Despite being the second smallest country in Asia, Singapore is a global financial and economic hub. It is also one of the most interconnected and technologically advanced cities in the world: fast internet access is provided to all residents, almost 100% of its population has a mobile device (on average, there are three mobile phones for every two inhabitants), and the city has a large number of wireless access points. Digital Shadows itself has expanded to Singapore’s shores, with intelligence, customer success, and sales teams all having a presence there.
Together, these factors place Singapore in a strategic position for the Asia-Pacific (APAC) area: as a regional powerhouse and a global ‘Smart City’. But as the country strives to remain digitally superior, it faces a challenge that even small companies struggle to overcome: cybersecurity. This challenge is illustrated by the fact that Singapore suffered one of 2018’s highest-profile cyberattacks, which saw 1.5 million SingHealth patients’ personal information illegally accessed and copied. The same year, Singapore’s Cyber Security Agency saw an increase in the number of cybercrimes reported overall.
Committed to enhancing its cybersecurity posture, the country passed the Cybersecurity Act, which provides a legal framework for the oversight and maintenance of cybersecurity in Singapore. Compared with other countries in the Association of Southeast Asian Nations (ASEAN) and the APAC region, Singapore has a relatively high level of preparedness. Despite this, Singapore has not escaped cybersecurity incidents. Instead, its strategic position is indirectly making Singapore a prime target for cyber threat actors.
As part of the Searchlight service, Digital Shadows clients are able to view all regional threat landscape reports, including some not published on our blog. If you would like to view former reports for this region, please email us at firstname.lastname@example.org.
Singapore Cyber Threat Landscape Overview
This blog looks at the publicly reported cyber incidents affecting Singaporean entities during the first and second quarters of 2019. In particular, we highlight the sectors that experienced attacks, speculate why they were attacked, and consider how this changes the country’s cyber threat landscape.
Figure 1: Findings from our Singapore threat landscape research
Of the incidents reported, espionage and financially motivated attacks were the most commonly reported types of cyber incident, while financial services, and in particular cryptocurrencies, were the most targeted sectors during this reporting period. The healthcare sector was also affected during this reporting period, as the SingHealth breach was attributed to the advanced persistent threat group Whitefly.
Let’s dig into each of these top findings.
1. Financially motivated attacks in Singapore
During this reporting period, cryptocurrency exchanges were an attractive target for threat actors. In June 2019, Singapore-based cryptocurrency trading platform, Bitrue, reported that threat actors had stolen $4.5 million worth of cryptocurrency, exploiting a review process within the “Risk Control” team at Bitrue, which allowed the attackers to exfiltrate funds from the wallets of Bitrue users.
Singapore is widely thought to have a friendly approach to cryptocurrency adoption, and its government has been seen to support this form of financial innovation as part of its commitment to remain a technological hub. Despite this, virtual currency is not recognized as legal tender in Singapore, and the Monetary Authority of Singapore (MAS) does not, as of yet, regulate cryptocurrency exchanges in the same way it does incumbent financial institutions. The country is still in the process of fleshing out a regulatory framework. This, combined with low user awareness around cyber threats associated with cryptocurrencies, makes cryptocurrency trading platforms prime targets for threat actors.
2. Singaporean entities remain an espionage target
Likely due to Singapore’s strategic position in the geopolitical landscape, state-associated espionage remained the most significant threat to organizations operating in the Asia-Pacific region in the first half of 2019. The Whitefly APT group was active in the region during the first two quarters of 2019. The SingHealth breach outlined above was attributed to the group, and a second attack targeted unnamed entities in the region with the “Termite” malware. The deployment of Termite was assessed to likely be an effort to gather information from affected systems. Whitefly has consistently targeted Singaporean entities since 2017. Therefore, these incidents do not represent any dramatic change in focus from the group.
3. Decrease in hacktivist activity
Singapore experienced a decrease in reported hacktivist activity, with no notable incidents being reported by Digital Shadows. The last reported incident was the announcement of OpIcarus 2.0 at the end of 2018. OpIcarus is an Anonymous Collective operation targeting the financial services sector; however, it has witnessed significantly reduced participation levels and diminished impact over the last year, and there were no further reported associated incidents. This decrease in hacktivist activity is in line with global trends, which have seen hacktivist groups reduce in number and organizational capabilities.
2019 APAC Cyber Threat Forecast
Singapore is highly likely to remain an attractive target to cyber threat actors throughout 2019. Here’s what you can expect:
- An uptick in breach disclosures: Absent from the public reports, though equally important to mention, was the Personal Data Protection Commission’s (PDPC) 2019 revision to its “Guide to Managing Data Breaches”. The revision essentially means Singaporean firms are obliged to notify the PDPC of data breaches. Such a revision could lead to an increase in the number of public breach reports. Such an impact was seen particularly in the United Kingdom following the effective start date of the General Data Protection Regulation (GDPR) [https://www.pinsentmasons.com/out-law/news/report-flags-gdprs-impact-on-data-breach-notification-]. Already, in Singapore, we’ve seen the following breach disclosures during this reporting period, and we certainly expect more throughout the rest of 2019.
- Cyber espionage operators will continue to seek sensitive information: The country will remain an attractive target for sensitive information should Singapore continue to host high-profile events, such as the yearly regional security summit, the Shangri-La Dialogue. Espionage activity, mainly originating from or attributed to China, is also likely to target Singapore for economic and political information regarding US influence in the region. This is significant as the People’s Republic of China’s (PRC) Belt and Road Initiative (BRI) and Made In China 2025 (MIC2025) policies, respectively, are at critical, but successful, positions. Likely from now and throughout 2020, though, the PRC’s strategic priorities are expected to be assessed and evaluated as part of the Five Year Plan. As state-associated cyber activity is typically aligned with the PRC’s strategic priorities, state-sponsored activity will likely either continue to target organizations in line with the current priorities, or shift targeting depending on the outcomes of the evaluation.
- Financially motivated activity level is likely to stay: Threat actors will likely continue attacks against cryptocurrency exchanges and wallets. This activity is not limited to the typical financially motivated cybercriminals, as North Korean-associated threat actors often break the mould of espionage activity and seek financial gain, too. Attacks involving banking trojans may also start to escalate as Singapore attempts to increase the levels of banking conducted digitally. Ransomware attacks are likely to remain relatively low; although Singapore was affected by a ransomware campaign during the first half of the year, it was untargeted and likely opportunistic.
- Traditional hacktivist activity is likely to remain relatively low: The last high-profile hacktivist incident occurred in 2013, when a hacker going by the moniker “the Messiah” and linked to the group Anonymous broke into the websites of government-linked entities over a new Internet licensing framework. Smaller-scale hacktivist incidents have resulted from petty disputes. For example, in 2011, Malaysian hackers, identified as M43L Tro0pers, defaced a Singapore website dealing with used cars after Singapore defeated Malaysia at the World Cup qualifier matches. Hacktivist activity in the region can be expected, although it is likely to be opportunistic.