Cybercrime across Asia has increased markedly as the COVID-19 pandemic sweeps the region.
Denis Donnelly is a cyber security expert based in Singapore, dealing with an increasingly complex criminal underworld that is using computers, computer systems, and other technology to make money, disrupt governments, and create doubt and confusion across nations.
The Asia Media Centre spoke to Denis about cybercrime and cybersecurity, in a post-COVID world.
What is the current extent of cyber-based crime in Asia, and are cyber-criminals benefiting from the COVID-19 pandemic?
This is a big, expansive question to start with! It’s worthwhile taking a step back and understanding the wide range of economies we have in Asia, and the varying levels of cyber maturity within each.
Advanced economies such as Singapore, New Zealand and Australia, have always been a prime target for cyber-criminals due to their wealth and broad technology adoption.
Cyber-criminals are an enterprising bunch and they have a history of piggy-backing on news trends to infect unsuspecting users with malware – in this regard COVID-19 is just the latest ‘wrapper’ they have put around their activities.
Cybercrime exists on an individual level, a business level, and a national level. What trends are you seeing in those three aspects?
Common to all three, we see continued rapid evolution of the threat landscape - cyber-criminals are quick to exploit new technology and global events to compromise companies and individuals.
Privacy is also becoming much more intertwined with cybersecurity, particularly in light of the EU’s GDPR (General Data Protection Regulation) in 2018 which has resulted in a lot of Asian countries working to update their own legislation. More specifically:
- Individual: As smartphones become more pervasive in our day-to-day activities (such as online banking), there has been an increase in fraudulent activity with mobile-specific malware and rising levels of identity theft.
- While individuals are getting desensitized to on-going data breaches, at the same time they are becoming more wary of over-sharing sensitive data online. In particular, younger tech users are more savvy in how they manage their digital footprint, especially on social media.
- They are more likely to use Instagram and Snapchat compared to Facebook due to functionality and ease of sharing content, but also the ability to share more limited personal data amongst a closer group of friends.
The end result is an environment that remains in flux – individuals becoming more informed, but at the same time cyber criminals continuing to probe for gaps to exploit.
- Business: There is a lot more focus on privacy as a result of the EU’s GDPR which includes mandatory breach notifications to the general public. Australia is currently one of the only Asian jurisdictions with a mandatory breach law, enacted in 2018, but we can expect to see similar legislation enacted in Singapore and New Zealand this year. There are numerous other countries working to update their privacy laws and it is a challenge for regional businesses to keep up to date with all of the changes and ensure they remain compliant.
- National: We will continue to see investment in the national-level capabilities, such as Singapore’s creation of the Cyber Security Agency (CSA) in 2015 with the task of protecting Singapore’s cyberspace. The equivalent of the CSA in New Zealand is the Government Communications Security Bureau (GCSB) and in Australia the Australian Signals Directorate (ASD).
- Over the last number of years each of these organizations has expanded its remit beyond traditional signals intelligence, in the case of GCSB and ASD, to providing valuable guidance about cyber-threats, coupled with recommendations on how to reduce risk. (more specifics below)
While there have been a number of threats somewhat specific to COVID-19, the huge majority are actually a ‘re-brand’ of existing threats. A prime example of this is Emotet, which has been one of the most prevalent malware families over the last number of years. In February, Cisco Talos observed updated Emotet distribution campaigns leveraging COVID-19 related themes.
In the same month, IBM also reported Emotet targeting users in Japan. The advice to people working from home would be the same now as it was pre-COVID: be wary of unsolicited emails with attachments or links.
Almost every company has some kind of training to help employees identify some of these threats; my advice would be to constantly ensure this content is relevant and not just a tick-box exercise.
A broader concern that has emerged since the onset of the COVID-19 crisis is related to the huge number of employees that have shifted to home working.
Whilst remote workers are not in and of themselves a threat, very few companies were resourced for such a significant shift in such a short amount of time.
This has led to many instances of employees logging into company systems from personal devices, over which the company has little to no visibility or control.
This raises a whole host of concerns – is there even a corporate policy for remote working? What level of visibility or enforcement can an employer mandate for an employee-owned device? (Hint: Little to none in most jurisdictions). But fundamentally, with all of these additional devices accessing company networks, how can executives be assured that sensitive data is not being placed at risk?
Are cybercriminals directly targeting health-related computer systems as the region struggles with COVID-19?
Unfortunately, whenever there’s a crisis anywhere in the world, there are criminals eager to take advantage. There are not many public mentions in Asia but there are two from Europe that made global headlines.
In Germany, health authorities were seeking to procure face masks but it turns out the buyers were dealing through a fake website branded as a legitimate company.
The website was the lure, but the attackers had also compromised the legitimate company’s email system, allowing them to masquerade as genuine employees of that company.
The unwitting buyers handed over €2.38M before they uncovered the fraud but thanks to prompt action most of the bank accounts containing the funds have been frozen.
Meanwhile, in the Czech Republic, the Brno University Hospital had to shut down their IT systems, cancel surgeries and re-route incoming patients due to a ransomware attack (denying access to files until a payment is made). The hospital is one of the Czech Republic's biggest COVID-19 testing laboratories and the timing of the attack only adds to stress at this worrying time.
Phishing, malware, permutation of domain names etc - what are the latest scams you’ve seen?
Most scams will follow current events to get their malware on to end user devices. They will improve their chances of success by registering COVID-19 related domains and renaming their malicious attachments to something COVID-19 related – all with the goal of baiting unsuspecting users to click on these links and open the attachments.
A good example is the COVID-19 Map maintained by Johns Hopkins University in the US, and a valuable resource being used globally to track the outbreak.
How can organisations large and small best defend themselves against cybercrime now?
A lot of the advice that applies to individuals also applies to businesses, both large and small. It’s important to understand that lots of the expensive technology solutions relied on by organizations can be undone by an unwitting user clicking on a link or opening an attachment. Users in all organizations should be wary of unsolicited mails that contain attachments or links.
To better defend themselves, organizations should look to a number of government publications & frameworks that provide a framework to increase their resilience to cybercrime. These frameworks have been receiving increased awareness and include concise steps and activities that were created for the layperson to understand. They include:
- The New Zealand government’s ‘Top 11 tips for cyber security’ includes specific advice for individuals and businesses. Some of the steps will be well-known to most laypeople, including the installation of software updates, backing up data, choosing unique passwords per online service, and using multi-factor authentication.
- While Australia’s guidance has a catchier title, "The Essential 8", and at first glance is more technical, it includes most of the same guidance: patch applications and operating systems, and back up your data.
It should be noted that organizations don’t necessarily have to implement all of these measures, as even these would not make you 100 percent secure (Pro-tip: There’s no such thing). However, every incremental step that can be implemented will only increase your cyber resilience.
Is cross-national policing of cybercrime working in Asia, and what are governments actually doing?
There’s not really one single over-arching body working to address cybercrime in Asia, but there are numerous global, regional and bilateral relationships being developed around the problem.
These efforts have accelerated significantly since Interpol opened an office in Singapore in 2015, and in parallel, governments in the region have become more aware of how critical cyber security has become to the protection of their citizens and the resilience of their economies.
- New Zealand and Australia are members of the UKUSA Agreement, an international intelligence-sharing alliance more commonly known as ‘Five Eyes’. This group has recently taken a more open & proactive stance to discuss common global cyber issues, such as the shortage of skilled personnel and election security.
- Interpol have been leading global efforts, opening an office in Singapore in 2015 with the intent of fighting internet-based criminal activities, to complement their HQ in Lyon, France. This office facilitates the sharing of threat intelligence information with corporate partners, such as Cisco.
- The Singapore government is also encouraging its use as an ASEAN hub in order to collectively address online threats in the region. One valuable piece of outreach is a report that Interpol published in February 2020 highlighting key threats in South East Asia.
- And at a national level, Singapore has signed MOUs with Australia in 2017 and New Zealand in 2019 which allow for the sharing of best practices, as well as regular information exchange on cybersecurity incidents and threats.
How might cybersecurity change in a post-COVID world?
An even bigger question is, how will the nature of work change post-COVID? It has already completely changed, and it’s not going to go back to the way things were. This will result in cybersecurity having to adapt to address this new environment.
- Globally, Google, Facebook and others have announced plans for most of their workers to continue working remotely into 2021. Twitter went so far as to say that employees could work from home forever if they wish to.
- A little closer to home in Singapore, a recent survey found that 90 percent of employees want to continue working from home in some capacity post-COVID.
- Jose Vinals, the chairman of Standard Chartered, one of the largest employers in Singapore, and across the region, gave an insightful interview to Bloomberg which captured the prevailing mood and articulated a forward-looking view that a lot of organizations are coming to grips with:
- Surprise at how productive employees have been: “If you had asked me three months ago what would happen if we had a shock like this, I don’t think I would have been as confident as I am now, having seen what I’ve seen”
- Commitment to a fundamental review of work-from-home post-COVID: “One thing is for sure -- after this crisis is over we may have to rethink our work-from-home practices”
- But with concerns about cybersecurity: “We have some questions on the cyber-security features, and those questions have to be appropriately answered.”
It’s clear that companies, large and small, have a lot to consider over the next few weeks and months as lock-downs are lifted and employees start making tentative steps to return to the office, or not, as the case may be.
My advice to companies would be a holistic review of their work from home policies (as part of an integrated IT and cybersecurity strategy) to ensure only authorized users and devices are allowed to access specific systems & applications.
In my experience, a small investment here in terms of technology and training pays huge dividends regardless of where employees work from.
- Asia Media Centre