Singapore Cyber Landscape 2018 Contents

SINGAPORE CYBER LANDSCAPE 2018 CONTENTS

Foreword 3

Overview of Cyber Threats in 2018 4

Chapter 1 – Spotlight on Cyber Threats 8

Advanced Persistent Threats 10

Website Defacements 12

Phishing URLs 14

Malware 16

Chapter 2 – Target.SG 20

Target.GOV.sg 22 Case Study – Cyber-attack on SingHealth

Target.EDU.sg 26 Case Study – Cyber-attack on Universities

Target.ORG.sg 28 Case Study – Crypto-jacking SINGAPORE CYBER LANDSCAPE 2018 Target.YOU.sg Copyright 2019 30 Case Study – [email protected] By Cyber Security Agency of Singapore Chapter 3 – Singapore’s Cybersecurity Strategy – Developments in 2018 32 With contributions by the Defence Cyber Organisation, Defence Science and Technology Agency, DSO Pillar One: Building a Resilient Infrastructure 36 National Laboratories, Government Technology Agency of Singapore and Singapore Police Force Pillar Two: Creating a Safer Cyberspace 38

ISBN: 978-981-14-1612-5 Pillar Four: Strengthening International Partnerships 44

Contact Details 52

1 FOREWORD

Cybersecurity incidents made some of the Smart Nation Scholarship, to support talented biggest headlines in 2018. Data breaches, students pursuing a career in cybersecurity. In in particular, were reported across multiple addition, the establishment of the $30 million industries. Facebook, Cathay Pacific and ASEAN-Singapore Cybersecurity Centre of Marriott were just some of the high-profile Excellence underscores Singapore’s efforts organisations that were hacked and had to build regional cyber capacity and promote sensitive information stolen. international collaboration.

Singapore was not spared as well. We were Singapore marks its Bicentennial hit by the most serious data breach in our Commemoration in 2019. This journey over the history – 1.5 million SingHealth patients had last 200 years has seen us develop from a small their non-medical personal particulars illegally trading outpost to a global digital hub. As we accessed and copied. As cyber threats grow in advance towards our vision of a Smart Nation, scale and sophistication, it is clearly no longer a cybersecurity is a vital prerequisite question of “if”, but rather “when” an attack will and key enabler – the invisible glue that instils hit us. Even as we strive to make our systems trust and confidence in our digital plans. We as secure as possible, it is imperative that we hope this third edition of the Singapore Cyber respond to an incident swiftly, robustly and Landscape will provide useful lessons from decisively. The cyber-attack on SingHealth was past incidents, so that we can better prepare a stark reminder for us to push further in our ourselves for the digital future. Let us keep cybersecurity efforts collectively as a nation. Singapore’s cyberspace safe On the international stage, Singapore remains and secure, together. firmly committed to the establishment of a rules- based international order in cyberspace; and condemns all malicious cyber activities, which threaten the safety and security of Singapore and Singaporeans.

2018 also saw significant progress in enhancing Singapore’s cybersecurity. We passed and implemented the Cybersecurity Act, which provides a legal framework for the oversight and maintenance of cybersecurity in Singapore. To nurture a vibrant cybersecurity ecosystem, we David Koh launched initiatives such as the Industry Call for Commissioner of Cybersecurity and Innovation, which laid the ground for long-term, Chief Executive holistic cybersecurity investments, and the Cyber Security Agency of Singapore

2 3 OVERVIEW OF DDoS ATTACK PEAKS PHISHING CYBER THREATS IN 2018

1.7 tbps 1st TIMELINE OF SELECTED CYBER INCIDENTS IN 2018 1.35 tbps 1.2 tbps 2nd 1.1 tbps 3rd

GLOBAL INCIDENTS LOCAL INCIDENTS 0.62 tbps Banking and Financial Services JAN Technology File Hosting Provider • APT-attributed malware (nicknamed FEB ‘Olympic Destroyer’) disrupted Opening Ceremony of the PyeongChang Winter Olympic Games Krebsonsecurity OVH France Dyn GitHub Unidentified US-based serviceprovider

SEP SEP OCT FEB MAR • Largest Distributed Denial-of-Service MAR 2016 2016 2016 2018 2018 16,100 (DDoS) attack in history on unidentified phishing URLs with a US-based service provider RECORD PEAKS OF DISTRIBUTED DENIAL- Singapore-link were detected. • SamSam ransomware disrupted Atlanta’s OF-SERVICE ATTACKS – A COMPARISON municipal services In 2018, the largest Distributed Denial-of- Service (DDoS) attack ever recorded was APR • User accounts belonging to academic staff MALWARE in four Singapore universities compromised conducted using a relatively new method. As in cyber-attack threat actors find new attack methods, even higher peaks of DDoS attacks may be seen. Cases of ransomware MAY • PageUp malware breach affected 300,000 21 were reported to SingCERT Careers@Gov portal users CYBERCRIME IN SG JUN • Personal particulars of 1.5 million patients Unique Command and stolen in cyber-attack on SingHealth Control servers were ONLINE CHEATING 300 observed in Singapore CYBER EXTORTION JUL COMPUTER MISUSE ACT TOTAL 6,179 Botnet drones TOTAL (compromised TOTAL AUG 5,351 computers infected with 5,175 2,900 malicious programs) with • Ransomware attacks hit Port of San Diego SEP Singapore IP addresses • Facebook data breach affected were observed daily, 30 million users on average • Financial information of 429,000 passengers stolen in British Airways data breach

WEBSITE DEFACEMENT • Cathay Pacific Airways data breach OCT • 72 user accounts in Health Promotion affected 9.4 million passengers Board’s HealthHub portal accessed illegally

• Guest information stolen from 383 million NOV • Unauthorised access to more than 200 Marriott International accounts State Courts electronic case files 2016 2017 2018 • Personal details of German DEC politicians exposed 605Singapore-linked website Cybercrime cases accounted for defacements were detected. 18.6% of overall crime in 2018.

4 5 SELECTED MAJOR DATA BREACHES IN 2018

CATHAY PACIFIC AIRWAYS 9,400,000 RECORDS

Type of Information:

Host:

Cause:

MARRIOTT INTERNATIONAL QUORA (STARWOOD HOTELS AND RESORTS) 383,000,000 RECORDS 150,000,000 RECORDS ATRIUM HEALTH DATA BREACHES Type of Type of Information: Information: 2,650,000 RECORDS Threat actors target vulnerable points in public and private organisations, businesses, Host: Host: Type of Information : and even cloud computing systems to pivot Cause: Cause: Host : to sensitive data they are interested in. The figure shows the relative scale of selected Cause : major data breaches that occurred in 2018.

GOOGLE+ NEWEGG LEGEND SINGHEALTH 52,500,000 RECORDS 50,000,000 RECORDS 1,500,000 RECORDS TYPE OF INFORMATION : Type of Type of Personal Information Medical Information Information: Information: Type of * Information: Host: Host: Host: Financial Information Account Information

Cause: Cause: Cause: * Limited information compromised

HOST :

Cloud Infrastructure Third-Party Servers

Company Undisclosed Private Servers FACEBOOK TICKETFLY BRITISH AIRWAYS CAUSE : 429,000 RECORDS 30,000,000 RECORDS 27,000,000 RECORDS Vulnerability Undisclosed Type of Type of Type of Information: Information: Information: Unauthorised Phishing access through Host: Host: Host: third-party supplier Cause: Malware Cause: Cause:

6 7 CHAPTER 1 SPOTLIGHT ON CYBER THREATS Singapore faced a number of cyber threats in 2018, including Advanced Persistent Threats, website defacements, phishing, and malware activities. This chapter details our observations on some of these cyber threats, trends, and motivations from the period of January to December 2018.

INFORMATION

8 9 CHAPTER 1 SPOTLIGHT ON CYBER THREATS

ADVANCED PERSISTENT THREATS

In the past two editions of the Singapore DISRUPTION FINANCIAL GAIN CYBER ESPIONAGE Cyber Landscape, we highlighted the significance and potential impact that Advanced Persistent Threats (APT) have on our cyber ecosystem. Often associated with a nation-state, APT groups have access to a wealth of resources and deep expertise to achieve their objectives, which include causing disruption, cyber theft for financial gain, and conducting cyber espionage.

APT groups may choose to target A number of high-profile cyber-attacks APT groups are known for conducting prominent, highly-visible international targeting payment systems were information gathering and cyber events with the aim of disrupting them to attributed to APTs, resulting in significant espionage. Information gathered can be draw attention. The Opening Ceremony losses to affected financial institutions. useful for intelligence purposes, and/or of the PyeongChang Winter Olympic These attacks typically involve tactics, give countries a competitive advantage Games in February 2018 was one such techniques and procedures (TTPs) such over rivals during state negotiations. example. The attack, attributed to an as phishing e-mails to compromise One such example was a watering hole1 Asia-based APT group, disrupted Internet employee accounts and gain access campaign active in the last quarter of 2018 access and telecasts, and shut down to systems and networks, as well as that compromised several government websites covering the event. technical methods to cover the attackers’ and media websites in Vietnam and tracks. In June 2018, attackers breached Cambodia. These websites were used to Another type of APT attack seeks to the SWIFT payment system at the Bank infect visitors with spying malware. This disrupt operations. Shamoon, a type of Chile and the Cosmos Bank, siphoning attack was attributed to an Asia-based of wiper malware associated with an off US$10 million and US$13.5 million APT group that cybersecurity experts APT group based in the Middle East, respectively, through fraudulent wire had identified as being behind several is designed to wipe data and render transfer requests. These attacks were espionage and spear-phishing campaigns endpoints and servers unbootable. This likely conducted by the same APT group. targeting Southeast Asian countries. prevents the targeted organisation from conducting business as usual. First seen in 2012 in the energy industry, it re- emerged in December 2018, affecting a number of organisations across many industries in the Middle East.

1 A watering hole attack is a type of cyber-attack targeting a particular organisation, where malware is delivered from websites that are regularly visited by the organisation’s members and infects its systems.

10 11 CHAPTER 1 SPOTLIGHT ON CYBER THREATS

NO. OF DEFACED SINGAPORE WEBSITES REPORTED IN 2018

WEBSITE DEFACEMENTS 129

85 64 69 57 47 36 36 28 20 20 14

JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC

where malicious code is inserted into the web- based application, and by gaining access to the web servers. 3 IN 10 Websites published on the WordPress platform websites were remained the most targeted for defacements in CSA detected 605 cases of website For example, the Singapore website defaced previously 2018, continuing a trend observed since 2016. In defacement in Singapore in 2018, a of a major Japanese advertising firm Singapore, over a third of the websites defaced 70 per cent decrease from 2,040 in was compromised and replaced by a were built on WordPress. A WordPress file 2017. These websites belong to a range message “Sec == ‘0’” in January 2018. deletion vulnerability, first disclosed on 26 June of organisations – from government 2018 and affecting all versions of WordPress up to A spike in defacements observed in agencies, businesses, and media then, could allow an attacker to have full control November 2018 was likely caused by companies. Two Singapore Government over the website. WordPress released an updated an attacker exploiting vulnerabilities in websites were among those defaced. platform version that fixed the vulnerability on 5 an unpatched web server. 101 websites While most affected websites belong to July 2018, and SingCERT published an alert a week belonging to various businesses hosted Small and Medium Enterprises (SMEs), later, advising WordPress website owners and web on this server were compromised larger organisations were also hit. hosting providers to update to the latest version by the same attacker in a single 2 In January 2018, the immediately. However, as of March 2019, about day. Defacements are indicative of Singapore website of a major 40 per cent of the defaced WordPress websites vulnerabilities present in a website’s WEBSITE DEFACEMENTS (2016 – 2018) Japanese advertising firm had yet to be patched to the latest version. underlying infrastructure. This may be was compromised, with its Worryingly, 185 of the defaced websites – or about a harbinger of more damaging cyber- homepage replaced only with 30 per cent of the cases – were defaced previously. Year 2016 1,750 attacks, such as hosting malicious the message “Sec == ‘0’”. content on the website or using it as a Re-defacements suggest that website owners have yet to take appropriate security and patching Year 2017 2,040 platform to launch attacks. measures to protect their websites, even after Defacements usually take place when being attacked before. The variety of intrusion and Year 2018 605 unpatched/ outdated websites and their compromise methods underlines the importance hosting servers are attacked. Common of using stronger login credentials and timely methods of intrusion include Structured patching of known vulnerabilities. Query Language (SQL) injections,

2 “[SingCERT] Alert on WordPress 4.9.7 Security Release,” SingCERT Advisories & Alerts, 12 July 2018, https://www.csa.gov.sg/singcert/news/advisories-alerts/alert-on-wordpress-4-9-7-security-release.

12 13 CHAPTER 1 SPOTLIGHT ON CYBER THREATS

COMMONLY SPOOFED ORGANISATIONS IN 2018 ATB Financial PHISHING URLS GitLab AppleAlibaba Adobe PayPal AT&T DHL Docusign Facebook Yahoo Bank of America Chase Bank 1st Banking and Financial Services Microsoft (e.g. Bank of America) 2nd Technology Google Dropbox (e.g. Microsoft) Postmaster 3rd File Hosting Services Amazon (e.g. Dropbox) Free Mobile France Mailbox

16,100 phishing URLs with a Singapore-link were Users are advised to remain vigilant against observed in 2018, a 30 per phishing attacks, and to be cautious and verify cent decrease from 2017. the identity of the sender, before clicking on suspicious URLs. Phishing e-mails usually OK spoof, or pretend to originate NUMBER OF PHISHING URLS WITH A SINGAPORE-LINK OBSERVED IN 2018 from, reputable firms and organisations. Companies in 3,849 the banking and financial services, technology, and file hosting services made up 2,406

almost 90 per cent of spoofed 1,931 1,867 1,879 1,786 These contained malware companies in 2018. 1,526 1,601 that could be used for 1,155 In Singapore, websites of keylogging and executing 812 767 553 Government organisations such malicious commands on TAKING ADVANTAGE USE OF DYNAMIC DOMAIN LEVERAGING GENERIC as Ministry of Manpower (MOM), compromised devices. OF “HTTPS” NAME SYSTEM SERVICES TOP LEVEL DOMAINS Singapore Police Force (SPF) JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC (DDNS) SERVICES Domains such as Increasingly, threat actors 2,450 phishing URLs and Immigration & Checkpoints were observed using 210 URLs were “.com” (8,100 URLs) by taking advantage of their “giveaways” ended up giving are also using ingenious observed using DDNS and “.club” (700 URLs) “HTTPS” in 2018, a more Authority (ICA) were commonly services in 2018, three were commonly abused, interest in such events. During away their personal information tactics to trick individuals than tenfold jump from spoofed to steal personal and times more than in 2017. making up more than the FIFA World Cup tournament to cybercriminals. Separately, in and evade detection. just 200 of such URLs in financial data from victims. Such services enable half the observations in June 2018, several soccer- the lead-up to the Democratic Some examples include 2017. Using “HTTPS” – malicious URLs to for 2018. They are Phishing activity typically themed phishing e-mails People’s Republic of Korea-USA the use of HTTPS, rather than “HTTP” – change their IP relatively cheap (or lures victims into a false increases when major events and websites were observed, Singapore Summit held in June Dynamic Domain Name addresses constantly even available for free) sense of security, by to evade applications and lack regulation, occur. Threat actors dupe 2018, an intelligence-gathering System (DDNS) services, targeting sports fans with fake having them believe that that block static allowing threat actors to victims into opening phishing gifts from FIFA or its sponsors. campaign targeted South and using generic top they were transacting malicious IP addresses. constantly create new e-mails and their attachments Fans who responded to these Koreans with phishing e-mails. level domains: on a secure website. malicious URLs.

14 15 CHAPTER 1 SPOTLIGHT ON CYBER THREATS

Fewer ransomware cases were reported to FEATURED TOPIC MALWARE CSA in 2018. There were also significantly fewer Command and Control (C&C) servers observed in Singapore; however, the number of botnet ADVERSARIAL AI IN CYBERSECURITY drones – compromised computers infected with malware – remained largely similar.

RANSOMWARE 21 ransomware cases were reported to CSA in ransom payments. In February 2018, a private in 2018, a decrease from 25 in 2017. Although financial institution in Singapore was infected the number of reported cases is low, the actual with GandCrab, when one of its employees number of ransomware cases may be higher as surfed a compromised website and was many go unreported. Ransomware affected prompted to install a ‘font update pack’ for systems across multiple industries in Singapore, displaying the website properly. such as construction, education, and food and Ransomware remains a common threat. Europol beverage. While there were no global widespread has warned that targeted ransomware attacks campaigns like the WannaCry attacks seen which are tailored to specific organisations or in 2017, ransomware remains lucrative, and individuals, such as GandCrab and SamSam,4 continues to evolve in sophistication. may become the new normal.5 Organisations GandCrab was described as “one of the most should ensure that their systems are regularly aggressive forms of ransomware”3 in 2018. updated to thwart known ransomware threats. Since its discovery in January 2018, GandCrab They should also not make any form of payment has infected over half a million computers and is demanded, as there is no certainty they would Machine learning and data- malware that are able to to poison data used to believed to have extorted around US$300 million get their data back. driven detection systems bypass malware detectors. train the models and are being adopted in One way to counter this attack thus influence decision cybersecurity applications would be to include GAN boundaries. One method to cope with rapidly evolving samples during re-training, of defending against GANDCRAB, THE MONEY- Some characteristics of GandCrab cyber-attacks. However, so that the malware detector this type of attack GRABBING RANSOMWARE include: (a) being frequently updated threat actors are now is tuned to identify this class involves processing the to evade detection and deletion, (b) GandCrab is offered in the leveraging adversarial of mutated samples. training data to identify targeting mainly English-speaking Artificial Intelligence (AI) potential adversarial data Dark Web as Ransomware- To combat against new cyber- countries, and (c) customisable technologies to deceive manipulation first, before as-a-Service (RaaS) by attacks, AI engines constantly ransom demands. these systems. One method providing them to train its criminal developers. train and update their models. of deception involves using the AI engines. Modeled after Software-as- As part of the No More Ransom This adaptive learning Generative Adversarial a-Service (SaaS) principles, initiative, free decryption tools for process, however, creates an Networks (GANs) to create cybercriminals without later versions of GandCrab are made opportunity for threat actors programming knowledge available for affected victims to new variants from known would rent such ransomware recover their files. This public-private for their malicious activities, cooperation exemplifies the need for and pay the developers by collaboration between government sharing a portion of and industry partners to combat 3 “The GandCrab Ransomware Mindset,” Check Point Research, 13 March 2018, the collected ransoms. global cyber threats together. https://research.checkpoint.com/gandcrab-ransomware-mindset. 4 On 22 March 2018, the City of Atlanta in the US state of Georgia suffered a ransomware attack which affected several local government systems and disrupted businesses. Almost US$17 million was reportedly spent in recovery efforts. The ransomware used in the attack, dubbed ‘SamSam’, was also linked to another ransomware attack on the Port of San Diego in September 2018. 5 Palmer, Danny. “Cybercrime: Ransomware remains a 'key' malware threat says Europol,” ZDNet, 18 September 2018, https://www.zdnet.com/article/cybercrime-ransomware-remains-a-key-malware-threat-says-europol.

16 17 CHAPTER 1 SPOTLIGHT ON CYBER THREATS

COMMAND AND CONTROL SERVERS AND BOTNET DRONES Gamarue Conficker Mirai WannaCry Gamut Others

SingCERT is responsible for then asks the relevant agencies 100% the prevention, detection and such as the Info-communications 90% resolution of cybersecurity Media Development Authority incidents in Singapore, acting (IMDA) or relevant abuse team of 80% on information provided the local hosting providers to take 70% by government agencies, them down and restore legitimate international counterparts and services. When the hosting 60% the public. When SingCERT provider is located overseas, 50% In 2018, CSA observed about receives information regarding SingCERT collaborates with 300 unique C&C servers in C&C servers hosted in Singapore, the relevant foreign Computer 40% Singapore, a 60 per cent the team first confirms the Emergency Response Teams 30% decrease from 2017. locations of the servers, and (CERTs) to do the same. 20% 10% FEATURED TOPIC 0% JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC

OPEN PORTS On average, five common malware accounted for over half the daily infections in 2018. Open ports attract malware infection and may be 0 1 0 1 0 0 1 used to launch cyber-attacks, such as Distributed On average, nearly 2,900 botnet drones with suggests that many users have yet to patch 1 0 1 1 1 0 1 Denial-of-Service (DDoS) attacks. DDoS attacks 7 0 1 0 1 1 1 0 Singapore IP addresses were observed daily. their devices, or use antivirus software, to 1 0 1 0 0 0 0 inundate websites and services with incoming 0 0 0 0 About 470 malware variants were detected, prevent infections. This is also the likely 1 1 1 traffic, causing them to become unavailable. In 1 0 1 0 1 0 1 but the top five malware observed – Gamarue, explanation for how WannaCry – the 0 0 0 0 0 0 0 February 2018, the two largest DDoS attacks Conficker, Mirai, Wannacry, and Gamut – ransomware that wrecked havoc across the 0 1 0 1 0 1 0 1 0 1 0 1 0 1 recorded in history occurred just five days apart accounted for over half of observed infections, globe in 2017 that can now be easily detected 0 1 0 1 0 1 0 from each other. Unlike large-scale DDoS attacks 1 0 1 0 1 0 1 echoing trends observed in previous years. by antivirus software – continued to persist on 0 1 0 1 0 1 0 that usually employ malware-driven botnets, these These are not new malware; Conficker, in local systems and computers. 1 1 1 1 0 0 0 two attacks stemmed from servers where specific 0 0 0 0 0 0 0 particular, dates back to 2008. 6 Separately, the Mirai malware had been linked 0 1 0 1 0 1 0 ports were left open unnecessarily. 1 0 1 0 1 0 1 The top malware, Gamarue, steals personal to botnet campaigns targeting unpatched 0 1 0 1 0 1 0 The first attack peaked at 1.35 Tbps and targeted 1 0 1 0 1 0 1 information and can also function as a Internet of Things (IoT) devices. A number 0 0 0 0 0 0 0 the developer platform, GitHub. The peak was 30 medium to distribute other malicious of malicious campaigns are increasingly 0 0 0 0 1 1 1 per cent higher than the previous record set by the 1 0 1 0 1 0 1 programs. Although Gamarue’s infrastructure leveraging open-source Mirai malware – 0 1 0 1 0 1 0 attack targeting Dyn in 2016. The second attack 1 1 1 1 was largely dismantled in an international shared openly on the Internet – to conduct targeted a US-based service provider, and set the operation in December 2017, efforts to brute-force attacks with common usernames current peak record of 1.7 Tbps. 010010101 wipe it out completely had been slow and and passwords. The observations indicate If users must utilise open ports for their work, they challenging,8 and Gamarue had continued that many users do not change default login should always safeguard them by avoiding default to infect systems throughout 2018.9 The credentials of their smart devices. 0100101010010011 0100101010010011 persistence of Gamarue infections into 2018 0100101010010011 0100101010010011 credentials, and close the open ports promptly 0100101010010011 0100101010010011 when not in use.

7 Based on unique Internet Protocol (IP) addresses (the numerical code assigned to each device that can connect to the Internet or other networks), about 115,000 botnet drones were observed in Singapore in 2018. 8 Parrish, Kevin. “The Andromeda botnet still lingers as nations struggle to clean infected PCs,” Digital Trends, 14 August 2018, https://www.digitaltrends.com/computing/andromeda-botnet-still-infects-pcs-africa-asia. 9 Brumaghin, Edward and Unterbrink, Holger with contributions from Tacheau, Emmanuel. “Old dog, new tricks – 6 Specifically, memcached servers, used for speeding up networks and improving performance of web applications, were instead Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox,” Cisco Talos Blog, 15 October 2018, hijacked to carry out the two DDoS attacks. https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html.

18 19 CHAPTER 2 TARGET.SG

Singapore has been, and will continue to be, the target of cyber-attacks by Advanced Persistent Threat groups and other threat actors. This chapter offers insights and practical lessons from cyber-attacks that affected different segments of Singapore in 2018, and how we can learn from them to strengthen our collective cybersecurity.

20 21 CHAPTER 2 TARGET.SG

Even as we do our best to secure our systems, it is a matter of when, not if, our systems are breached. The cyber-attack on SingHealth is a reminder for us to do TARGET.GOV.SG better in our cybersecurity efforts, together as a nation. – Mr David Koh, Commissioner of Cybersecurity and Chief Executive CSA, emphasising the need for collective cybersecurity CASE STUDY CYBER-ATTACK ON SINGHEALTH

In 2018, SingHealth’s network WHAT HAPPENED? was the target of a deliberate The attacker gained initial access to SingHealth’s IT and well-planned cyber-attack. network around August 2017, by infecting front end The scale of this cyber-attack was workstations, most likely through phishing attacks. unprecedented. The personal After lying dormant for several months, the attacker particulars of 1.5 million patients moved laterally through the network between December 2017 and June 2018, compromising and the outpatient dispensed additional endpoints, servers and user accounts. medication records of 160,000 of From May 2018, the attacker made multiple them were illegally accessed and unsuccessful attempts to connect to SingHealth’s copied. Prime Minister Lee Hsien patient database system. On 26 June 2018, the Loong’s records were specifically attacker obtained credentials to the database, and and repeatedly targeted. began querying and exfiltrating patient records the following day.

There was, however, no evidence that the On 4 July 2018, an IT administrator at Integrated data had been tampered with or deleted. Health Information Systems (IHiS), the IT agency No clinical services were disrupted, and serving the public healthcare sector including patient care remained uncompromised. SingHealth, noticed suspicious queries made on the The Committee of Inquiry (COI) into the database. The suspicious queries were terminated cyber-attack on SingHealth’s database by IHiS’s IT administrators, and measures were put system established that the cyber- in place to prevent further queries from being made. attack was the work of a skilled and On 10 July 2018, the cyber incident was escalated sophisticated actor, which bore the to the Cyber Security Agency of Singapore (CSA), characteristics of an Advanced SingHealth’s senior management, the Ministry of Persistent Threat (APT) group. The Health (MOH), and Ministry of Health Holdings COI found that the attacker was well- (MOHH). CSA’s National Cyber Incident Response resourced, and had used advanced Team (NCIRT) was immediately deployed on site to techniques and tools to target the work with IHiS to carry out joint investigations and SingHealth patient database and illegally remediation. They took steps to contain the threat, exfiltrate patient data. The attacker was eliminate the attacker’s footholds, and prevent persistent, evaded detection for a long recurrence of the attack. time, and even re-entered the network after being detected.

22 23 CHAPTER 2 TARGET.SG

RECOMMENDATIONS The COI made 16 recommendations relating to FEATURED TOPIC strategic and operational measures to strengthen MADE BY THE COI the cybersecurity posture of SingHealth and IHiS. INTO SINGHEALTH These recommendations are generally applicable to STRENGTHEN GOVERNMENT ICT SYSTEMS all organisations responsible for large databases of To build a secure and resilient Smart tapping on technology to support its IT staff personal data. Some key actions that all organisations Nation, the Government’s approach to and automate cybersecurity tasks, such as must consider implementing are as follows: cybersecurity is underpinned by two key patch management. In terms of Technology, principles. First, we adopt a ‘defence- the Government will continue to build up 1 2 3 in-depth’ strategy, with multiple layers the defence and resilience of its systems, of cyber defence to impede attackers. while implementing measures to better These layers of defence cascade from the detect and respond to cyber threats. perimeter to within the systems. Given The Government can more effectively enough time and resources, sophisticated defend our systems if we involve the global and determined attackers may eventually and local communities of cyber defenders find their way into the system. The Include cybersecurity as Provide all staff with Train and equip all to identify vulnerabilities and strengthen layered defence approach will enable part of the organisation’s training to build awareness staff to recognise and the Government’s ICT systems. For example, security teams to detect any breach and risk management, with on the best cyber hygiene respond to cybersecurity the Government Technology Agency deliberations and decisions practices, and cultivate incidents, and to report respond swiftly. Second, we enhance our of Singapore (GovTech) and CSA are on balancing cybersecurity an organisational culture these incidents in a system defence on three fronts – People, partnering local and overseas cybersecurity and trade-offs (e.g. cost, where cybersecurity is timely manner. Processes and Technology. In terms of communities on a Government Bug Bounty operational requirements) everyone’s responsibility. People and Processes, the Government Programme (GBBP) to help search and based on unique business is developing a stronger cybersecurity considerations (e.g. patient uncover vulnerabilities in our system. culture across the Public Service, as well as safety in the case of the public healthcare sector) managed at the senior level of leadership.

CSA also coordinated national also implemented for IT on critical Government systems 4 5 6 efforts to mitigate the risk of a systems in other unaffected were introduced to detect similar attack affecting other public healthcare clusters and respond more quickly to Critical Information Infrastructure (National Healthcare Group and cybersecurity threats. (CII) systems, by sharing threat National University Healthcare SingHealth began contacting the intelligence with CII owners and System) on 22 July 2018. The affected after the Government instructing them to undertake Government also paused the announced the news of the relevant security measures. rollout of new Government Adopt multiple defences, Carry out comprehensive Develop cyber incident cyber-attack on 20 July 2018. such as encryption, and regular checks and response plans for various ICT systems from 20 July to In view of further malicious Concurrently, SingCERT also firewalls and robust data- audits to identify gaps in scenarios, and test and 3 August 2018. During the activities detected on the issued advisories on precautions access practices, to layers the design of and compliance update them regularly pause, a review of its existing SingHealth network on 19 July that organisations and of security measures, to with policies, processes and by conducting realistic cybersecurity measures was 2018, Internet Surfing Separation members of the public could better prevent, detect and procedures, and to ensure exercises and simulations. conducted. Although there was respond to cyber incidents. that these gaps are remedied (ISS) was temporarily imposed take, in anticipation of potential no evidence of Government ICT according to plan. on SingHealth’s IT systems on opportunistic attacks. systems being compromised in 20 July 2018. As a precautionary this attack, additional measures measure, temporary ISS was

24 25 CHAPTER 2 TARGET.SG

TARGET.EDU.SG CASE STUDY CYBER-ATTACK ON UNIVERSITIES Threat actors target academic institutions for a variety of reasons. These include stealing sensitive research information, and using them as stepping stones to gain access to high security systems and networks.

In 2017, the National University of Singapore (NUS) and Nanyang Technological University (NTU) were hit by sophisticated cyber-attacks that were assessed to be the work of APTs. These incidents highlight the need for academic institutions to stay vigilant constantly and strengthen their cybersecurity defences, as part of measures to protect their intellectual property.

TY SI ER IV UN WHAT HAPPENED? FOLLOW-UP ACTION

In April 2018, CSA received resembled the web portals of the The affected universities information that there was a universities. These portals were reset the passwords of breach of user account credentials made to look as if the victims had all users, and scanned at various universities in Singapore. accidentally logged out of their computers and networks Further investigations revealed accounts and prompted them to for signs of further that at least 52 accounts from four enter their login credentials. compromise. SingCERT universities – NTU, NUS, Singapore sent out advisories to The login credentials of the Management University (SMU), alert all users about the victims were later used to gain and Singapore University of incident, and heighten unauthorised access to the Technology and Design (SUTD) – their vigilance against online libraries of the universities, had been compromised. similar attacks and other in order to obtain research potential cyber threats. Unsuspecting victims received publications of staff members spear phishing e-mails that across various research fields and directed them to a credential academic disciplines. harvesting website, which closely

26 27 CHAPTER 2 TARGET.SG

TARGET.ORG.SG FEATURED TOPIC

Organisations are frequently targeted by threat actors, most often to steal private and personal information from their databases. As more Small and Medium Enterprises (SMEs) go digital, business e-mail impersonation scams are expected to grow in tandem. The Singapore Police Force observed 378 business e-mail impersonation scams in 2018, up from 332 cases in 2017. In total, businesses in Singapore suffered losses of close to S$58 million in 2018, an increase of about 31 per cent from 2017.

CASE STUDY CRYPTO-JACKING

WHAT HAPPENED? In January 2018, SingCERT received UNAUTHORISED CRYPTO-MINING information that a training institute’s web servers had been infected by malware. BECOMING MORE PREVALENT FOLLOW-UP ACTION Four of the institute’s web servers were later Cybersecurity firms have observed a In January 2018, security company found to be infected by a crypto-mining SingCERT provided technical assistance to the shift in modus operandi from traditional Sucuri discovered a campaign where malware. No other suspicious activity was organisation to investigate and understand ransomware to crypto-mining, as mining over 2,000 WordPress websites were detected, although the infected web servers the root cause and potential impact of the cryptocurrency becomes more profitable compromised by a malicious script. This were observed communicating to Internet incident. SingCERT also worked together with than other criminal business models. script delivered crypto-mining and Protocol (IP) addresses associated with the organisation to restore all compromised web Internet of Things (IoT) devices have also keylogging malware to devices. Users crypto-mining operations. servers to their last known serviceable state. emerged as a potential attack vector would experience a decline in computing that may be abused by cybercriminals. performance of their devices when they SingCERT later discovered that the institute’s All organisations and businesses should manage ADB.Miner, a Monero crypto-mining visit these compromised websites, whose web server software had not been patched to their cybersecurity risks appropriately. These botnet which borrowed scanning code malware in turn harness the computing the latest versions, leading to its subsequent include ensuring that all systems are regularly from Mirai, was found in February power to mine cryptocurrencies. Sensitive compromise. The attacker exploited these updated and patched for known vulnerabilities, 2018 targeting Android-based devices. information such as payment details vulnerabilities to hijack the systems and and educating employees on the importance of Another Monero crypto-mining botnet, would also be captured by the malware. discreetly link the web servers to a crypto- verifying important email requests with business Smominru, utilises the ETERNALBLUE 11 mining pool. The cryptocurrency produced partners first, before responding to them. The exploit and has since infected more than was then transferred to a cryptocurrency public may refer to the SingCERT alert published 500,000 computers worldwide. wallet for storage. The attacker remains on 9 November 2017 for measures to counter the unknown due to the anonymous nature of rising crypto-jacking threat.10 the encrypted wallet.

10 “[SingCERT] Alert on Browser-based Digital Currency Mining,” SingCERT Advisories & Alerts, 9 November 2017, 11 ETERNALBLUE is an exploit which leverages a vulnerability in Microsoft’s Server Message Block (SMB). SMB is a protocol used https://www.csa.gov.sg/singcert/news/advisories-alerts/alert-on-browser-based-digital-currency-mining. by computers to share access to files and appliances over a network.

28 29 CHAPTER 2 TARGET.SG

TARGET.YOU.SG CASE STUDY [email protected] Many individuals continue to lack cybersecurity awareness and practise poor cyber hygiene. WHAT HAPPENED?

According to the Singapore Police Force, In July 2018, a member of the It was later determined that there were 1,204 cases investigated under public sought SingCERT’s help the e-mail represented a new the Computer Misuse Act (CMA)12 in 2018, after receiving a threatening form of extortion scam that a 40 per cent increase from 2017. Some e-mail. The e-mail claimed surfaced recently. The victim’s of these cases were a result of victims that the victim’s computer had e-mail address and password who were not alert to phishing e-mails been infected with malware, were likely exposed in a intended to steal their sensitive personal and demanded payment in previous data breach – where information such as passwords and credit exchange for not exposing login credentials of affected card details. video clips of the victim in individuals were leaked – and compromising situations, not obtained through malware All individuals should protect themselves allegedly recorded with the that had compromised the from cyber threats proactively, and computer’s own web camera. victim’s computer, as the practise good cyber hygiene habits at all To substantiate the threat, scammer had claimed. times. These include checking for signs the e-mail also contained the of phishing before clicking on unknown victim’s e-mail password. links or opening attachments in suspicious e-mails, installing computer protection software (i.e. anti-virus, anti-spyware/ FOLLOW-UP ACTION malware, and firewall) and keeping SingCERT advised the victim to change all passwords associated them updated, and enabling Two-Factor with the compromised e-mail account immediately, enable Authentication (2FA) where possible. two-factor authentication for the e-mail account if possible, and Separately, online scams continued to not to make any form of payment. As a precautionary measure, be a concern. There were about 2,125 SingCERT also recommended performing anti-virus scans on all e-commerce scams reported in 2018, the victim’s computing devices. with victims losing a total of about S$1.9 million. 70 per cent of such scams took place on e-commerce platform Carousell, As our cyber threat surface increases, potential and involved electronic products and points of vulnerability will become commonplace. tickets to events and attractions. It is All individuals need to play a conscious role in important for all individuals to exercise creating a safe and secure cyberspace. caution towards unrealistic bargains for merchandise on e-commerce platforms – Dr Shashi Jayakumar, Senior Fellow, S Rajaratnam School of to avoid falling prey to such scams. International Studies (RSIS), and Head, Centre of Excellence for National Security and Executive Coordinator, Future Issues and Technology, highlighting individuals’ role in cybersecurity

12 The Computer Misuse Act (CMA) replaces the Computer Misuse and Cybersecurity Act (CMCA) when the Cybersecurity Act came into force on 31 August 2018.

30 31 CHAPTER 3 SINGAPORE’S CYBERSECURITY STRATEGY – DEVELOPMENTS IN 2018

Launched by Prime Minister Lee Hsien Loong at the 2016 Singapore International Cyber Week, Singapore’s Cybersecurity Strategy sets out Singapore’s cybersecurity vision, goals and priorities to create a resilient and trusted cyberspace. It is only with a safe and trusted cyberspace that we can fully realise the benefits of technology, and secure a better future for Singaporeans.

This chapter looks back on some key milestones of the Strategy in 2018.

The Strategy comprises four pillars: Pillar One: Building a Resilient Infrastructure Pillar Two: Creating a Safer Cyberspace Pillar Three: Developing a Vibrant Cybersecurity Ecosystem Pillar Four: Strengthening International Partnerships

32 33 CHAPTER 3 SINGAPORE’S CYBERSECURITY STRATEGY – DEVELOPMENTS IN 2018

CSA has been coordinating the work to realise Singapore’s Cybersecurity Strategy since it was launched in 2016. This chapter provides some of the highlights and achievements across the four pillars of the Strategy in 2018.

PILLAR ONE PILLAR TWO PILLAR THREE PILLAR FOUR BUILDING A CREATING DEVELOPING A STRENGTHENING RESILIENT A SAFER VIBRANT CYBERSECURITY INTERNATIONAL INFRASTRUCTURE CYBERSPACE ECOSYSTEM PARTNERSHIPS

The first pillar aims to secure our Cybersecurity is a collective Cybersecurity is both a security Cyber threats are borderless. digitally-enabled economy and society, responsibility of the Government, imperative and an economic Strong international collaboration in with emphasis on the Government’s businesses, individuals and the opportunity. The third pillar cybersecurity is necessary to combat partnership with the private sector community. The second pillar looks focuses on developing a vibrant the threats in cyberspace. The fourth and the cybersecurity community to at engaging businesses and the cybersecurity ecosystem. This pillar emphasises the strengthening of strengthen the resilience of our Critical public to collectively build a safer includes building a pipeline of international partnerships and creating Information Infrastructure (CII). and more secure cyberspace. talent and a vibrant industry. opportunities for collaboration.

34 35 CHAPTER 3 SINGAPORE’S CYBERSECURITY STRATEGY – DEVELOPMENTS IN 2018

PILLAR ONE: BUILDING A RESILIENT INFRASTRUCTURE

FEATURED TOPIC Participants from the maritime sector being briefed CYBERSECURITY ACT: THE JOURNEY at the opening address for The Cybersecurity Bill was passed in Parliament on 5 February 2018 and came into Exercise force on 31 August 2018. Extensive public consultations were carried out by CSA and CyberArk the Ministry of Communications and Information (MCI) in the drafting of the Act. This in July 2018. Source: CSA. included closed-door consultations with key stakeholders, ranging from Government agencies, potential CII owners, industry associations and cybersecurity professionals, as MEASURING MATURITY OF CII SECTORS CONDUCTING CYBERSECURITY EXERCISES FOR CII SECTORS well as an open public consultation from 10 July to 24 August 2017.

As part of efforts to build a resilient Since its formation, CSA put through a series of The Cybersecurity Act establishes a legal framework for the oversight and maintenance infrastructure, CSA launched its CII has been conducting scenarios that gradually of national cybersecurity in Singapore. Its four key objectives are to: Protection Programme. Under the sector-specific Exercise built up towards a cyber- programme, the Readiness Maturity CyberArk (XCA) to ensure crisis. Simulated media Authorise CSA to Index (RMI) Framework evaluates the readiness of all CII sectors conferences were then Strengthen the prevent and respond to cybersecurity maturity of CII sectors in defending against conducted to validate protection of CII cybersecurity threats delivering essential services, and increasingly sophisticated the sectors’ crisis against cyber-attacks. and incidents. allows Sector Leads to build cyber cyber-threats. In 2018, communication processes. capabilities and resilience against over 300 participants Besides the sector-specific evolving cyber threats. from the Media, Aviation, Establish a light-touch XCA, CSA also conducts and Maritime sectors took Establish a framework licensing framework for The maturity of a CII sector is measured a national-level, multi- part in XCA on separate for sharing cyber- cybersecurity service based on respective CII owners’ sectoral exercise – occasions to review, security information. providers (to come into attributes in the RMI Framework. As of Exercise Cyber Star (XCS) – exercise and validate force at a later date). 2018, all 11 CII sectors have attained a to validate the National their cyber defence maturity level of “measurable”, which Cyber Crisis Management capabilities and incident means that they have demonstrated System. Two runs of XCS A key feature of the Act is the appointment of a Commissioner of Cybersecurity who response plans. The governance, management oversight, have been conducted to is empowered by the Act to oversee all aspects of cybersecurity in Singapore. The 4-month planning and formalised policies, assigned date, with the third one Commissioner is assisted by Assistant Commissioners of Cybersecurity, appointed from development cycle for responsibilities, and training of people, planned for 2019. the respective sectors, who provide the deep domain knowledge and expertise. The with consistent and measurable each run of the exercise Cybersecurity Act provides the Commissioner and his supporting cybersecurity officers outcomes. CSA will continue to culminated in a 2-day with an important regulatory instrument and statutory powers with which to strengthen develop appropriate cybersecurity Table-Top Exercise (TTX), Singapore’s cybersecurity and combat cyber threats. metrics beyond the RMI framework. where participants were

PSA remains fully committed towards strengthening the capabilities and resilience of our people, processes and platforms against cyber threats, to ensure the continuity of global trade and realising the “Internet of Logistics”.

– Mr Ong Kim Pong, Regional CEO of PSA Southeast Asia, on contributing to cybersecurity in Singapore’s maritime sector

36 37 CHAPTER 3 SINGAPORE’S CYBERSECURITY STRATEGY – DEVELOPMENTS IN 2018

PILLAR TWO:

CREATING A SAFER CYBERSPACE FEATURED TOPIC

CYBERGREEN NATIONAL CYBERSECURITY CyberGreen aims to research and Response Teams (CERTs) to carry aggregate open source information out remediation and mitigation AWARENESS CAMPAIGN to measure and create awareness of efforts proactively. the cyber health status of a country. In May 2018, CSA launched the second In 2018, the platform added more In partnership with the CyberGreen campaign, Cyber Tips 4 You. The scanning locations and enhanced Institute, Singapore developed cyber campaign identified four cyber tips for the risk protocols matrix. It also health metrics for the ASEAN region the public to adopt: provided better visualisations and to provide an overview of the overall allowed countries to compare their state of cyber health while allowing state of cyber health with others. regional Computer Emergency

INTERNET HYGIENE RATING AND BENCHMARKING CSA implemented the Internet review of ratings based on industry- Hygiene Rating and Benchmarking specific threats and trends. Use an Use Strong Passwords Anti-Virus and Enable Two-Factor (IHRB) tool for CII Sector Leads and All CII Sector Leads and owners are Software Authentication owners in 2018. The tool incorporates given access to the IHRB for their Visitors trying their hand at creating a strong password a management-friendly dashboard continuous internal monitoring. at the “Cyber Tips 4 You” campaign at Bedok Mall in that improves an organisation’s May 2018. Source: CSA. Through this data-driven security cybersecurity situational awareness, performance rating, Sector Leads and and encourages regular self-checks Starting from November 2018, a Cyber owners are able to create a common by benchmarking against entities in Savvy Machine Pop-Up, featuring a Cyber benchmark for comparison, enabling the same or similar industries. It also Spot Signs Update your Savvy vending machine and information them to come up with proactive of Phishing Software ASAP enhances the organisation’s Internet panels, will make its rounds to one public policies to improve their cybersecurity. hygiene level through the constant library each month over a period of one year. The four tips were presented in various Library-goers can test their cybersecurity broadcast and print formats, including knowledge by attempting a quiz on the FEATURED TOPIC radio channels, bus stops and MRT machine and win a small gift in the process. stations. Members of the public were Supporting the outreach effort are students SECURING OUR COMMUNICATIONS – also invited to attend a café-inspired from Nanyang Polytechnic, who will help to DSO CRYPTO CHIP event, Cybersecurity Awareness For spread cybersecurity messages at the library Everyone (CAFÉ), to learn how to create on selected days. They will also showcase a Through R&D, DSO National Laboratories developed strong and memorable passwords. “Cyber Savvy game”, which they developed the DSO Crypto Chip to protect Singapore’s sensitive About 12,000 visitors attended the two- with CSA, in the respective libraries. communications and information from potential day launch event held at Bedok Mall. adversaries. Its small size and low power consumption13 allow it to be used on space- and power-constrained systems, while meeting the challenging demands of high throughput and security. The chip incorporates DSO’s unique protection mechanism, which destroys all secret data when tampered. This would render the chip useless. 13 The size of the DSO Crypto Chip is similar to a 50-cent coin, and the chip consumes up to 5 times less power than a commercial chip with similar performance.

38 39 CHAPTER 3 SINGAPORE’S CYBERSECURITY STRATEGY – DEVELOPMENTS IN 2018

FEATURED TOPIC PILLAR THREE: DEVELOPING A VIBRANT CYBERSECURITY ECOSYSTEM INNOVATION CYBERSECURITY ECOSYSTEM @ BLOCK71

ENCOURAGING INDUSTRY INNOVATION AND BUILDING ADVANCED CAPABILITIES THROUGH R&D

CSA works with Government agencies, universities, research institutes, and industry to encourage innovation for next-generation solutions to meet the needs of local and international markets. Efforts in 2018 included:

a. Lean LaunchPad Programme (LLP) d. Singapore Common Criteria Scheme. Cybersecurity Track. CSA and the Singapore attained the status of a National Research Foundation (NRF) Common Criteria15 Certificate Authorising supported the LLP Cybersecurity Track, a Nation in January 2019. With this, local 10-week experiential learning programme developers need not send their product to equip cybersecurity researchers and overseas for certification, saving time and A participant pitching his ideas to a panel of cybersecurity experts and representatives young start-ups with the necessary costs. This increases the potential of IT- from investment spaces at the ICE71 Inspire programme in July 2018. Source: ICE71. networks, tools, and market validation security products produced in Singapore to bring their inventions to market. for export, strengthens Singapore’s In March 2018, CSA and the Info-communications Media Development competitiveness in the global cybersecurity Authority (IMDA) supported the establishment of the Innovation b. Industry Call for Innovation. To market, and attracts global evaluation Cybersecurity Ecosystem at Block71 (ICE71), for three key programmes: catalyse the development of innovative and testing laboratories to base their cybersecurity solutions and adoption by 1. ICE71 Inspire – A bootcamp targeting the academia and industry operations in Singapore. end users, CSA initiated an Industry Call to deepen appreciation for entrepreneurship, provide networking for Innovation in 2018. CSA collaborated e. National Cybersecurity R&D Programme opportunities, and enable potential entrepreneurs to get valuable with industry14 to consolidate their cyber (NCR). Together with NRF, CSA chairs insights from cyber and innovation experts. needs into challenge statements. The the NCR to fund projects16 that seeks to 2. ICE71 Accelerate – An accelerator programme for early-stage Call drew more than 70 proposals from improve the trustworthiness of cyber start-ups to gain access to talent, mentors, funding and local industry solution providers to develop infrastructure with emphasis on security, ecosystem events. solutions for 10 challenge statements. resilience, and usability. Examples of funded projects include SecureAge-NUS’s 3. ICE71 Scale – To provide access to complimentary working space, c. Establishing National Satellites of advanced anti-malware solution using testing facilities, regional markets and corporate support services Excellence (NSoEs). Anchored in local deep learning, and Scantist-NTU’s smart for start-ups. universities, the NSoEs were established binary-level vulnerability assessment for to build and consolidate local research In less than a year, ICE71 has organised a total of 40 events and reached cyber-attack prevention. strengths in domains of national interest. out to more than 50,000 members of the public. Its programmes have Their research focuses on Trustworthy also engaged some 200 mentors who have helped guide the start-ups Software Systems, Mobile Systems in their go-to-market strategies. Security & Cloud Security, and Design Science and Technologies for Secure Critical Infrastructure. The Call provides an excellent platform for us to share with innovators and solution providers the challenges facing our sector, and for all of 14 They include Ascendas-Singbridge, PacificLight Power, Singapore LNG Corporation, Singapore Press Holdings, and us to work together to strengthen the country’s capacity to address SMRT Corporation. 15 The Common Criteria product assurance certification, or ISO/IEC 15408, is the de facto standard for cybersecurity product growing cybersecurity threats. certification around the world. 16 In 2018, the NCR secured additional S$50 million of funding till 2020 to focus on four areas – cloud security, cyber forensic and – Mr Chong Nai Min, Vice President, Information Technology at Singapore LNG Corporation assurance, applications security and edge computing, and artificial intelligence for cybersecurity. (SLNG), on CSA’s Industry Call for Innovation

40 41 CHAPTER 3 SINGAPORE’S CYBERSECURITY STRATEGY – DEVELOPMENTS IN 2018

Cybersecurity is essential to safeguard the convenience and productivity we enjoy with digital connectivity and smart devices. I look forward to serving as a cyber defender to protect our cyberspace. Smart Nation Scholars with Dr Vivian Balakrishnan (Minister for Foreign – Mr Sng Yu Feng Chester, recipient of Smart Nation Scholarship, Affairs, and Minister- in-Charge of the Smart expressing his commitment to Singapore’s cybersecurity Nation initiative), Mr Teo Chin Hock (Deputy Chief Executive (Development), CSA), Mr Kok Ping Soon FEATURED TOPIC (Chief Executive, GovTech) and Mr Tan Kiat How (Chief Executive, IMDA) at the inaugural Smart Nation Scholarship Award Ceremony in August 2018. Source: Smart Nation and Digital Government Group.

BUILDING A WORLD-CLASS TALENT POOL

To promote the growth and development of cybersecurity students and professionals, CSA worked closely with industry, academia and associations to build a pipeline of cybersecurity talent for Singapore through the following initiatives in 2018:

• Launching the annual Youth Cyber • Establishing the annual Cybersecurity Exploration Programme (YCEP) with Awards with AiSP and the support of 17 Singapore Polytechnic, to inculcate seven other professional and industry student interest in cybersecurity. associations, to recognise contributions to the cybersecurity ecosystem. • Co-organising the Cybersecurity Career Mentoring Programme (CCMP) • Launching the Cyber Security Competency 18 with the Singapore Computer Society Framework (CSCF) in CSA and introducing MINDEF/SAF’S CYBERSECURITY EFFORTS (SCS) to provide career guidance in it to the Whole-of-Government (WoG) for the field of cybersecurity. cybersecurity professionals. CSCF lays out A key component of the Ministry of MINDEF/SAF has also formed and structured development pathways to drive Defence (MINDEF)/Singapore Armed operationalised Defence Cyber Incident • Launching the Student Volunteer & capability development through targeted Forces’ (SAF) cybersecurity workforce Response Teams (DCIRTs). These DCIRTs Recognition Programme (SVRP) with training, professional certification and development is the Cyber NSF (Full-time are made up of personnel from MINDEF, the Association of Information Security career progression. National Service) Scheme. MINDEF/SAF SAF, Defence Science and Technology Professionals (AiSP). CSA also supported signed a Memorandum of Understanding Agency (DSTA), and DSO National AiSP in updating and maintaining a • Launching the Smart Nation Scholarship (MOU) with the Singapore Institute of Laboratories. Their responsibilities cybersecurity Body of Knowledge (SNS) with the Government Technology Technology (SIT) in February 2018 to offer include responding to cyber incidents (BOK), to provide knowledge-based Agency of Singapore (GovTech) and IMDA to an academic work-learn programme for in the Defence Sector, and supporting perspectives for industry, Institutes of develop and nurture tech leaders and talents Cyber Specialists. Upon graduation, they and augmenting CSA’s cyber incident Technical Education (ITEs), polytechnics in the Public Service. Four scholarships for will be deployed to operational roles in response efforts at the national-level. and universities. cybersecurity were awarded in 2018. MINDEF/SAF and CSA.

17 The seven other associations are: (i) Cloud Security Alliance; (ii) ISACA Singapore Chapter; (iii) (ISC)2 Singapore Chapter; (iv) IT Service Management Forum Singapore Chapter; (v) The Law Society of Singapore; (vi) Singapore Computer Society; and (vii) SGTech. 18 Adapted from the Infocomm and Technology Security Track of the National Skills Framework.

42 43 CHAPTER 3 SINGAPORE’S CYBERSECURITY STRATEGY – DEVELOPMENTS IN 2018

PILLAR FOUR: Singapore has consistently advocated for the international community to build STRENGTHENING INTERNATIONAL PARTNERSHIPS consensus and develop a rules- and norms-based international order in cyberspace, where its users can remain safe and secure. Singapore stands ready to work with all parties toward closer international cooperation in the cyber and digital sphere. ASEAN cybersecurity – Mr S. Iswaran, Minister for Communications and Information, and Minister-in-Charge and ICT Ministers at of Cybersecurity, on Singapore’s efforts in building a safe and secure cyberspace the 3rd AMCC in September 2018 agreed to subscribe In April 2018, under Singapore’s FEATURED TOPIC in-principle ASEAN Chairmanship, a first-ever ASEAN to the 11 Leaders’ Statement on Cybersecurity voluntary, non- binding norms Cooperation was adopted at the 32nd recommended ASEAN Summit. Singapore has worked in the 2015 closely with ASEAN Member States, UNGGE report. industry partners and international Source: CSA. organisations such as the INTERPOL Global Complex for Innovation to follow Singapore is an active participant Affairs (UNODA) on an online training up on tasks set by ASEAN Leaders. at international platforms and fora course to promote understanding on cybersecurity. As an ASEAN and implementation of agreements Singapore hosted the annual ASEAN member, Singapore supported reached by the UNGGE, and a UN- Ministerial Conference on Cybersecurity ENHANCING CAPACITY and contributed to regional efforts Singapore Cyber Programme to build (AMCC) over the past three years to AND CAPABILITIES IN to build cybersecurity capabilities. awareness of cyber norms and cyber bring together Ministers from all ASEAN CYBERSECURITY TOGETHER scenario policy planning in ASEAN Member States who are responsible for Singapore is partnering with Member States. ICT and cybersecurity issues, including Singapore will launch the S$30 million the UN Office for Disarmament the ASEAN Secretary-General. We ASEAN-Singapore Cybersecurity Centre helped to draft the ASEAN Cybersecurity of Excellence (ASCCE) in 2019, an Cooperation Strategy, which was adopted extension of the S$10 million ASEAN FEATURED TOPIC in March 2017 and provides a blueprint Cyber Capacity Programme that has for coordination of cybersecurity capacity been contributing to the enhancement GALVANISING GLOBAL EFFORTS building efforts. Participants at the 3rd of ASEAN’s cybersecurity capabilities in AMCC in September 2018 agreed to both the technical and policy aspects. The In 2017, the National Cyber Security Centre of The Netherlands (NCSC- subscribe in-principle to the 11 voluntary, ASCCE will complement existing initiatives, NL) together with CSA conducted a landscape study to identify gaps in non-binding norms recommended in such as the ASEAN-Japan Cybersecurity Internet of Things (IoT) security standards and technology. The findings the 2015 Report of the United Nations Capacity Building Centre in Thailand. It will were refined into a set of working initiatives for IoT security that were Group of Governmental Experts on focus on strengthening ASEAN Member jointly proposed by Singapore and The Netherlands at the Annual Meeting Developments in the Field of Information States’ cyber strategy development, of the Global Forum on Cyber Expertise (GFCE), co-branded with SICW’s and Telecommunications in the Context legislation and research capabilities, IoT Security Roundtable, during SICW 2018. The initiatives aimed to lead of International Security (UNGGE). They increasing technical expertise and incident and galvanise global efforts in creating a safer and more secure IoT. also agreed to focus on regional capacity response skills of national CERTs in the In the initial phase of the IoT Security Initiative, NCSC-NL and CSA agreed building in implementing these norms. region. The ASCCE will also promote CERT- to prioritise the efforts on three most critical areas, namely, Certification to-CERT open-source information sharing. and Testing, Supply Chain Security, and Unique Device Identities.

44 45 LOOKING AHEAD ANTICIPATED TRENDS

LOOKING AHEAD What would the next few years portend for cybersecurity? The combination of technological advancements and our transition into ever higher levels ANTICIPATED of connectivity means that cyber threats will become even more targeted, sophisticated and deceptive. These TRENDS are six trends we foresee happening in the near future: 1 2 3 4 5 6 MORE FREQUENT INCREASED THREAT MORE DISRUPTIVE GREATER RISKS FOR ARTIFICIAL BIOMETRIC DATA DATA BREACHES TO GLOBAL ATTACKS AGAINST SMART BUILDINGS INTELLIGENCE – MORE VALUABLE TO SUPPLY CHAINS THE CLOUD AND CONNECTED DOUBLE-EDGED THREAT ACTORS SYSTEMS SWORD

0 0100010010010 1 1000100010001000001 1 00100010000010010001 0 00100001000010010010 0001000010000100100 1 1 0 1 0 1 0 1 1 1 0 1 0 0 0 1 1 0 1 1 1 0 1 1 0 1 0 1 1 0 001 1 0 1 1 0 1 0 0 1 0 001 1 1 0 0

Data has become the Threat actors will focus on With more databases hosted As buildings and factories Artificial Intelligence (AI) As biometric authentication most valued ‘commodity’ disrupting supply chains in the cloud, threat actors become ‘smarter’ – through will be a double-edged becomes increasingly in cyberspace, which which have become will be on the lookout for the proliferation of Internet sword for cybersecurity – it common, threat actors will means cybercriminals will highly interconnected potential vulnerabilities in of Things (IoT) devices and can significantly enhance shift to target and manipulate try even harder to breach and automated. Industries cloud infrastructure. While connected industrial control the capabilities of security biometric data, to build virtual computer databases – dominated by a few their primary goal remains systems (ICS) – the risk of systems, such as in anomaly identities and gain access to especially those that store companies are especially data theft, threat actors them being attacked to hold detection and response. personal information. large amounts of private vulnerable, as problems in will also try to exploit cloud their owners to ransom, or However, threat actors and personal information. one stage of production services for other malicious exploited to spread malware can also leverage AI to may potentially lead to a aims, such as to amplify or conduct DDoS attacks, search for vulnerabilities breakdown in the entire Distributed Denial-of-Service also increases. in computer systems, and supply chain. (DDoS) attacks. create ‘smarter’ malware.

46 47 LOOKING AHEAD ANTICIPATED TRENDS