SINGAPORE: There is “no indication” thus far that Singapore’s critical information infrastructure and Government systems have been adversely affected by the hacking of American software maker SolarWinds, said Minister for Communications and Information S Iswaran on Tuesday (Feb 2).
Even so, the Government is adopting a cautious approach.
Responding to questions by Members of Parliament, Mr Iswaran said: “When first alerted of the breach, the Cyber Security Agency (CSA) immediately raised the National Cyber Threat Alert Level and worked with our critical information infrastructure sectors to check and monitor our critical systems.”
The CSA has also issued public advisories to enterprises and organisations on steps to safeguard their systems, such as having full visibility of their networks and detecting unusual activity in a timely manner, he told the House.
SolarWinds, based in Texas, is a leading provider of information technology management software. Its clients include US government agencies and large companies, such as Microsoft, FireEye and Cisco Systems.
The breach, first reported by Reuters in December last year, involved hackers breaking into SolarWinds’ systems and adding malicious code into its software system, using the company as a springboard to jump deep into US government and corporate networks.
SolarWinds has said that about 18,000 users of its Orion software downloaded the compromised updates, which sent signals back to the hackers.
“The attacker used the software’s regular updates to implant a backdoor and gain a foothold in the networks of organisations that downloaded and installed the malicious update,” Mr Iswaran said, describing this as “a very sophisticated attack that evaded detection for many months”.
This breach is also “especially noteworthy” given that SolarWinds’ software, being part of the network control and management infrastructure, “was trusted and had privileged access to internal networks”, he added.
SINGAPORE SHOULD ADOPT "ZERO-TRUST" CYBERSECURITY POSTURE
In the longer run, said Mr Iswaran, a “fundamental shift” towards a “zero-trust” cybersecurity posture will be required to deal with such sophisticated cyberthreats.
This means observing two key principles.
“First, we should not trust any activity without first verifying it; and second, ensure constant monitoring and vigilance for suspicious activities,” he said.
“This includes compartmentalising and restricting access to different segments of the network, validating transactions across segments, reconciling any escalation of user privileges, and actively and regularly hunting for threats.”
Organisations should also put in place “robust plans” to respond to cyberattacks, while the CSA will strengthen engagements with critical information infrastructure sectors, enterprises and organisations to adopt and sustain these measures, he added.
The minister went on to say that the cyberattack on SolarWinds underscores the global and transborder nature of cyber threats.
Such cyber incidents “will happen from time to time” given the nature of the digital domain, but while they are difficult to prevent entirely, Singapore will need “deliberate, targeted and consistent efforts” to strengthen its cyber defences.
“Our critical information infrastructure, enterprises and citizens must also maintain their vigilance against cyber threats, as we mitigate the risks while leveraging the opportunities of digitalisation,” said Mr Iswaran.
Earlier this month, the Monetary Authority of Singapore (MAS) issued revised guidelines for financial institutions to better mitigate cyber risks, which include requiring them to have strong oversight of their third-party service providers and technology vendors.
"The recent spate of cyberattacks on supply chains, which targeted multiple IT service providers through the exploitation of widely-used network management software, is a clear indication of a worsening cyber threat environment," said MAS in its media release.