Russian hackers were hard at work during the Trump-Kim summit in Singapore on 12 June, scanning internet of things (IoT) devices such as IP phones in the city-state for loopholes to be exploited, according to research by F5’s threat intelligence team.
Between 11 June and 12 June, the period immediately preceding and following the closely watched meeting between US president Donald Trump and North Korean leader Kim Jong Un, 92% of the incursions were reconnaissance scans looking for vulnerable devices, while the remaining 8% were exploit attacks.
Russian IP addresses made up 34% of the attack sources, followed by China, US, France and Italy – all of which launched between 2.5 and 3 times fewer attacks than Russia.
Nearly all attacks launched from Russia during this period were targeted at Singapore, which received 4.5 times more attacks than the US or Canada. It was unclear what the attackers were after or whether they were successful.
In a blog post, the F5 researchers said the attackers targeted the non-encrypted session initiation protocol (SIP) port 5060, which received 25 times more attacks than port 23, the second-most targeted port. No malware was associated with the attacks against Singapore.
“It is unusual to see port 5060 as a top attack destination port. Our assumption is that the attackers were trying to gain access to insecure phones or perhaps the VoIP [voice over IP] server. Attacks against this port haven’t been in the news since 2011 when the SIPVicious VoIP tool was popular,” they added.
The attackers also took aim at port 7547, a network port used by internet service providers to remotely manage routers using a protocol that was also used by the Mirai malware.
The researchers said if devices in Singapore had this port open, and were protected with default administrator credentials, it is likely the attackers could have accessed those devices and used man-in-the-middle attacks to collect data and redirect traffic.
While F5 could not ascertain if the attacks were state sponsored, the researchers noted that “it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin”.
The security of IoT devices has been under the spotlight following major attacks unleashed by the Mirai and Satori botnets that exploited security vulnerabilities of internet-connected devices such as routers and gateways.
Some security experts are advocating the use of blockchain to secure IoT devices, by enabling device networks to protect themselves in other ways – such as allowing devices to form group consensus about what is normal within a network, and to quarantine any nodes that behave unusually.
Others have called for a multi-layer approach towards IoT security – by encrypting data at rest and in transit, profiling connections between an IoT device and its gateway, and using tokens to enable specific uses, among other measures.
Amid rising concerns over IoT security, Vivian Balakrishnan, Singapore’s minister in charge of the country’s smart nation initiative, recently called for security to be built into IoT products and services from the outset, rather than as an afterthought.
“Having smart cooling systems and manufacturing systems also makes them extremely vulnerable. You lose privacy and security, and worse, they become available to both state and non-state actors to sabotage critical public infrastructure,” he said at IoT Asia in March 2018. “This is a deep field which requires intimate knowledge of technology, programming and design.”