The Asia Pacific (APAC) Threat Landscape Report provides a comprehensive overview of the evolving cybersecurity landscape in the region. In recent years, Asia Pacific has witnessed a significant increase in cyber threats, driven by factors such as rapid digitalization, increased internet penetration, and geopolitical tensions. This report aims to provide key insights into the current state of cyber threats, and emerging trends.
THE GEOGRAPHICAL SCOPE OF THIS REPORT
Japan, Bangladesh, Indonesia, Philippines, Vietnam, Australia
YET TO BE UPDATED
India, Malaysia, New Zealand, Singapore, South Korea, Taiwan, Thailand
UPDATED METHODOLOGY
This is a running report. Our research team will update this report on an ongoing basis to keep the reader updated on the evolving cyber threat landscape of the region.
Trend: Ransomware attacks on critical infrastructure
Motives: Disruption/Geopolitical/Extortion
Trend: Spyware, malware and plug-ins to collect data.
Motive: Reputation impact, disruption, extortion
Trend: Brute force attacks, credential reuse and data exfiltration via malware
Motive: Operational disruption, espionage, IP exfiltration
Trend: social engineering/phishing. jump server Exploits, remote access tool compromise
Motive: Operational disruption, espionage, IP exfiltration
Trend: Device scanning, firmware, phishing/malware download
Motives: Disruption, data harvesting, remote attacks (DDOS)
Trend: Multi-behavioral malware (IT/OT, different operating system
Target: CII trade secrets, documents containing proprietary processes
INCREASED SOPHISTICATION OF CYBER ATTACKS
The region has witnessed a rise in the sophistication of cyber attacks, with threat actors employing advanced techniques to compromise systems and networks.
TARGETED THREATS AGAINST CRITICAL INFRASTRUCTURE
The region has witnessed a rise in the sophistication of cyber attacks, with threat actors employing advanced techniques to compromise systems and networks.
RISE IN RANSOMWARE INCIDENTS
Ransomware attacks have surged in frequency and severity, posing significant challenges to businesses and government entities. The attackers often demand cryptocurrency payments for the release of compromised data.
NATION-STATE THREATS AND CYBER ESPIONAGE
Evidence suggests an increase in nation-state-sponsored cyber activities, including cyber espionage and information warfare. This poses significant geopolitical and security concerns for the region.
SUPPLY CHAIN VULNERABILITIES
The report identifies vulnerabilities in the regional supply chain, with cybercriminals exploiting weaknesses in third-party relationships to gain unauthorized access to targeted organizations.
MINING
Australia’s mining sector stands as a cornerstone of the nation’s economy, ranking as the world’s fourth-largest mining nation, following China, the United States, and Russia. It boasts prominent positions as a top producer of commodities such as gold, iron ore, lead, zinc, and nickel. Furthermore, Australia holds the world’s largest uranium reserves and ranks fourth in black coal resources. Recent data from the Australian Bureau of Statistics (ABS) reveals that the mining industry contributed a staggering A$455 billion ($298.64 billion) in export revenue during the 2022–23 fiscal year, accounting for approximately two-thirds of the nation’s total export revenue. This marks a notable 10.5% increase from the previous record set in 2021–22.
Given its economic significance and the wealth of valuable data it generates, the mining industry has become a prime target for cyber espionage campaigns. Threat actors, ranging from nation-states to organized criminal groups, are increasingly drawn to the sector’s vast data reservoirs, aiming to steal proprietary information, gain competitive advantages, or influence sales and mergers. The mining sector’s strategic importance in global supply chains further amplifies its susceptibility to cyber threats. Sophisticated and highly targeted cyber-attacks, orchestrated by diverse attacker groups, including hacktivists, hostile governments, and organized criminals, seek to exploit the industry’s vulnerabilities. These threats capitalize on the mining sector’s heavy reliance on integrated and automated systems, which, if compromised, could have cascading impacts on regional and global supply chains and national economies.
MANUFACTURING
Australia’s manufacturing landscape is characterized by its diversity, encompassing major sub-industries such as food, beverages, and tobacco; machinery and equipment; petroleum, coal, and chemicals; and metal products. Anticipating the future, the next two decades will witness a transformative shift in Australia’s manufacturing sector towards a more integrated, collaborative, and export-oriented ecosystem. This evolution is set to emphasize high-value customized solutions within global value chains, with a keen focus on value addition in both pre-production (design and R&D) and post-production (after-sales services). Additionally, sustainable manufacturing practices and a move towards low-volume, high-margin customized production are expected to shape the industry’s trajectory.
According to the 2023 CommBank Manufacturing Insights Report, a significant 72% of Australian manufacturers have optimistic production growth projections for the upcoming year. Concurrently, an equal proportion are gearing up to boost capital expenditure, earmarking investments in innovative technologies to refine processes, enhance efficiency, bolster productivity, elevate quality, and expand capacity.
While technological advancements have been instrumental in propelling the manufacturing sector forward, fostering innovation and driving operational enhancements, they also introduce a burgeoning array of cyber threats. The integration of advanced technologies, interconnected systems, and digital transformation initiatives have expanded the industry’s cyber-attack surface, making it an attractive target for threat actors. Threat actors are increasingly drawn to the manufacturing industry due to its pivotal role in the economy, critical infrastructure connections, intellectual property repositories, and the potential for disrupting global supply chains. The sector’s reliance on interconnected systems, data-driven operations, and integrated technologies presents vulnerabilities that cybercriminals aim to exploit, ranging from intellectual property theft and industrial espionage to operational disruptions and financial extortion.
AGRICULTURE
Australia’s agriculture sector stands as a linchpin of the nation’s economy, playing a pivotal role in both domestic production and international exports. The sector’s diverse array of primary products, including wheat, milk, fruits, nuts, vegetables, and meat, significantly contributes to the country’s GDP. Notably, key export commodities such as beef, wheat, wine, wool, and lamb underscore Australia’s global prominence in agricultural trade. The beef industry, in particular, shines as Australia’s largest agricultural enterprise, positioning the nation as the world’s second-largest beef exporter, trailing only behind Brazil. Impressively, approximately 72% of Australia’s agricultural production finds its way to international markets.
Despite its economic significance and global reach, the Australian agricultural industry finds itself increasingly in the crosshairs of cyber threats. Disturbingly, recent data positions the sector as the sixth most susceptible to data breaches. Threat vectors plaguing the industry encompass a spectrum of cyberattacks, ranging from data breaches and ransomware incidents to phishing campaigns, scam emails, and malware infiltrations.
The multifaceted nature of Australia’s agricultural sector, encompassing a spectrum from small-scale enterprises to expansive global operations, presents a complex cybersecurity landscape. This diversity translates into varying degrees of IT proficiency and cybersecurity awareness across the industry. While the sector witnesses a burgeoning influx of technological investments, there remains a discernible gap in prioritizing cybersecurity measures.
The integration of digital platforms, payment gateways, and advanced agricultural machinery, exemplified by precision agriculture technologies, inadvertently provides cyber adversaries with avenues to exploit vulnerabilities. These vulnerabilities extend beyond financial transactions, encompassing a broad spectrum of risks, including unauthorized access to personal and business data, compromise of production systems, and theft of intellectual property.
IT INDUSTRY
Australia’s IT sector is experiencing robust growth, boasting a compound annual growth rate of 13.47%, projected between 2022 and 2027. By 2027, the industry is forecasted to achieve a commendable value of US$146.98 billion. Demonstrating its momentum, Australia’s broader tech ecosystem currently stands at a valuation of $167 billion, marking an impressive 80% growth over the past five years. This surge is underpinned by Australia’s proficiency in diverse technological domains, encompassing Software as a Service (SaaS), fintech, cybersecurity, and digital gaming.
However, as the IT industry expands and evolves, it becomes an increasingly attractive target for cyber threats within the Australian landscape. The sector’s rapid growth, expansive value, and multifaceted expertise present a lucrative opportunity for threat actors.
Threat actors are drawn to the IT industry due to its pivotal role in the digital transformation era. With its vast repositories of valuable data, intellectual property, and financial transactions, the sector offers a treasure trove for cybercriminals seeking unauthorized access, data theft, or financial gains. Additionally, the interconnected nature of the IT ecosystem, encompassing cloud services, online platforms, and digital infrastructures, amplifies the sector’s susceptibility to cyber threats.
FINANCE
Australia’s financial services industry stands as a cornerstone of the nation’s economy, contributing a substantial $140 billion to the GDP. Notably, the sector’s growth trajectory has outpaced the overall economy in recent decades, evidenced by financial institutions’ assets surging to nearly 500% of GDP by 2020, a significant leap from the 200% recorded in the 1990s.
However, alongside its economic prominence, the finance industry’s digital transformation has attracted heightened cyber threats within the Australian landscape. In 2022 alone, targeted attacks on Financial Service Institutions (FSIs) escalated by approximately 200%. Threat actors are particularly drawn to the finance sector due to its wealth of valuable assets and data. The sector’s vast repositories, including credit card details, account information, personally identifiable information (PII), and critical network access, present lucrative opportunities for cybercriminals. These threat actors, motivated by financial gains or other malicious intentions, frequently target FSIs through sophisticated cybercrime campaigns, leveraging tactics such as ransomware attacks to extort funds or disrupt operations.
TOURISM
Beyond its economic contributions, Australia’s allure as a tourism hotspot is undeniable. The country’s diverse offerings cater to a broad spectrum of travelers, from the captivating depths of the Whitsundays for scuba enthusiasts and the iconic vistas of Uluru to the pristine trails of the Daintree Rainforest and the world-renowned New Year’s Eve fireworks spectacle in Sydney.
However, the tourism industry’s digital evolution and global prominence have inadvertently heightened its vulnerability to cyber threats within the Australian context. Threat actors are increasingly targeting the tourism sector, enticed by its vast customer base, extensive data repositories, and intricate supply chains. Threat actors view the tourism industry as a lucrative target, given its wealth of sensitive data, including traveler information, financial transactions, and reservation details. Additionally, the sector’s interconnected ecosystem, encompassing travel agencies, hospitality services, and online platforms, presents numerous avenues for cybercriminals to exploit vulnerabilities, ranging from data breaches and financial fraud to ransomware attacks.
LOGISTICS
The logistics industry plays an indispensable role in bolstering Australia’s economy, overseeing the intricate processes of production, storage, inventory management, and the efficient delivery and distribution of goods and services. As of 2023, the Australia Freight and Logistics Market commands a significant valuation of approximately 89.86 billion USD, with projections indicating a growth trajectory to reach 113.94 billion USD by 2029. This growth underscores the sector’s vitality, driven by the nation’s robust imports and exports dynamics.
However, as the logistics industry evolves and expands, it concurrently becomes a focal point for cyber threats within the Australian threat landscape. Threat actors are increasingly targeting the logistics sector, drawn by its pivotal role in the supply chain ecosystem, extensive network of stakeholders, and vast volumes of valuable data and goods in transit. Threat actors perceive the logistics industry as an attractive target due to its integral position in facilitating commerce and trade. Disruptions or compromises within the logistics chain can have cascading impacts, ranging from supply chain delays and financial losses to broader economic repercussions. Cybercriminals exploit vulnerabilities within the sector’s digital infrastructure, targeting critical systems, transport networks, and inventory management platforms to execute attacks such as ransomware, data breaches, or operational disruptions.
Nestled in the heart of the Asia Pacific, Australia emerges as a lone state-continent, an outpost of the West facing an increasingly delicate and hostile environment. This unique position sets the stage for a geopolitical tightrope walk with ramifications resonating far beyond its shores.
The Asia Pacific, home to over half the global population, commands strategic importance. Two-thirds of global container trade navigates its sea lanes, making it a vital artery for global trade and energy supply. Australia, with its growing economic power, tradition of aligning with the West, and proximity to critical sea lanes, finds itself thrust into the role of a strategic fulcrum in the unfolding U.S.-Chinese great-power competition.
However, this prominence comes at a cost. The Asia Pacific, and Australia in particular, confront a myriad of geopolitical threats, positioning the region as a hotbed of competition in the 21st century. The historical backdrop of unsettled relations, demographic shifts, and potential climate change fallout add layers of complexity, fostering an environment prone to instability and conflict.
Central to the geostrategic challenges is the rise of China as a superpower. The South China Sea disputes and the Taiwan issue loom large, with China pressing territorial claims that could leave Australia with no cost-free choices of political alignment. Australia’s decision to join the AUKUS defense pact underscores its commitment to the West, but this choice strains relations with crucial partners and triggers a full-blown trade war with China.
China’s coercive tactics extend into cyberspace, exemplified by recent cyber attacks on major Australian infrastructure. The use of cyber tools against allies is not unprecedented, as evidenced by Chinese APTs engaging in cyberespionage against Cambodia. This dynamic cyber landscape is further exacerbated by the divergence in visions between the West, led by Australia, and China, with the former upholding neutral rules and the latter fostering a hierarchical order.
The strained relations manifest in frequent cyber attacks, with Chinese APTs targeting Australian government and military offices. These attacks may spill into the civilian sector if diplomatic ties continue to deteriorate. Economic coercion becomes a weapon as Australia, more than any other country, bears the brunt of China’s restrictions on various products due to geopolitical disagreements.
Beyond the China-centric tensions, the region harbors multiple sources of potential conflicts, ranging from the India-Pakistan feud to North Korea’s posturing. The emergence of security partnerships like the QUAD and AUKUS platforms adds further complexity, as does the economic slowdown in China and the relocation of technology manufacturing.
Russia’s increasing dependence on China raises concerns of a forming Eurasian bloc, intensifying competition in trade, territorial disputes, military buildup, and cyber activities. The Asia Pacific emerges as a hotbed for cyber statecraft, with China leading the charge, closely followed by Russia and North Korea, while India aspires to cyber power status.
North Korea, emboldened by Russian backing, intensifies its cyber criminal activities, targeting South Korea, Japan, Australia, and U.S. security partners like the Philippines. The potential conflict over Taiwan looms as the biggest flashpoint, promising unpredictable cyber fallout and a prelude to a massive cyber campaign to intimidate regional countries.
While overt military confrontation remains distant, cyber attacks targeting governmental and private entities are projected to rise, serving as reminders not to overstep boundaries. The overarching imperative for businesses in the region is clear: bolster common network security standards and cybersecurity practices, fortifying resilience against the uncertainties of the evolving geopolitical landscape.
We observed 35 campaigns targeting various industries in Australia during 2023. Russian, Chinese, and North Korean state-sponsored threat actors are behind most of these campaigns. Here are some details about observed sample campaigns.
Malware Name | Targeted Services/ Vulnerabilities | Campaign Name | Suspected Threat Actor | Target Industries | Target Geographies |
PubLoad, PlugX RAT | Application Infrastructure Software, Web Application, Operating System | territorial integrity | Mustang Panda | Diversified Telecommunication Services, Government, Industrial Conglomerates, Wireless Telecommunication Services, Banks, Electric Utilities, Oil, Gas & Consumable Fuels, Diversified Financial Services | Vietnam, South Korea, United States, Japan, Philippines, United Kingdom, Thailand, Australia, France, India |
FlawedAmmyy RAT, CosmicDuke, Zeus Bot or Zbot | Web Application | Evian | Fancy Bear,TA505,Cozy Bear | Health Care Equipment & Supplies, Multiline Retail, Industrial Conglomerates, IT Services, Diversified Financial Services, Textiles, Apparel & Luxury Goods | Myanmar, Singapore, Cambodia, United States, Japan, Philippines, Malaysia, Thailand, Brunei, Canada, South Korea, Vietnam, Belgium, Timor-leste, Australia, France, Laos, Germany, Indonesia |
NukeSped RAT, FallChill | Web Application, Database Management Software, Operating System | UNC050 | Lazarus Group | Auto Components, Industrial Conglomerates, IT Services, Transportation Infrastructure, Diversified Financial Services, Automobiles | Singapore, Turkey, United States, Japan, Europe, United Kingdom, United Arab Emirates, Australia, India |
The number of observed campaigns significantly increased compared to the last two years, indicating threat actors’ interest in Australia’s economic and geopolitical dominance.
CYFIRMA Research team observed a data leak related to Australia-based Keech (keech[.]com[.]au) manufacturing company. Keech produces a complete range of ground-engaging tools for mining, earthmoving, and construction equipment, as well as high-integrity steel castings for use in agriculture, rail, and defense industries. Indonesia-based threat actor StarsX Cyber Team claimed responsibility for the leak of 125.76MB of data as part of the #opaustralian campaign.
CYFIRMA Research team observed a data leak related to GranvueHomes (www[.]granvuehomes[.]com[.]au). Granvue Homes is Melbourne’s leading new house builder. Leaked data contains name, e-mail, phone, post code, and other information.
The Australian solar energy company; AG Energy suffered a data breach. The leak led to the exposure of data including Full names, Email addresses, Home phone numbers, Mobile phone numbers, and Physical addresses. In total, 138k customers were affected.
CYFIRMA Research team observed a data leak related to IAB Australia. IAB Australia is the peak trade association for online advertising in Australia.
Australia, like many developed nations, is susceptible to ransomware attacks due to its strong economy, advanced digital infrastructure, and global connectivity. The attractiveness of potential high ransom payments, coupled with the interconnectivity of critical systems, makes it a target for cybercriminals. Additionally, if cybersecurity measures are not consistently robust, vulnerabilities may be exploited, leading to an increased risk of successful attacks on both public and private sectors. While specific motives can vary, the combination of economic factors and digital prominence contributes to the likelihood of Australia being targeted by ransomware attacks. Notably, this threat landscape is influenced by formidable ransomware groups, including LockBit, BlackCat (Alphvm), Cl0p, and 8Base, which feature prominently on the list of perpetrators targeting Australian companies.
Vulnerability | CVSS Score | Vendor | Product |
CVE-2023-22952 | 8.8 | SugarCRM | SugarCRM |
CVE-2022-26134 | 9.8 | Atlassian | Confluence |
CVE-2023-20198 | 10 | Cisco | Cisco IOS XE |
CVE-2023-22515 | 9.8 | Atlassian | Confluence |
CVE-2021-44228 | 9.8 | Apache | Log4j |
CVE-2023-36845 | 9.8 | Juniper | Junos OS (J-Web) |
CVE-2020-8193 | 6.5 | Citrix | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP |
CVE-2020-3452 | 7.5 | Cisco | Cisco ASA and Cisco Firepower Threat Defense |
CVE-2017-5638 | 10.0 | Apache | Struts |
CVE-2019-3929 | 9.8 | Barco/AWIND | Barco/AWIND OEM |
CVE-2021-21315 | 7.8 | Node.js | Node.js |
CVE-2022-35914 | 9.8 | GLPI (teclib) | GLPI |
CVE-2023-35078 | 9.8 | Ivanti | MobileIron Core |
CVE-2021-26855 | 9.8 | Microsoft | Exchange |
CVE-2019-7192 | 9.8 | QNAP | QNAP NAS devices running Photo Station |
In the last six months, Australia threat landscape has undergone a notable impact from distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector being particularly affected, representing a significant 80.90% of the attacks. Moreover, a substantial 56.81% of these attacks endured for periods exceeding three hours, indicating a prolonged and impactful threat scenario. Additionally, attacks within the one to three-hour duration range accounted for 13.05%, underscoring a notable proportion of sustained assaults. Examining bitrates, attacks with speeds ranging from 500 Mbps to 1 Gbps constituted 6.58%, while those with less than 500 Mbps made up the majority share at 90.98%. This diverse distribution highlights the necessity for a comprehensive and adaptive cybersecurity strategy to effectively mitigate the varying intensities of DDoS threats in Australia.
TEXTILE INDUSTRY
When considering the Bangladesh threat landscape, the country’s prominent textile industry becomes a notable focal point for threat actors. Bangladesh stands as the world’s second-largest clothing exporter, second only to China. The textile manufacturing market in Bangladesh is on a growth trajectory, expected to expand from USD 17.99 billion in 2023 to USD 23.86 billion by 2028, with over 4,500 active factories. The clothing and textile sector accounts for a substantial 75% of the nation’s manufacturing employment and contributes significantly to Bangladesh’s GDP, exceeding 13%. Furthermore, textiles and related products constitute over 84% of export earnings. This industry’s lucrative nature, extensive supply chain interconnections, and economic impact make it an appealing target for threat actors interested in disrupting production, compromising trade secrets, and exploiting vulnerabilities, thereby influencing both the country’s economic stability and global trade dynamics.
SHIPBUILDING
The nation’s shipbuilding industry emerges as a significant point of interest for threat actors. Bangladesh, as a maritime nation with aspirations to become a developed economy by 2041 through the prospects of the Blue Economy, places a strategic emphasis on its shipbuilding sector. Presently, with over 200 shipbuilding companies, this industry wields substantial influence with its ability to generate considerable foreign currency through ship exports, drive employment opportunities, establish vital support for backward linkage industries, and significantly contribute to the national GDP. These attributes that make the shipbuilding industry a cornerstone of economic development render it an appealing target for threat actors keen on disrupting economic stability, disrupting international trade, or compromising sensitive shipbuilding technologies, thus undermining Bangladesh’s path towards economic advancement and its maritime ambitions.
TOURISM
Bangladesh boasts breathtaking natural attractions like the Sundarbans; one of the largest mangrove forests globally, and Cox’s Bazar Sea Beach, the longest in the world, among others. These natural wonders position the country as a potential hotspot for local and international tourists. Presently, the tourism industry contributes 3.02% to the nation’s GDP and accounts for 8.07% of its total employment. Notably, the Bangladesh Tourism Board (BTB) has outlined an ambitious 25-year tourism master plan to attract 10 million tourists by 2040 and generate an annual revenue of $8 billion. While this vision holds the promise of increased inbound and domestic tourism and a boost in sector investment, it also garners the attention of threat actors who may seek to disrupt the sector’s growth, compromise the safety of travellers, or exploit vulnerabilities within the industry for economic or political gain, potentially hampering Bangladesh’s path to realizing its tourism aspirations.
INFORMATION TECHNOLOGY
Bangladesh is swiftly establishing itself as a prominent player in the global IT arena, successfully securing a significant share of the IT market in South Asia. This industry is acknowledged as one of the nation’s most promising sectors and is projected to reach a substantial valuation of USD 5 billion by 2025. Notably, the Information and Communication Technology (ICT) sector has already contributed 1.28% to Bangladesh’s GDP, while simultaneously creating over 300,000 jobs. The rapid growth and economic potential of the IT sector make it a prime target for threat actors who may seek to exploit vulnerabilities, engage in cyber espionage, or compromise sensitive information. This heightened interest from threat actors is driven by the industry’s potential for economic disruption, intellectual property theft, and its pivotal role in shaping Bangladesh’s technological future.
LEATHER INDUSTRY
Bangladesh’s leather sector is a well-established industry, ranking second in terms of export earnings. Thanks to its remarkable value, substantial growth prospects, and extensive employment opportunities, the leather industry has been accorded top priority status. Notably, Bangladesh captures a 3% share in the global leather and leather products market, with nearly 60% of its annual output being destined for export. Significantly, the government has formulated a forward-looking ten-year perspective plan that sets a target of elevating the leather sector’s export earnings to a range of $10-$12 billion by 2030. The appeal of this industry to threat actors is underpinned by the potential for economic disruption, exploitation of supply chain vulnerabilities, and the theft of proprietary designs and technologies, all of which could impede the sector’s growth and its vital role in shaping Bangladesh’s economic future.
Bangladesh, positioned as the world’s eighth most populous country with over 170 million people, is becoming a key player in the wider Indo-Pacific region. Despite its historical status as one of the world’s most destitute nations, sustained economic growth and social transformation have propelled Bangladesh into a new era of development. However, the geopolitical landscape in and around Bangladesh remains susceptible to instability and conflict, fuelled by historical relations, demographic shifts, and the potential ramifications of climate change.
The region is currently navigating significant geostrategic challenges, primarily driven by the ascent of India and China as superpowers, with prominent issues such as the South China Sea disputes and Taiwan garnering attention. Meanwhile, Bangladesh’s economic rise has quietly reshaped the geopolitical dynamics, shifting South Asia’s economic center eastward and fostering the reintegration of an eastern subcontinent once divided by animosities and formidable borders.
The geographic proximity of Bangladesh to neighboring countries, including Nepal, Bhutan, China, and Burma, positions it as an attractive partner with growing diplomatic, political, and economic ties. India, in particular, has strengthened its relationship with Bangladesh, transforming a historically complex connection into a productive partnership with tangible outcomes in various sectors.
Amidst this geopolitical landscape, Dhaka’s orientation towards the Indo-Pacific, starting from the Bay of Bengal, holds strategic significance. However, the complexity of regional relationships is evident, with China expressing concerns over Bangladesh joining the Quad, a grouping aimed at countering Beijing’s influence. In addition, Bangladesh’s strategic location is of great value to China, prompting initiatives to build alternative routes and secure port facilities in the Indian Ocean and Bay of Bengal region.
The intricate network of international relationships in the region, shaped by history, geography, economy, and strategic interests, carries the potential for conflict escalation, particularly in cyberspace. Factors such as the Chinese economic slowdown, Western pressure on technology manufacturing relocation, and Russia’s increasing dependence on China add layers of complexity to the regional dynamics, with potential manifestations in trade policies, territorial disputes, military buildup, and cyber conflicts.
The looming prospect of a conflict over Taiwan adds a significant flashpoint to the regional security horizon, with cyber warfare anticipated to play a major role, presenting unprecedented challenges. While overt military confrontation remains distant, cyber-attacks targeting governmental and private entities are projected to rise as a means of enforcing boundaries.
In this evolving landscape, the overarching priority for businesses in the region is to strengthen common network security standards and cybersecurity practices across sectors, acknowledging the potential cyber threats arising from the intricate geopolitical dynamics shaping the Bangladesh threat landscape.
Malware Name | Targeted Services/ Vulnerabilities | Campaign Name | Suspected Threat Actor | Target Industries | Target Geographies |
Crimson RAT | Web Application, Operating System | UNC066 | Transparent Tribe | Aerospace & Defense, Multiline Retail, Government, Industrial Conglomerates, IT Services, Transportation Infrastructure, Diversified Consumer Services, Diversified Financial Services | Bangladesh, South Korea, United States, Japan, United Kingdom, United Arab Emirates, Israel, France, Nepal, Germany, India |
LockBit3.0, Dridex | Web Application | UNC062 | TA505 | Health Care Equipment & Supplies, Multiline Retail, Household Durables, Entertainment, Industrial Conglomerates, Leisure Products, Media, IT Services, Health Care Providers & Services, Diversified Financial Services, Household Products, Textiles, Apparel & Luxury Goods | Canada, South Korea, Bangladesh, Belgium, United States, Japan, Australia, France, Germany, India |
CrimsonRAT, ObliqueRAT | Web Application, Operating System | Unnamed Campaign | Transparent Tribe | Professional Services | Bangladesh, Bhutan, Sri Lanka, Nepal, India |
The CYFIRMA Research team observed the sale of 80 GB of Bangladeshi Navy intel from late 2022 for USD 3000.
We observed a data leak related to Telerad Medical Systems Ltd (TMS). TMS is a Medical Equipment Importer, distributor, sales, supply, and service company in Bangladesh. Leaked data contains 4.4 GB of documents, databases, and other personal medical stuff.
Recently observed data leak of Bangladesh Police Database and files. Threat actor claims that these files were obtained in 2020 from the email account of a high-ranking Bangladeshi Police official.
Link3 Technologies Ltd data leaked in an underground forum. Link3 Technologies Ltd is a full-service IT Solution Provider that has been operating in the Bangladesh market for more than ten `years with a very high level of success, achieved through uncompromised service quality and customer satisfaction. Leaked data includes App installation and registered user data.
Ransomware groups target Bangladesh for various reasons, including the country’s increasing economic significance, growth in critical sectors like textiles and IT, and the potential for financial gains through ransom payments. Bangladesh’s expanding digital infrastructure and financial systems provide attractive targets for cybercriminals seeking to exploit vulnerabilities and encrypt critical data, thereby demanding ransoms. Additionally, its geopolitical location in South Asia and regional conflicts could make it a potential battleground for cyberattacks aimed at exerting influence and promoting political agendas. As a result, ransomware groups view Bangladesh as a lucrative target, leveraging these factors to advance their cybercriminal activities.
Recently, the ALPHV ransomware group infiltrated Bangladesh Krishi Bank’s network, extracting over 170 GB of crucial information. Their presence went undetected for 12 days, allowing them ample time to study internal documentation and steal valuable data. The compromised information includes highly sensitive financial records such as account details, statements, and tax information. The hackers also acquired employee data, including emails, passport copies, labour papers, and employment contracts, potentially exposing the personal information of the bank’s staff.
VULNERABILITY | VENDOR | PRODUCT | CVE SCORE |
CVE-2019-2725 | Oracle | Oracle Weblogic Server | 9.8 |
CVE-2017-10271 | Oracle | Oracle Weblogic Server | 7.5 |
CVE-2019-0193 | Apache | Solr | 7.2 |
CVE-2023-22515 | Atlassian | Confluence | 9.8 |
CVE-2017-12149 | RedHat | JBoss | 9.8 |
CVE-2023-4966 | Citrix | Citrix ADC and Citrix Gateway | 7.5 |
]CVE-2019-19356 | netis | netis WF2419 | 7.5 |
CVE-2017-9841 | PHPUnit – Sebastian Bergmann | PHPUnit | 9.8 |
CVE-2017-12615 | Apache | Tomcat | 8.1 |
CVE-2014-8361 | Realtek | Realtek SDK | 8.3 |
In the last six months, Bangladesh’s threat landscape has undergone a notable impact from distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector being particularly affected, representing a significant 69.30% of the attacks. Moreover, a substantial 39.95% of these attacks endured for periods exceeding three hours, indicating a prolonged and impactful threat scenario. Additionally, attacks within the one to three-hour duration range accounted for 16.62%, underscoring a notable proportion of sustained assaults. Examining bitrates, attacks with speeds ranging from 500 Mbps to 1 Gbps constituted 5.85%, while those with less than 500 Mbps made up the majority share at 87.17%. This diverse distribution highlights the necessity for a comprehensive and adaptive cybersecurity strategy to effectively mitigate the varying intensities of DDoS threats in Bangladesh.
Japan’s diverse industrial sectors and cutting-edge technology products make it an appealing target for nation-state attackers and financially motivated threat actors. Furthermore, hacktivists have also been observed targeting Japanese industries, alongside APT and other threat actors, reflecting the multifaceted cybersecurity challenges these sectors face.
From a geopolitical standpoint, Japan confronts substantial challenges stemming from China, Russia, and North Korea. These challenges relate to regional dominance, its strategic alliances with QUAD and NATO, as well as ongoing territorial disputes.
CHINA
Japan’s geopolitical risk factors in relation to China have shifted significantly in recent years. After World War II, Japan adopted a strong pacifist stance, prioritizing economic growth over military expenditure. However, the rise of China’s expansionist policies in the Indo-Pacific, particularly the looming threat of a Chinese invasion of Taiwan, has prompted Japan to reevaluate its security posture. Japanese Prime Minister Fumio Kishida’s announcement to double defense spending from one to two percent of GDP signifies a substantial departure from the country’s historical defense policy. This change, which builds upon the efforts of the previous Prime Minister Shinzo Abe, reflects Japan’s increasing focus on countering China and deepening military integration with the United States. As Japan strategically shifts military capabilities to its southwest islands, Taiwan emerges as a key flashpoint in its security considerations.
In essence, Japan’s evolving geopolitical risk factors with respect to China are characterized by a departure from decades of pacifism, a substantial increase in defense spending, a growing emphasis on countering Chinese influence, and a heightened awareness of Taiwan’s significance as a potential security flashpoint. These developments represent a significant transformation in Japanese security policy as it adapts to changing regional dynamics and challenges posed by China’s assertive posture in the Indo-Pacific.
NORTH KOREA
During the Cold War, Japan primarily focused on the threat posed by the Soviet Union, positioning its limited military capabilities in the northern regions. However, with the end of the Cold War, Japan shifted its attention towards the threat emanating from North Korea in the east.
In recent years, North Korea has been escalating tensions through a series of missile tests and nuclear posturing on the Korean Peninsula. The year 2022 witnessed unprecedented missile tests, including intercontinental ballistic missiles fired over Japanese territory. Furthermore, North Korea has strengthened its alignment with Russia and China, pledging closer strategic and tactical cooperation which enables North Korea to conduct more aggressive testing with relative impunity.
In addition to this, North Korea’s export of weapons to Russia for its war in Ukraine, possibly in exchange for cyber know-how and intelligence, raises concerns about the potential for North Korean cyber activities. Japan, along with South Korea and Australia, is among the most exposed geographies to North Korean cyber activities, however, North Korean threat actors are known for their opportunistic approach, engaging in criminal activities such as ransomware-based operations to generate financial profit, wherever opportunities arise.
RUSSIA
Japan’s relationship with Russia has been strained due to a longstanding territorial dispute over the Kuril Islands, known as the Northern Territories in Japan. Recent developments indicate a significant change in Japan’s rhetoric concerning these disputed islands: Japanese Foreign Minister Yoshimasa Hayashi has accused Russia of occupying the Northern Territories without legal grounds, while Prime Minister Fumio Kishida asserted Japan’s sovereignty over them.
This shift in Japan’s stance follows Russia’s aggression in Ukraine and contrasts with the previous administration’s efforts to resolve the territorial dispute peacefully using softer language. While Russia’s current military capacity may not permit overt provocation, concerns have arisen about the use of cyberattacks to caution Japan not to overstep boundaries regarding the disputed islands.
Japan’s changing security posture is not occurring in isolation. It is part of a broader transformation in the U.S.-Japan alliance, involving South Korea, Australia, and the Philippines in defense alliances. This shift is in response to China’s assertive behavior in the region; a more capable North Korea, and Russia’s growing discontent, potentially leading to unpredictable actions against states with which it has territorial disputes.
These geopolitical factors require Japan to maintain a vigilant and adaptive approach to its national security and defense strategies.
Recent incidents of data breaches have come to light in Japan. Here are some notable cases:
The research team observed a data leak associated with the Japanese Ministry of Land, and Infrastructure which contains employees’ email, phone numbers, and administration panel credentials.
Japan’s foremost email friend search platform, Atmeltomo, experienced a data breach that subsequently became available for sale on a well-known hacking forum. This security incident led to the exposure of 1.3 million records, encompassing 580,000 distinct email addresses, as well as usernames, IP addresses, and MD5 password hashes.
NipponPaint, one of Japan’s largest manufacturers of paint products, fell victim to a data breach that was later made available for purchase on a widely recognized hacking forum. This cybersecurity incident resulted in the compromise of the company’s employee database, which included personal details such as names, birth dates, email addresses, blood types, addresses, hobbies, and more.
During the period spanning from January 1st to December 1st, CYFIRMA’s advanced telemetry systems meticulously detected a staggering total of 720,038 phishing campaigns. Within this extensive dataset, it’s noteworthy that Japan emerged as the second-most targeted geographic region in Asia.
The observed campaign in Japan reveals several prominent themes exploited in phishing attacks. Among these, the sectors most frequently targeted include Government, Financial, Social Networking, Online/Cloud Services, and Transportation. These findings shed light on the diverse range of sectors that malicious actors are leveraging to carry out phishing attacks within Japan. Understanding these prevalent themes is crucial for enhancing cybersecurity measures and safeguarding against the evolving tactics employed by cybercriminals.
Japan stands out as one of the prominent targets of ransomware attacks in the Asia Pacific region. Among the sectors within Japan, the automotive, manufacturing, IT, and entertainment industries have experienced the most pronounced impact from these ransomware incidents. Notably, this threat landscape is influenced by formidable ransomware groups, including LockBit, BlackCat (Alphvm), and Cl0p, which feature prominently on the list of perpetrators targeting Japanese companies.
During our Open-Source Intelligence (OSINT) investigation, we discovered a substantial volume of internet-connected devices and systems linked to Japan. Specifically, our search revealed a staggering count of approximately 300,000 systems that exhibit vulnerabilities within the multiple versions of the Apache HTTP Server. These vulnerabilities span a spectrum from critical to medium severity, underscoring the potential risks associated with this widespread exposure.
Industrial Control Systems (ICS) are integral to the functioning of various critical infrastructures, such as power plants, water treatment facilities, transportation systems, and manufacturing units. These systems are strategically important, making them potential targets for various threat actors.
In our OSINT research, we found around 3,291 Industrial Control Systems exposed to the Internet, owned by organizations in Japan, potentially allowing an attacker to access them.
JVN trend depicts increased exploitation of vulnerability spread across various IT products.
Note: JVN, which stands for Japan Vulnerability Notes, is a portal site on IT product vulnerability information handled in the Japanese framework called “The Information Security Early Warning Partnership”. It provides detailed information on each vulnerability, including a summarized description, affected products, possible impacts, solutions, vendor statements, and reference documents.
The exploitation of vulnerabilities, particularly zero-day vulnerabilities, serves as a favored entry point for threat actors seeking to bypass detection mechanisms. Notably, both Chinese and Russian threat actors have gained notoriety for their adeptness in leveraging zero-day exploits, as part of their espionage efforts. Moreover, these threat actors actively seek opportunities to launch supply chain attacks, aiming to compromise a wider attack surface. This multifaceted approach underscores the continually evolving tactics employed by these adversaries. Given Japan’s expansive industrial sectors and the significant shift towards industrial automation, it becomes paramount to emphasize the critical importance of effective vulnerability management. This approach is essential to secure various aspects of the technology landscape, including Operational Technology (OT), Industrial Control Systems (ICS), IoT devices, and all interconnected systems, ensuring the continued integrity and security of Japan’s critical infrastructure.
The Quantum of DDoS attacks increased globally after the start of the Russia-Ukraine war, when pro-Russian and pro-Ukraine hacktivists started targeting each other with DDoS campaigns and also started targeting alliance nations to show support to their respective country. Japan is the most targeted country in Asia by pro-Russian hacktivists. Recently we observed a Russian hacktivist group launching DDoS attacks on Japanese Organisations in response to Japanese government general secretary Hirokazu Matsuno announcing, “tough anti-Russian measures”.
Overall, we observed 31 campaigns targeting Japan. Government Institutions, Transportation, and Manufacturing are the most targeted industries by pro-Russian hacktivists.
Along with the pro-Russian hacktivists threat, Anonymous Italy recently re-launched cyberattacks against nuclear power-linked groups in Japan as part of an operation called #OpFukushima, which was initiated earlier in April 2021. The campaign was launched to protest against the Government’s plan to release the treated radioactive water from the Fukushima nuclear plant into the sea. In the campaign, hacktivists started targeting the Japan Atomic Energy Agency, Japan Atomic Power Co., the Atomic Energy Society of Japan, and associated companies.
The cyber threat landscape extends beyond Japan’s geographical borders, with overseas subsidiaries and affiliated companies emerging as appealing targets for threat actors seeking access to global Japanese brands. In recent large-scale attacks on Japanese enterprises, adversaries have strategically chosen to compromise these overseas entities as a gateway into the networks of their Japanese counterparts. Several key factors contribute to this approach:
Varied Security Oversight: overseas affiliates often exhibit varying levels of security oversight compared to their Japanese counterparts. This discrepancy can make them more vulnerable entry points for attackers.
Security Vulnerabilities via Acquisitions: the acquisition of overseas firms can introduce pre-existing security vulnerabilities into the parent company’s network. Additionally, it may lead to the development of separate security hierarchies that do not align with the security culture of the parent company, creating potential weak links in the overall defense.
Language Barriers: language barriers can also play a role in this strategy. Attackers may exploit communication challenges to infiltrate Japanese companies through overseas partners, taking advantage of gaps in understanding and coordination.
Financial Motivation: Indonesia is the largest economy in Southeast Asia and possesses abundant natural resources. This makes it an attractive target for cybercriminals seeking financial gains through activities, such as hacking into financial institutions, conducting ransomware attacks, or stealing sensitive financial data.
Political Motivation: Indonesia is the world’s fourth most populous country and has a diverse political landscape. Political motivations for targeting Indonesia could include influencing elections, destabilizing the government, or compromising political figures or organizations.
Geopolitical Motivation: Indonesia’s strategic location in Southeast Asia, along with its large population and economic potential, makes it an important player in regional and global geopolitics. Threat actors with geopolitical motivations target Indonesia to gain a competitive advantage, disrupt regional stability, or gather intelligence.
MANUFACTURING
With Indonesia ambitiously aiming to secure a position among
the worlds’ largest economies by 2030, the manufacturing sector has become an appealing target for cyber threats. Threat actors may seek to exploit vulnerabilities within manufacturing infrastructure for various reasons, including potential economic disruption, theft of intellectual property or industrial espionage.
INFRASTRUCTURE AND CONSTRUCTION
The Indonesian government’s substantial investment commitment of $430 billion from 2020 to 2024 amplifies the sector’s significance, making it a focal point for both economic development and potential cyber threats, as outlined in a report by PwC. The critical areas of roads, tolls parts, airports railways, water and power plants in Indonesia present significant opportunities for investment but also pose cybersecurity challenges. Threat actors may be drawn to this sector due to the potential for financial gains, the large-scale impact of disruptions to critical infrastructure, and the myriad of interconnected system susceptible to cyber-attacks
TRAVEL AND TOURISM
The diversity of Indonesia comprising a huge number of islands, each offering a unique atmosphere makes it particularly appealing to international travellers. The surge in foreign tourist arrivals further highlights the industry’s resilience, following the easing of pandemic restrictions. Threat actors are likely interested in this sector due to its economic importance. The sheer volume of transactions and the potential for exploiting vulnerabilities, in the complex travel ecosystem includes booking system, personal data records and payment processes.
MINING
Indonesia stand as a significant player in the global mining industry, renowned for its substantial production of coal, gold, tin, copper, and nickel. Indonesia’s mining sector is poised to emerge as one of the top potential leading industries within the country. This prominence, however, also attracts the attention of threat actors within the cybersecurity realm. The strategic importance of the mining industry in Indonesia, contributing significantly to the country’s economy, makes it a lucrative target for cyber threats. Threats actors may be interested in exploting vulnerabilities within the mining sector for various reasoms, including potential financial gains, stealing sensitive geological data, disrupting operations or engaging in industrial espionage.
AVIATION
With Indonesian airports experiencing a surge in air traffic and the expansion of infrastructure to cater to tourist destinations, the need for robust cybersecurity measures is crucial to safeguard against potential cyber threats and ensure the resilience of the aviation industry’s operations. The areas of growth highlighted by the international trade administration, including enhancements to ground infrastructure, runways and air traffic systems present specific points of interest for threat actors seeking to exploit potential vulnerabilities within the aviation sector.
eCOMMERCE
In the Indonesian threat landscape, the surge of eCommerce has been a notable trend intensifying even more in the post-pandemic era. Dominated by platforms such as Tokopedia and Shopee, online shopping has gained significant traction, with a Deloitte survey indicating that 31% of Indonesians opt for online shopping due to its convenience and practicability. This dynamic eCommerce landscape not only presents opportunities but also presents ample opportunities for cybercriminals to exploit vulnerabilities, engage in data theft for monetization on the dark web, and conduct fraudulent transactions.
The Asia-Pacific region, with its significant population and pivotal role in global trade, is a focal point for geopolitical competition, primarily exemplified by the rivalry between the United States and China. Indonesia, as Southeast Asia’s largest economy, holds a vital position in this landscape, thanks to its economic growth and control of critical sea lanes. This competition is compounded by multifaceted geopolitical threats stemming from complex regional relations, demographic shifts, and climate change.
Notably, China’s ascent as a superpower shapes the key geopolitical concerns in the region, with the South China Sea disputes and the Taiwan issue at the forefront. China’s territorial claims extend to the South China Sea, including Indonesia’s exclusive economic zone in the Natuna Sea. This has led to territorial tensions, with near-armed conflict in 2019 and 2020.
Indonesia’s foreign policy historically emphasizes nonalignment, aiming to balance relations with the United States and China. Recent efforts have seen the mending of relations with China, with growing economic ties and political interactions. Simultaneously, Jakarta maintains strong security ties with the United States.
However, these developments strain relations with China, and as regional countries assert their sovereignty and economic interests, tensions could rise. Cyber espionage activities primarily target government entities but are expected to expand to non-governmental organizations and commercial entities. The Asia-Pacific region houses some of the world’s most active state-sponsored cyber actors, led by China, followed by Russia and North Korea, while India emerges as an aspiring cyber power.
The potential flashpoint in the regional security landscape centers around the Taiwan issue, with cyber campaigns likely preceding any conflict. While overt military confrontations remain unlikely, cyberattacks targeting various entities are projected to increase. Strengthening network security standards and cybersecurity practices is the top priority for businesses, as regional stability and economic prosperity depend on cybersecurity resilience in this volatile geopolitical environment.
Malware Name | Targeted Services | Campaign Name | Suspected Threat Actor | Target Industries | Target Geographies |
FlawedAmmyy RAT, CosmicDuke, Zeus Bot, or Zbot | Web Application | Evian | Fancy Bear,TA505,Cozy Bear | Health Care Equipment & Supplies, Multiline Retail, Industrial Conglomerates, Software & Services, IT Services, Web Application, Malware, Software, Capital Goods, Diversified Financial Services, Textiles, Apparel & Luxury Goods | Myanmar, Singapore, Cambodia, United States, Japan, Philippines, Malaysia, Thailand, Brunei, Canada, South Korea, Vietnam, Belgium, Timor-leste, Australia, France, Laos, Germany, Indonesia |
TICK,Lazarus Group | Web Application | UNC069 | TICK,Lazarus Group | Real Estate Management & Development, Government, Software & Services, IT Services, Capital Goods, Automobiles, Construction & Engineering, Food Products, Construction Materials, Multiline Retail, Auto Components, Food & Staples Retailing, Hotels, Restaurants & Leisure, Industrial Conglomerates, Energy Equipment & Services, Leisure Products, Web Application, Malware, Software, Diversified Financial Services, Hospital, Beverages, Textiles, Apparel & Luxury Goods | South Korea, Vietnam, Czech Republic, United States, Japan, Taiwan, United Kingdom, South Africa, Australia, Germany, India, Indonesia |
Winnti for Windows | Web Application | UNC065 | MISSION2025 | Government, Software & Services, Internet & Direct Marketing Retail, Materials, IT Services, Transportation Infrastructure, Exploits, Capital Goods, Automobiles, Vulnerabilities, Water Utilities, Industrial Conglomerates, Banks, Web Application, Independent Power And Renewable Electricity Producers, Malware, Software, Diversified Financial Services, Textiles, Apparel & Luxury Goods, Thrifts & Mortgage Finance | Singapore, United States, Japan, Uzbekistan, United Kingdom, Malaysia, United Arab Emirates, Thailand, India, New Zealand, Turkey, Brazil, Australia, Nigeria, Indonesia |
In May 2023 LockBit Ransomware group successfully compromised Bank Syariah Indonesia (BSI), a subsidiary of the state-owned enterprise Bank Mandiri. The cyberattack resulted in the acquisition of 1.5 terabytes of data, including nine databases containing information about the bank’s employees and more than 15 million customers. The stolen databases contained sensitive data such as customers’ full names, phone numbers, addresses, proprietary documentation, account numbers, card numbers, NonDisclosure Agreements (NDAs), transaction histories, contracts, and passwords. Following the breach, LockBit demanded a ransom of US$20 million. However, negotiations between BSI and the ransomware group broke down, leading LockBit to publish the stolen data on various underground leak forums. This exposure heightened the risk of cyberattacks and scams targeting BSI clients and employees. In addition to the immediate consequences, the data breach poses long-term risks. Efforts to attract global investors may be adversely affected, and the bank faces potential legal consequences, including lawsuits and penalties.
Integra Group (www[.]integragroup-indonesia[.]com) Indonesia’s largest wood manufacturer group has been compromised. An unknown threat actor advertised 3.57 GB data of 7 companies under Integra Group.
Badan Tenaga Nuklir Nasional (BATAN), is an Indonesian Non-Ministerial Government Institution tasked with carrying out government duties in the field of research, development, and utilization of nuclear energy data, that got compromised and leaked in an underground forum. Leaked data contains the employee’s name, email address, and password.
The observed campaign in Indonesia reveals several prominent themes exploited in phishing attacks. Among these, the sectors most frequently targeted include Social Networking, Logistics and couriers, Financial, Online/Cloud Services, and Email Providers. These findings shed light on the diverse range of sectors that malicious actors are leveraging to carry out phishing attacks within Indonesia. Understanding these prevalent themes is crucial for enhancing cybersecurity measures and safeguarding against the evolving tactics employed by cybercriminals.
During the period spanning from January 1st to December 31st, CYFIRMA’s advanced telemetry systems meticulously detected a staggering total of 794,716 phishing campaigns. Within this extensive dataset, it’s noteworthy that Indonesia emerged as the Third-most targeted geographic region in Southeast Asia.
Ransomware groups target Indonesia due to its significant and growing economy, increasing digital transformation, potential vulnerabilities in cybersecurity practices among certain organizations, geopolitical and economic motivations, the widespread use of cryptocurrencies, relative lack of cybersecurity awareness, regional and global connectivity, and, in some cases, political instability. The country’s expanding digital infrastructure and the perceived financial capacity of high-profile targets make it an attractive environment for cybercriminals seeking substantial ransom payouts. Notably, this threat landscape is influenced by formidable ransomware groups, including LockBit, BlackCat (Alphvm), and 8Base, which feature prominently on the list of perpetrators targeting Indonesian companies.
Most Exploited vulnerabilities in Indonesia
Vulnerability | Vendor | Product | CVE Score |
CVE-2021-44228 | Apache | Log4j | 10 |
CVE-2022-37042 | Synacor | Zimbra Collaboration Suite | 9.8 |
CVE-2021-40539 | Zoho | ManageEngine ADSelfService Plus | 9.8 |
CVE-2017-9841 | PHPUnit | PHPUnit | 9.8 |
CVE-2020-5902 | F5 | F5 Big-IP | 9.8 |
CVE-2022-26134 | Atlassian | Confluence | 9.8 |
CVE-2019-2725 | Oracle | Oracle Weblogic Server | 9.8 |
CVE-2014-8361 | Realtek | Realtek SDK | 8.3 |
CVE-2018-10562 | Dasan | Dasan GPON Home Router | 9.8 |
CVE-2021-3129 | Laravel | Ignition | 9.8 |
Over the past six months in Indonesia, the threat landscape has been significantly impacted by distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector bearing the brunt, accounting for a substantial 83.61% of the attacks. Internet-related services also faced notable disruptions at 6.03%, followed by the Telecommunications sector at 3.92%. Information Services, Gaming, and Retail were subject to lower but still impactful percentages, with 1.92%, 1.87%, and 0.59%, respectively. Sectors such as Financial Services, Website Design & Management, Computer Software, Gambling & Casinos, and Banking each experienced less than 1% of the attacks, ranging from 0.48% to 0.32%. This comprehensive breakdown underscores the varied impact of DDoS attacks across different industries in Indonesia, emphasizing the diverse targets and the need for robust cybersecurity measures.
PHILIPPINES
FINANCIAL SECTOR
The financial sector is the most targeted industry by ransomware in the Philippines. This is because financial institutions store a large amount of sensitive financial data, which is valuable to cybercriminals.
GOVERNMENT SECTOR
The government sector is also a prime target for ransomware attacks. Government agencies control critical infrastructure and store a large amount of sensitive data, such as personal information and national security secrets.
HEALTHCARE SECTOR
The healthcare sector is vulnerable to ransomware attacks because it stores a large amount of sensitive patient data, such as medical records and financial information.
EDUCATION SECTOR
The education sector is also a target for ransomware attacks. Educational institutions store a large amount of student data and intellectual property, which is valuable to cybercriminals.
RETAIL SECTOR
The retail sector is vulnerable to ransomware attacks because it processes a large volume of credit card transactions. Cybercriminals can use ransomware to encrypt credit card data and then demand a ransom payment in exchange for the decryption key.
The Philippines has experienced ransomware attacks from various groups, including Cl0p, Medusa, LockBit3, AlphV, and Everest. These incidents highlight the ongoing and diverse cyber threats faced by organizations in the region, emphasizing the critical need for robust cybersecurity measures and vigilance to protect against ransomware attacks.
Recently, PhilHealth experienced a Medusa ransomware attack, accompanied by a $300,000 ransom demand. This led to the temporary suspension of the online systems of the state health insurer. After the ransom payment deadline passed, the responsible group uploaded more than 600 gigabytes of files to a leak site and a Telegram channel. The leaked information encompassed photos, bank cards, transaction receipts, and other sensitive data belonging to the victims.
REDENERGY STEALER-AS-A-RANSOMWARE
MORTALKOMBAT RANSOMWARE
Over the last six months, the Philippines has confronted a dynamic landscape of distributed denial-of-service (DDoS) attacks, revealing a nuanced distribution of threats across industries. The Information Technology and Services sector emerged as the primary target, facing a substantial 29.39% of attacks, signifying a heightened and specific risk. Close behind were Internet-based services and Information Services, each with significant percentages, underlining a noteworthy impact on entities involved in data management and online platforms. Noteworthy percentages in the gaming, telecommunications, and Internet sectors emphasize the breadth of the threat, necessitating heightened cybersecurity measures. Although facing comparatively lower percentages, sectors like banking and financial services underscore the critical need for robust cybersecurity practices to protect sensitive data. This multifaceted distribution highlights the diverse industries grappling with DDoS challenges in the Philippines, demanding tailored and vigilant cybersecurity strategies.
A massive data hack in April 2023, which exposed 817.54 gigabytes of both applicant and employee records under multiple state agencies, including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Special Action Force (SAF), has put the personal information of millions of Filipinos at risk.
Cyber espionage is a growing threat to all organizations, including businesses, governments, and critical infrastructure. It is the use of computers and networks to steal sensitive information, such as trade secrets, government secrets, and personal information.
One specific area where cyber espionage is increasing is in the Philippines. Cyfirma has identified two advanced persistent threat (APT) groups that have targeted the Philippines, namely, Earth Estries and FamousSparrow.
EARTH ESTRIES
Earth Estries, a well-known hacking group, has become a major player in a cyber espionage campaign that targets government and technology sectors in multiple countries. The campaign was discovered in August, and its primary focus is on two regions: Asia (Philippines, Taiwan, and Malaysia) and Germany and the United States. Earth Estries has been linked to a highly sophisticated operation with extensive experience in cyber espionage and illicit activities. The campaign has been active since at least 2020 and has global implications.
Interestingly, there are overlaps in tactics, techniques, and procedures (TTPs) between Earth Estries and FamousSparrow.
Earth Estries demonstrates a high level of sophistication, using advanced skills and experience in cyberespionage and illicit activities. Their arsenal includes various backdoors and hacking tools, with a focus on evading detection. They use PowerShell downgrade attacks to bypass security measures and exploit public services such as GitHub, Gmail, AnonFiles, and File.io for communication and data transfer.
FAMOUSSPARROW
FamousSparrow is a cyber-espionage entity with connections to APT groups like SparklingGoblin and Metasploit, which have been associated with activities originating from China and has been targeting government and technology sectors in the Philippines, as well as other countries in Asia, South Africa, Germany, and the United States.
INFORMATION TECHNOLOGY
With a strategic emphasis on Information and Communication Technology (ICT), the Vietnamese government has undertaken initiatives to propel its development, recognizing its significance as a priority industry. The ambitious goal is to elevate Vietnam’s digital economy to an impressive US$50 billion by 2025, offering substantial growth prospects for the ICT market. This trajectory is underscored by World Bank data, indicating an annual growth rate of 10% in Vietnam’s digital economy, with the potential to exceed a formidable US$200 billion by 2045. Within this burgeoning digital landscape, the Vietnam Information Technology (IT) industry becomes a focal point of interest for threat actors. The convergence of economic ambitions and technological advancements renders the IT sector susceptible to cyber threats, with threat actors aiming to exploit vulnerabilities for economic gains, intellectual property theft, or to gain a competitive advantage.
MANUFACTURING INDUSTRY
The manufacturing sector stands as a pivotal force in Vietnam’s economic landscape, constituting a substantial 24.76% of the country’s GDP and contributing significantly to its merchandise exports, accounting for 85% in 2022. Notably, this industry’s prowess extends beyond traditional production, with recent years witnessing an uptick in the manufacturing of sophisticated products like automotive parts, consumer electronics, and telecom equipment, showcasing Vietnam’s commitment to technological advancement. Leveraging advanced technologies, the Vietnamese manufacturing industry has earned a competitive edge, producing high-quality goods at a cost-effective scale. In the context of the threat landscape, the strategic importance and economic impact of Vietnam’s manufacturing industry make it an attractive target for threat actors. Cyber adversaries may seek to exploit vulnerabilities in the industry’s digital infrastructure for various motives, including economic espionage, intellectual property theft, or disrupting supply chains. Recognizing the nexus between technological innovation and economic growth, safeguarding the manufacturing sector becomes imperative, necessitating robust cybersecurity measures to protect against evolving threats and preserve Vietnam’s economic resilience.
TOURISM
Amidst the first half of 2023, Vietnam’s tourism sector showcased notable growth, welcoming nearly 5.6 million international visitors, achieving 70% of the annual target. Projections from Future Market Insights anticipate a robust tourism revenue of US$27,500 million by the year’s end, with a long-term forecast envisioning an impressive US$135,000 million by 2033. Within this thriving landscape, the Vietnam tourism industry becomes an intriguing target for threat actors. The sector’s economic significance, driven by increasing international footfall and substantial revenue projections, makes it an attractive focal point for cyber adversaries. Threat actors may aim to exploit vulnerabilities in the industry’s digital infrastructure for diverse reasons, such as financial fraud, data theft, or disrupting the country’s image as a tourist destination. Recognizing the symbiotic relationship between a secure digital landscape and the sustained growth of Vietnam’s tourism sector, it becomes imperative to fortify cybersecurity measures to safeguard against potential threats and preserve the industry’s positive trajectory.
LOGISTICS
The logistics sector in Vietnam stands out as a rapidly expanding industry, constituting approximately 4.5% of the country’s GDP. Positioned as the 10th among emerging logistics markets globally, Vietnam’s logistics market is valued at US$40 billion, with projections estimating a market size of US$45.19 billion by end of 2023 and an anticipated growth to US$65.34 billion by 2029. Notably, over 30 companies, including industry giants like DHL, FedEx, and Maersk, contribute to the provision of international logistics services in Vietnam. Within this dynamic context, the Vietnam logistics industry emerges as a focal point for threat actors. The sector’s substantial economic contribution and strategic position in global logistics networks make it an appealing target for cyber adversaries. Threat actors may seek to exploit digital vulnerabilities in the logistics infrastructure for motives such as supply chain disruption, data theft, or financial fraud. Recognizing the critical role of secure logistics in supporting economic activities, fortifying cybersecurity measures becomes imperative to mitigate risks and ensure the resilience of Vietnam’s logistics industry against evolving cyber threats.
CONSTRUCTION INDUSTRY
With a current valuation of USD 23.1 billion, the Vietnam construction market is poised for substantial growth, projected to register a robust CAGR of over 8.5% in the forecast period. Emerging as the latest East Asian growth engine, Vietnam has captivated the interest of international investors, underscoring its strategic importance in the global construction landscape. However, this burgeoning sector also attracts the attention of threat actors in the Vietnam threat landscape. The construction industry’s pivotal role in the country’s economic development, coupled with its increasing international prominence, makes it an attractive target for cyber adversaries. Threat actors may aim to exploit digital vulnerabilities within the construction infrastructure for motives such as intellectual property theft, economic espionage, or disrupting critical projects. Recognizing the interconnectedness of digital infrastructure and the construction industry’s growth, bolstering cybersecurity measures becomes imperative to safeguard against potential threats and ensure the sustained development of Vietnam’s construction sector.
APT41/MISSION 2025
LAZARUS GROUP
TA505
APT28/Fancy Bear
Malware Name | Targeted Services/ Vulnerabilities | Campaign Name | Suspected Threat Actor | Target Industries | Target Geographies |
PubLoad, PlugX RAT | Application Infrastructure Software, Web Application, Operating System | territorial integrity | Mustang Panda (Confidence: High) | Diversified Telecommunication Services, Government, Industrial Conglomerates, Wireless Telecommunication Services, Banks, Electric Utilities, Oil, Gas & Consumable Fuels, Diversified Financial Services | Vietnam, South Korea, United States, Japan, Philippines, United Kingdom, Thailand, Australia, India |
Rifdoor, Nukesped, ShadowPy | Web Application | UNC069 | Lazarus Group (Confidence: High) | Real Estate Management & Development, Government, IT Services, Automobiles, Construction & Engineering, Food Products, Construction Materials, Auto Components, Food & Staples Retailing, Industrial Conglomerates, Diversified Financial Services, Hospital, Beverages | South Korea, Vietnam, Czech Republic, United States, Japan, Taiwan, United Kingdom, South Africa, Australia, Germany, India, Vietnam |
FlawedAmmyy RAT, CosmicDuke, Zeus Bot or Zbot | Web Application | Evian | Fancy Bear,TA505,Cozy Bear (Confidence: High) | Health Care Equipment & Supplies, Multiline Retail, Industrial Conglomerates, IT Services, Diversified Financial Services, Textiles, Apparel & Luxury Goods | Myanmar, Singapore, Cambodia, United States, Japan, Philippines, Malaysia, Thailand, Brunei, Canada, South Korea, Vietnam, Belgium, Timor-leste, Australia, France, Laos, Germany, Vietnam |
Between Jan to December 2023, as part of the external threat landscape monitoring and analysis, we observed 14 campaigns targeting various conglomerates. The following trends have been observed of the different State-Sponsored groups and Cybercriminals who potentially have carried out the observed #cyberattack campaigns:
No. of campaigns carried out by North Korean Groups: 4 out of 14 (28.57%)
No. of campaigns carried out by Chinese Groups: 3 out of 14 (21.43%)
No. of campaigns carried out by Russian Groups: 7 out of 14 (50%)
In the last six months, Vietnam’s threat landscape has undergone a notable impact from distributed denial-of-service (DDoS) attacks, with the Information Technology and Services sector being particularly affected, representing a significant 92.06% of the attacks. Moreover, a substantial 45.46% of these attacks endured for periods exceeding three hours, indicating a prolonged and impactful threat scenario. Additionally, attacks within the one to three-hour duration range accounted for 16.85%, underscoring a notable proportion of sustained assaults. Examining bitrates, attacks with speeds ranging from 500 Mbps to 1 Gbps constituted 12.64%, while those with less than 500 Mbps made up the majority share at 85.64%. This diverse distribution highlights the necessity for a comprehensive and adaptive cybersecurity strategy to effectively mitigate the varying intensities of DDoS threats in Vietnam.
LockBit ransomware has primarily targeted Manufacturing, Healthcare, Transportation & Logistics, Telecommunications, and Food & Beverages sectors in Vietnam, affecting the largest proportion of victims at 37%, amongst all targeted organizations.
Between 1st January and 31st December, CYFIRMA’s telemetry recorded 794,717 phishing campaigns. In that 14,720 attributed to Vietnam.
Most Exploited vulnerabilities in Vietnam
VULNERABILITY | VENDOR | PRODUCT | CVE SCORE |
CVE-2023-22515 | Atlassian | Confluence | 9.8 |
CVE-2022-26134 | Atlassian | Confluence | 9.8 |
CVE-2022-37042 | Synacor | Zimbra Collaboration Suite | 9.8 |
CVE-2014-8361 | Realtek | Realtek SDK | 8.3 |
CVE-2022-26138 | Atlassian | Confluence | 9.8 |
CVE-2019-3396 | Atlassian | Confluence | 9.8 |
CVE-2019-9670 | Synacor | Zimbra Collaboration Suite | 9.8 |
CVE-2023-4966 | Citrix | Citrix ADC and Citrix Gateway | 7.5 |
CVE-2018-10562 | Dasan | Dasan GPON Home Router | 9.8 |
CVE-2023-28771 | Zyxel | Zyxel | 9.8 |
We observed that Atlassian Confluence has been actively exploited by threat actors in Vietnam