Professionals with substantial resources and skills likely carried out the breach in one of the Ministry of Defence’s (MINDEF) Internet-connected systems – but MINDEF may never get to the bottom of why it had been attacked, or by whom exactly, a cyber security expert told Channel NewsAsia on Tuesday (Feb 28).
The breach resulted in the theft of personal data belonging to 850 national servicemen and employees, although no classified military data was stolen.
Channel NewsAsia put some key questions about the breach to cyber security firms.
Q: How serious is the attack?
Only a limited amount of personal information from 850 users was exposed, pointed out CyberArk’s Jeffrey Kok. He called it a “small incident”, contrasting it with the severity of the breach suffered by US health insurer Anthem in 2015, in which hackers stole the personal information of 78.8 million people.
However, Dick Bussiere of Tenable Network Security added that stolen personal data is often sold by cyber criminals in a large underground black market, and each type of data can be sold for various purposes.
Q: MINDEF said that the breach was not the work of criminal gangs or casual hackers. What are the tell-tale signs?
Based on the choice of target and modus operandi, it is possible to eliminate the types of culprit in any attack, said Mr Kok.
He noted that cyber criminals and gangs are predominantly profit-driven, which does not seem to be the case here, as there are few financial assets and little information to be gained.
Hacktivists typically launch cyber attacks to send a message and claim credit – and as no one has come forward to claim credit or spread a message, this is similarly unlikely.
Based on the amount of effort, time and skill needed to pull this off, Mr Kok also ruled out casual or opportunistic hackers.
“By elimination, it’s likely to be professionals with substantial resources and skills to carry out this type of attack,” he said.
Q: How difficult will it be to track down the culprits?
It has become more difficult to pinpoint who is responsible for an attack, as tools and techniques are widely distributed, shared, studied, used and reused, said Mr Kok.
“It has become next to impossible for an organisation to know why and by whom it may have been attacked.”
Q: What can be done to prevent a replay of such a breach?
Proactive and continuous monitoring for vulnerabilities, misconfigurations and active threats is essential, said Tenable’s Mr Bussiere.
However, CyberArk’s Mr Kok asserted that there is no silver bullet to prevent data breaches. “Chances are that MINDEF has already implemented the necessary strategies to prevent something like this from occurring,” he said.
He pointed out that cyber threats facing companies today require a new security approach, which assumes that the attacker has already breached the network.
“Once this assumption has been made, companies can focus on the potential risks by identifying the particular data and systems on the network that are most likely to be compromised and which ones would be the most devastating to have infiltrated,” he said.
“This allows companies to prioritise the discovery and subsequent lockdown of privileged accounts and administrative credentials needed to access these sensitive assets and limit attacker movement once they have made it within the network.”
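The assume-breach prioritisation Mr Kok describes can be made concrete as a small exercise: score each system by how likely an intruder already inside is to reach it and how damaging its compromise would be, rank the systems, then rank the credentials that unlock the riskiest ones so those are discovered and vaulted first. The script below is an added illustration written for this article; it is not code from CyberArk, Tenable or MINDEF. The 1 to 5 likelihood and impact scales, the inventory and access-grant text formats, and every asset and account name in it are constructed assumptions.

```python
"""Assume-breach prioritisation (added example, not from the article):
rank assets by likelihood x impact, then rank the credentials that unlock
them so the riskiest ones are locked down first. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    likelihood: int  # 1..5: how likely an attacker already inside reaches it
    impact: int      # 1..5: how damaging its compromise would be


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    reaches: frozenset  # names of assets this credential can access


# Constructed inventory, one "asset,likelihood,impact" record per line.
ASSET_INVENTORY = """\
hr_db,3,3
nsmen_portal,4,3
domain_controller,2,5
file_share,4,2
"""

# Constructed access grants: "account,privileged|standard,asset;asset;..."
ACCESS_GRANTS = """\
svc_backup,privileged,hr_db;nsmen_portal;file_share
da_admin,privileged,domain_controller;hr_db;nsmen_portal;file_share
helpdesk,standard,file_share
portal_app,standard,nsmen_portal
"""


def parse_assets(text: str) -> List[Asset]:
    """Read the inventory, rejecting scores outside the assumed 1..5 scale."""
    assets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, lik, imp = (f.strip() for f in line.split(","))
        lik_i, imp_i = int(lik), int(imp)
        if not (1 <= lik_i <= 5 and 1 <= imp_i <= 5):
            raise ValueError(f"score out of range for {name}")
        assets.append(Asset(name, lik_i, imp_i))
    return assets


def parse_grants(text: str) -> List[Account]:
    """Read which credential reaches which asset (the 'discovery' step)."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, kind, targets = (f.strip() for f in line.split(","))
        reaches = frozenset(t.strip() for t in targets.split(";") if t.strip())
        accounts.append(Account(name, kind == "privileged", reaches))
    return accounts


def asset_risk(asset: Asset) -> int:
    """Risk = likelihood of compromise x impact of compromise."""
    return asset.likelihood * asset.impact


def rank_assets(assets: List[Asset]) -> List[str]:
    """Most devastating-and-likely systems first."""
    return [a.name for a in sorted(assets, key=asset_risk, reverse=True)]


def credential_exposure(accounts: List[Account], assets: List[Asset]) -> Dict[str, int]:
    """Sum the risk of every asset a credential can reach: its blast radius."""
    risk = {a.name: asset_risk(a) for a in assets}
    return {acct.name: sum(risk.get(n, 0) for n in acct.reaches) for acct in accounts}


def lockdown_order(accounts: List[Account], assets: List[Asset]) -> List[str]:
    """Credentials to vault first: widest blast radius, privileged ones on ties."""
    exposure = credential_exposure(accounts, assets)
    ordered = sorted(accounts, key=lambda a: (-exposure[a.name], not a.privileged, a.name))
    return [a.name for a in ordered]


def credentials_for(asset_name: str, accounts: List[Account]) -> List[str]:
    """Every credential that can reach a given sensitive asset."""
    return sorted(a.name for a in accounts if asset_name in a.reaches)


if __name__ == "__main__":
    inventory = parse_assets(ASSET_INVENTORY)
    grants = parse_grants(ACCESS_GRANTS)
    print("Assets by risk:", rank_assets(inventory))
    print("Credentials to lock down first:", lockdown_order(grants, inventory))
    for top in rank_assets(inventory)[:2]:
        print(f"Credentials that reach {top}:", credentials_for(top, grants))
```

With the constructed data the domain admin credential reaches every asset and tops the lockdown list, while the backup service account, though not interactive, comes second because it can read the two most sensitive data stores; that is the kind of non-obvious privileged path the approach is meant to surface. In practice the inventory and grants would come from a CMDB and directory export rather than inline text, and the scores from a risk assessment.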