Singapore university breaches reveal wider attack surface to safeguard

Government's increasing industry collaboration and research efforts suggest Singapore needs a cybersecurity strategy that goes beyond limiting internet access, as two universities fall prey to APT attacks.
Written by Eileen Yu, Senior Contributing Editor

Security breaches this week in Singapore and around the globe reveal the country will have to safeguard a much wider attack surface and need a cybersecurity strategy that goes beyond simply limiting internet access.

It was revealed on Friday that two Singapore universities suffered APT (advanced persistent threat) attacks last month, with the hackers specifically targeting government and research data.

The National University of Singapore (NUS) had detected the intrusion on April 11 when assessments were being carried out by external consultants brought in to boost its cybersecurity posture. Days later on April 19, the Nanyang Technological University (NTU) uncovered its breach during regular checks on its systems.

The universities notified Cyber Security Agency of Singapore (CSA), the government agency tasked with overseeing the country's cybersecurity operations, which helped both institutions conduct forensic investigations into the attacks.

CSA determined that the breaches were the result of APT attacks and were "carefully planned and not the work of casual hackers".

"The objective may be to steal information related to government or research," the government agency said in a statement Friday, adding that data related to students did not appear to be targeted. Critical IT systems, such as student admissions and databases containing examination documents, also were not affected.

"As the universities' systems are separate from government IT systems, the extent of the APT activities appear to be limited," CSA said. The agency said it was helping the universities with incident responses and measures to further mitigate any potential impact, adding that affected desktop computers and workstations at both universities had been removed and replaced.

"We know who did it and we know what they were after, but I cannot reveal [details on] this for operational security reasons," CSA chief executive David Koh said. The agency also refused to reveal what information the hackers were able to access, but said no classified data was stolen.

It did say, though, that government sectors running critical information infrastructures (CIIs) were informed of the breaches and put on alert. All government bodies and agencies also had been urged to be extra vigilant and beef up checks on their networks.

"There has been no sign of suspicious activity in CII networks or government networks thus far," CSA said.

In a Facebook post Friday, Singapore's Minister for Communications and Information Yaacob Ibrahim said the breaches were "a stark reminder that cyber threats are real in Singapore".

"As we become more digitally connected, such threats will continue to increase in sophistication, and both public and private sector organisations are equally vulnerable," he said. "Everyone has a role in ensuring cybersecurity. At the individual level, we can and should also do our part to be vigilant, and practise good cyber hygiene."

Increasing industry collaboration means increasing surface attack

The minister is right, of course, but that means the government also needs to realise it cannot choke the pipe to stem the leak when new joints are continuously being added to the pipeline.

In its bid to contain potential data leaks, the Singapore government last June said it was restricting internet access on all computers used by civil servants, affecting an estimated network of 100,000 workstations. Government employees would only have online access via dedicated work terminals or be allowed to browse the web via their own personal mobile devices, since these would have no access to government e-mail systems.

However, as part of its efforts to drive its smart nation initiative, the Singapore government had been actively involved in various data research efforts as well as increased its collaboration with industry players. The Land Transport Authority (LTA), for instance, was piloting the use of self-driving buses and conducting research with NTU to improve real-tine monitoring of the national rail system.

The National Research Foundation (NRF), a unit under the Prime Minister's Office, in February also launched a S$8.4 million (US$5.93 million) cybersecurity lab located at NUS to provide a "realistic environment" for cybersecurity research and testing. And just last week, NRF unveiled plans to develop Singapore's capabilities in artificial intelligence and data science, which would involve several government agencies as well as universities including NTU and NUS.

Its efforts to digitally transform the nation and prep its citizens for a digital economy are commendable and should be further encouraged, but it also unravels a significantly wider attack surface on which malicious hackers can target.

Adopting a strategy that involved "separating" or "delinking" internet access in the public sector would unlikely be truly effective in preventing attackers from targeting government data or systems.

As the NTU and NUS breaches demonstrated, "not-so-casual hackers" were more than capable of identifying other entry points and vulnerabilities elsewhere to access government and research data.

What if they were able to get their hands on research NTU was working on with LTA, uncovered information on train operations, and used that to disrupt the national rail system? And they would have achieved that without even having to target or breach LTA's "internet-less" computer systems.

Worse, touting a strategy based on restricted internet access as a way to stop attackers could lull government employees into a false sense of safety. There must be realisation that it wouldn't matter if the universities' systems were "separate" from government IT systems or that this "limited" the extent of the APT activities.

Amid the flurry of smart nation and digitisation efforts across Singapore, government data as well as valuable research data could reside outside of government systems and within the reach of malicious hackers.

Commenting on the university breaches, LogRhythm's Asia-Pacific Japan vice president Bill Taylor-Mountford, said: "The attack shows that hackers are no longer just targeting the usual suspects in Singapore, such as financial institutions, government, and critical infrastructure. Establishments such as universities hold valuable personal data, including intellectual property that can bring about financial gain."

Darktrace's Asia-Pacific managing director Sanjay Aurora concurred, and urged businesses to realise it would be impossible to stop every threat making its way into the network.

Taylor-Mountford added: "Today, we can no longer prevent attackers from gaining access. We are almost fighting a losing battle if we only focus on prevention. It is more important to be able to detect a breach and quickly neutralise it.

"Reducing the mean time to detect and respond must be the key objective for any cybersecurity infrastructure today," he said.

Aurora touted the need for machine learning and artificial intelligence to better detect APT and other emerging attacks within the network. This would alert systems administrators to anomalies and automate processes, such as isolating compromised systems from the internet, to provide security teams more time to investigate and address the threat, he said.

The massive ransomware infection on Friday that affected more than 70 countries, including the UK, Spain, and Russia, further suggest more of such sophisticated and coordinated attacks are in the horizon. And these could shut down critical services such as healthcare, as the UK experienced this week, when the ransomware attacks crippled healthcare systems, forcing hospitals to close emergency rooms and cancel surgeries.

So, it's no longer a question of "if", but "when" cyberattacks will hit. The Singapore government clearly knows this, but it now needs to actually believe it and act on it. It would be quite tragic if it decides instead to extend its internet separation tactic beyond the public sector or scale back its industry collaboration.

Editorial standards