Hackers broke into NUS, NTU networks in search of government, research data
SINGAPORE - Persistent hackers have broken into the networks of two universities in Singapore in a bid to steal government and research data.
The two attacks, discovered last month (April), against the National University of Singapore (NUS) and the Nanyang Technological University (NTU) are the first sophisticated attacks against universities here.
At a press conference on Friday (May 12), the Cyber Security Agency (CSA) of Singapore said the attacks were carefully-planned and were not the work of casual hackers.
"We know who did it, and we know what they were after. But I cannot reveal this for operational security reasons," said Mr David Koh, chief executive of CSA.
CSA would not say what the hackers made away with, but noted that no classified data was stolen as the universities' systems are separate from government systems. Student personal data was also not stolen.
The intrusions were detected when the universities ran their regular system checks - on April 19 for NTU, and April 11 for NUS.
Both universities alerted CSA, after which forensic investigations ensued.
The breaches were said to be advanced persistent threats (APTs) in which hackers gain unauthorised access into and lurk within computer networks undetected for a long period of time.
Sophisticated techniques using malware are typically deployed to exploit vulnerabilities in systems in such attacks. Malware can be introduced when computer users plug infected portable storage drives into the network, or click on infected links embedded in e-mail messages. Once the malware is planted in the network, hackers remotely monitor and extract data from the target network.
CSA would not say how long the perpetrator had been lurking in the NUS and NTU systems, but said that the affected systems have since been removed.
The Straits Times understands that the hackers executed the attacks from overseas.
In a Facebook post on Friday, Communications and Information Minister Yaacob Ibrahim urged everyone to do their part to defend important data. For instance, individuals can practise good cyber hygiene.
"As we become more digitally connected, such threats will continue to increase in sophistication, and both public and private sector organisations are equally vulnerable," he said.
In a statement, NTU said it takes cybersecurity and data integrity seriously and has since tightened "security controls at all levels". It said it will also continue to educate employees and students to remain vigilant.
NUS said it is working with consultants to enhance its surveillance and system defences. "This incident highlights the rising sophistication of cybersecurity attacks, and the need for heightened vigilance," it said in a statement.
Mr Aloysius Cheang, executive vice-president of global computing security association Cloud Security Alliance, said that the hackers may have been drawn to NUS and NTU because they are top universities. "There is definitely valuable research data of commercial value."
He added that the hackers may have also assumed that the universities' databases had links to government systems.
CSA added that it had not noticed signs of suspicious activity in critical systems or government networks. But it has advised other universities and critical sectors such as energy, telecoms and finance to step up their security efforts.
The NUS and NTU breaches come on the heels of the theft of the personal details of 850 national servicemen and staff at the Ministry of Defence (Mindef), discovered in February.
Similarly, the Mindef cyber attack was also targeted and possibly aimed at accessing official secrets.
Govt agencies, critical infrastructure in Singapore not affected by global ransomware attacks
SINGAPORE: No Government agencies or critical information infrastructure (CII) in Singapore were affected by the global hacking attacks that started from Friday night (May 12), the Cyber Security Agency of Singapore (CSA) said on Saturday (May 13).
The Singapore Computer Emergency Response Team (SingCERT) has notified CIIs to be on heightened alert, Mr Dan Yock Hau, director of National Cyber Incident Response Centre at CSA, told Channel NewsAsia.
The update came amid a fast-moving wave of cyber attacks that swept the globe on Friday, with the suspected culprit - a ransomware known as WannaCry - locking users' files unless they pay the attackers a designated sum in virtual currency. Security experts estimated that the number of countries affected ranged from 74 to 99, as of early Saturday morning.
Mr Dan added that organisations, businesses and members of the public can seek help from CSA's SingCERT website or its hotline at 6323 5052 if they are affected.
FAQ: Not your usual cyber attack - why NUS, NTU are 'prime targets'
SINGAPORE: The first known instance of sophisticated cyber attacks on universities in Singapore, announced on Friday (May 12), draws attention to institutes of education as a prime target from which to attack Government networks, cybersecurity experts told Channel NewsAsia.
Rather than being the work of casual hackers, both attacks involved what is known as advanced persistent threats (APTs) - and the hackers were possibly after Government information or research, rather than students' data.
Channel NewsAsia put some key questions about such attacks to cybersecurity firms.
Q: What are APT attacks?
The critical word in advanced persistent threat (APT) is "persistent" – sophisticated threats that get into a network and stay undetected for a long time, said Mr Sanjay Aurora of Darktrace.
Attacks can be facilitated through a compromised USB stick or malware in the system. Perpetrators often acquire legitimate user credentials, allowing them to bypass traditional security tools like firewalls easily.
Once these threat actors are inside the network, it becomes extremely difficult to distinguish their behaviour from that of legitimate network users, said Mr Aurora.
He added that these attackers can then move silently within the organisation’s network for weeks or months, searching for critical information before eventually executing an attack.
Q: How long could the APT have been hidden in the network before being detected?
Reports of the NUS and NTU attacks suggest in both cases that the intrusions were detected during regular system checks, said Mr Nick FitzGerald of ESET.
"This could mean that the attackers were only present for the time between such checks, or perhaps, after taking the attackers months to locate the material they were seeking, it was only when they started exfiltrating large amounts of data from the network that they tripped some alarms?"
Citing 2016 statistics, Mr Elon Ben-Meir of CyberInt said that the average dwell time of APTs can be 190 days.
Darktrace's Mr Aurora added that it can take up to 230 days - or longer - for an organisation to realise it has been breached and critical systems compromised. "We once started working with a customer, only to find that there was a sophisticated threat inside their network that had been there for eight years."
Q: How do APTs differ from other targeted attacks?
APT attacks occur over long periods of time, during which the attackers move slowly and quietly to avoid detection, Nick Savvides of Symantec told Channel NewsAsia.
"The main difference is that while common targeted attacks use short-term 'smash and grab' methods, APT incursions are designed to establish a beach head from which to launch covert operations over an extended period of time."
And unlike the fast-money schemes typical of more common targeted attacks, APTs are designed for international espionage and/or sabotage, usually involving covert state actors, Mr Savvides added.
Their objectives may include military, political, or economic intelligence gathering, confidential data or trade secrets, disruption of operations, or even destruction of equipment.
The groups behind APTs are well funded and staffed, and may operate with the support of military or state intelligence.
Q: How are APT attacks evolving?
Attackers are no longer simply stealing data – they are changing it, too, destroying confidence in the integrity of data, through so-called "trust attacks", said Mr Aurora.
"These attackers are not just using their ability to hack information systems now to make a quick buck, but to cause long-term, reputational damage to individuals or groups, by eroding trust in the data itself."
Another trend involves attackers using automated technology that is able to enter a network surreptitiously and carry out the mission without human oversight, Mr Aurora noted.
The beginnings of this trend can be seen in ransomware attacks such as those seen in the UK and Spain on Friday, where the malware automatically encrypts large amounts of data within seconds, before demanding a ransom in return for the decryption key.
"We can only expect this trend to get worse. These attacks are too fast-moving for any security team, no matter how large, to keep up," Mr Aurora said.
Q: Why target educational institutions like NUS and NTU?
This first case of a sophisticated attack on universities in Singapore highlights that cybercriminals do not just target industries such as banks, Mr FitzGerald said, calling education institutions a "prime target".
"It should not be surprising that tertiary education institutions are also attractive to cybercriminals, given that government and research data are likely to be attractive to highly motivated adversaries, including nation-state actors."
Q: What other sectors are potential targets as a point from which to attack Government networks?
Cybersecurity firms Channel NewsAsia spoke with unanimously pointed to third-party vendors and contractors as potential targets.
Mr Savvides noted that while nearly any large organisation is susceptible to targeted attacks, APTs are aimed at a much smaller range of targets: Government agencies and facilities, defence contractors, and manufacturers of products that are highly competitive on global markets.
"We see more and more attacks where third-party vendors are being targeted as they work closely with Government agencies and may have access to Government networks," said Mr Ben-Meir.
Mr Aurora added that any user or device that is connected to a Government network could be used as an in-road – whether that is a supply chain organisation, a Government employee, a subcontractor or any other third party.
Quipped Mr FitzGerald: "(They) should not assume that, just because their work for the government might not be publicly known, the bad guys are not targeting them!"
Q: What should IT professionals do?
IT professionals need to move to a detection-and-response system, said Mr Ben-Meir. "IT professionals need to react to the threat rather than act on the crisis. They need to identify the crown jewels of the organisation and invest more in protecting these crown jewels."
Mr FitzGerald noted that multi-level cybersecurity measures such as two-factor authentication (2FA), which has been adopted by local agencies for SingPass and local banks, could be explored to strengthen the security infrastructure on the government level.
Q: What should end-users do?
Laymen need to equip themselves with the basics such as anti-virus software and firewalls, Mr Ben-Meir said.
They should also be wary of suspicious emails and not follow the instructions given in such emails, such as opening a malicious attachment that may plant malware on their devices.
Mr FitzGerald noted that cybercriminals may even use the news of this attack as the basis for subsequent phishing attacks, in which they send emails asking the recipient to change their password due to the recent attack. "These emails helpfully provide a link that, of course, does not go to a legitimate login or password change page but to one controlled by the bad guys," he said.
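The breach-themed "change your password" lure described above is easy to illustrate with a small link check. The following is an added example, not code from the article or from any of the firms quoted: it parses the anchors in an HTML email body, compares where each link actually points against a hypothetical allowlist of the organisation's real login hosts, and flags links whose displayed URL differs from their real destination. The hosts (`login.example.edu`, `account.example.edu`), the lure phrases and the sample messages are all constructed for the example.

```python
"""Flag 'change your password' phishing lures by inspecting the links in an e-mail body.

Added example (not from the article). The allowlist, lure phrases and
sample messages below are hypothetical, constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hypothetical allowlist: hosts where this organisation really serves
# login and password-change pages. Anything else asking for a password is suspect.
LEGITIMATE_HOSTS = {"login.example.edu", "account.example.edu"}

# Phrases typical of credential-reset lures (constructed list, case-insensitive).
LURE_PHRASES = ("change your password", "reset your password", "verify your account")

# Matches <a ... href="...">anchor text</a>; deliberately simple, HTML-level only.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if the URL has none (e.g. javascript:)."""
    return (urlparse(url).hostname or "").lower()


def is_legitimate_host(host):
    """True if host is an allowlisted host or a subdomain of one.
    Note the suffix check: 'login.example.edu.attacker.net' does NOT match."""
    return any(host == legit or host.endswith("." + legit) for legit in LEGITIMATE_HOSTS)


def assess_email(body):
    """Return one finding per link in the body.

    A link is worth flagging when (a) the message carries a password lure and the
    real destination is not a legitimate host, or (b) the anchor text shows a URL
    whose host differs from the href's host (display/destination mismatch).
    """
    lure = any(phrase in body.lower() for phrase in LURE_PHRASES)
    findings = []
    for href, text in HREF_RE.findall(body):
        real_host = host_of(href)
        shown = text.strip()
        shown_host = host_of(shown) if shown.lower().startswith("http") else None
        findings.append({
            "href": href,
            "host": real_host,
            "legitimate": is_legitimate_host(real_host),
            "display_mismatch": shown_host is not None and shown_host != real_host,
            "lure": lure,
        })
    return findings


def is_phish(body):
    """Overall verdict for a message body."""
    return any(
        (f["lure"] and not f["legitimate"]) or f["display_mismatch"]
        for f in assess_email(body)
    )


# Constructed sample messages.
SAMPLE_PHISH = (
    "<p>Following the recent attacks on university networks, all staff must "
    "change your password within 24 hours.</p>"
    '<a href="http://login.example.edu.secure-update.net/reset">'
    "https://login.example.edu/reset</a>"
)
SAMPLE_LEGIT = (
    "<p>Scheduled maintenance this weekend.</p>"
    '<a href="https://account.example.edu/status">status page</a>'
)

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_phish(body), assess_email(body))
```

The check deliberately keys on the destination host rather than the look of the page: the lure in the constructed sample displays the real login URL while the href points at a different registrable domain, which is exactly the trick described in the quote above. It does not attempt to catch homograph (IDN) lookalikes or links shortened through a redirector, which a mail gateway would need to resolve separately.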