Cyberattacks on StarHub came from subscribers' infected devices

SINGAPORE — Internet-connected devices in the homes of subscribers which were infected, were hijacked for use in the cyberattacks that crippled the StarHub’s broadband service twice in three days, the telco said on Wednesday (Oct 26), adding that it plans to send engineers to homes to clean up these devices.

The DDoS (distributed denial-of-service) attacks on a Singapore telco’s infrastructure were unprecedented, said the Cyber Security Agency (CSA) and Infocomm Media Development Authority (IMDA), which urged users to do their part to beef up their cybersecurity.

A DDoS attack is when IT equipment such as a computer, router or server is flooded with a sudden and enormous volume of traffic from multiple sources, in an attempt to cause congestion or to shut it down.

At a press briefing Wednesday, StarHub chief technology officer Mock Pak Lum explained that subscribers’ devices could have been infected by viruses and malware, or were compromised because users had not changed the default password.

“It allows hackers to control these devices ... (to) automatically send traffic to a destination,” he said. “Many times, the owners of these computers don’t know what’s happening.”

While StarHub has started investigations, it was still not able to answer many questions, such as the intent of the perpetrators, why only it was targeted, or if the attacks were actually something more malicious than they appear to be. There are 473,000 StarHub home broadband subscribers.

DDoS attacks on Domain Name Services (DNS), as in Starhub’s case, are generally rare. But last week, a similar incident hit United-States-based DNS service provider Dyn, causing one of the largest known DDoS attack that took out many popular websites, including Twitter, Netflix and PayPal.

Mr Mock said StarHub would soon ask subscribers if they would allow technical teams to visit and check their Internet-connected devices. He declined to say how many infected devices were detected, citing the information as “sensitive”.

The CSA and IMDA noted that there is “no fool-proof solution” and a collective effort from companies and users was needed to bolster cyber resilience.

“Any Internet-connected device, from WiFi routers to printers to CCTVs, can inadvertently be part of a network of ‘bots’ that can be activated to attack other systems,” they added.

SingCERT (Singapore Computer Emergency Response Team) will be publishing an advisory on what businesses and individuals should do to secure their Internet-connected devices, they said.

Mr Mock added: “Everyone has a role to play in cyber security readiness. If you were to buy a webcam from Sim Lim Square, try to get a reputable one. If you buy a device, try to reset the default password very quickly. If you have a computer at home, set up your firewall. And ... how did the malware get into your system, a lot of times its through phishing email, you click on the attachment, and it carries malware.”Commenting on the incident, cyber security experts said telcos are increasingly the target of cyber attacks, with aging technology infrastructure and Internet of Things with poor security singled out as the weakest links.

Mr Vincent Loy, Cyber and Financial Crime Leader at PWC, said that banks and telcos are increasingly the targets for cyber attacks. 

“The incidents seem to be (mostly) linked to Internet of Things. All the equipment are connected to one another, and this will be used as a weapon to attack companies or countries,” he told TODAY on the sidelines of the Financial Times Cyber Security Summit Asia Pacific, adding that many of such devices do not have password control.

“And, a lot of the equipment has been built many years ago, and you can’t build in the security, you need to identify them and segregate them and think of other actions you can do to mitigate cyber risk.”

Mr Paul Vlissidis, technical director at NCC Group, which specialises in cyber security and risk mitigation, added: “Manufacturers have a role to play, they should not be sending out devices (into the market) with standard setting. There should be a more secure method for setting these things up.”

If ISPs see that many of these devices are being used for criminal acts, they should also step in to block these devices, he said.

Mr Madan Oberoi, director of the Cybercrime Directorate at INTERPOL, who was also at the conference, said there needs to be platforms for multiple stakeholders to investigate and identify criminals, in order for “successful prosecution”.

“Whenever there is an attack, it does not involve just one jurisdiction, or one industry. Pieces of evidence are left in various jurisdictions, and unless the stakeholders come together, it will be difficult to solve the puzzle. Only if they contribute by sharing information, then the possibility of nabbing the criminal is much higher,” he said.