The Cyber Security Agency (CSA) of Singapore released its inaugural “Singapore Cyber Landscape” publication featuring facts and figures on key cyber threats and incidents in Singapore for 2016. The publication provides an overview and analysis of Singapore’s cyber health. It also seeks to raise awareness of cyber threats among stakeholders from the public and private sectors, industry, academia, and providers of essential services so that they can take appropriate action to defend against such threats.
Singapore is particularly susceptible to cyber-attacks given the high level of Internet connectivity. Common types of cyber threats observed in Singapore’s cyber landscape during 2016 included ransomware[1], phishing[2], website defacements[3], and compromised Command & Control[4] (C&C) Servers.
CSA received 19 reports of ransomware cases from individuals and SMEs in 2016, up from two cases reported in 2015. Many cases go unreported as companies may be reluctant to admit being affected because of potential impact on reputation. Cerber, CryptoLocker and Locky were among the types of ransomware reported. SingCERT issued an advisory in May 2016 to warn the public of such dangers and provided precautionary measures to be adopted.
Nearly 1,800 website defacements were detected in Singapore in 2016, with the majority being websites of SMEs from a range of businesses such as interior design and manufacturing. The perpetrators included hacktivists promoting a certain ideology, and their attacks were observed across other countries also. One in 10 defaced websites was hosted on servers running outdated operating systems, which may have made them vulnerable.
More than 60 C&C servers were detected during the year. Potentially, C&C servers could be used to control botnets – a network of compromised computers ¬ that in turn could be mobilised for DDoS (Distributed Denial of Service) attacks. Whenever a new C&C server is detected, SingCERT will inform the respective Web hosting providers to rectify the issue.
Five malware (Conficker, XcodeGhost, Zero access, Mirai and Sality) accounted for over 50% of botnets observed in Singapore’s cyberspace.
Around 43 per cent of security incidents reported to SingCERT by individuals and SMEs occurred through phishing attacks. Over 2,500 phishing URLs were detected in 2016, with the Banking & Finance sector appearing to be the most spoofed, accounting for 31 per cent of all observed phishing URLs. Among online services, PayPal was spoofed most often in phishing campaigns.
CSA also observed that filehosting service providers, such as Dropbox and Google Drive were popular targets as hackers could easily harvest user credentials from there. Some government institutions, such as Ministry of Manpower (MOM) and Immigration & Checkpoints Authority (ICA) were also spoofed, with attackers seeking personal data, such as passport numbers that could be traded in underground markets.
Those affected by cyber-attacks include Small and Medium Enterprises (SMEs), individuals and Critical Information Infrastructure (CIIs), including the Government, Healthcare, and Banking & Finance sectors.
One of the most common cyber threats reported to SingCERT by SMEs in 2016 was business e-mail scams. Millions of dollars were lost through phishing scams where hackers impersonated company executives or business partners via e-mail. SPF figures also showed that there was a 20 per cent rise in e-mail impersonation scams in 2016 compared to 2015.
The Internet Surfing Separation (ISS) policy announced in June 2016 is expected to contribute significantly towards securing the Government’s ICT environment, as removing the link between the public officers’ computers from the Internet can disrupt the attackers’ cyber kill chain.
Ransomware incidents were detected in Singapore’s Healthcare sector, with individual users unable to access their files on the network. Investigations by CSA showed that these users were infected after they opened attachments or clicked on links found in e-mails they had received. Upon detection, affected computers were successfully isolated to prevent the ransomware infection from spreading to the wider network and there was no impact to the sector’s CII assets.
Advanced Persistent Threats
The report also highlights the risk of Advanced Persistent Threats (APTs) in a time of increasing geopolitical tensions. APTs are often state-sponsored and can be used for espionage, data exfiltration, and data manipulation. They hide in networks for prolonged periods to plan their targeted attacks.
CII (Critical information infrastructure) sectors such as the Government, Banking & Finance, Healthcare and Energy sectors are attractive targets for APT attacks because a strike on them could have significant impact on the economy and society. One APT group was discovered to be eyeing a Singapore institution, using its signature tactic of phishing on individuals there. Through close collaboration between the institution and the authorities, the APT attempt was detected and halted before further harm could be done.
The report notes that early identification and stopping of malicious APT activity is a multi-stakeholder effort that would involve the intelligence community, law enforcement agencies, the targeted institution, and even foreign counterparts.
Cybercrime
The proportion of cybercrime to the total number of crime cases has been growing from 7.9 per cent in 2014 to 13.7 per cent in 2016. In 2016, cyber criminals mostly committed online cheating cases (top 3 categories- e-commerce, Internet love scam and credit-for-sex), accounting for 83 per cent, followed by Computer Misuse and Cybersecurity Act (CMCA) cases such as unauthorised access to computer material (15 per cent) and cyber extortion (2 per cent) respectively.
CMCA cases more than doubled year-on-year, from 280 in 2015 to 691 in 2016. The top five CMCA cases in 2016, in no particular order, were related to ransomware, hacking, compromise of online accounts (such as Facebook), SingPass and Internet banking accounts.
Read the complete report here.
[2] Websites that are compromised or created by hackers to trick Internet users into believing they are accessing a legitimate, trusted website.
[3] Hackers change the visual appearance of a single webpage or an entire website by gaining unauthorised access to the web hosting server. Defaced websites may also contain malicious code to infect visitors to the affected site.
[4] A C&C server is a machine operated by hackers to communicate with devices that have been infected with malware.