Attacks on network came from infected devices, says StarHub
STARHUB has said that the two attacks on its home broadband service last Saturday and on Monday originated from hacked devices located within Singapore.
The telco said that its preliminary investigations indicate that Internet-connected devices other than computers - such as video cameras, routers and DVR players - were taken over by hackers and used in these attacks. These hacked devices then participated in the attacks without the knowledge of their owners.
StarHub's chief technology officer Mock Pak Lum said at a press conference that the company's investigators are combing through the data collected on the attacks, particularly the IP addresses of those devices which have been blocked. Teams from the company will soon visit the homes of affected subscribers to help them disinfect their devices.
Mr Mock said the equipment could have been hijacked because users may have forgotten to change the default device passwords; another possibility is that these are unbranded products already infected with malware.
He appealed to customers to buy equipment made by reputable brands and to shop from well-known merchants. He also advised subscribers to upgrade their cyber-security software and use precautions such as firewalls.
He did not rule out the possibility that the hackers could have orchestrated the attack from outside Singapore.
The first attack on Saturday came to StarHub's notice at 10.05 pm, when there was a spike in attempts to log into its network from certain local IP addresses; there was also a rise in the number of calls to call centres from subscribers who were failing to get an Internet connection.
StarHub resolved the problem by 12.15 am.
The second attack on Monday started at around the same time, at 10.25 pm, but StarHub - having learnt from the first incident - fixed the problem in just under half an hour. Services were restored.
Mr Mock noted that the patterns behind the two attacks were similar and involved what is known as a distributed denial of service (DDoS) attack on StarHub's Domain Name System (DNS) servers.
In a DDoS attack, machines are infected with malicious code, which allows hackers to take control of them and use them simultaneously and repeatedly to send queries - such as log-in requests - to a server or website, with the objective of overwhelming it.
In this particular case, StarHub's DNS servers were the targets. These servers run special-purpose networking software that translates a web address such as www.starhub.com.sg into the machine-readable numeric address devices need to connect.
StarHub has multiple DNS servers (server farms) to provide connectivity to its 473,000 Internet subscribers. The telco has three broadband networks that run independently of each other: the one that was hit was the home broadband network; the other two are the corporate broadband network and the mobile broadband network, both of which were unaffected.
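As an added illustration, not StarHub's own tooling, the following Python sketch shows the kind of check a resolver operator can run over DNS query logs to see both the aggregate spike described above and the individual local IP addresses that stand out as block candidates; the log format, timestamps and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample resolver log lines (not real StarHub data):
# "<timestamp> <client_ip> <queried_name>"
SAMPLE_LOG = """\
2016-10-24T22:25:00 10.1.1.5 www.starhub.com.sg
2016-10-24T22:25:00 10.1.1.5 a1.example
2016-10-24T22:25:01 10.1.1.5 a2.example
2016-10-24T22:25:01 10.1.1.5 a3.example
2016-10-24T22:25:02 10.1.1.5 a4.example
2016-10-24T22:25:03 10.1.1.5 a5.example
2016-10-24T22:25:00 10.1.1.9 www.starhub.com.sg
2016-10-24T22:25:20 10.1.1.9 mail.example
2016-10-24T22:26:10 10.1.1.9 news.example
"""

def parse_line(line):
    ts, ip, qname = line.split()
    return datetime.fromisoformat(ts), ip, qname

def _entries(log_text):
    # Sort by timestamp so the sliding windows below see queries in order.
    return sorted(parse_line(l) for l in log_text.splitlines() if l.strip())

def _slide(window, ts, window_seconds):
    # Record the new query and drop timestamps older than the window.
    window.append(ts)
    while (ts - window[0]).total_seconds() > window_seconds:
        window.popleft()
    return len(window)

def peak_query_rate(log_text, window_seconds=10):
    """Highest number of queries from all clients inside any one window."""
    window, peak = deque(), 0
    for ts, _, _ in _entries(log_text):
        peak = max(peak, _slide(window, ts, window_seconds))
    return peak

def find_offenders(log_text, window_seconds=10, threshold=5):
    """Map client IP -> its peak per-window query count, for IPs over threshold."""
    windows, peak = defaultdict(deque), defaultdict(int)
    for ts, ip, _ in _entries(log_text):
        peak[ip] = max(peak[ip], _slide(windows[ip], ts, window_seconds))
    return {ip: n for ip, n in peak.items() if n > threshold}

if __name__ == "__main__":
    print("peak aggregate rate:", peak_query_rate(SAMPLE_LOG), "queries / 10 s")
    for ip, n in find_offenders(SAMPLE_LOG).items():
        print(f"block candidate {ip}: {n} queries in 10 s")
```

A real deployment would set the threshold from the network's normal per-subscriber baseline rather than a fixed number, since a legitimate home device rarely issues dozens of lookups a second.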
Sanjay Aurora, managing director for Asia-Pacific at security firm Darktrace, said such attacks can be mounted as a distraction, that is, undertaken to draw attention away from other intrusions being carried out against the target organisation at the same time. Such intrusions could entail delivering malware, opening a route into a key enterprise subscriber or perpetrating a large-scale ransomware attack.
Asked about this, Mr Mock told The Business Times that at this point, StarHub is looking at all angles and hasn't ruled out this possibility.
Commenting on how StarHub tackled the problem more quickly on the second day, he said that since the company's DNS servers are virtualised, it can ramp up the provisioning of such servers so that services are not overwhelmed.
Darktrace's Mr Aurora pointed out that the core infrastructure of telecommunications companies is a very desirable target for cybercriminals.
"Having said that, gaining access is extremely difficult and requires deep expertise in specialist architecture. This is, therefore, often initiated by highly-skilled and well-resourced international advanced persistent threat (APT) groups or nation-state attackers, who have strong interest in obtaining inner network access to intercept calls and data to control, track and impersonate subscribers," he said.
The CSA and the Infocomm Media Development Authority (IMDA) said in a joint statement that telcos must ensure that they have resilient and robust systems, and put in place measures to detect and respond quickly to such attacks, so as to avoid disruption of services to their subscribers.
"CSA and IMDA are working closely with StarHub to investigate the matter and strengthen its infrastructure and processes. The IMDA has also advised the other telcos to step up their defences in case there are similar disruptions to their systems.
"In addition, owners of Internet-connected devices should adopt good cyber-hygiene practices to secure their devices. SingCERT will be publishing an advisory on what businesses and individuals should do to secure their Internet-connected devices," the statement added.
SingCERT stands for Singapore Computer Emergency Response Team.