Asia is increasingly becoming a lucrative high-tech crime target for cybercriminals, with Singapore receiving much of the attention.
Within the past two years, stolen user information, including bank card details and government credentials, has been put up for sale on the dark web.
Singapore is presently experiencing a worrying trend of leaked data from the public and private sectors.
Banks within the country reported losses of up to $640,000 in 2018 as a result.
The dark web is without a doubt a hub for bank fraud, but leaks containing government login information introduce a new angle for cybercriminals.
While such data may not be used to steal money from the agencies, deeper concerns arise from the fact that the information could be used for political sabotage or espionage.
Group-IB, a Russian cybersecurity firm, stated that the Singapore Police Force, the Health and Education Ministries, the University of Singapore and the Government Technology Agency (GovTech) were among the compromised organizations.
Following investigations by the cybersecurity firm, Singaporean officers were advised to change passwords to all affected portals.
Allegedly, the credentials sold online were not compromised from government systems but through officers’ non-official use of their issued email addresses.
Such non-official uses include registering for marketing promotions and signing up for events.
Group-IB stated that email addresses and passwords were exposed in the cyberattacks.
It further clarified that, though seemingly insignificant, such security lapses could be used by criminals to severely disrupt a government.
It only takes one compromised account to impact critical operations and even leak confidential material.
North Korea’s ‘Lazarus’ Hacking Group Allegedly Responsible
Last June, the personal data of more than 1 million SingHealth patients were stolen in Singapore’s worst cyberattack.
Additionally, in January 2019, hackers exposed personal data belonging to 14,200 patients from the Ministry of Health’s HIV Registry.
And just last month, approximately 800,000 blood donors also had their information leaked following a vendor’s mishandling of the data.
In a press release, Group-IB CTO and Head of Threat Intelligence Dmitry Volkov accused the North Korean hacking group “Lazarus” of the recent attacks.
Volkov suggested that the group devised a new malware called RATv3.ps, which can download and execute programs and commands through a shell, capture the screen, act as a keylogger to gather passwords, create and alter files, and inject code into other processes.
Because of the malware’s dynamic nature, it is impossible to stop the attacks while they are in progress; the best option is to prevent them before they occur.
Group-IB predicts that Lazarus will not be ending its activities anytime soon based on their activities last year.
As recently as January, the Smart Nation and Digital Government Group brought to GovTech the case of another 50,000 government email addresses illegally exchanged by criminals.
While most of the addresses were obsolete, 119 of them are reportedly still functional.
Hackers Use Powerful Trojans
Pony Formgrabber, AZORult and QBot are some of the programs that cybercriminals use.
The popularity of such Trojans is attributable to their ability to breach crypto exchanges as well as steal the credentials in users’ crypto wallets.
Pony Formgrabber is capable of obtaining details from databases, configuration files and hidden storage belonging to some 70 programs on the target user’s devices.
It then sends the stolen information to a server run by those responsible for the hacking campaign.
AZORult is capable of stealing crypto wallet data and passwords from browsers.
QBot, the last of the three popular Trojan-stealers, retrieves login details by using a keylogger.
It also gathers cookie files and certificates, initiates internet activities and transmits the ill-obtained credentials to fake websites.
While the investigations by Group-IB were critical in reporting the online criminal activities, the firm lacked the capacity to verify the credentials itself.
Verification would involve logging in using the questionable credentials.
However, Alexander Kalinin, head of Group-IB’s Computer Emergency Response Team, did confirm that the details of the investigations were forwarded to the Singaporean Computer Emergency Response Team (SingCert) for verification.
A New Avenue for Cybercriminals
Government login credentials are usually not common on dark web platforms.
However, Group-IB recently found that data from government websites of over 30 countries have been compromised over the last 12 months.
Apart from ordinary individual hackers, such information is valuable to APT (Advanced Persistent Threat) groups that specialize in espionage and sabotage.
Even though hackers currently use methods like phishing to access critical infrastructure networks, Group-IB speculates that the focus of such attacks could shift to weak network equipment that provides internet connectivity to those networks.
Out of an estimated figure of 40 state-sponsored groups across the world, more than half are said to be operating in the Asia-Pacific region.
Amid the region’s headline-making cybersecurity news, Group-IB announced last November that it plans to open a new global headquarters in Singapore.
Apart from government agencies, the company appeals to clients from the financial and banking industries.
Leaks implicating important government credentials like the recent breaches suffered by Singapore will definitely be on the rise in the coming years.