A report on Singapore's cybersecurity landscape in 2020 released by the Cyber Security Agency of Singapore (‘CSA') on 8 July 2021 shone a spotlight on cyber threats during COVID-19.
2020 saw an increase in cyber threats such as ransomware, phishing attacks and online scams, as cyber criminals capitalised on the COVID-19 pandemic by:
- Exploiting fear and anxiety to deceive victims through impersonation of government or health agencies, vaccination-related scams, and fake COVID-19 websites and apps for activities such as credentials theft and malware distribution.
- Exploiting the increased use of new untested technologies and workarounds to facilitate contact tracing and work-from-home arrangements.
- Targeting the vaccine value chain and using sophisticated phishing campaigns to steal data, credentials and sensitive information relating to vaccine research, development, and distribution.
US-based information technology vendor SolarWinds had also seen a supply-chain attack in the same year. Hackers had earlier infiltrated SolarWinds' production network to insert malicious code in a software update for a widely-used platform. The update was downloaded by SolarWinds' customers, including governments and Fortune 500 companies. This created a backdoor into each victim's network and was used by hackers to install more malware, allowing the hackers to disguise themselves as legitimate users and gain unrestricted access to the victim's networks and stored assets. The SolarWinds breach had a potential domino effect as victims who were major vendors were susceptible to a second level breach, where hackers could further compromise other supply-chains.
Key Cyber Threats of 2020
Cybercrime cases increased in 2020, accounting for 43% of overall crime in Singapore, with online cheating forming the top cybercrime category. Cybercrime refers to online cheating, cyber extortion, and offences under the Computer Misuse Act relating to unauthorised access, use or modification of computers, computer materials and computer services.
The most common cybersecurity threats include:
- Ransomware: The CSA saw a 154% spike in reported ransomware cases, mainly affecting small and medium enterprises (SMEs). The CSA has also observed that ransomware operators were shifting from indiscriminate, opportunistic attacks to a targeted approach in fishing for larger victims. Ransomware operators have also adopted ‘leak and shame' tactics to pressure victims into paying ransoms to prevent stolen data from being publicly leaked, like a data breach.
- Command and Control (C&C) Servers and Botnet Drones: The CSA observed a 94% rise in the number of malicious C&C servers hosted in Singapore. C&C servers are centralised devices operated by attackers to maintain communications with compromised systems, also known as botnets, within a targeted network. A daily average of 6,600 botnet drones with Singapore IP addresses were also detected, an increase from 2019's daily average of 2,300.
- Phishing: Despite a 1% decrease in phishing attacks, the CSA has detected 47,000 Singapore phishing URLs. More than half of the organisations spoofed in these phishing incidents were big technology or social networking firms, or in the banking and financial sector. The Singapore Police Force, Ministry of Manpower and Ministry of Education were the three most spoofed Singapore government agencies, with many cases involving phishing emails.
- Website defacements: There was a 43% decrease in ‘.sg' website defacements from 2019, with the majority of victims being SMEs and no government websites that were affected. However, the significant decrease may also mean that activist groups have chosen other platforms with potentially wider reach, such as social media, to push their agenda.
As cybersecurity threats continue to evolve, organisations face the following issues:
- Poorly configured networks and systems that have been put in place to facilitate business continuity during a time of remote work expanding threats and exposing organisations to further risk.
- An increasing risk of supply chain attacks as organisations depend on technology vendors to support their business operations.
- Constantly evolving ransomware attacks transforming from sporadic isolated incidents to massive systemic threats, potentially becoming national security concerns.
It is of paramount importance that organisations regularly review their cybersecurity hygiene, network connections and operational dependencies, as well as ensure that systems / software are updated, employees are educated on threats, and intrusions are detected and contained quickly.
As organisations navigate against cyberthreats, the following serves as a non-exhaustive list of preventive measures that organisations can consider in the fight against evolving cybersecurity threats. ( ‘Good Data Protection by Design Practices for ICT Systems' jointly developed by Singapore's Personal Data Protection Commission and Hong Kong's Privacy Commissioner for Personal Data.)
- Minimise the collection of personal data, by ensuring the organisation does not collect data unless necessary, and there is a valid purpose for doing so.
- Implement data protection and security by design, where data protection and security issues are considered at the initial stages of any system, service, product, or process, and throughout its lifecycle.
- Spell out your organisation's security requirements to ICT vendors when developing bespoke solutions and ensure these are documented in the contract or scope of work. In putting the requirements together, organisations should identify and consider industry standards and codes of practice for technology and cybersecurity. Instances include the Technology Risk Management Guidelines published by the Monetary Authority of Singapore for the financial sector, or the Cybersecurity Code of Practice for Critical Information Infrastructure published by the CSA for owners of Critical Information Instructure under the Cybersecurity Act 2018.
- Conduct data protection impact assessments at the beginning of projects, or when the preliminary design of a new ICT system has been established, to assess the types of data and processing activities. This would help organisations to identify and assess gaps and risks in the design of the new system in relation to personal data and processing activities.
- Be accountable to users and personnel through data protection policies and notices which notify these persons of the purposes and obtain requisite consent for the collection, use, processing and disclosure of their personal data.
As the saying goes, cybersecurity today is much more than a matter of technology. Beyond the tools made available to them, organisations cannot afford to let their guard down but must remain vigilant, and keep pace with emerging technologies and shifts in the landscape, to minimise their exposure to cyber threats and risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.