Southeast Asia: An Evolving Cyber Threat Landscape - FireEye


SPECIAL REPORT
FIREEYE THREAT INTELLIGENCE

SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE
MARCH 2015

SECURITY REIMAGINED

CONTENTS

Introduction 3
Key Findings 4
Detecting Targeted Threats in Southeast Asia and Beyond 4
Malware Hitting Southeast Asian Targets 5
Targeted Malware, Industry Breakdown 6
Detecting Non-Targeted Threats 6
Southeast Asia's Leading Industry Sectors Attract APT Actors 7
Regional Governments and Militaries: In APT Groups' Crosshairs 12
APT Groups and the South China Sea: Territorial Disputes with a Digital Edge 12
Threat Groups Target Southeast Asian Governments and Militaries over Territorial Claims 13
APT Groups Gather Political Intelligence 13
Conclusion 14

INTRODUCTION

While many of the headline-grabbing cyber security breaches of 2014 involved major U.S. companies, Southeast Asia quietly dealt with its share of cyber attacks. Like the U.S., companies in this region face a complex threat landscape filled with advanced cyber attackers intent on stealing corporate data and state secrets.

Advanced persistent threat (APT) actors are one of the biggest challenges for the region. Leading companies that do business in the energy, telecommunications, high-tech, finance, and transportation sectors are targets of APT groups.

This report describes malware detected at commercial and government entities across Singapore, Malaysia, Thailand, Vietnam, Philippines, Indonesia, and Brunei. It also discusses advanced threat groups behind many of these attacks and their unique motives in this region.

THE MISSION IS TWO-FOLD:

– Steal intellectual property and inside information from leading companies.
– Obtain intelligence on rival governments during long-running political disputes, especially those involving the disputed South China Sea.

KEY FINDINGS

DETECTING MALWARE ACROSS SOUTHEAST ASIA
From July to December 2014, FireEye products helped 29 percent of our customers in Southeast Asia detect malware used by APT groups and other actors targeting their networks.

CYBER THREATS TO KEY INDUSTRIES
Southeast Asian companies regularly attract the interest of cyber spies and criminals looking to steal information about the region's growing industry sectors: energy, telecommunications, high-tech, transportation, and finance.

CYBER THREATS TO GOVERNMENTS
Territorial disputes in the South China Sea drive cyber espionage activity in Southeast Asia. Both government and private industries are targets of threat actors seeking to steal information in these disputes.

Detecting Targeted Threats in Southeast Asia and Beyond

From July to December 2014, FireEye products helped 29 percent of our customers in Southeast Asia detect malware used by APT groups and other attackers targeting their networks. When factoring in the rest of our Asia-Pacific clients, that percentage jumps to 37 percent, significantly higher than the global average of 27 percent. (These statistics are generated from customers who have opted to share anonymized data through FireEye.)

In the Asia-Pacific region, FireEye products helped 37% of our customers detect malware.

[Figure: Percentage of FireEye customers' targeted malware alerts, July - December 2014, by region: Australia, Global, Japan, Thailand, Singapore]

Malware Hitting Southeast Asian Targets

Lecna, Mirage, CannonFodder, and Leouncia were among the most frequently detected malware families.

APT AND TARGETED MALWARE DETECTIONS JULY - DECEMBER 2014: SOUTHEAST ASIA
Lecna 27%
Gh0STRAT 14%
Mirage 7%
Page 7%
LV (aka NJRAT) 6%
Leouncia 5%
Kaba (aka SOGU) 5%
Houdini 5%
XtremeRAT 4%
NetEagle 4%
1qaz 4%

APT AND TARGETED MALWARE DETECTIONS JULY - DECEMBER 2014: GLOBAL
LV (aka NJRAT) 24%
Gh0STRAT 20%
Kaba (aka SOGU) 15%
SpyNet 11%
XtremeRAT 9%
ZXShell 8%
ChinaChopper 4%
PHOTO 3%
Page 3%
SAFERSING 3%

Targeted Malware, Industry Breakdown

More than half of the targeted malware that FireEye detected in Southeast Asia came from government and telecommunications sites. (Note: these statistics do not account for the number of appliances at a customer site or the number of FireEye customers in a given industry.)

APT AND TARGETED MALWARE DETECTIONS BY INDUSTRY IN SOUTHEAST ASIA
Government 27%
Telecom 24%
Utilities 7%
Education 6%
Financial Services and the remaining sectors (chart segments of 16% and 10% whose labels are not legible in the transcription)

Detecting Non-Targeted Threats

[Figure: Non-targeted malware detections, July - December 2014; legible entries: …cker 4%, Carberp 4%, Necurs 4%]

In addition to the targeted and APT malware, organizations in the region frequently detect other threats, including banking Trojans, botnets, and other types of cyber crime.

Regionally, our customers most frequently detect Zeus (a banking Trojan) and Sality (a multi-featured Trojan) on their networks.

These commodity malware families are widely known, but dismissing the threat they pose is a mistake.

For one, they continue to evade detection by traditional security tools, making them highly effective. And advanced threat groups often use these common malware families to gain a foothold into corporate environments.

SOUTHEAST ASIA'S LEADING INDUSTRY SECTORS ATTRACT APT ACTORS

We observe APT groups routinely targeting companies in Southeast Asia to steal intellectual property (IP). We believe that once stolen, this IP often makes its way to Chinese companies. These companies can use the stolen IP to bypass years of research and development costs and get an inside edge when they deal with competitors in the region.

Southeast Asia's financial sector faces a dual threat. First, standard cybercriminals are looking to steal money from them. Second, advanced threat actors are seeking sensitive financial information for a business advantage.

As increasing investments and diversifying economies spur development in the region, this growth simultaneously becomes even more attractive to APT groups.

[Figure: These industry sectors appear to be most heavily targeted by APT groups: Energy, Telecommunications, High-Tech, Transportation, Financial Services]

The following table outlines some of the targeted sectors and why APT groups would target companies' information:

SECTOR: ENERGY

Why are APT groups interested?
APT groups have long targeted U.S. and multinational corporations with strong offerings in green technology and other clean energy production. R&D breakthroughs in this sector would provide tremendous value to China's energy sector, especially in light of continued international pressure to lower emissions. Southeast Asia is an important potential source of hydrocarbon reserves. The disputed territories in the South China Sea are estimated to contain a considerable amount of natural gas and petroleum. As rapid economic growth creates a surge in energy demand, energy resources in the disputed maritime territories have become increasingly valuable. All of these factors are likely to provoke further APT activity.

Recent cases
FireEye has observed multiple instances of APT groups breaching the networks of regional energy companies. In one case, we discovered three different threat groups attempting to gain access to the network of an oil company that conducts offshore oil exploration. The threat groups appeared to target affiliates of the company, as well as its infrastructure development divisions. We believe these threat groups chiefly sought data of competitive value. But they were also on the lookout for any information about the company's exploration plans and movements in the area. We have also observed targeted threat actors deploying malware against the networks of a major electric grid operator in the region.

Most likely corporate targets
– Green Energy Technology Researchers and Providers
– Utilities
– Oil and Gas Producers
– Critical Infrastructure Providers and Operators

SECTOR: TELECOMMUNICATIONS AND HIGH-TECH

Why are APT groups interested?
We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications.

Recent cases
APT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm's business relationship with a national military, including inventories and memoranda about specific products they provided.

In one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company's relationships with other telecommunications companies. This method allowed APT5 to collect data on topics such as:
– Pricing discussions, bidding strategies and competitor pricing information
– Schedules for contract bidding and product deployment
– Opportunities in the Asian telecommunications market
– Business opportunities with other telecommunications companies

APT5 also targeted the networks of some of Southeast Asia's major telecommunications providers with Leouncia malware. We suspect that the group sought access to these networks to obtain information that would enable it to monitor communications passing through the providers' systems.

Most likely corporate targets
– Regional Telecommunication Providers
– Asia-Based Employees of Global Telecommunications and Tech Firms
– High-Tech Manufacturing
– Military Application Technology

SECTOR: TRANSPORTATION

Why are APT groups interested?
APT groups likely target the region's transportation companies to monitor the progress of high-profile projects that have the potential to fuel continued economic growth in the region.

Recent cases
In one case, a threat group that has historically focused its operations on targets in the Philippines and Malaysia spoofed the domain names of two well-known international shipping companies. One of the spoofed companies was a major commercial freight company that transports commodities around the globe. The other was a regional shipbuilding company. The plausible URLs were designed to entice potential victims within targeted industries to click.

Another APT group targeted a major operator of container ship terminals in Southeast Asia. We suspect the group targeted the port operator to monitor its communications with regional security and military organizations that partner with the company.

A threat group targeted a rail operator. We detected variants of the Lecna/BackSpace APT malware in the transit company's networks in early 2014.

Most likely corporate targets
– Shipping Companies
– Port Operators
– Airlines
– Public Transit Systems

SECTOR: FINANCIAL SERVICES

Why are APT groups interested?
Banks in Southeast Asia appear to face a double threat. The first is the pernicious cybercrime activity we observe around the world, such as credit card fraud and the theft of banking credentials. The second threat is focused specifically on banks with a development mission in the region.

Recent cases
In one case, a threat group targeted a development bank that invests in the growth of strategic projects and industries in the region.

In another instance, we saw two different threat groups infect the networks of a central bank. Stolen data on the country's monetary policies and banking system could be highly valuable information to someone looking to understand and anticipate broader banking and funding trends in the country and region.

Most likely corporate targets
– Banks
– Companies Funding Major Regional Development Projects
– Institutions Dealing With Monetary Policy

Banks that invest in the region's strategic growth face more threats than traditional credit card fraud and financial hackers.

REGIONAL GOVERNMENTS AND MILITARIES: IN APT GROUPS' CROSSHAIRS

[Figure: map of the South China Sea region and the Philippines]

The APT groups that we track actively target governments and militaries for inside information into negotiations and political issues. APT groups that target governments in the region are frequently interested in topics related to the South China Sea. And they are increasingly active during times of heightened political tension or transition.

APT Groups and the South China Sea: Territorial Disputes with a Digital Edge

FireEye routinely observes APT groups steal information dealing with South China Sea disputes and their economic effects from the networks of governments and companies involved. Control over territory in the South China Sea is a fiercely contested issue between China, the Philippines, Brunei, Vietnam, Taiwan, and Malaysia.

The territorial disputes have huge consequences for each claimant's national and economic security. The stakes are high: more than half of the world's commercial shipping passes through the South China Sea. It contains potential reserves of up to 11 billion barrels of oil, 190 trillion cubic feet of natural gas, and prime fishing areas.

Territorial disputes have lingered for decades. Along with militaries and coast guards of claimant countries, South China Sea disputes involve regional oil firms, cargo companies, and fisheries. The territory has been at the center of many international incidents, reflecting the considerable national and economic security implications for the rival claimants.

Government and military entities are frequently targeted with malware that steals sensitive security details.

Threat Groups Target Southeast Asian Governments and Militaries over Territorial Claims

Southeast Asian government and military entities have been targeted several times in what we suspect are efforts to obtain intelligence related to territorial disputes.

– An APT group stole data from one country's government and military networks on several occasions, including a period of heightened tension over competing claims in the South China Sea.[1] Some of the files that the APT group took included the following:
  – General military documents
  – Internal communications
  – Equipment maintenance reports and specifications
  – Event-related materials
  – Documentation of organizational programs and initiatives

– Other threat groups have targeted a country's air force with spear-phishing emails that referenced the country's military and regional maritime disputes. These emails were designed to appear to originate from email accounts associated with other elements of the military.[1]

– Other threat actors have used the Grillmark backdoor to attempt to gain access to the networks of two countries' government and military entities. These threat actors targeted their victims through spear-phishing emails that contained weaponized documents relating to either diplomatic or military affairs.

APT Groups Gather Political Intelligence

In August 2014, an APT group appeared to target intelligence related to a Southeast Asia government. The threat actors sent a spear-phishing email that referenced the country's leadership and contained a document with sections extracted from related news articles. The email appeared to originate from a compromised intelligence agency email account, although the threat actors may have faked the email address. Many of the email's recipients were associated with the targeted country's government and military or were involved in intel-sharing partnerships. In either case, the recipient would likely have access to information regarding the country's security and internal stability.

[1] Whaley, Floyd. "A Leviathan Turns Philippine Fishermen into Desperate Darters." The New York Times. 18 May 2014. Web. 23 May 2014.

CONCLUSION

Public and private organizations in the Southeast Asian region are prime targets for advanced threat groups. The data is clear: targeted threat actors are focused on getting into the networks of and stealing from fast-growing industries, as well as from organizations involved in territorial claims over the South China Sea.

The outcome of the dispute has major geopolitical and economic implications for multiple countries. The area is key to regional trade because of its rich energy reserves, prime fishing waters, and significance to commercial shipping routes. These issues and the region's mounting importance will likely propel state-sponsored threat groups to continue targeting Southeast Asian governments and companies for the near future.

State-sponsored threat groups will continue to target Southeast Asian governments and companies.

ABOUT FIREEYE

FireEye protects the most valuable assets in the world from those who have them in their sights. Our combination of technology, intelligence, and expertise, reinforced with the most aggressive incident response team, helps eliminate the impact of security breaches. We find and stop attackers at every stage of an incursion. With FireEye, you'll detect attacks as they happen. You'll understand the risk these attacks pose to your most valued assets. And you'll have the resources to quickly respond and resolve security incidents. FireEye has over 3,100 customers across 67 countries, including over 200 of the Fortune 500.

To download this or other FireEye Threat Intelligence reports, visit: www.fireeye.com/reports

FireEye, Inc. 1440 McCarthy Blvd. Milpitas, CA 95035 408.321.6300 877.FIREEYE (347.3393) info@fireeye.com www.fireeye.com

© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. SP.SEA.EN-US.022015

