A recent study by Ensign InfoSecurity has found that the cyber threat landscape in Singapore is heavily focused on two types of attacks: phishing and “watering hole” campaigns. Together, these two attack types accounted for 84% of all illicit access attempts in the country in 2019.
Phishing is the most common threat globally, and is frequently the first point of entry into a target network as part of a larger campaign. A preponderance of watering hole attacks is a little more unusual. This anomaly might be chalked up to the particular attention of advanced persistent threat (APT) group OceanLotus, a suspected state-sponsored hacking group out of Vietnam that has been on a spree of such attacks in Southeast Asia since late 2018.
The rise of phishing and watering hole attacks
The research team at Ensign Labs found that watering hole attacks making use of compromised sites were the most common attack type in Singapore in 2019, representing 47.18% of all recorded incidents.
These watering hole attacks begin when an attacker compromises a legitimate website that the public already trusts. The attackers surreptitiously upload malware payloads to the web server, disguised as legitimate files. The study singles out patches from third-party vendors as a particular area of focus: a trojanized update hosted on a trusted site can distribute the malware to millions of unsuspecting victims who believe they are installing a benign update.
Of course, phishing attempts by email also had robust representation at 36.75% of all attacks. The use of software exploits (10%) and fake non-targeted phishing sites (5%) rounded out the major types of cyber attacks seen in the country in 2019.
The most frequently targeted industries
Singapore’s most-targeted business sectors are no surprise: high-tech, infocomm, media, higher education and financial services.
The study notes particular activity in intellectual property theft centered around the Emotet trojan, which was the most commonly seen type of malware in Singapore in 2019. Emotet is a polymorphic trojan able to evade signature-based automated defenses, and is generally part of the initial entry into a network. The Mylobot botnet has also been particularly active in the region; this is a relatively new botnet with considerable capability to evade detection.
The frequency of watering hole attacks, combined with other evidence such as the types of malware used, points to very strong OceanLotus activity in Singapore in the past year.
Also known as APT32, OceanLotus is based in Vietnam and is strongly suspected to be backed by the government. This is one of the more sophisticated threat actors out there, and has historically been known to focus on the Southeast Asia region. It also has a long and established history of using watering hole attacks that are centered on compromised government sites and media outlets.
The report indicates that APT32 had a particular focus on higher education targets in Singapore. The group was most active in April 2019, winding down to a mid-summer lull before working back up to a smaller spike in October. Though the group was not otherwise particularly active in the manufacturing sector, it had a pronounced burst of activity against these companies in May before dropping off again for the rest of the year. The group was most interested in automotive manufacturers, particularly BMW and Hyundai.
OceanLotus is not the only group that the report makes note of, however. Naikon, an APT group based in China, was also highly active in Singapore in 2019. Naikon has been making a habit of targeting government and military installations throughout Southeast Asia since 2010. ThreatConnect has tied the group to the People’s Liberation Army of China. The group is known for advanced spear phishing; it is unclear if it is contributing to Singapore’s rash of watering hole attacks.
While these groups tend to target enterprise-scale organizations and government agencies, there was significant activity targeting the average internet user as well. The study noted a particularly sharp spike in phishing email attempts during the extended holiday shopping season (from Cyber Monday through New Year’s Day), a pattern that is almost certain to repeat in 2020.
The report concludes by advising companies in Singapore to move on from signature-based automated cyber defenses to those that use AI learning models to keep up with malicious code, given the current prevalence of polymorphic malware and watering hole attacks alongside phishing. It also advises that security analysts be provided with automated tools for lower-level screening work to avoid “alert fatigue,” and that organizations implement a Security Operations Centre to improve incident response and keep cyber threat intelligence up to date.
The proliferation of Emotet in the region highlights why these advanced measures are becoming necessary for more and more organizations. Emotet has been around since 2014, but standard signature-based antivirus software will usually not detect it. In 2019 Emotet was used against over 1,200 companies in Singapore across 27 different business sectors. Phishing prevention is the first line of defense, but there is no perfect way to stop employees from clicking on spear phishing emails.