Cyberattacks on information and communications technology (ICT) supply chains are on the rise. This is dangerous as vulnerabilities can be introduced at any phase, from design through development, production, distribution, acquisition, and deployment to maintenance. This can affect governments, enterprises, and the public.
When cybercriminals gain backdoor access to the systems of a supplier's clients, they can infect thousands of systems at once. The more entry points there are, the bigger the attack surface becomes. When one part is affected, a domino effect soon follows.
There were a number of high-profile ICT supply chain attacks last year. In 2021, while investigating the artefacts of a supply chain attack on an Asian government Certification Authority’s website, Kaspersky discovered a Trojanised package that dates back to June 2020.
Unravelling that thread, Kaspersky researchers identified a number of post-compromise tools in the form of plugins that were deployed using PhantomNet malware, which was in turn delivered using the aforementioned Trojanised packages. Kaspersky’s analysis of these plugins revealed similarities with the previously analysed CoughingDown malware.
Genie Gan, Head of Public Affairs and Government Relations for Asia Pacific & Middle East, Turkey, and Africa at Kaspersky, explains that the threat actor’s real target was the government entity. However, as the Certification Authority is a weaker link in this supply chain, the actors decided to exploit the trust between the government and the Certification Authority.
“Supply chain attacks exploit trust relationships – be it a relationship between a reputable body and a government or between a small software supplier and an enterprise. Such attacks have major consequences for all affected parties, impacting the government, enterprises and very possibly individuals like you and me. To prevent this, the defenders need to operate on the basis that their system is compromised and look for signs of an attack rather than assume that they can be prevented using traditional products.”
Rahamzan Hashim, the Chief Executive of the National Cyber Security Agency, National Security Council of Malaysia (NACSA, NSC), who opened Kaspersky’s latest media event, stated that trust and transparency are timely topics to be discussed given the urgent need to boost Malaysia’s cyber resilience.
“Cyber incidents are on the rise. There were 4,194 reported in 2020, 5,575 in 2021 and so far 5,626 as of September this year. Mutual collaboration between public and private entities is key to strengthening our cybersecurity capabilities as a nation. We know this well, which is why our Malaysia Cyber Security Strategy 2020 – 2024 is founded on multi-stakeholder partnerships between the government and private sectors as well as industries here in Malaysia,” he added.
Kaspersky in H1 2022 also detected 20,948,843 different web threats on the computers of Kaspersky Security Network (KSN) participants in Malaysia.
Attacks via web browsers are the primary method for spreading malicious programs. Exploiting vulnerabilities in browsers and plugins, as well as social engineering, were the most common ways used by cybercriminals to penetrate the systems.
The global cybersecurity company’s fresh data also showed that 16,498 malicious installation packages on mobile were detected and blocked in Malaysia by Kaspersky, and that 3,285,350 brute-force attacks against Remote Desktop Protocol (RDP) on computers running Windows were foiled during this period.
In addition, Kaspersky’s Anti-Phishing systems blocked 1,791,751 phishing attempts in Malaysia during the first six months of the year.
Recognising the risks and impact of ICT supply chain cyberattacks, countries are taking action. As far as the local government is concerned, legal policies and regulatory frameworks on cybersecurity have already been laid out and are currently in place. Kaspersky executives urge the state to collaborate with its neighbors and private companies to further build its cyber-resiliency.
Gan adds that while the cybersecurity landscape in Malaysia is distinct from the rest of SEA countries, it is still interconnected with its regional neighbours in so many ways. “This is why we encourage the government regulators to begin boosting its cyber capacity-building and cooperation efforts. These two are basically the building blocks of cybersecurity,” she said.
“Looking at Malaysia’s unique cybersecurity landscape and how it is dealing with cyberattacks, it appears that the country is now in the intermediate stage of cybersecurity readiness. Intermediate-level countries are those that have identified cyberattacks as areas they need to look into and have attempted to make some inroads. The goal is to have the country move to the Advanced stage where we hope to see it doing more in terms of development,” added Gan.
Gan recommended the following specific action steps to strengthen the ICT supply chain in Malaysia:
- Develop core principles and technical standards to ensure a consistent level of cybersecurity across all companies involved.
- Actionable national cybersecurity strategies.
- Improve procedures and regulations on ICT supply chain infrastructure.
- Private and public mutual cooperation and cybersecurity capacity building.
From Kaspersky’s experience, an effective formula includes constant improvement of security awareness. This includes engagement with the wider cybersecurity community and stakeholders including cybersecurity providers to validate and verify the trustworthiness of their products, internal processes, and businesses — an important pillar held by Kaspersky and implemented within the overall framework of its pioneering Global Transparency Initiative (GTI).
One of the GTI’s cornerstones was the opening of a network of Transparency Centers, one of which is located in Malaysia and is open to partners, stakeholders, and government regulators keen to review Kaspersky’s cybersecurity practices.
The Transparency Center in Malaysia is fully operational and available for on-site (physical) and remote access.
More Transparency Centers are also in Zurich (Switzerland), Madrid (Spain), Kuala Lumpur (Malaysia), São Paulo (Brazil), Singapore, Tokyo (Japan), Woburn, MA (the United States), Rome (Italy), and Utrecht (Netherlands).
This global network of Transparency Centers serves as facilities for trusted partners and government stakeholders, responsible for cybersecurity, to review the company’s code, software updates, and threat detection rules.
The GTI also paved the way for the creation of Kaspersky’s Cyber Capacity Building Program to help government organizations, academia, and companies around the world develop mechanisms and skills for security assessment of ICT products they use. Requesting access is as easy as sending an email to TransparencyCenter@kaspersky.com.
Another pillar forming Kaspersky’s Global Transparency Initiative is the release of Kaspersky Transparency reports, revealing information on requests received from government and law enforcement agencies, and users for their personal data. The latest report covers the first six months of 2022.
During the first half of 2022, Kaspersky received a total of 89 requests from governments and law enforcement agencies from eight countries (Brazil, China, Italy, Japan, Jordan, Russia, Singapore, and South Korea), a 15% decrease in requests year-on-year (105 requests in H1 2021).
For Malaysia, Kaspersky also advised continually promoting skills training and enhanced collaboration to support incident response capabilities and ensure the safety and wellbeing of its citizens.
“Cyber threats are here to stay as it is parallel with the digitalization drive in Malaysia. Malaysia Digital Economy Corporation (MDEC) reported that the digital economy is currently contributing 22.6% to the country’s gross domestic product (GDP), and the number is set to rise to 25.5% by 2025. A huge opportunity that will be realized best if digitalisation efforts are built upon trusted and transparent cybersecurity foundations,” said Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky.
“Organisations, industries, and governments will always be lucrative targets for cybercriminals but through collaborative multi-stakeholder efforts, we can explore strategies and expand our cybersecurity implementation as we enhance our confidence and trust in technology. When a country achieves cyber-resiliency, the digital future no longer becomes a scary unknown realm but a place with endless opportunities for growth,” he adds.