As the most targeted region in the world by ransomware and state-sponsored advanced persistent threat (APT) groups, the Asia Pacific region (APAC) experienced a 168% increase in cyberattacks between May 2020 and May 2021. In addition to this staggering year-on-year increase, APAC saw an overall 53% increase in cyberattacks from April to May of 2021 alone, with Japan (40%), Singapore (30%), and Indonesia (25%) leading the pack in sharpest increases.
So which vulnerabilities make APAC a valuable target for cyberattacks and what kind of threats are hitting the region the most?
Home to four of the five most populous nations in the world, APAC is one of the fastest-growing arenas in terms of digital transformation and internet penetration. Because of its competitive markets, APAC has experienced exponential growth in financial technology and e-commerce, resulting in a rising demand for Internet and broadband services.
The COVID-19 pandemic expedited this digital transformation as more companies adopted technologies to supplement the new remote work environment. While this transition brought many benefits and has significant future potential, it also opened the door to a considerable number of cybersecurity threats, leaving companies and individuals scrambling to protect themselves.
As digital transformation accelerates and IoT (Internet of Things) technologies rapidly spread in APAC, the region has faced an explosion of new cyber vulnerabilities and threats.
The rise in connectivity between companies and their employees has exposed vulnerabilities in hardware and software environments, giving cybercriminals greater attack surfaces to exploit. This includes employees’ smaller, personal IoT devices, which can provide a potential backdoor into more well-protected systems.
However, even with this heightened risk, a large number of companies are leaving their systems unprotected and have not implemented the necessary cybersecurity protocols to prevent, detect, or respond to attacks on their networks.
Unlike in the West, where digital progress has been incremental and regulators have had time to adapt and implement essential cyber defenses, the rapid speed of digital transformation in APAC has forced governments in the region to play catch-up.
Several countries have attempted to impose data protection and data breach notification laws, but as a whole, cybersecurity regulation in APAC is still in the early stages of development and tends to focus primarily on critical infrastructure and regulated industries.
In countries that do have comprehensive cyber laws, there are often other issues that have yet to be resolved, such as a lack of enforcement, a misalignment of regulations and perceptions, and a general lack of organizational compliance.
In 2020, APAC had an average dwell time of 76 days, which is 3x longer than the global median of 24 days.
According to the FireEye 2021 M-Trends Report [PDF], 10% of the breaches investigated in APAC during 2020 had dwell times of more than three years while 4% showed dwell times of more than nine years. Though the APAC median dwell time worsened in 2020 — increasing from the 54-day median in 2019 — the region improved overall from the 2018 median of 204 days (and even more from 2017, when it stood at 498 days).
This exceedingly long dwell time in APAC is very attractive to cybercriminals, who see an overall larger window to navigate target environments undetected.
The COVID-19 pandemic sent 92% of organizations scrambling to adopt new technologies to facilitate secure remote work, with 53% of APAC companies surveyed in a Sophos study [PDF] stating they were fundamentally unprepared for the security requirements needed for remote working.
Skills shortages, cloud migrations, and increased threat activity leave many APAC organizations struggling to keep up with the pace of these security developments, and low budgets and organizational apathy pose further challenges to implementing an effective cybersecurity strategy.
However, one positive is that the pandemic has increased cybersecurity awareness and motivated organizations to pay more attention to their security approaches. Seventy percent of APAC companies surveyed in a CrowdStrike study [PDF] agreed that they are more concerned about cyberattacks now than before the pandemic, and almost 75% of respondents believe that cybersecurity enhancement should be a top priority for future investment.
Mobile attacks
Mobile platforms have become an extremely attractive attack vector, with social media and the Google Play app store serving as popular means to distribute malware.
Many mobile attack campaigns have been targeted at the APAC region, like the PhantomLance campaign — a five-year-long Android espionage campaign carried out by the Vietnamese APT OceanLotus from 2015-2020. Aimed at several Southeast Asian countries (e.g. India, Indonesia, Bangladesh, and Malaysia), this campaign involved malware that was hidden in the Google Play store.
Another example is Roaming Mantis, a Chinese-speaking threat group that has been impersonating logistics companies in smishing messages. These messages are targeted at Japanese Android users in the hope of infecting their devices with a new malware named SmsSpy, which extracts data from users’ text messages, intercepts incoming texts, and hijacks targets’ contact lists.
Both PhantomLance and Roaming Mantis have successfully leveraged various mobile platforms, exhibiting a smart and covert approach to distribute malware on a large scale.
Phishing
As threat actors intentionally leverage relevant events and impersonate legitimate institutions and persons, phishing and spearphishing attacks are appearing more authentic and harder to spot without close attention.
Small and medium-sized businesses (SMBs) in countries such as Indonesia, Malaysia, and Vietnam are especially vulnerable to phishing attacks, and Southeast Asian banks are among the most targeted sectors in the world, accounting for 21% of phishing attacks globally in 2020.
Ransomware
Organizations in APAC are targeted by ransomware attacks more than any other region in the world. On average, APAC organizations are attacked by ransomware roughly 51 times per week as of April, which is a 14% increase from the beginning of 2021.
Ransomware-as-a-service (RaaS) makes it easier for people with less technical expertise to carry out ransomware attacks to earn a quick buck, thus allowing more people to enter the ransomware game. Coupled with double-extortion and triple-extortion, where cybercriminals can now demand more money to provide decryptors and not post sensitive data online, ransomware poses a large threat to APAC entities, exemplified by large-scale attacks on corporations such as FujiFilm and GIGABYTE. (Data provided by Check Point Research)
APTs
NAIKON
Recent examples of APT activity in APAC include the NAIKON campaign carried out between June 2019 and March 2021. Chinese APT NAIKON abused legitimate software to side-load malicious payloads, namely first-stage backdoor RainyDay and second-stage malware Nebulae, in order to target military organizations in Southeast Asia for the purpose of espionage and data exfiltration. Countries targeted include Indonesia, Vietnam, the Philippines, Myanmar, Thailand, and Brunei. This is only one example of NAIKON’s activities in APAC, as the group has been targeting government agencies and military organizations in the region for over a decade.
FunnyDream
There is also the long-running attack campaign carried out by Chinese state-sponsored APT “FunnyDream” [PDF], which has successfully infected over 200 APAC government systems since 2018. With targets in Malaysia, the Philippines, Taiwan, and Vietnam, the group concentrates on exfiltrating sensitive files from compromised hosts, focusing specifically on data related to national security and industrial espionage.
FunnyDream — whose espionage attacks appear to be ongoing — uses a combination of three malware strains: the PCShare RAT, the Chinoxy backdoor, and the custom-made FunnyDream backdoor (after which the group was named). These variants each have distributed command-and-control (C2) servers to help evade detection and are used for a variety of purposes, including spying, installing backdoors, collecting documents, and establishing persistence within infected systems.
LuminousMoth
In July 2021, a Chinese APT, dubbed LuminousMoth by Kaspersky, was discovered to have been spreading fake Zoom software to spy on targets in Southeast Asia since at least October 2020. The earliest sightings of this currently ongoing campaign were in Myanmar, but the attackers now appear much more active in the Philippines and have a specific interest in targeting government entities.
LuminousMoth has targeted at least 1,500 victims in this campaign so far (1,400 of which are in the Philippines); however, it seems that the actual targets are only a subset of these. Similar to other large-scale attacks, like the SolarWinds attack, LuminousMoth tries to gain access to a large number of systems, but only conducts further post-compromise activity on a few targets that are of particular interest.
With tactics appearing to overlap with those of the prolific Chinese APT Mustang Panda, LuminousMoth uses a spearphishing email containing a Dropbox download link for initial access, then employs a second infection vector, in which the malware attempts to spread by infecting removable USB drives. In environments of interest, the attackers deploy a post-exploitation tool that impersonates Zoom software with a valid digital signature, using it to scan compromised systems for files with pre-defined extensions that are then copied and transferred to a C2 server.
China is the leading nation-state threat actor in the APAC region, and NAIKON, FunnyDream, and LuminousMoth represent only a sliver of the total number of Chinese APT attacks against APAC entities.
Chinese state-sponsored hacking groups are the most active perpetrators of cyberespionage and intellectual property (IP) theft according to FBI director Christopher Wray. As China aims to be the predominant power in terms of military, space technology, AI, business, and more, it has sought to use cyberattacks to gain access to IP, specifically blueprints and trade secrets related to defense and technological advancement.
For example, in August 2020, seven semiconductor vendors in Taiwan were identified as victims of a two-year Chinese cyberespionage campaign targeting corporate data. Exploiting vulnerabilities in VPN software, the Chinese threat actors were able to gain access to the Taiwanese semiconductor corporations’ source code, software development kits, and chip designs.
Apart from IP theft, China also uses the cyber realm to spy on other government entities, and APAC countries are some of China’s main targets due to continual disputes in the South China Sea and ongoing conflicts with many nations in the region, including India, Taiwan, and Hong Kong.
APAC contains many high-value targets in a low-security environment, increasingly attracting the attention of cybercriminals and nation-state hackers. Rapid digital transformation has expanded APAC's cyber attack surface, but there remains a disproportionately low level of investment in cybersecurity and risk management strategies by many organizations. Yet, the region should take comfort in the fact that there has been increased attention brought to the need for improved cybersecurity among APAC companies, catalyzed by COVID-19 and the shift to remote working.
In this increasingly digitized world, the sooner entities become aware of a cyber threat, the sooner they can take concrete steps to mitigate the risks and neutralize the threats targeting their networks. Given that cyber threats often target various organizations in multiple countries, there is a vital need for stronger regulatory compliance and breach notification laws, in addition to increased collaboration between governments, companies, and security vendors in order to collectively strengthen the cybersecurity ecosystem.
For additional insights on the state of cybersecurity in Singapore specifically, see IronNet's 2021 Cybersecurity Impact Report.