control of critical sea lanes. This competition is compounded by multifaceted geopolitical threats stemming from complex regional relations, demographic shifts, and climate change.

Notably, China’s ascent as a superpower shapes the key geopolitical concerns in the region, with the South China Sea disputes and the Taiwan issue at the forefront. China’s territorial claims extend to the South China Sea, including Indonesia’s exclusive economic zone in the Natuna Sea. This has led to territorial tensions, with near-armed conflict in 2019 and 2020.

Indonesia’s foreign policy historically emphasizes nonalignment, aiming to balance relations with the United States and China. Recent efforts have seen the mending of relations with China, with growing economic ties and political interactions. Simultaneously, Jakarta maintains strong security ties with the United States.

However, these developments strain relations with China, and as regional countries assert their sovereignty and economic interests, tensions could rise. Cyber espionage activities primarily target government entities but are expected to expand to non-governmental organizations and commercial entities. The Asia-Pacific region houses some of the world’s most active state-sponsored cyber actors, led by China, followed by Russia and North Korea, while India emerges as an aspiring cyber power.

The potential flashpoint in the regional security landscape centers around the Taiwan issue, with cyber campaigns likely preceding any conflict. While overt military confrontations remain unlikely, cyberattacks targeting various entities are projected to increase. Strengthening network security standards and cybersecurity practices is the top priority for businesses, as regional stability and economic prosperity depend on cybersecurity resilience in this volatile geopolitical environment.

TRENDS FROM THE DARK WEB

We observed a year-on-year increase in campaigns targeting various industries in Indonesia. Chinese, North Korean, and Russian state-sponsored threat actors are behind these campaigns.

Campaigns Targeting Indonesia

Threat Actors Engaged in Observed Campaigns

Top Targeted Industries in Indonesia observed in the Campaigns

Here are some details about observed sample campaigns.
| Malware Name | Targeted Services/Vulnerabilities | Campaign Name | Suspected Threat Actor | Target Industries | Target Geographies |
|---|---|---|---|---|---|
| Winnti, Commodity Malware | Web Application | Camaro Delta | Mustang Panda, MISSION2025 | Aerospace & Defense, Multiline Retail, Marine, Government, Industrial Conglomerates, Internet & Direct Marketing Retail, Wireless Telecommunication Services, IT Services, Transportation Infrastructure, Communications Equipment, Diversified Financial Services | Vietnam, South Korea, Singapore, the United States, the Philippines, Japan, Taiwan, Australia, Thailand, India, Indonesia |
| | Web Application | Void | TA505, FIN11, FIN7, Gamaredon | Auto Components, Real Estate Management & Development, Government, Internet & Direct Marketing Retail, Banks, Interactive Media & Services, Automobiles | South Korea, Vietnam, Singapore, Hungary, the United States, Japan, Ukraine, United Kingdom, Malaysia, Indonesia |
| Rifdoor, Nukesped, ShadowPy | Web Application | UNC069 | TICK, Lazarus Group | Real Estate Management & Development, Government, IT Services, Automobiles, Construction & Engineering, Food Products, Construction Materials, Multiline Retail, Auto Components, Food & Staples Retailing, Hotels, Restaurants & Leisure, Industrial Conglomerates, Energy Equipment & Services, Leisure Products, Diversified Financial Services, Hospital, Beverages, Textiles, Apparel & Luxury Goods | South Korea, Vietnam, the Czech Republic, the United States, Japan, Taiwan, the United Kingdom, South Africa, Australia, Germany, India, Indonesia |

THREAT ACTORS TO WATCH

DATA LEAKS

The threat actor “abyss0” purportedly leaked data from Indosat Ooredoo, claiming it occurred in December 2023 but was only posted on April 4, 2024. The leaked data includes employee login information and detailed floor plans, indicating a serious breach. With Indosat Ooredoo estimated to have 102 million subscribers as of 2022, the breach raises significant concerns about privacy and security implications, despite questions surrounding the timing and authenticity of the leak’s claim versus its actual posting date.

Indonesian citizens’ KYC data was leaked in an underground forum. The information provided in the leaked data, which includes various types of personal identification, such as the Kartu Tanda Penduduk (Resident Identity Card), Surat Izin Mengemudi (Driver’s License), KIS Healthy Indonesia card (Health Card), Directorate General of Taxation records, Participant Card, and Family Card, poses a significant threat to individuals’ privacy and security. The leakage of such sensitive data, posted by the threat actor “Blastoise” on January 25, 2024, could potentially lead to identity theft, financial fraud, and other forms of malicious exploitation.

The involvement of the threat actor “Blastoise” in another data leak, this time pertaining to Denpasar, the capital city and economic center of Bali, Indonesia, raises significant concerns about cybersecurity in the region. As a prominent city in the Nusa Tenggara Islands and the second largest in Eastern Indonesia after Makassar City, Denpasar’s exposure to such data breaches could have far-reaching consequences for individuals and businesses in the area.

CYFIRMA discovered a data leak posted by the threat actor “Blastoise” on April 5, 2024, containing admin login and user database information from Petrokimia Gresik, a fertilizer company based in Gresik, East Java, Indonesia.

The discovery of a data leak involving ANGKASA PURA AIRPORTS INDONESIA, posted by the threat actor “TNG2R” on February 7, 2024, is deeply concerning. The leaked data, totaling 72 GB and comprising 68,237,264 records containing sensitive personal information such as names, emails, NIK (Indonesian ID numbers), NPWP (tax identification numbers), phone numbers, addresses, dates of birth, genders, incomes, and more, poses significant privacy and security risks for the affected individuals.

We discovered a data leak involving Jember State Polytechnic, a higher education institution focusing on vocational education in Indonesia, posted by the threat actor “Blasties” on January 7, 2024, which raises serious concerns regarding cybersecurity within the institution. The leaked data, which includes admin login and user database information, underscores the urgency of assessing the breach’s extent, mitigating potential risks, and fortifying the institution’s cybersecurity measures.

A data leak discovered by CYFIRMA, involving MyPertamina, a digital financial service platform integrated with the LinkAja app for non-cash fuel payments at Pertamina’s public fueling stations, posted by the threat actor “Bjorka” on January 24, 2024, is highly concerning. The leaked data, comprising approximately 44,237,264 records in CSV file format, contains sensitive personal information including names, emails, NIK (Indonesian ID numbers), NPWP (tax identification numbers), phone numbers, addresses, dates of birth, and genders. This presents significant privacy and security risks for the individuals affected.

A data leak discovered by CYFIRMA, involving Indonesian banks’ access, posted by the threat actor “Cyber Niggers AKA Aegis” on November 28, 2023, is deeply troubling. The sale of such access poses a significant threat to the security and integrity of the banking system in Indonesia.

A data leak discovered by CYFIRMA, attributed to the threat actor “Ddarknotevil,” posted on December 21, 2023, and February 13, 2024, is deeply concerning. The first leak, concerning the Dareliman Database, is reported to be approximately 13 GB in size and in SQL file format. The second leak purportedly contains private financial data and documents from the Ministry for Economic Affairs, totaling around 136 GB.

A data leak discovered by CYFIRMA, posted by the threat actor “InterSystems” on April 5, 2024, involving the Badan Pemeriksa Keuangan Republik Indonesia (Indonesian Supreme Audit Agency), is a significant security concern. The leaked data reportedly includes admin login credentials and user database information, comprising 7000+ rows of data from the agency’s database. This breach raises serious issues regarding the integrity and security of sensitive government information.

The sale of Indonesia airport access by the threat actor “TheColorYellow” on March 1, 2024, discovered by CYFIRMA, is deeply concerning. Access to airport systems poses significant security risks, not only for the airports themselves but also for the safety and privacy of passengers and personnel.

The sale of Indonesian bank access by the threat actor “comradbinski” on December 1, 2023, discovered by CYFIRMA, is extremely alarming. Access to banking systems poses a significant threat to the security of financial institutions and their customers.

HACKTIVIST

The volume of DDoS attacks increased globally after the start of the Russia-Ukraine war, when pro-Russian and pro-Ukrainian hacktivists began targeting each other with DDoS campaigns and also began targeting allied nations to show support for their respective countries.

In the case of Indonesia, hacktivist channels potentially linked to Indian-origin attacks targeting Indonesia through methods like DDoS, defacement, and data leaks were observed. Here are the channels identified:

  • GarudaOps
  • C͜͡a℘tain々ᴶᵃᶜᵏSᴘᴀʀʀØw
  • Teamlapsusindia
  • TeamNetworkNine
  • anon_sec_Official
  • Team NWH SECURITY
  • ʀᴀsʜᴛʀɪʏᴀ ᴄʏʙᴇʀ ғᴏʀᴄᴇ
  • ParanoidHax
  • AnonymousIndia
  • lulzsec1ndia
  • glorysec
  • TeamUcc
  • BlackDragonsec
  • KeralaCyberBlackSquad
  • Indiancybermafia
  • anonsec
  • Darkcyberwarriors
  • Darkcyberwarrior

These channels may represent potential threats to Indonesian cybersecurity and should be closely monitored and addressed by relevant authorities to prevent any malicious activities.

Indonesian Hacktivist Groups in action

Meanwhile, several Indonesian hacktivist channels appear to support Palestine and engage in attacks against India and Israel using methods like DDoS, defacement, and data leaks. Here is the list of these channels:

  • ETHERSEC TEAM CYBER
  • Nusantara
  • GARUDA FROM CYBER
  • ymous Indonesia
  • Level seven cyber
  • Hmei7 indonesian
  • TOXCAR CYBER TEAM
  • ISLAMIC CYBER TEAM | INDONESIAN
  • VulzSec Official

Cyber hacktivist groups from India and Indonesia have engaged in campaigns targeting organizations in each other’s countries through DDoS attacks, defacement, and data breaches. These activities not only disrupt government entities but also have broader implications for businesses in both countries.

Impact on Organizations

  • Operational Disruption: DDoS attacks can cripple online services, leading to downtime and loss of revenue.
  • Data Security: The selling of compromised databases and leaking of sensitive information threaten the integrity of data security, increasing the risk of identity theft and financial fraud.
  • Reputational Damage: Cyberattacks can tarnish the reputation of targeted organizations, affecting customer trust and long-term business prospects.
  • Resource Diversion: Responding to and mitigating these cyber threats requires significant IT resources, diverting them from critical operations and potentially hampering productivity.

Strategic Consequences

  • Geopolitical Tensions: These cyber-attacks, often framed as acts of hacktivism, exacerbate existing geo-political tensions between the countries, contributing to a cycle of retaliation that can escalate conflicts.
  • Legal and Regulatory Implications: Organizations may face legal challenges if customer data is compromised, leading to potential fines and increased regulatory scrutiny.

PHISHING

From April 10th, 2023 to April 10th, 2024, CYFIRMA’s telemetry systems detected a total of 981,727 phishing campaigns. Within this dataset, Indonesia emerged as one of the most targeted geographic regions in Southeast Asia.

DISTRIBUTION OF PHISHING THEMES PER SECTOR

The observed campaigns in Indonesia reveal several prominent themes exploited in phishing attacks. Among these, the sectors most frequently targeted include Software, Airlines, Air Freight & Logistics, Government, Wireless Telecommunication, Media, and Banks. These findings shed light on the diverse range of sectors that malicious actors are leveraging to carry out phishing attacks within Indonesia. Understanding these prevalent themes is crucial for enhancing cybersecurity measures and safeguarding against the evolving tactics employed by cybercriminals.

RANSOMWARE

We observed a year-on-year increase in ransomware attacks on Indonesia targeting various industries.

Ransomware Victims In Indonesia

Ransomware groups target Indonesia due to its significant and growing economy, increasing digital transformation, potential vulnerabilities in cybersecurity practices among certain organizations, geopolitical and economic motivations, the widespread use of cryptocurrencies, relative lack of cybersecurity awareness, regional and global connectivity, and, in some cases, political instability. The country’s expanding digital infrastructure and the perceived financial capacity of high-profile targets make it an attractive environment for cybercriminals seeking substantial ransom payouts. Notably, this threat landscape is influenced by formidable ransomware groups, including LockBit, BlackCat (ALPHV), and BianLian, which feature prominently on the list of perpetrators targeting Indonesian companies.

ASSET EXPOSURES & VULNERABILITIES

Most Exploited Vulnerabilities in Indonesia – 2024
| Exploited Vulnerabilities | Vendor | Product |
|---|---|---|
| CVE-2023-20198 | Cisco | Cisco IOS XE |
| CVE-2017-9841 | PHPUnit | PHPUnit |
| CVE-2015-2051 | D-Link | D-Link DIR-645, DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB, DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR |
| CVE-2014-8361 | Realtek | Realtek SDK |
| CVE-2016-6277 | Netgear | NETGEAR R/D Series Routers |
| CVE-2019-11510 | Pulse Secure | Pulse Secure VPN |
| CVE-2024-24919 | Check Point | Check Point Security Gateway |
| CVE-2024-27198 | JetBrains | TeamCity |
| CVE-2018-10562 | Dasan | Dasan GPON Home Router |
| CVE-2024-1709 | ConnectWise | ScreenConnect |
| CVE-2019-9670 | Synacor | Zimbra Collaboration Suite |
| CVE-2020-25213 | WordPress | WordPress |
| CVE-2023-42793 | JetBrains | TeamCity |
| CVE-2019-3396 | Atlassian | Confluence |
| CVE-2022-26134 | Atlassian | Confluence |

All the observed exploited vulnerabilities in the list above are also part of CISA’s Known Exploited Vulnerabilities (KEV) catalog.

As per CISA, the following vulnerabilities are exploited by ransomware groups as well: CVE-2019-11510, CVE-2024-27198, CVE-2018-10562, CVE-2024-1709, CVE-2023-42793, CVE-2019-3396, CVE-2022-26134.

AUSTRALIA

TRENDS IN THE AUSTRALIA THREAT LANDSCAPE

  • A 2023 survey conducted by the Australian Cyber Security Center found that 62% of Small and Medium Enterprises (SMEs) surveyed fell victim to cyber-attacks, highlighting the pervasive nature of such incidents within this business sector in Australia.
  • The ‘National Anti-Scam Centre,’ SCAMWATCH, reported a significant surge in actual losses to scams in 2023, amounting to $455,436,239 from 280,240 reports. This represents a substantial 30% increase compared to the scam reports in 2022. Notably, investment, payment redirection (business email compromise), and romance scams emerged as the primary contributors to financial losses. Common contact methods for scams included voice calls, text messages, and social media platforms, with payment methods encompassing bank transfers and cryptocurrency. Phishing, false billing, online shopping scams, and identity theft scams were the most reported scams in the year 2023.
  • An alarming trend in 2023 reveals a significant 190% increase in cyber campaigns targeting Australia compared to the previous year. Chinese state-sponsored APT groups dominated these campaigns, with Russian and North Korean threat actors following closely.
  • Ransomware attacks in Australia experienced a notable 22% uptick in 2023 compared to the previous year. Large-scale, well-funded organizations have recently become victims of ransomware attacks, underscoring the heightened risk and impact on high-profile entities within the country.

INDUSTRIAL SECTORS IN FOCUS

MINING
Australia’s mining sector stands as a cornerstone of the nation’s economy, ranking as the world’s fourth-largest mining nation, following China, the United States, and Russia. It boasts prominent positions as a top producer of commodities such as gold, iron ore, lead, zinc, and nickel. Furthermore, Australia holds the world’s largest uranium reserves and ranks fourth in black coal resources. Recent data from the Australian Bureau of Statistics (ABS) reveals that the mining industry contributed a staggering A$455 billion ($298.64 billion) in export revenue during the 2022–23 fiscal year, accounting for approximately two-thirds of the nation’s total export revenue. This marks a notable 10.5% increase from the previous record set in 2021–22.

Given its economic significance and the wealth of valuable data it generates, the mining industry has become a prime target for cyber espionage campaigns. Threat actors, ranging from nation-states to organized criminal groups, are increasingly drawn to the sector’s vast data reservoirs, aiming to steal proprietary information, gain competitive advantages, or influence sales and mergers. The mining sector’s strategic importance in global supply chains further amplifies its susceptibility to cyber threats. Sophisticated and highly targeted cyber-attacks, orchestrated by diverse attacker groups including hacktivists, hostile governments, and organized criminals, seek to exploit the industry’s vulnerabilities. These threats capitalize on the mining sector’s heavy reliance on integrated and automated systems, which, if compromised, could have cascading impacts on regional and global supply chains and national economies.

MANUFACTURING
Australia’s manufacturing landscape is characterized by its diversity, encompassing major sub-industries such as food, beverages, and tobacco; machinery and equipment; petroleum, coal, and chemicals; and metal products. Anticipating the future, the next two decades will witness a transformative shift in Australia’s manufacturing sector towards a more integrated, collaborative, and export-oriented ecosystem. This evolution is set to emphasize high-value customized solutions within global value chains, with a keen focus on value addition in both pre-production (design and R&D) and post-production (after-sales services). Additionally, sustainable manufacturing practices and a move towards low-volume, high-margin customized production are expected to shape the industry’s trajectory.

According to the 2023 CommBank Manufacturing Insights Report, a significant 72% of Australian manufacturers have optimistic production growth projections for the upcoming year. Concurrently, an equal proportion are gearing up to boost capital expenditure, earmarking investments in innovative technologies to refine processes, enhance efficiency, bolster productivity, elevate quality, and expand capacity.

While technological advancements have been instrumental in propelling the manufacturing sector forward, fostering innovation, and driving operational enhancements, they also introduce a burgeoning array of cyber threats. The integration of advanced technologies, interconnected systems, and digital transformation initiatives has expanded the industry’s cyber-attack surface, making it an attractive target for threat actors. Threat actors are increasingly drawn to the manufacturing industry due to its pivotal role in the economy, critical infrastructure connections, intellectual property repositories, and the potential for disrupting global supply chains. The sector’s reliance on interconnected systems, data-driven operations, and integrated technologies presents vulnerabilities that cybercriminals aim to exploit, ranging from intellectual property theft and industrial espionage to operational disruptions and financial extortion.

AGRICULTURE
Australia’s agriculture sector stands as a linchpin of the nation’s economy, playing a pivotal role in both domestic production and international exports. The sector’s diverse array of primary products, including wheat, milk, fruits, nuts, vegetables, and meat, significantly contributes to the country’s GDP. Notably, key export commodities such as beef, wheat, wine, wool, and lamb underscore Australia’s global prominence in agricultural trade. The beef industry, in particular, shines as Australia’s largest agricultural enterprise, positioning the nation as the world’s second-largest beef exporter, trailing only behind Brazil. Impressively, approximately 72% of Australia’s agricultural production finds its way to international markets.

Despite its economic significance and global reach, the Australian agricultural industry finds itself increasingly in the crosshairs of cyber threats. Disturbingly, recent data positions the sector as the sixth most susceptible to data breaches. Threat vectors plaguing the industry encompass a spectrum of cyberattacks, ranging from data breaches and ransomware incidents to phishing campaigns, scam emails, and malware infiltrations.

The multifaceted nature of Australia’s agricultural sector, encompassing a spectrum from small-scale enterprises to expansive global operations, presents a complex cybersecurity landscape. This diversity translates into varying degrees of IT proficiency and cybersecurity awareness across the industry. While the sector witnesses a burgeoning influx of technological investments, there remains a discernible gap in prioritizing cybersecurity measures.

The integration of digital platforms, payment gateways, and advanced agricultural machinery, exemplified by precision agriculture technologies, inadvertently provides cyber adversaries with avenues to exploit vulnerabilities. These vulnerabilities extend beyond financial transactions, encompassing a broad spectrum of risks, including unauthorized access to personal and business data, compromise of production systems, and theft of intellectual property.

IT INDUSTRY
Australia’s IT sector is experiencing robust growth, boasting a compound annual growth rate of 13.47% projected between 2022 and 2027. By 2027, the industry is forecasted to achieve a commendable value of US$146.98 billion. Demonstrating its momentum, Australia’s broader tech ecosystem currently stands at a valuation of $167 billion, marking an impressive 80% growth over the past five years. This surge is underpinned by Australia’s proficiency in diverse technological domains, encompassing Software as a Service (SaaS), fintech, cybersecurity, and digital gaming.

However, as the IT industry expands and evolves, it becomes an increasingly attractive target for cyber threats within the Australian landscape. The sector’s rapid growth, expansive value, and multifaceted expertise present a lucrative opportunity for threat actors.

Threat actors are drawn to the IT industry due to its pivotal role in the digital transformation era. With its vast repositories of valuable data, intellectual property, and financial transactions, the sector offers a treasure trove for cybercriminals seeking unauthorized access, data theft, or financial gain. Additionally, the interconnected nature of the IT ecosystem, encompassing cloud services, online platforms, and digital infrastructures, amplifies the sector’s susceptibility to cyber threats.

FINANCE
Australia’s financial services industry stands as a cornerstone of the nation’s economy, contributing a substantial $140 billion to the GDP. Notably, the sector’s growth trajectory has outpaced the overall economy in recent decades, evidenced by financial institutions’ assets surging to nearly 500% of GDP by 2020, a significant leap from the 200% recorded in the 1990s.

However, alongside its economic prominence, the finance industry’s digital transformation has attracted heightened cyber threats within the Australian landscape. In 2022 alone, targeted attacks on Financial Service Institutions (FSIs) escalated by approximately 200%. Threat actors are particularly drawn to the finance sector due to its wealth of valuable assets and data. The sector’s vast repositories, including credit card details, account information, personally identifiable information (PII), and critical network access, present lucrative opportunities for cybercriminals. These threat actors, motivated by financial gains or other malicious intentions, frequently target FSIs through sophisticated cybercrime campaigns, leveraging tactics such as ransomware attacks to extort funds or disrupt operations.

TOURISM
Beyond its economic contributions, Australia’s allure as a tourism hotspot is undeniable. The country’s diverse offerings cater to a broad spectrum of travelers, from the captivating depths of the Whitsundays for scuba enthusiasts and the iconic vistas of Uluru to the pristine trails of the Daintree Rainforest and the world-renowned New Year’s Eve fireworks spectacle in Sydney.

However, the tourism industry’s digital evolution and global prominence have inadvertently heightened its vulnerability to cyber threats within the Australian context. Threat actors are increasingly targeting the tourism sector, enticed by its vast customer base, extensive data repositories, and intricate supply chains. Threat actors view the tourism industry as a lucrative target, given its wealth of sensitive data, including traveler information, financial transactions, and reservation details. Additionally, the sector’s interconnected ecosystem, encompassing travel agencies, hospitality services, and online platforms, presents numerous avenues for cybercriminals to exploit vulnerabilities, ranging from data breaches and financial fraud to ransomware attacks.

LOGISTICS
The logistics industry plays an indispensable role in bolstering Australia’s economy, overseeing the intricate processes of production, storage, inventory management, and the efficient delivery and distribution of goods and services. As of 2023, the Australia Freight and Logistics Market commands a significant valuation of approximately 89.86 billion USD, with projections indicating a growth trajectory to reach 113.94 billion USD by 2029. This growth underscores the sector’s vitality, driven by the nation’s robust import and export dynamics.

However, as the logistics industry evolves and expands, it concurrently becomes a focal point for cyber threats within the Australian threat landscape. Threat actors are increasingly targeting the logistics sector, drawn by its pivotal role in the supply chain ecosystem, an extensive network of stakeholders, and vast volumes of valuable data and goods in transit. Threat actors perceive the logistics industry as an attractive target due to its integral position in facilitating commerce and trade. Disruptions or compromises within the logistics chain can have cascading impacts, ranging from supply chain delays and financial losses to broader economic repercussions. Cybercriminals exploit vulnerabilities within the sector’s digital infrastructure, targeting critical systems, transport networks, and inventory management platforms to execute attacks such as ransomware, data breaches, or operational disruptions.

GEO-POLITICAL RISK FACTORS

Nestled in the heart of the Asia Pacific, Australia emerges as a lone state-continent, an outpost of the West facing an increasingly delicate and hostile environment. This unique position sets the stage for a geopolitical tightrope walk with ramifications resonating far beyond its shores.

The Asia Pacific, home to over half the global population, commands strategic importance. Two-thirds of global container trade navigates its sea lanes, making it a vital artery for global trade and energy supply. Australia, with its growing economic power, tradition of aligning with the West, and proximity to critical sea lanes, finds itself thrust into the role of a strategic fulcrum in the unfolding U.S.-Chinese great-power competition.

However, this prominence comes at a cost. The Asia Pacific, and Australia in particular, confronts a myriad of geopolitical threats, positioning the region as a hotbed of competition in the 21st century. The historical backdrop of unsettled relations, demographic shifts, and potential climate change fallout adds layers of complexity, fostering an environment prone to instability and conflict.

Central to the geostrategic challenges is the rise of China as a superpower. The South China Sea disputes and the Taiwan issue loom large, with China pressing territorial claims that could leave Australia with no cost-free choices of political alignment. Australia’s decision to join the AUKUS defense pact underscores its commitment to the West, but this choice strains relations with crucial partners and triggers a full-blown trade war with China.

China’s coercive tactics extend into cyberspace, exemplified by recent cyber attacks on major Australian infrastructure. The use of cyber tools against allies is not unprecedented, as evidenced by Chinese APTs engaging in cyber espionage against Cambodia. This dynamic cyber landscape is further exacerbated by the divergence in visions between the West, led by Australia, and China, with the former upholding neutral rules and the latter fostering a hierarchical order.

The strained relations manifest in frequent cyber attacks, with Chinese APTs targeting the Australian government and military offices. These attacks may spill into the civilian sector if diplomatic ties continue to deteriorate. Economic coercion becomes a weapon as Australia, more than any other country, bears the brunt of China’s restrictions on various products due to geopolitical disagreements.

Beyond the China-centric tensions, the region harbors multiple sources of potential conflicts, ranging from the India-Pakistan feud to North Korea’s posturing. The emergence of security partnerships like the QUAD and AUKUS platforms adds further complexity, as does the economic slowdown in China and the relocation of technology manufacturing.

Russia’s increasing dependence on China raises concerns of a forming Eurasian bloc, intensifying competition in trade, territorial disputes, military buildup, and cyber activities. The Asia Pacific emerges as a hotbed for cyber statecraft, with China leading the charge, closely followed by Russia and North Korea, while India aspires to cyber power status.

North Korea, emboldened by Russian backing, intensifies its cyber criminal activities, targeting South Korea, Japan, Australia, and U.S. security partners like the Philippines. The potential conflict over Taiwan looms as the biggest flashpoint, promising unpredictable cyber fallout and a prelude to a massive cyber campaign to intimidate regional countries.

While overt military confrontation remains distant, cyber attacks targeting governmental and private entities are projected to rise, serving as reminders not to overstep boundaries. The overarching imperative for businesses in the region is clear: bolster common network security standards and cybersecurity practices, fortifying resilience against the uncertainties of the evolving geopolitical landscape.

TRENDS FROM THE DARK WEB

We observed 7 ongoing campaigns targeting various industries in Australia in 2024. Russian, Chinese, and North Korean state-sponsored threat actors are behind most of these campaigns. Here are some details about observed sample campaigns.

| Malware Name | Targeted Services/Vulnerabilities | Campaign Name | Suspected Threat Actor | Target Industries | Target Geographies |
|---|---|---|---|---|---|
| PubLoad, PlugX RAT | Application Infrastructure Software, Web Application, Operating System | territorial integrity | Mustang Panda | Diversified Telecommunication Services, Government, Industrial Conglomerates, Wireless Telecommunication Services, Banks, Electric Utilities, Oil, Gas & Consumable Fuels, Diversified Financial Services | Vietnam, South Korea, the United States, Japan, the Philippines, the United Kingdom, Thailand, Australia, France, India |
| Blackenergy, Kapeka | Operating System, Infrastructure-as-a-service Solutions | graffitist | Sandworm | Government, Industrial Conglomerates, Energy Equipment & Services, Electric Utilities, Oil, Gas & Consumable Fuels, Gas Utilities, Water Utilities | The United States, Japan, Ukraine, Finland, the United Kingdom, Australia, France, Germany |
Campaigns Targeting Australia

Top 10 Target Industries in the Campaigns: Australia

In 2023, the number of observed campaigns increased significantly compared to the last two years, indicating threat actors’ interest in Australia’s economic and geopolitical dominance.

DATA LEAKS

CYFIRMA Research team observed a data leak related to Australia-based Keech (keech[.]com[.]au) manufacturing company. Keech produces a complete range of ground-engaging tools for mining, earthmoving, and construction equipment, as well as high-integrity steel castings for use in agriculture, rail, and defense industries. Indonesia-based threat actor StarsX Cyber Team claimed responsibility for the leak of 125.76MB of data as part of the #opaustralian campaign.

CYFIRMA Research team observed a data leak related to GranvueHomes (www[.]granvuehomes[.]com[.]au). Granvue Homes is Melbourne’s leading new house builder. Leaked data contains name, e-mail, phone, postcode, and other information.

The Australian solar energy company AG Energy suffered a data breach. The leak exposed data including full names, email addresses, home phone numbers, mobile phone numbers, and physical addresses. In total, 138k customers were affected.

CYFIRMA Research team observed a data leak related to IAB Australia. IAB Australia is the peak trade association for online advertising in Australia.

THREAT ACTORS TO WATCH

RANSOMWARE

Ransomware Victims In Australia

Australia, like many developed nations, is susceptible to ransomware attacks due to its strong economy, advanced digital infrastructure, and global connectivity. The attractiveness of potential high ransom payments, coupled with the interconnectivity of critical systems, makes it a target for cybercriminals. Additionally, if cybersecurity measures are not consistently robust, vulnerabilities may be exploited, leading to an increased risk of successful attacks on both public and private sectors. While specific motives can vary, the combination of economic factors and digital prominence contributes to the likelihood of Australia being targeted by ransomware attacks. Notably, this threat landscape is influenced by formidable ransomware groups, including LockBit, BlackCat (Alphvm), Cl0p, and 8Base, which feature prominently on the list of perpetrators targeting Australian companies.

ASSET EXPOSURES & VULNERABILITIES

Exposed Industrial Control Systems: Top 10 Products

| Vulnerability | Vendor | Product |
|---|---|---|
| CVE-2020-16846 | SaltStack | Salt |
| CVE-2019-11510 | Pulse Secure | Pulse Secure VPN |
| CVE-2022-26134 | Atlassian | Confluence |
| CVE-2021-44228 | Apache | Log4j |
| CVE-2019-3929 | Barco/AWIND | Barco/AWIND OEM |
| CVE-2014-8361 | Realtek | Realtek SDK |
| CVE-2021-26855 | Microsoft | Exchange |
| CVE-2023-29357 | Microsoft | SharePoint |
| CVE-2021-38647 | Microsoft | Open Management Infrastructure (OMI) |
| CVE-2023-20198 | Cisco | Cisco IOS XE |
| CVE-2020-3452 | Cisco | Cisco ASA and Cisco Firepower Threat Defense |
| CVE-2021-21315 | Node.js | Node.js |
| CVE-2023-22527 | Atlassian | Confluence |
| CVE-2017-9841 | PHPUnit | PHPUnit |
| CVE-2018-10562 | Dasan | Dasan GPON Home Router |

  • All the observed exploited vulnerabilities in the given list are also part of CISA’s Known Exploited Vulnerabilities (KEV) catalog.
  • As per CISA, the following vulnerabilities are exploited by Ransomware Groups as well: CVE-2019-11510, CVE-2022-26134, CVE-2021-44228, CVE-2021-26855, CVE-2023-29357, CVE-2021-38647, CVE-2023-22527, CVE-2018-10562

DDoS

In the last six months, the Australian threat landscape has been notably affected by distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector hit hardest, accounting for 80.90% of the attacks. Moreover, 56.81% of these attacks lasted longer than three hours, indicating a prolonged and impactful threat scenario. Attacks lasting between one and three hours accounted for a further 13.05%, a notable proportion of sustained assaults. In terms of bitrate, attacks ranging from 500 Mbps to 1 Gbps constituted 6.58%, while those below 500 Mbps made up the majority share at 90.98%. This distribution highlights the need for a comprehensive and adaptive cybersecurity strategy to mitigate the varying intensities of DDoS threats in Australia.

BANGLADESH

TRENDS IN THE BANGLADESH THREAT LANDSCAPE

  • The interest of threat actors is primarily driven by the potential for economic gain, disruption of critical infrastructure, and geopolitical significance in regional affairs, making Bangladesh an attractive target for cyberattacks and cyber espionage activities.
  • Economic growth in sectors like Textile, Manufacturing, Shipbuilding, Tourism, IT, and Leather Industries attracts financially motivated and state-sponsored threat actors.
  • Russian and Pakistan state-sponsored threat actors are actively targeting Bangladesh.
  • Mustang Panda, TA505, Gamaredon Group, Lazarus Group, Patchwork, and Transparent Tribe are the observed groups targeting Bangladesh in recent days.

INDUSTRIAL SECTORS IN FOCUS

TEXTILE INDUSTRY
When considering the Bangladesh threat landscape, the country’s prominent textile industry becomes a notable focal point for threat actors. Bangladesh stands as the world’s second-largest clothing exporter, second only to China. The textile manufacturing market in Bangladesh is on a growth trajectory, expected to expand from USD 17.99 billion in 2023 to USD 23.86 billion by 2028, with over 4,500 active factories. The clothing and textile sector accounts for a substantial 75% of the nation’s manufacturing employment and contributes significantly to Bangladesh’s GDP, exceeding 13%. Furthermore, textiles and related products constitute over 84% of export earnings. This industry’s lucrative nature, extensive supply chain interconnections, and economic impact make it an appealing target for threat actors interested in disrupting production, compromising trade secrets, and exploiting vulnerabilities, thereby influencing both the country’s economic stability and global trade dynamics.

SHIPBUILDING
The nation’s shipbuilding industry emerges as a significant point of interest for threat actors. Bangladesh, as a maritime nation with aspirations to become a developed economy by 2041 through the prospects of the Blue Economy, places a strategic emphasis on its shipbuilding sector. Presently, with over 200 shipbuilding companies, this industry wields substantial influence with its ability to generate considerable foreign currency through ship exports, drives employment opportunities, establishes vital support for backward linkage industries, and significantly contributes to the national GDP. These attributes that make the shipbuilding industry a cornerstone of economic development render it an appealing target for threat actors keen on disrupting economic stability, disrupting international trade, or compromising sensitive shipbuilding technologies, thus undermining Bangladesh’s path toward economic advancement and its maritime ambitions.

TOURISM
Bangladesh boasts breathtaking natural attractions like the Sundarbans, one of the largest mangrove forests globally, and Cox’s Bazar Sea Beach, the longest in the world, among others. These natural wonders position the country as a potential hotspot for local and international tourists. Presently, the tourism industry contributes 3.02% to the nation’s GDP and accounts for 8.07% of its total employment. Notably, the Bangladesh Tourism Board (BTB) has outlined an ambitious 25-year tourism master plan to attract 10 million tourists by 2040 and generate an annual revenue of $8 billion. While this vision holds the promise of increased inbound and domestic tourism and a boost in sector investment, it also garners the attention of threat actors who may seek to disrupt the sector’s growth, compromise the safety of travellers, or exploit vulnerabilities within the industry for economic or political gain, potentially hampering Bangladesh’s path to realizing its tourism aspirations.

INFORMATION TECHNOLOGY
Bangladesh is swiftly establishing itself as a prominent player in the global IT arena, successfully securing a significant share of the IT market in South Asia. This industry is acknowledged as one of the nation’s most promising sectors and is projected to reach a substantial valuation of USD 5 billion by 2025. Notably, the Information and Communication Technology (ICT) sector has already contributed 1.28% to Bangladesh’s GDP, while simultaneously creating over 300,000 jobs. The rapid growth and economic potential of the IT sector make it a prime target for threat actors who may seek to exploit vulnerabilities, engage in cyber espionage, or compromise sensitive information. This heightened interest from threat actors is driven by the industry’s potential for economic disruption, intellectual property theft, and its pivotal role in shaping Bangladesh’s technological future.

LEATHER INDUSTRY
Bangladesh’s leather sector is a well-established industry, ranking second in terms of export earnings. Thanks to its remarkable value, substantial growth prospects, and extensive employment opportunities, the leather industry has been accorded top priority status. Notably, Bangladesh captures a 3% share in the global leather and leather products market, with nearly 60% of its annual output being destined for export. Significantly, the government has formulated a forward-looking ten-year perspective plan that sets a target of elevating the leather sector’s export earnings to a range of $10-$12 billion by 2030. The appeal of this industry to threat actors is underpinned by the potential for economic disruption, exploitation of supply chain vulnerabilities, and the theft of proprietary designs and technologies, all of which could impede the sector’s growth and its vital role in shaping Bangladesh’s economic future.

GEO-POLITICAL RISK FACTORS

Bangladesh, positioned as the world’s eighth most populous country with over 170 million people, is becoming a key player in the wider Indo-Pacific region. Despite its historical status as one of the world’s most destitute nations, sustained economic growth and social transformation have propelled Bangladesh into a new era of development. However, the geopolitical landscape in and around Bangladesh remains susceptible to instability and conflict, fuelled by historical relations, demographic shifts, and the potential ramifications of climate change.

The region is currently navigating significant geostrategic challenges, primarily driven by the ascent of India and China as superpowers, with prominent issues such as the South China Sea disputes and Taiwan garnering attention. Meanwhile, Bangladesh’s economic rise has quietly reshaped the geopolitical dynamics, shifting South Asia’s economic center eastward and fostering the reintegration of an eastern subcontinent once divided by animosities and formidable borders.

The geographic proximity of Bangladesh to neighboring countries, including Nepal, Bhutan, China, and Burma, positions it as an attractive partner with growing diplomatic, political, and economic ties. India, in particular, has strengthened its relationship with Bangladesh, transforming a historically complex connection into a productive partnership with tangible outcomes in various sectors.

Amidst this geopolitical landscape, Dhaka’s orientation towards the Indo-Pacific, starting from the Bay of Bengal, holds strategic significance. However, the complexity of regional relationships is evident, with China expressing concerns over Bangladesh joining the Quad, a grouping aimed at countering Beijing’s influence. In addition, Bangladesh’s strategic location is of great value to China, prompting initiatives to build alternative routes and secure port facilities in the Indian Ocean and Bay of Bengal region.

The intricate network of international relationships in the region, shaped by history, geography, economy, and strategic interests, carries the potential for conflict escalation, particularly in cyberspace. Factors such as the Chinese economic slowdown, Western pressure on technology manufacturing relocation, and Russia’s increasing dependence on China add layers of complexity to the regional dynamics, with potential manifestations in trade policies, territorial disputes, military buildup, and cyber conflicts.

The looming prospect of a conflict over Taiwan adds a significant flashpoint to the regional security horizon, with cyber warfare anticipated to play a major role, presenting unprecedented challenges. While overt military confrontation remains distant, cyber-attacks targeting governmental and private entities are projected to rise as a means of enforcing boundaries.

In this evolving landscape, the overarching priority for businesses in the region is to strengthen common network security standards and cybersecurity practices across sectors, acknowledging the potential cyber threats arising from the intricate geopolitical dynamics shaping the Bangladesh threat landscape.

TRENDS FROM THE DARK WEB

  • We observed 3 campaigns targeting various industries in Bangladesh during 2023. Russian and Pakistan state-sponsored threat actors are behind most of these campaigns. Details of the observed sample campaigns follow these points.
  • A noticeable shift has been noted in the behavior of Russian threat actors. They are expanding the scope of their attacks to encompass additional geographic regions, extending beyond their traditional targets in North America and Western Europe to include the Asia-Pacific and EMEA. Furthermore, there are concerns that these threat actors may be considering retaliatory actions, either directly or indirectly, against the United States and its allied nations.
  • The motivations driving threat actors from Pakistan to target Bangladesh can be multifaceted and include a range of factors such as historical geopolitical tensions, economic interests, political and ideological motives, cyber espionage, and regional dynamics. These cyberattacks may serve purposes as diverse as exerting influence, economic gain, intelligence gathering, and proxy actions.

| Malware Name | Targeted Services/Vulnerabilities | Campaign Name | Suspected Threat Actor | Target Industries | Target Geographies |
|---|---|---|---|---|---|
| Crimson RAT | Web Application, Operating System | UNC066 | Transparent Tribe | Aerospace & Defense, Multiline Retail, Government, Industrial Conglomerates, IT Services, Transportation Infrastructure, Diversified Consumer Services, Diversified Financial Services | Bangladesh, South Korea, the United States, Japan, the United Kingdom, United Arab Emirates, Israel, France, Nepal, Germany, India |
| LockBit3.0, Dridex | Web Application | UNC062 | TA505 | Health Care Equipment & Supplies, Multiline Retail, Household Durables, Entertainment, Industrial Conglomerates, Leisure Products, Media, IT Services, Health Care Providers & Services, Diversified Financial Services, Household Products, Textiles, Apparel & Luxury Goods | Canada, South Korea, Bangladesh, Belgium, the United States, Japan, Australia, France, Germany, India |
| CrimsonRAT, ObliqueRAT | Web Application, Operating System | Unnamed Campaign | Transparent Tribe | Professional Services | Bangladesh, Bhutan, Sri Lanka, Nepal, India |

DATA LEAKS

The CYFIRMA Research team observed the sale of 80 GB of Bangladeshi Navy intel from late 2022 for USD 3000.

We observed a data leak related to Telerad Medical Systems Ltd (TMS). TMS is a medical equipment importer, distributor, sales, supply, and service company in Bangladesh. Leaked data contains 4.4 GB of documents, databases, and other personal medical stuff.

We recently observed a data leak of the Bangladesh Police database and files. The threat actor claims that these files were obtained in 2020 from the email account of a high-ranking Bangladeshi Police official.

Link3 Technologies Ltd data was leaked in an underground forum. Link3 Technologies Ltd is a full-service IT Solutions Provider that has been operating in the Bangladesh market for more than ten years with a very high level of success, achieved through uncompromised service quality and customer satisfaction. Leaked data includes app installation and registered user data.

THREAT ACTORS TO WATCH

RANSOMWARE

Ransomware groups target Bangladesh for various reasons, including the country’s increasing economic significance, growth in critical sectors like textiles and IT, and the potential for financial gains through ransom payments. Bangladesh’s expanding digital infrastructure and financial systems provide attractive targets for cybercriminals seeking to exploit vulnerabilities and encrypt critical data, thereby demanding ransoms. Additionally, its geopolitical location in South Asia and regional conflicts could make it a potential battleground for cyberattacks aimed at exerting influence and promoting political agendas. As a result, ransomware groups view Bangladesh as a lucrative target, leveraging these factors to advance their cybercriminal activities.

Recently, Agrani Bank PLC, a state-owned commercial bank of Bangladesh, was compromised by a ransomware group.

ASSET EXPOSURES & VULNERABILITIES

Most Exploited vulnerabilities in Bangladesh

| VULNERABILITY | VENDOR | PRODUCT |
|---|---|---|
| CVE-2017-10271 | Oracle | Oracle Weblogic Server |
| CVE-2017-9841 | PHPUnit | PHPUnit |
| CVE-2018-10562 | Dasan | Dasan GPON Home Router |
| CVE-2019-2725 | Oracle | Oracle Weblogic Server |
| CVE-2024-24919 | Check Point | Check Point Security Gateway |
| CVE-2024-27198 | JetBrains | TeamCity |
| CVE-2021-44228 | Apache | Log4j |
| CVE-2014-8361 | Realtek | Realtek SDK |
| CVE-2019-0193 | Apache | Solr |
| CVE-2019-16920 | D-Link | D-Link DIR-615, DIR-655C, DIR-825, DIR-835, DIR-855L, DIR-866L, DIR-652, DIR-862L, DHP-1565, DAP-1533 |

  • All the observed exploited vulnerabilities in the given list are also part of CISA’s Known Exploited Vulnerabilities (KEV) catalog.
  • As per CISA, the following vulnerabilities are exploited by Ransomware Groups as well: CVE-2017-10271, CVE-2018-10562, CVE-2019-2725, CVE-2024-27198, CVE-2021-44228
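
One way a patching team could apply the Australia and Bangladesh exploited-vulnerability lists above to its own scanner output, as an added example that is not CYFIRMA's tooling. The three-tier ordering, the host names and the placeholder ID CVE-0000-00000 (standing for any CVE absent from the report) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Transcribed from this report's Australia and Bangladesh vulnerability tables.
EXPLOITED = {
    "Australia": {
        "CVE-2020-16846", "CVE-2019-11510", "CVE-2022-26134", "CVE-2021-44228",
        "CVE-2019-3929", "CVE-2014-8361", "CVE-2021-26855", "CVE-2023-29357",
        "CVE-2021-38647", "CVE-2023-20198", "CVE-2020-3452", "CVE-2021-21315",
        "CVE-2023-22527", "CVE-2017-9841", "CVE-2018-10562",
    },
    "Bangladesh": {
        "CVE-2017-10271", "CVE-2017-9841", "CVE-2018-10562", "CVE-2019-2725",
        "CVE-2024-24919", "CVE-2024-27198", "CVE-2021-44228", "CVE-2014-8361",
        "CVE-2019-0193", "CVE-2019-16920",
    },
}
# Subsets the report lists, citing CISA, as also exploited by ransomware groups.
RANSOMWARE = {
    "Australia": {
        "CVE-2019-11510", "CVE-2022-26134", "CVE-2021-44228", "CVE-2021-26855",
        "CVE-2023-29357", "CVE-2021-38647", "CVE-2023-22527", "CVE-2018-10562",
    },
    "Bangladesh": {
        "CVE-2017-10271", "CVE-2018-10562", "CVE-2019-2725", "CVE-2024-27198",
        "CVE-2021-44228",
    },
}
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed scanner output (host, finding); hosts are hypothetical.
SAMPLE_FINDINGS = [
    ("web-01", "CVE-2017-9841"),
    ("web-02", "cve-2017-9841 "),   # same CVE, untidy formatting
    ("ci-01", "CVE-2024-27198"),
    ("vpn-01", "CVE-2019-11510"),
    ("app-01", "CVE-2021-44228"),
    ("app-02", "CVE-2021-44228"),
    ("db-01", "CVE-0000-00000"),    # placeholder: a CVE not in the report
    ("app-01", "log4shell"),        # not a CVE ID, must not be silently dropped
]

def tier(cve, region):
    """1 = ransomware-associated, 2 = exploited in region, 3 = not in the report."""
    if cve in RANSOMWARE[region]:
        return 1
    if cve in EXPLOITED[region]:
        return 2
    return 3

def triage(findings, region):
    """Return (queue, rejected); queue rows are (tier, cve, sorted hosts)."""
    per_cve, rejected = defaultdict(set), []
    for host, raw in findings:
        cve = raw.strip().upper()
        if not CVE_ID.fullmatch(cve):
            rejected.append((host, raw))  # keep for manual review
            continue
        per_cve[cve].add(host)
    queue = [(tier(c, region), c, sorted(h)) for c, h in per_cve.items()]
    # Lowest tier first, then most affected hosts, then CVE ID for stability.
    queue.sort(key=lambda row: (row[0], -len(row[2]), row[1]))
    return queue, rejected

if __name__ == "__main__":
    for region in EXPLOITED:
        print(region, *triage(SAMPLE_FINDINGS, region), sep="\n  ")
```

The same findings rank differently per region: CVE-2019-11510 is tier 1 for Australia but unlisted for Bangladesh, while CVE-2024-27198 is the reverse.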

DDoS

In the last six months, Bangladesh’s threat landscape has been notably affected by distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector hit hardest, accounting for 69.30% of the attacks. Moreover, 39.95% of these attacks lasted longer than three hours, indicating a prolonged and impactful threat scenario. Attacks lasting between one and three hours accounted for a further 16.62%, a notable proportion of sustained assaults. In terms of bitrate, attacks ranging from 500 Mbps to 1 Gbps constituted 5.85%, while those below 500 Mbps made up the majority share at 87.17%. This distribution highlights the need for a comprehensive and adaptive cybersecurity strategy to mitigate the varying intensities of DDoS threats in Bangladesh.