NUS, NTU hit by cyber-attacks aimed at govt and research data

No evidence points to student databases having been targeted; the daily operations of the two varsities were also unaffected

The universities were hit by what is known as APT (advanced persistent threat) attacks. These are carefully planned cyber intrusions, and not the work of casual hackers. The malicious activity was uncovered during regular checks by NUS and NTU on their IT systems.

"We know who did it, and we know what they were after." - David Koh, chief executive of the Cyber Security Agency


BREACHES to the IT systems of the National University of Singapore (NUS) and Nanyang Technological University were discovered last month, said the Ministry of Education (MOE) and Cyber Security Agency (CSA) in a joint statement on Friday.

The cyber-attacks, which appeared aimed at stealing government information and research documents, were what is known as APT (advanced persistent threat) attacks - carefully planned cyber intrusions executed over a considerable period of time, and which are not the work of casual hackers.

Singapore has faced APT attacks before, but this is the first time this kind of attack has been directed at institutions of higher learning.

Investigations by the CSA appear to indicate that the attacks on the two institutions were not coordinated.

The agency also found no evidence to suggest that information or data related to students of the two universities had been targeted.

The daily operations of both institutions, including critical IT systems for student admissions and examinations databases, were also unaffected.

David Koh, CSA's chief executive, said: "We know who did it, and we know what they were after."

He added, however, that the details could not be revealed for "operational security reasons".

The intrusions into NTU's networks were detected when the university ran its regular checks on its systems on April 19.

NUS detected an unauthorised intrusion into its IT systems on April 11, during cybersecurity assessments by external consultants engaged to strengthen its cyber defences.

Both universities have since stepped up their vigilance and adopted additional security measures beyond those already in place.

CSA has notified other autonomous universities, critical-information infrastructure providers and the government sector about the attacks and advised them to be on alert and to monitor their systems.

Instances of malicious activity detected in other institutions, government agencies and other industries were found to be isolated ones and have since been cleaned up, the agency said.

Giving some background on APT attacks, Sanjay Aurora, Asia-Pacific managing director for security company Darktrace, said the critical word in "APT" is "persistent".

"These are sophisticated threats that are getting into your network... Perpetrators often acquire legitimate user credentials or gain access through unprotected software or hardware, which enables them to easily bypass traditional security tools like firewalls."

He added that once these threat actors are in the network, it becomes extremely difficult to distinguish their behaviour from that of legitimate network users.

"These attackers can then move laterally and silently within the organisation's network for weeks or months, conducting reconnaissance and searching for critical information, before eventually executing an attack or exfiltrating data."

He added that it can take up to 230 days for a company to realise it has been breached and its critical systems compromised. "At Darktrace, we once started working with a customer, only to find that there was a sophisticated threat inside this client's network that had been there for eight years."

Nick Savvides, Symantec's security advocate for the Asia-Pacific including Japan (or APJ), noted that complex APT attacks are not a recent phenomenon. He cited the Banswift attacks of last year, in which banks using the Swift network were targeted; US$81 million was stolen from the Central Bank of Bangladesh.

Bill Taylor-Mountford, the APJ vice-president at LogRhythm, noted that hackers are no longer just targeting the usual suspects in Singapore, such as the financial institutions, government and critical infrastructure.

Bodies like the universities hold valuable data, "including intellectual property that can bring about financial gain". LogRhythm is a US-based security intelligence company.

Research agency IDC's Asia-Pacific head for government and education Gerald Wang commented that APT attacks will continue taking place, given that operational silos still exist when it comes to securing IT systems and digital data.

"Most public-sector organisations that IDC has spoken to take a rather reactive stance when it comes to securing digital data... With widespread reactionary mindsets to IT security, where remedial action is taken only after the discovery of an attack, APT attacks will only continue to endure."

CSA's Mr Koh said cyber threats are rising in scale and frequency, and the perpetrators are becoming more sophisticated.

"They are looking for the weakest link, any vulnerability they can exploit. Attackers are not just targeting government systems but are also looking for any kind of network that's connected or remotely related to the government. Hence, private-sector organisations also need to pay more attention to cybersecurity."

He added that it was through the regular checks by NTU and NUS that the malicious activity in their IT systems was uncovered.

"We urge all organisations to be vigilant and to proactively check their IT networks for malicious and unusual activity. This way, we can all work together to secure our networks."