Singapore experienced a significant surge in cyberattacks earlier this month, coinciding with the historic summit between US President Donald Trump and North Korean leader Kim Jong-un. Security researchers discovered that cyberattacks against Singapore spiked by 88% during the summit, 97% of which originated from Russia. Researchers also found that the hackers made no attempt to conceal their attacks.
Researchers at F5 Labs, in cooperation with Loryka, discovered that the attacks targeted VoIP phones and IoT devices. The attacks started out of Brazil and targeted SIP port 5060, which was the single most attacked port. The second most attacked port was Telnet, which is consistent with IoT attacks that could allow hackers to gain access to their victims or listen in on them.
“Telnet is the most commonly attacked remote administration port by IoT attackers. It’s very likely these attackers were looking for any IoT device they could compromise that could provide them access to targets of interest, which would then enable them to spy on communications and collect data,” F5 researchers wrote in a blog post.
“Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers,” the researchers added.
When did the attack happen?
The first phase of attacks primarily involved reconnaissance scans. Around 40,000 attacks were launched between 3PM (UTC) on June 11 and 12PM (UTC) on June 12, which coincides with the day Trump met Kim.
“Ninety-two percent of the attacks collected were reconnaissance scans looking for vulnerable devices; the other 8% were exploit attacks. Thirty-four percent of the attacks originated from Russian IP addresses,” F5 researchers added. “China, US, France, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 to 3 times fewer attacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks alongside Russia.”
Although Singapore is not typically counted among the world's top attack destinations, it was the top destination by a wide margin in this case, receiving 4.5 times more attacks than the US or Canada.
“Russia was the primary source of the attacks against Singapore during this period, launching 88% of the attacks,” F5 researchers noted. “Brazil was the number two attacker, launching 8% of the attacks against Singapore, and Germany was number three with 2% of the attacks. No attempt appears to have been made to conceal the attacks launched from Russia. There was also no malware associated with the attacks against Singapore from Russia.”
Researchers said that if any devices in Singapore had port 7457 open and were using default administration credentials, hackers may have gained access and launched man-in-the-middle (MITM) attacks to intercept and redirect traffic, steal data and more.
“It is unclear what the attackers were after with the SIP attacks or whether they were successful,” F5 researchers said. “We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin.”