In July 2018, Singaporean healthcare system SingHealth was the victim of a cyber-attack. Approximately 1.5 million patients’ medical data was stolen, among them the medical record of the Singaporean Prime Minister Lee Hsien Loong. The Cyber Security Agency of Singapore (CSA) experts recognised unusual activity on one of SingHealth’s IT databases on 4 July, but by that time, the attackers had stolen online credentials and covered their tracks. A police investigation confirmed that data was stolen between June 27 and July 4.
Authorities suspect the attack was state-sponsored, particularly considering the high profile of the key target. The investigation showed that there were several attempts to obtain the Prime Minister’s data. Such data can be used by belligerent countries or local terrorist organisations to plan covert operations against politicians and decision makers. The CSA chief executive said at a news conference it is better not to speculate what the attacker had in mind. Further, the Communication and Information Minister did not name any state in the interest of national security.
The attack on SingHealth shows a great deal of sophistication; according to the CSA, the attackers planned ahead and set up several entry points to the system to avoid detection. They were not preparing for a hit-and-run attack; rather, they built persistence on the target network. It is also one of those rare cases in which the final target of the attack is known, as evidenced by the repeated attempts to breach the system and access the Prime Minister’s data. The other 1.5 million accounts gathered by the attackers are likely a “bonus”; however, this kind of data is highly sought after by criminal organisations. Medical data contains not only information related to an individual’s health, but also easily identifiable personal and financial details. So far, the medical data has not surfaced in the public domain and there is no evidence that the authorities have tried to contact the attackers.
In most cases of cyber-attack, the final target is unknown. Even if it is unearthed, targets are unlikely to admit that their applied defences were not strong enough to protect their data, or that of their clients. According to SingHealth, they had taken steps to thwart the hackers, including closing entry points to their network and asking their employees to change their passwords. The latter is critical, as these passwords were used to penetrate the system and obtain the medical data.
Cyber attacks and mitigation
The attack on SingHealth is just one example among dozens of different kinds of cyber-attack, which can target not only people using the internet but can also redirect the online communication of any service or alter the commands of any program. All of these activities can have devastating effects, such as the theft of online credentials that are then used to penetrate a system for financial gain. Cyber-attacks are among the most significant modern threats. According to Sonicwall’s 2018 Cyber Threat Report, 9.3 billion malware attacks were registered in 2017, a nearly 20% increase over the number of attacks in 2016. These attacks target not only individuals, but critical infrastructure, state organisations and businesses as well. Most people are familiar with malicious e-mails that include odd-looking attachments, or have heard stories of stolen online credentials.
Unfortunately, there is no 100% perfect protection against cyber-attacks, but there are some best practices everyone is advised to follow to minimise the chances of becoming a victim. One of the most important defences is our choice of passwords. A simple password that is easy to remember is often also easy to break. Further, using only one password for all online accounts makes one’s online presence extremely vulnerable: once that password is obtained, access is granted to one’s social media accounts, online shopping accounts and so on. As most attacks targeting individuals arrive via e-mail, it is important to avoid opening e-mails of unknown origin. Security experts highly recommend building this awareness into our daily online routine. The human component in cyber security is perhaps the most critical, as ill-informed users are often the gateway through which cyber-attackers obtain personal data.
For several years, security experts have warned that outdated technological systems could lead to increased risks to shipping vessels. In recent months, the warnings have grown louder. Most computer-based shipping technologies, developed in the 1990s, were initially designed as isolated systems. Over time, the industry has moved increasingly online, and the change has opened it to more threats from outside actors. As technology and users have become more sophisticated, the shipping industry has struggled to keep pace with the latest changes, leaving older systems vulnerable to targeting.
Two key risks are the hacking or spoofing of marine traffic. Hacking refers to unauthorised access to data in a system. A hacker could gain entry into the internal systems of a company and access private information, such as cargo documents or the personal details of crew members aboard a vessel. A hacker could also install malware in the system, giving them access to sensitive material such as e-mail transmissions. In the past year, hackers have changed the banking information on e-mail invoices going to shipping companies, redirecting millions of dollars before the issue was identified. In June, the NotPetya ransomware attack targeted several large businesses, including shipping giant Maersk. The malware wormed through the company’s global network, forcing a stoppage at 76 port terminals globally and costing the company nearly $300 million.
Spoofing, on the other hand, is the process of falsifying the origin or location of something in order to mislead a user. In the shipping industry, it can be used to alter the reported coordinates of a vessel, or simply to make the vessel disappear from tracking systems. Spoofing attempts are often spotted quickly; however, sophisticated actors continue to devise ways to outsmart the systems, so spoofing remains a point of concern.
Aboard a vessel, security issues can be amplified. For example, the Automatic Identification System (AIS) uses satellites and marine radar to pinpoint the location of a vessel. This information, often publicly available, can be used to track the location of vessels around the globe, and can serve pirates as a sort of “shopping list”. Using spoofing, a malevolent actor can theoretically alter the reported location of a vessel, causing a ship to redirect its course into unknown waters. With hacking, they can access a cargo list, learn the contents of specific crates and, if they successfully board a vessel, target only the crates holding goods they find valuable.
While there are numerous entry points for a hacker to target aboard a vessel, perhaps the weakest point is the maritime satellite communication (satcom) system. Satcom boxes are nearly always connected to the internet, and their software is often not kept up to date. They are often poorly secured, and can easily allow access to “protected” data and entry into a company’s larger systems.
Governments and corporations have long struggled to keep up with changes in technology. Because attacks grow more sophisticated so rapidly, legacy systems often do not have the features or capacity to protect shipping companies from them. Awareness is growing as cyber-security becomes a more prominent global concern. Experts have called for changes in the industry, including secure firmware, password complexity requirements, penetration testing and other preventative measures, to ensure that vessels, cargo and crew remain safe.
The International Chamber of Shipping has recently launched guidelines designed to help ship owners protect themselves from hackers. More information can be found here: http://www.ics-shipping.org/docs/default-source/resources/safety-security-and-operations/guidelines-on-cyber-security-onboard-ships.pdf?sfvrsn=16
A conflict that has lasted over five years, dismantled a country’s infrastructure and set the entire surviving population seeking asylum in neighbouring states: the Syrian civil war. It is the perfect stage for terrorists and extremists to pursue their plans and gain territory. Syria is not the only battlefield of this unbalanced, amorphous and redefined war on terror; northern Iraq, south-eastern Turkey and, more broadly, the whole of Europe remain potential targets. It is a conflict in which superpowers such as the US and Russia played a major role, leading to a ceasefire and alleged peace talks in Geneva; a conflict whose actors, structures and outcomes are yet to be fully unveiled.
This conflict is another historical landmark for many foreign policies: it reshaped the approach to terrorism and justice and showed the world a climate of desperation and fear, while cruelty and loss of life have filled the daily newspapers. Europe has worked on resolving the collateral effects of migration and has faced attacks within its capitals; other players have tried to eradicate ISIS. No winners; only an apparent and fragile ceasefire.
From any “problem solving” point of view, the first step of the analysis is to acknowledge the problem and identify its causes, beginning by minimising its effects. Who is ISIS?
Before describing the organisation we should consider the widely used term “terrorism”. Historically, the term refers to the unlawful use of violence against civilian targets in a desperate attempt to enforce political goals. The rise of ISIS, the Islamic State of Iraq and Syria or Islamic State of Iraq and al-Sham, began in 2004 as al Qaeda in Iraq (AQI). It was initially an ally of Osama bin Laden’s al Qaeda, and both were radical anti-Western militant groups devoted to establishing an independent Islamic state in the region. AQI was weakened in Iraq in 2007 as a result of what is known as the Sunni Awakening, when a large alliance of Iraqi Sunni tribes, supported by the US, fought against the jihadist group. AQI saw an opportunity to regain its power and expand its ranks in the Syrian conflict that started in 2011, moving into Syria from Iraq. By 2013, al-Baghdadi had spread his group’s influence back into Iraq and changed the group’s name to ISIS. Al Qaeda disowned the group in early 2014, by which time ISIS had proved more brutal and more effective at controlling seized territory.
While ISIL has not been able to seize ground in the past several months, that has not precluded it from conducting terrorist attacks, nor from conducting operations that are more akin to guerrilla operations than the conventional operations seen when it was seizing territory. The organisation understood the value of pushing content, specifically videos of atrocities, out into the world; in this way it could recruit very brutal young men to come and join its struggle. As the organisation evolved, it made media central to its ideology and strategy. ISIS has harnessed the power of the “information arena” to propagate its ideology, recruit, move money and coordinate activities. The question arises naturally: “What can be done?”
A top Pentagon official reported that the US is hitting ISIS with “cyber bombs” as part of its new arsenal of tactics deployed against the terrorist group. The cyber effort is focused primarily on ISIS terrorists in Syria, and the goal is to overload their network so that they cannot function. An attack of this magnitude can interrupt the group’s ability to command and control its forces. A similar principle was applied in the power and water disruptions in the middle of a two-week truce between government forces and certain militant groups: disruption of critical infrastructure was used in order to gain an advantage over the group. Moreover, the Islamic State is clearly alarmed by the outflow of refugees, and has produced a great deal of media excoriating those who flee its territories. Giving those refugees a way to tell their stories to the world could be a powerful tool.
The humanitarian issues, the fallout, the civil war and the core issues have not yet been addressed. So far, the military intervention and the multiple air strikes carried out by Russia and the US have diminished the capabilities of the group; however, there is much more to do and the future remains uncertain. It is highly likely that ISIS will not cease to exist in the near to medium term, and its strategy, tactics and objectives are likely to remain unaffected. The struggle in the region and the level of threat to Europe are still primary concerns and subjects of ongoing discussion.
Hacking has been a rising trend within the PRC since the Internet entered the country in 1994, and on 8 November 2012 the Chinese president officially announced, “China will speed up full military IT applications”. China alone accounts for the largest national population of Internet users, some 300 million, nearly one-fifth of the global number. Since the 1990s many hacking groups have been created, such as the Green Corps, the Hong Kong Blondes and, most famously in recent years, the Red Honker Union; together they created a significant hacking culture in China. Some evidence links civilian hackers to the government and to the state’s creation of a cyber army. Since 1998, according to Timothy Thomas of the U.S. Foreign Military Studies Office, the Chinese army has even recruited civilians into its ‘net militia units’ (Militia Information Technology Battalions), the most famous being unit 61398.
The State cyber army: unit 61398
As with everything on the Internet, it is always difficult to prove the origin of a cyber attack. Nevertheless, the company Mandiant has investigated China’s cyber capabilities since 2004, especially through unit 61398, considered part of the Communist Party of China under the Central Military Commission in the GSD 3rd Department (2nd Bureau). Since 2006, a rising number of cyber attacks are believed to have come from this unit, and most of them targeted the U.S.
The four most important sectors attacked are Information Technology, Transportation, High-Tech Electronics and Financial Services. China seems to base its cyber warfare on a method often referred to as “acupuncture warfare”: based on attacking critical IT nodes or pressure points, this method capitalises on optimising effects on adversary vulnerabilities and follows the principle of acupuncture practised in medicine, identifying points that serve as “a tunnel, or access route, to the deeper circulatory channels within”. One application of this theory would be finding the key choke points or supply chain vulnerabilities of enemy military deployments and influencing them by attacking the supporting civilian infrastructure.
Intents and motivation of the cyber attacks
The first reason for China’s cyber offensive is to gain increased military knowledge through cyber espionage: China has an interest in accelerating its military development since it is still behind the West, especially the U.S., which often has the lead in new military technology. Several cyber attacks can be cited as examples, the most famous being “Titan Rain” in 2007: a massive cyber attack against United States defence contractor computer networks (10 to 20 terabytes of data, from organisations including Lockheed Martin and NASA) believed to have come from China. Furthermore, numerous attackers originating in China have been accused of infiltrating the government computers of many countries: the United States, Britain, France, Germany, South Korea and Taiwan.
A second motivation is to make economic gains by stealing technological processes. China’s general technological level is also behind that of the United States, which gives it an increased incentive for industrial espionage in order to achieve economic advantage. Numerous attacks believed to have come from China support this theory, for example the theft of data from U.S. network security company RSA Security in 2011. Moreover, in December 2007, the director-general of the British Security Service (MI5) informed 300 major UK companies that they were under constant attack from “Chinese state organisations”.
One of the last reasons for China to use cyber offence is to deter other states by infiltrating their critical infrastructure. It puts the other states on notice that any technological edge they believe they enjoy will not be functional in a conflict with China. It also reminds China’s restive domestic audience that unfettered technological advancement alone does not bring security. Deterrence and possible military actions of this kind could include launching probes to identify vulnerabilities that could be exploited in armed conflict. Two main examples are Operation Aurora in 2009, in which source code was stolen from the U.S. company Google, and the denial-of-service attack on the White House website in 1999 after the U.S. attacked the Chinese Embassy.
The characteristics of cyber warfare
- Anonymous: China has an interest in avoiding exposure to political and military pressure from the West and the United States. Chinese embassy representative Geng Shuang maintains that the allegations against China are groundless, stating: “The Chinese government prohibits online criminal offenses of all forms, including cyber attacks, and has done what it can to combat such activities in accordance with Chinese law.” The Chinese Defense Ministry in January 2013 stated, “It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.” Here lies a paradox with one of China’s reasons for cyber offence: anonymity prevents any possible deterrence, so China has to find an equilibrium between remaining anonymous to avoid exposure and being known to create deterrence.
- Cheap: cyber weapons are cheap to build and to use.
- Diverse: cyber weapons can target multiple types of system.
- Timeframe: cyber weapons can act quickly and against multiple targets at the same time.
- Flexible: unlike nukes, a virus or any type of cyber weapon can be used multiple times.
China’s offensive cyber: information warfare
In keeping with Sun Tzu’s emphasis on the need for information, China focuses on cyber capabilities as part of its strategy of national asymmetric warfare. The Chinese military and its civilian overseers have hit upon a military strategy that aims all at once to close the gap between U.S. and Chinese technological-military prowess. Hence, China considers the cyber domain to be a battle arena.
An “extremely powerful” cyberattack claimed by supporters of the Islamic State of Iraq and al-Sham (ISIS) left French broadcaster TV5Monde working for three hours to regain control of its 11 news channels and websites. The attack occurred around 10 pm local time. Hackers took down the television channels and posted material on the broadcaster’s Facebook and Twitter feeds. The station’s network director, Yves Bigot, said operations were “severely damaged.” The station’s programming and Facebook page are now back up, but its website remains under maintenance.
The hackers posted documents on the TV5Monde Facebook page which they claim are the identity cards of relatives of French soldiers involved in anti-Islamic State operations. The hackers also posted threats against the troops. France is part of the international coalition fighting against ISIS insurgents.
TV5Monde, which broadcasts around the world, is working with police and national security services to determine how its security was breached. It is not yet known how the group accessed station operations, but the attack appears to have been conducted by the “Islamic State Hacking Division.” The hackers referred to themselves as the “CyberCaliphate” on TV5Monde’s Facebook page, a group which also took credit for the recent hacking of US military servers.
The station has restored broadcast of one signal across all of its channels; however, it cannot “send out pre-recorded broadcasts nor restart the production of our news shows,” according to Bigot. He added that it could take days for broadcasts to return to normal, and that the attack must have required “weeks” of planning. The station is broadcast in nations around the world, including the US, Canada and Britain.
A day before the attack on TV5Monde, the US Federal Bureau of Investigation (FBI) warned that attackers claiming to be sympathetic to the extremist group ISIS are targeting websites that have vulnerable WordPress plugins.
WordPress is a website publishing platform with a community of third-party developers who have created some 37,000 plugins. Occasionally, a security vulnerability in one of these plugins can put a large number of websites at risk by allowing hackers to gain unauthorised access, inject scripts or install malware on the affected sites. The attackers have reportedly hit news organisations, religious institutions, and commercial and government websites. The hackers have defaced websites that share some of the common WordPress plugins with vulnerabilities that are easily exploited, the FBI said.
The FBI advisory states, “Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.” The attackers have voiced support for ISIS; they are likely conducting attacks in order to gain notoriety.
On Tuesday, the security company Sucuri issued an advisory for a flaw it found in the WP-Super-Cache plugin. The plugin is used by up to a million WordPress sites. The vulnerability in the plugin could allow an attacker to add a new administrator to a site, or create a “backdoor” using WordPress’s theme editing tools.
The same day the FBI warning was issued, the homepage of AutismIreland.ie showed a photograph of a soldier with their face covered, alongside the words “ISLAMIC STATE HACKERS”
“Hacked By Moroccanwolf and ABdellah elmaghribi ~ Moroccan Attacker ~ I love IS”.
The image remained on the site for six hours before it was removed. The CEO of Irish Autism Action, Kevin Whelan, confirmed that the hack “appears to have happened to a number of sites” and was not directed at the charity in particular. It is likely that the hackers scanned many websites to identify vulnerable ones and conducted the hacks at random. The Dublin Rape Crisis Centre was also part of a worldwide hack affecting users of a vulnerable WordPress plugin.