With the Covid-19 pandemic dominating the year, it is little wonder that 2021 felt more like 2020 with the same problems and worries. For businesses and organisations in the Asia Pacific and Japan (APJ) region, this translated into scrambling to digitalise even more systems and processes. At the same time, they had to ensure that their networks were protected from malicious cyber attacks.
Criminal groups and hackers have never had it so good. Studies have shown that countries in the APJ region face a higher potential threat of cyber attacks, in large part due to the speed and scope of growth in the region’s digital footprint and connectivity. According to a Check Point study published in May 2021, there was a whopping 168 per cent increase, year-on-year, in the number of cyber attacks in the region. The study estimated that an organisation in the Asia Pacific region suffers from 1,245 weekly attacks. The yearly figures closely match May’s numbers.
We list below what we think are the top three types of cyber attacks that kept the C-suite in APJ worried in 2021. This is by no means an exhaustive list, as hackers have become extremely sophisticated and ingenious in their attack methodologies. Cybersecurity experts, almost daily, are discovering new intrusion techniques being used by hackers to gain access to networks.
Ransomware
With data becoming a major currency of business and key to decision making across organisations of all sizes, its value has increased exponentially. Its loss, even for a short while, can have devastating consequences, including both financial and reputational damage.
This is the prime driving force behind the spate of ransomware attacks that companies around the world, and particularly in the APJ region, faced in 2021. Cyber criminals are constantly on the lookout for ways to slip malicious code into networks, encrypt data and then demand a massive payoff for the decryption key.
In the APJ region, ransomware has been the top cyber threat for two years running. The average cost of remediating a ransomware attack has grown by more than US$1 million, with the cost, including business downtime, going up from an average of US$1.16 million in 2020 to US$2.34 million in 2021. According to Sophos’ The State of Ransomware 2021 report, India had the dubious distinction of topping its global list of countries hit by ransomware, with 68 per cent of the survey respondents from the country reporting that they were hit by attacks.
A Check Point 2021 mid-year cybersecurity report adds that, globally, there was a 93 per cent rise in ransomware attacks during the year. Asia Pacific had the highest number of organisations being attacked weekly (1,338), compared to EMEA (Europe, Middle East and Africa) at 777 cases and the Americas at 688. Japan, Singapore and Indonesia experienced the sharpest increase in attack activity in the region till the middle of the year.
Research agency IDC adds that organisations in the Asia Pacific excluding Japan (APEJ) region have shown more of a tendency to pay the ransom to get their data freed in comparison to other geographies. The survey, done in July 2021, showed that 49.4 per cent of APEJ organisations that encountered a ransomware incident chose to pay the ransom.
However, out of those who paid, 82.4 per cent managed to retrieve a working decryption key. This means that nearly 20 per cent paid the ransom but got nothing in return. That is a scary statistic.
IDC states that among the countries that it looked at in the Asia Pacific, Australia and Singapore were at the top in terms of having companies that are likely or willing to pay a ransom, with 60 per cent and 49 per cent respectively. The research agency says that legislation in the region pertaining to ransomware payment is quite “fuzzy”. While most regulators in the region discourage the payment of ransom during an attack, there are no laws specifically restricting the transaction.
Supply chain attacks
With more companies turning to managed service providers (MSPs) for their IT needs, hackers have found that it is often more profitable to infiltrate the MSPs, using a technique known as a supply chain attack.
By compromising a service provider, hackers gain access to hundreds of the MSP’s customers. This has proven to be a far more efficient way to infiltrate malicious code into company networks than going after them one at a time.
The most high-profile example of a supply chain attack is the one on US-based IT services provider SolarWinds. The company sells system management tools for network and infrastructure monitoring to several hundred thousand organisations around the world.
Hackers deployed malicious code into different builds of SolarWinds’ hugely popular Orion software, which is an IT monitoring tool that has deep access to a customer’s log and system performance data. The malicious code, which contained a backdoor, was distributed to SolarWinds customers via an automatic software update.
By the time the breach was discovered, more than 30,000 organisations had the infected Orion platform on their network with access to manage their IT resources. The victims included some of the top companies in the world.
Along with ransomware, supply chain attacks are likely to give sleepless nights to chief information security officers (CISOs) in 2022.
Business email compromise
Compared to the top two cyber attack methodologies in the list, our Number 3, business email compromise (BEC), is a low-tech hacking technique that is more of a specialised phishing scam. Ironically, the fact that it is more of a con job than a gee-whiz piece of malicious code makes it more dangerous, as criminals with little knowledge of writing software can use it. At the same time, its very nature allows it to pass through all the sophisticated filters set up to protect networks.
BEC scams are extra dangerous because they rely on social engineering techniques to infiltrate networks. Hackers then secure conversations within the network by impersonating a legitimate user, like the CEO or other top officials.
BEC usually targets companies that conduct a lot of wire transfers and have suppliers abroad. The usual modus operandi is to first harvest corporate and publicly available email accounts of high-level executives who are involved in financial transactions and wire transfers.
Then, hackers either spoof their email accounts or use key loggers to gain access to passwords. This gives them access to authorise fraudulent money transfers, resulting in hundreds of thousands of dollars in losses.
Hackers also pose as legitimate business contacts of the target company and trick the email recipient, usually middle to low ranking employees, into providing sensitive information or updating financial information to divert payment to a new account. Studies have indicated that 30 per cent of employees are quite susceptible to social engineering, especially phishing campaigns. It takes only one unsuspecting employee to help set the stage for a lucrative BEC attack.
Though BEC makes up only seven per cent of all phishing attacks, it has caused more than US$26 billion in losses in the last four years, according to the US Federal Bureau of Investigation (FBI). Even in 2019, cybersecurity firm Trend Micro identified Singapore as being the most vulnerable country in Southeast Asia for BEC scams. It is likely to remain so in future.
What makes Singapore particularly vulnerable, and this applies to other countries in the region as well, is that the vast majority of firms here are small and medium-sized enterprises (SMEs). They usually have 100-500 employees or fewer, and have a lean management structure. Finance staff are often used to the CEO, owners and regular suppliers directly emailing them, asking for money transfers without going through intervening layers of management oversight.
BEC scams are also lucrative for hackers because the stolen amounts are usually small, and companies often find that it is not worth the time, effort and money to try to recover them.
Since there are very limited technology tools available to prevent a BEC attack, the best course of action for companies is to set up identifiable and well-established processes for payment disbursement, irrespective of the size of the company and the person or entity asking for it.
Apart from these three major areas, companies in APJ faced a regular barrage of pandemic-related scams and cyber attacks. These include ones targeting their remote working tools, like video conferencing solutions, along with network intrusion attempts. It has been a relentless war between the good guys and bad guys in cyberspace.
The best course of action for organisations in 2022 would be to remain vigilant, invest in systems, processes and best practices and, most importantly, train employees in good cyber hygiene, as that can go a long way in preventing most attacks that happen due to human error or oversight. In this respect, 2022 will not be much different from previous years. Attacks will happen. It is what is done after and during an attack that determines the winners and losers in cyber defence.
Amit Roy Choudhury, a media consultant and senior journalist, writes about technology for GovInsider.