Cyber attack on S’pore public organisation was by state-sponsored group: CSA

SINGAPORE — An unnamed public organisation here was hit by an advanced persistent threat (APT) malware infection late last year, the Cyber Security Agency of Singapore (CSA) revealed on Thursday (Sept 14).

The Cyber Security Agency of Singapore said that the recent incident was the work of a group of state-sponsored attackers, which had not been known to be active in Asia till then. Photo: Reuters

The agency found, after an investigation, that it was the work of a group of state-sponsored attackers, which had not been known to be active in Asia till then. An APT attack starts with an unauthorised individual gaining access to a network covertly to steal data over a period of time.

In its inaugural report on the cyber landscape in Singapore, the CSA said that the incident last year was assessed to be more opportunistic than targeted.

It added that it was likely to be carried out by a group engaged by a foreign government to carry out cyber espionage for its own national interests.

One computer within the public organisation was found to be infected with malware. “Attackers used sophisticated anti-detection and infection techniques, (such as) multi-stage infection through a phishing email that ultimately allowed the attacker backdoor access,” the CSA said.

The activities went undetected as the warning indicators and malware signatures were not on known anti-malware databases.

No sensitive information was processed on the infected computer, and although the malware could have stolen data, no data theft took place.

The organisation was advised to further secure its information communication technology systems to prevent another attack.

The report by the CSA also contained other case studies.

Late last year, there was a series of ransomware incidents in the healthcare sector, where individual users were unable to access their encrypted files within their organisation’s network.

Investigations revealed that these users’ workstations had been infected after they opened attachments or clicked on links in their emails. Affected computers were wiped clean, programmes were reinstalled, and data restored from back-up systems.

The healthcare industry had the highest number of ransomware attacks compared to other sectors, although the figure was not stated in the report.

Ransomware came into the spotlight this year, with two major attacks around the world.

In May, the WannaCry worm encrypted data files, and a month later, Petya locked down the operating system of computers until users made payment to regain access to their files and computers.

In another case, an unnamed Singapore institution was threatened with a Distributed Denial of Service (DDoS) attack, unless ransom was paid. A DDoS attack overloads a system with data, causing disruption to business operations or distracting victims from other ongoing cybercrimes.

A ransom email was sent to the institution, and a “demo attack” was launched before the due date as a warning by the attackers. However, the threat was never carried out.

The attacker at first appeared to be from a cybercriminal group known for its DDoS attacks, but after doing more checks, the CSA assessed that the threat was the work of copycats.
