Singapore’s CSA says cyber threats to OT systems an ‘evolution of carnage,’ as phishing, ransomware prevail

The Cyber Security Agency of Singapore (CSA) announced Monday that ever since the computer worm Stuxnet disabled Iran’s Internet-disconnected Natanz nuclear facility in 2010, threat actors have been researching and refining similar methods to strike targets. Given their high potential for disruption and destruction, such threats are widely regarded as national security concerns, and the agency outlines that they have come a long way in the 13 years since Stuxnet first crossed the theoretical barrier that divided the cyber and physical worlds.

“Threat actors have, and will, deploy OT-targeting malware against weak links in such systems. However, the emergence of Pipedream is an indication of the increasing sophistication and capability of threat actors in manipulating and disrupting industrial systems and processes,” CSA wrote in its report titled ‘Singapore Cyber Landscape (SCL) 2022.’ The document reviews Singapore’s cybersecurity situation in 2022 against the backdrop of global trends and events and highlights Singapore’s efforts in creating a safe and trustworthy cyberspace. 

The agency added that Pipedream is “particularly troubling given the breadth of its functionality which expanded its capabilities, thus setting it apart from other OT-targeting malware (e.g. Stuxnet, Triton, which were purpose-built to target one particular network, with specific equipment and controllers from a particular vendor). The growing nexus between IIoT applications and OT, which sees the latter become increasingly connected to IT systems to allow their infrastructure to be controlled and monitored remotely, will also expand the attack surface further,” it added.

“2022 saw a heightened cyber threat environment fuelled by geopolitical conflict and cybercriminal opportunism as COVID-19 restrictions began to ease. Emerging technologies, like Chatbots, are double-edged, as with many new technologies,” David Koh, commissioner of cybersecurity and chief executive of CSA, said in a media statement. “While we should be optimistic about the opportunities it brings, we have to manage its accompanying risks. The government will continue to step up our efforts to protect our cyberspace, but we need businesses and individuals to play their part too so that we can fully reap the benefits of our digital future.”

“As in all cyber-attacks, the malware carries out reconnaissance in the first stage, allowing attackers to survey the targeted network environment,” according to the CSA. “This allows the attacker to understand the target’s security posture, including how the OT and IT networks interface with each other, and to identify the ‘air gaps.’ By properly researching the target, attackers can identify potential points of entry into those networks.” 

In the second stage, threat actors ‘engage’ with their target to achieve intrusion into the latter’s network. In the case of an OT environment, threat actors can accomplish this via removable media and devices such as USB sticks and cables, through unsecured links between an organization’s IT-OT systems, or through an IIoT interface. 

Thereafter, in the third stage, the CSA said that hackers can employ different tactics to accomplish their objectives. In the case of systems that can be controlled remotely – such as SCADA (supervisory control and data acquisition) systems – this might mean gaining control of a management workstation, which can then be used to make changes on the target system, and/or hide valid alerts. Alternatively, malware can directly target individual components to cause malfunction. One instance would be to change the state of control system hardware – such as Programmable Logic Controllers (PLCs) – and make them operate beyond safe parameters with the intention of causing an accident.

CSA added that some malware also targets adjacent IT systems to cause disruption. “One example of this would be ransomware, which rarely have the capability to affect OT-controlled infrastructure. However, it can still cause operations to fail when deployed on workstations intended to run OT systems,” the document added.

Ransomware remains a significant issue globally, with cybersecurity vendors reporting a 13 percent increase in 2022 incidents, CSA disclosed. In Singapore, the number of reported ransomware cases slightly decreased, with 132 cases reported to CSA in 2022. These cases mainly affect SMEs (small and medium enterprises) in the manufacturing and retail sectors, which often hold valuable data and IP. Many firms lack dedicated resources to counter cyber threats.

Ransomware continues to be a borderless threat that shows no sign of letting up in 2023, CSA assesses. “BlackFog’s tracking indicates that there have been 73 publicly disclosed ransomware attacks globally by end-February 2023, with potentially up to 543% more attacks (i.e. 396) going unreported. Ransomware attacks are a clear demonstration of how cyber incidents can have significant real-world consequences.”

CSA is closely monitoring local developments in ransomware attacks and working with international counterparts on collective efforts to counter the global ransomware threat. “We have issued several advisories on steps that organisations and individuals can take to protect themselves, many of which relate to basic cyber hygiene practices. Organisations with a robust cybersecurity posture will invariably fare better against ransomware that outlines how a Singapore-based precision engineering company managed to regain access to its systems and data without paying the ransom,” it added. 

The agency also identified that regardless of their direct impact, the involvement of hacktivists has increased the level of unpredictability and instability of the cyber landscape amidst the Russia-Ukraine conflict. “Any serious cyber incident triggered by the hacktivists may inadvertently escalate the conflict – or be used as a pretext by either side for escalation. Globally, the resurgence of hacktivism poses an increased risk of collateral damage and unintended effects on uninvolved countries. As the conflict enters its second year, organisations are reminded to remain vigilant, and take the necessary actions to review their security preparedness and strengthen their cybersecurity posture,” it added. 

CSA data revealed that in 2022, the Singapore Cyber Emergency Response Team (SingCERT) reported 8,500 phishing attempts, more than double the 3,100 cases handled in 2021. Over 50 percent of cases involved URLs ending with ‘[dot]xyz,’ a popular TLD among threat actors. The average length of reported phishing links decreased by almost half, suggesting that threat actors are using URL shortener services more frequently to mask malicious intent and track click-through rates. 

Additionally, the most commonly-spoofed sectors were banking and financial services, government, and logistics. Over 80 percent of reported phishing sites masqueraded as entities within these sectors, which are often targets for phishing attacks. SingCERT facilitated the takedown of 2,918 malicious phishing sites in 2022. 

In 2022, Singapore had 81,500 infected systems, a 13 percent decrease from 94,000 in the previous year. Despite global growth, Singapore’s share of infected infrastructure fell from 0.84 percent in 2021 to 0.34 percent in 2022. The top three malware infections on locally-hosted command-and-control (C&C) servers were Cobalt Strike, Emotet, and Guloader, while Gamarue, Nymaim, and Mirai were the top three on locally-hosted botnet drones.

When it came to the trends to watch, the CSA report zeroed in on ransom for reputation, artificial intelligence (AI) for bad and good, and systemic risks for economic analysis. 

In 2022, data breaches led organizations to pay ransoms to mitigate reputational damage rather than to regain encrypted data. Threat actors may continue to rely on extortion, but actual ransomware deployments may decline. Ransomware-as-a-Service (RaaS) providers may focus on data exfiltration and public shaming on ‘leak sites.’ Hackers may also conjure fictional breaches by publicizing repackaged data or information fused through open-source data scraping.

CSA said that AI is expected to grow in cybersecurity, with a market size of US$60.6 billion in 2028. It can be used by both attackers and defenders, with NLP (Natural Language Processing) and ML (machine learning) technologies providing real-time insights. Threat actors may use AI for targeted campaigns, deepfakes, account takeovers, business fraud, and organizational reputation impact.

The Russia-Ukraine conflict has led to increased financial pressures and a rise in living costs, as inflation remains high. Hackers exploit these opportunities through phishing and capitalize on psychological weaknesses. Organizations must scrutinize their budgets and cut unnecessary expenditures, as cybersecurity is often seen as an overhead. Tighter cybersecurity budgets and fewer resources may result in subpar security postures, amplifying the risks of ransomware attacks and breaches.

The CSA said that it will launch a new national cybersecurity campaign later this year, focusing on raising awareness and driving the adoption of good cybersecurity practices. It will also publish the internet hygiene ratings of the healthcare sector this month. The national campaign augments existing efforts by the agency to target various stakeholders including students and seniors under SG Cyber Safe Students and Seniors Programs.

Last December, the Singapore government released its Counter Ransomware Task Force (CRTF) report which serves as a blueprint to drive the nation’s efforts to foster a resilient and secure cyber environment, domestically and internationally, to counter growing ransomware threats. The CRTF document identified how ransomware threats have grown significantly in scale and impact, emerging as an urgent problem for countries around the world, including Singapore.
