Oral Answer

Attempts to Attack Singapore's Supply Chain Software

Summary

This question asks whether there have been any attempts to attack Singapore's supply chain software in the past three years, in light of recent global supply chain attacks such as the Kaseya VSA breach that forced Swedish Coop supermarkets to close. Minister for Communications and Information Josephine Teo responded that no adverse effects have been observed on Government or Critical Information Infrastructure (CII) systems, and that SingCERT has received no reports of Singaporean businesses falling victim, but that the Government remains vigilant and must assume its systems will be breached at some point. She highlighted a shift toward a "zero-trust" cybersecurity posture (verify activity on the network before trusting it, and monitor constantly for suspicious activity) and the upcoming launch of the CII Supply Chain Programme and the SG Cyber Safe Programme to bolster national defences. In reply to a supplementary question on ransomware, Minister Josephine Teo stated that the Government does not recommend paying ransoms to cyber criminals, as payment offers no guarantee of restoring operations or recovering data, funds further criminal activity and marks the victim as a soft target for repeat attacks. Businesses are urged to take responsibility for their own cybersecurity by keeping systems and software updated, backing up data regularly and keeping the backups offline, and practising incident response and business continuity plans.

Transcript

17 Mr Mohd Fahmi Aliman asked the Minister for Communications and Information in light of the recent global cyber attack that forced Swedish Coop supermarkets to close, whether there have been any attempts to attack Singapore’s supply chain software in the past three years.

The Minister for Communications and Information (Mrs Josephine Teo): Mr Deputy Speaker, Swedish Coop supermarkets were forced to close earlier this month due to what is known as a supply chain attack. The Coop used the Kaseya Virtual System Administrator (VSA), which is a software management platform designed to help organisations manage their IT services remotely.

Similar attacks have occurred in recent months, such as the SolarWinds breach reported in December 2020 and the attack on the Microsoft Exchange Server reported in January 2021. How are these supply chain attacks orchestrated? Essentially, they take advantage of unsuspecting companies’ introduction of new software into their systems that turn out to contain malicious elements or ransomware. Usually, neither the companies nor their vendors that supplied the software were even aware that the software had been compromised.

The same software that was afflicting tens of thousands of organisations and businesses can also find its way into IT systems in Singapore. To date, we have not observed any adverse effects on our Critical Information Infrastructure or CII and Government systems. The Singapore Computer Emergency Response Team (SingCERT) has also not received reports of any Singaporean businesses falling victim to these attacks.

Nevertheless, the Government continues to adopt a cautious stance and the Cyber Security Agency (CSA) monitors global developments very closely. Whenever potential threats arise, CSA will immediately direct our CII sectors to check for any potential compromise in their networks. SingCERT issues alerts and advisories to the public on actionable steps to take, should they be affected. Given the global and transnational nature of such cyber attacks, CSA also works closely with regional CERTs and its international counterparts to track developments and share information.

The attack through the Kaseya VSA is yet another example of how cyber attacks have spilled over into the physical realm, with real-world consequences. Attackers are clearly learning and evolving their tactics to maximise their gains from a single attack. We must expect that cyber attacks will become increasingly commonplace and sophisticated. They can strike any of us or our organisations and we must assume that our systems will be breached at some point.

As was mentioned in the response to a query on the SolarWinds attack in Parliament earlier this year, CSA is strengthening its engagements with CII sectors, enterprises and organisations to shift towards a "zero-trust" cybersecurity posture. This comprises two key principles: first, do not trust any activity on your networks without first verifying it; and second, ensure constant monitoring and vigilance for suspicious activities.

Organisations should also implement simple steps not only to prevent breaches, but to detect incidents early and recover quickly from them. These include keeping systems and software updated, backing up data regularly and keeping the back-up offline, and practising incident response and business continuity plans to ensure that employees are well-prepared when breaches happen.

The Government is taking steps to reinforce this mindset and raise the national cybersecurity posture against this new normal. CSA will launch the CII Supply Chain Programme later this year, in partnership with the owners of such infrastructure and their vendors to ensure that stakeholders adhere to international best practices and standards for supply chain risk management. At the same time, CSA is developing the SG Cyber Safe Programme to provide businesses with actionable cybersecurity tool-kits and resources to bolster their cyber defences.

Mr Deputy Speaker, I would like to stress that everyone must play their part. Businesses and organisations are ultimately responsible for their own cybersecurity and must take action to strengthen their posture. Conduct an assessment of the risks, consider in advance how you will mitigate them and ensure that you have business continuity plans after an attack. It is in our own interest to stay vigilant against cyber threats, even as we leverage the opportunities of an increasingly digital world.

Mr Deputy Speaker: Mr Leon Perera.

Mr Leon Perera (Aljunied): Thank you, Mr Deputy Speaker. I thank the Minister for her reply. Just one supplementary question, specifically on ransomware. That is an increasing threat around the world and while prevention is better than a cure, many companies do end up paying these ransoms in cryptocurrency. In the Colonial Pipeline case, I think the US government actually worked with the company that was victimised to help them to recover the cryptocurrency that was paid, using law enforcement methods.

I am just wondering whether this is something that the Government can assist companies with, companies who have had to pay ransomware. I am sure that such support in the systems is something that many companies would also be prepared to pay for, to bear a share of that cost in order to recover the cryptocurrency that is paid.

Mrs Josephine Teo: Mr Deputy Speaker, I thank the Member for his question. In the first place, prevention is better than cure. So, continued vigilance, I think, is the first line of defence.

Second, the Government does not recommend the payment of ransoms to cyber criminals as there is no guarantee that the business will be able to restore their business operations or get their data back. This is a very important point to keep in mind. These are criminals. They are there for financial gain and they are not necessarily going to acknowledge the payment of ransoms in order to help you to restore your systems.

The payment of ransom also encourages these threat actors to continue their criminal activities and target more victims. Additionally, we also see that the threat actors will take notice that an organisation is willing to pay up and, therefore, consider that organisation to be a soft target and, therefore, strike again in future. So, the businesses have to consider what their message is to the cyber criminals. Is your message to them that, well, we have been compromised, we will cough up the ransom as you require? Or is your message that we have taken preventive measures and, yes, we were affected but we were able to recover and we will strengthen our defences? That is a very important consideration for businesses to take.

We would also suggest that they refer to the advisory that is published on SingCERT's website for further guidance on responding to ransomware attacks.