Last year, I rounded up the three most significant events for 2020 and crossed my fingers for brighter days ahead. Trapped in the tropics for most parts of 2021, I wasn’t sure if it was the cabin fever or the mask-fatigue but things were not looking great for me. Having spent the past couple of weeks in Europe, it has been quite liberating – breathtaking, dare I say – to be on a plane again, seeing sights and experiencing weather I wouldn’t normally be able to (goodbye humidity and frizzy hair).
With my slightly clearer mind, I thought I should tap into my pensive self and reflect on all that has been going on, before everyone starts making resolutions for 2022. In this post, I am also going to expend a bit more effort on thinking about all the cyber attacks that have affected the APAC region and what we can expect in the year to come.
Looking back on 2020
SolarWinds, ransomware attacks, and the “ZeroLogon” vulnerability made my Top 3 most significant events for 2020. So, how far have we come since then? I don’t think there is a more fitting way to describe how far we’ve come than with the saying “一山还比一山高”. It literally translates to “one mountain will always be higher than the other”, and in practice means there will always be someone or something that outshines its predecessor. Now, tell me that has not been the case. I dare you, I double dare you.
For one, supply-chain attacks are probably on par with ransomware attacks in terms of popularity. We can get into a fight arguing about which is the more popular one. But does it matter? Ransomware attacks now abuse the supply chain (read: Kaseya VSA) too.
Ask me which vulnerability I would award as vulnerability of the year and I’ll be at a loss for words. ProxyLogon comes to mind. But again, how does one decide? After my foray with the Photon Research Team into vulnerability intelligence and management in our latest whitepaper (titled “Vulnerability Intelligence: Do You Know Where Your Flaws Are?”), I now know that I know nothing.
APAC, far away but not forgotten
As one of the few Asia Pacific (APAC) employees in Digital Shadows (now ReliaQuest), take it from me when I say that timezone is a bit tricky to manage. Some of my colleagues are sound asleep when I’ve just started my day, and vice versa. This part of the world gets so lonely.
That’s not the same for cyber threat actors. With nary a complaint, they are always active. In APAC, we are at least 8 hours ahead of some of you but surely, we’ve not been forgotten by these actors and groups.
Enter Exhibit A: the supply-chain attack leveraging Accellion’s File Transfer Appliance (FTA). For those of you who are still not tired of the phrase “supply-chain attack” yet, you may recall that the specific incident involving Accellion affected quite a few organizations. To give credit where it is due, Accellion first discovered signs of exploitation on 23 Dec 2020 and patched the vulnerability within 72 hours, which is certainly no mean feat.
But APAC organizations were predominantly the victims during initial disclosure of the attack. And this was likely the case because of time differences. Accellion released the patch on 24 Dec 2020, but the 21-hour time difference between Accellion’s location in the US and the APAC region meant that the time frame was too short for organizations in the eastern part of the world to address these issues properly. The timeliness, or lack thereof in this case, of applying patches was further complicated by the malfunctioning of Accellion’s email notification system, and by all of this occurring around the Christmas period.
Fastest fingers first. With the Clop ransomware group quick to exploit this vulnerability, the rest, as we know, is history.
Cyber attacks are only gonna get real-er
The Western world tends to get a lot more love when it comes to reporting on cyber attacks and developments in the cyber threat landscape. But we already know this is by no means an indication that threat actors don’t target APAC at all. Low crime does not mean no crime; make no mistake, where there are vulnerable organizations, there will be attackers.
APAC continues to see a surge in cyber attacks. So far in 2021, we have already put out 170 intelligence updates for the APAC region alone. That’s almost double the number we have for 2020. I’m not alone, surely! You’ll likely see numbers and figures put out by other researchers all echoing similar sentiments.
Things will only become spicier in the days to come, I promise you. In the volatile domain of cyberspace, physical developments often influence the conduct of cyber activity. In the APAC region, we’ve been paying some attention to AUKUS, the strategic alliance between Australia, the UK, and the US.
A lot of the hype around AUKUS has got to do with the provision of nuclear-powered submarines to Australia. That’s a huge deal. Under the pact, Australia will probably be the first non-nuclear-armed state to possess nuclear-powered submarines. This does draw some non-proliferation debate but we can nerd out about those issues another time.
Hold your horsies, there’s more! Subs shouldn’t be all that the pact is known for. The AUKUS agreement also includes the sharing of cyber and marine technology, including artificial intelligence and quantum technology. Beneath it all, the alliance hints at the priority placed by the US on attempting to balance an increasingly power-hungry China. As we recall, China treats its critics with hostility, so we can be sure this competition is only going to fuel cyber activity. Even without poking the beast, AUKUS’ cyber technology component probably ranks high on China’s list of priorities.
Equally as important are policies and frameworks enacted by regional players. China’s government has passed or implemented several data and/or privacy-related laws. In attempting to address the “chaos” data has created, the Personal Information and Privacy Law has been enacted on 01 Nov 2021. Not another GDPR, some might bemoan, but pay no heed to these laws and you might just face the wrath of the Cyberspace Administration of China (CAC). The laws also apply to foreign firms – some like Apple have chosen to comply, but it’s a more bleak prospect for others like Yahoo Inc, which has decided to withdraw operations from China, citing an “increasingly challenging” operating environment.
Slowly but surely, we are getting somewhere
With so much going on in the APAC region, there is no excuse to think that cyber attacks won’t affect us. The silver lining is also that many organizations (and their leadership management team) are increasingly sitting up at the mention of cyber attacks and how to defend against them.
There are very few things that make me proud to be Singaporean. Our food and hawker culture are two of those few things, but this year I’m thrilled to add Singapore’s Cybersecurity Strategy to the list. There is a sentence in the announcement that particularly struck a chord with me – “Singapore thus reviewed and refreshed its cybersecurity strategy which was first launched in 2016”.
Reviewing and refreshing our approaches for ensuring a more secure network and digital infrastructure is such a hassle, I feel you. But this is so, so important. In the reports I write, I often have to stress that there is no such thing as a one-size-fits-all method. Nor are there mitigation measures that will be valid forever.
Perhaps the most dignifying of all – Singapore’s approach to Zero Trust. We’ve already established the growing popularity of supply-chain attacks; a Zero Trust architecture is one of the most useful ways to break that chain, because a compromised vendor component is no longer trusted simply for sitting inside the network perimeter. With Singapore’s updated strategy, the country makes it clear that Zero Trust is the way to go, moving away from perimeter defence and towards a zero-trust model.
In Singapore, a top-down approach is perhaps the most typical way forward; the Singapore government will take the lead with its Government Trust-based Architecture, which translates Zero Trust principles into a government context. With our lead, hopefully more countries will follow suit. Fair dos, implementing Zero Trust is not easy, but if this little red dot can do it, you can too.
On to the next one
Aaaaaand that’s a wrap. I can’t possibly put everything we’ve gone through in 2021 into this post, but hopefully this has provided an inkling as to what has happened and what can come next. With threat actors lurking around the corner, each trying to outdo the other, there is never a dull day in cyber-security. Without a shadow of a doubt, 2022 will surely be a hectic year, but I’m in good hands with the Photon Research Team and I look forward to another year of working with you lot #thnksfrthemmrs
The Photon Research Team does a tremendous job covering a variety of cyber threats, including primary research on cybercriminals. Beyond that, we also look at policy implications, wider geopolitical developments, and how they can potentially herald a shift in the cyber threat landscape. Check out some of our works here, or let us walk you through a demo with a 7-day test drive of Searchlight.