SINGAPORE – Singapore Telecommunications Ltd., Singapore’s largest mobile carrier, was breached by Chinese state-sponsored hackers this summer as part of a broader campaign against telecommunications companies and other critical infrastructure operators around the world, according to two people familiar with the matter.

The previously undisclosed breach was discovered in June, and investigators believe it was pulled off by a hacking group known as Volt Typhoon, according to the two people, who asked not to be identified to discuss a confidential investigation.

Officials in the US, Australia, Canada, the UK and New Zealand – the “Five Eyes” intelligence-sharing alliance – warned earlier in 2024 that Volt Typhoon was embedding itself inside compromised IT networks to give China the ability to conduct disruptive cyberattacks in the event of a military conflict with the West.

The breach of Singtel, a carrier with operations throughout South-east Asia and Australia, was seen as a test run by China for further hacks against US telecommunications companies, and information from the attack has provided clues about the expanding scope of suspected Chinese attacks against critical infrastructure abroad, including in the US, the people said.

In an e-mailed response to queries from Bloomberg News, Singtel did not directly address questions about the alleged breach. “We understand the importance of network resilience, especially because we are a key infrastructure service provider,” the company said. “That’s why we adopt industry best practices and work with industry-leading security partners to continuously monitor and promptly address the threats that we face on a daily basis. We also regularly review and enhance our cybersecurity capabilities and defences to protect our critical assets from evolving threats.”

A spokesperson for the Chinese Embassy in Washington, Liu Pengyu, said he was not aware of the specifics, as relayed by Bloomberg, but that in general, China firmly opposes and combats cyberattacks and cybertheft.

The US is currently battling its own suspected Chinese attacks of political campaigns and telecommunications companies. Officials have described the telecom breaches as one of the most damaging campaigns on record by suspected Chinese hackers and one that they are still seeking to fully understand and contain. 

In the US telecommunications attacks, which investigators have attributed to another Chinese group called Salt Typhoon, AT&T Inc. and Verizon Communications Inc. are among those breached, and the hackers potentially accessed systems the federal government uses for court-authorised network wiretapping requests, the Wall Street Journal reported in early October.

US intelligence officials think the Chinese hacking group that Microsoft Corp. dubbed Salt Typhoon may have been inside US telecommunications companies for months and found a route into an access point for legally authorised wiretapping, according to a person familiar with their views.

AT&T declined to comment. Verizon did not respond to a request for comment.

Through those intrusions, the hackers are believed to have targeted the phones of former President Donald Trump, running mate JD Vance and Trump family members, as well as members of Vice-President Kamala Harris’ campaign staff and others, the New York Times has reported.

In the case of the alleged Singtel breach, one of the people familiar with that incident said the attack relied on a tool known as a web shell. 

In August, researchers at Lumen Technologies Inc. said in a blog post they assessed with “moderate confidence” that Volt Typhoon had used such a web shell. A sample of the malware was first uploaded to VirusTotal, a popular site for security experts to research malicious code, on June 7 by an unidentified entity in Singapore, according to Lumen researchers.

The web shell allowed hackers to intercept and gather credentials to gain access to a customer’s network disguised as a bona fide user, they said.

The hackers then breached four US firms, including internet service providers, and another in India, according to Lumen researchers.

General Timothy Haugh, director of the National Security Agency, said in early October that the investigations into the latest telecommunications breaches were at an early stage. Later in October, the FBI and the Cybersecurity and Infrastructure Security Agency said they had identified specific malicious activity by actors affiliated with the Chinese government and immediately notified affected companies and “rendered technical assistance.”

A spokesperson for the National Security Council last week referred to the “ongoing investigation and mitigation efforts,” but directed further questions to the FBI and CISA. 

Singtel uncovered the breach of its network after detecting suspicious data traffic in a core back-end router and finding what it believed was sophisticated, and possibly state-sponsored, malware on it, according to the other person familiar with the investigation.

The malware was in “listening” mode and didn’t appear to have been activated for espionage or any other purpose, the person said, adding that it reinforced a suspicion that the attack was either a test run of a new hacking capability or that its purpose was to create a strategic access point for future attacks.

There is evidence that Salt Typhoon reached the US at least as early as spring 2024, and possibly long before, and investigators tracking the group think it has infiltrated other telecommunications companies throughout Asia, including in Indonesia, Nepal, the Philippines, Thailand and Vietnam, according to two people familiar with those efforts.

The NSA has warned since 2022 that telecommunications infrastructure was vulnerable to Chinese hacking. Volt Typhoon has been active since at least mid-2020, having attacked sensitive networks in Guam and elsewhere in the US with a goal of burrowing into critical infrastructure and staying undetected for as long as possible. 

The hacks by both Chinese Typhoon groups have alarmed Western officials and raised concerns about the number and severity of backdoors – a way to get around security tools and gain high-level access to a computer system – that China has placed inside critical IT systems. Those entry points could be used to conduct espionage or prepare the battlespace for use in a potential military conflict with the West.

Chinese hackers have long been accused of conducting espionage attacks against the US – including, most notably, the theft of security clearance applications for tens of millions of US government workers held by the Office of Personnel Management.

But officials say the latest hacks go a step further and in some cases suggest China may be amassing capabilities to disrupt or degrade critical services in the US and abroad.

Paul Nakasone, a retired general who led the NSA for nearly six years until February, told reporters in October that the latest telecommunications hacks by Salt Typhoon were distinguished by their scale, and that the two Chinese groups represent a tremendous challenge for the government. “I am not pleased in terms of where we’re at with either of the Typhoons,” he said. BLOOMBERG

WASHINGTON – Chinese hackers who tapped into Verizon’s system targeted phones used by Republican presidential candidate Donald Trump and his running mate JD Vance, the New York Times reported on Oct 25, citing people familiar with the matter.

The newspaper said investigators were working to determine what communications, if any, were taken.

The Trump campaign was made aware this week that Trump and Mr Vance were among a number of people inside and outside of government whose phone numbers were targeted through the infiltration of Verizon phone systems, it added.

The campaign did not immediately respond to a request for comment.

The Trump campaign was hacked earlier this year. The US Justice Department charged three members of Iran’s Revolutionary Guards Corps with the hack and trying to disrupt the Nov 5 election. REUTERS

SEOUL – Pro-Russia hacking groups have conducted cyberattacks against South Korea after North Korea dispatched troops to Russia to support its war against Ukraine, Seoul’s presidential office said on Friday.

The office held an emergency intra-agency meeting after detecting denial-of-service attacks on some government and private websites in recent days.

Some of the websites experienced temporary outages but there was no serious damage, it said, adding that the government will strengthen its ability to respond to such attacks.

“Cyber ​​attacks by pro-Russian hacktivist groups on our country have occurred intermittently in the past, but have become more frequent since North Korea dispatched troops to Russia and participated in the Ukraine war,” the office said in a statement.

Seoul and Washington have said there are more than 10,000 North Korean soldiers in Russia, and U.S. officials and Ukraine’s defence minister said some of them have engaged in combat in Kursk, near the Ukraine border.

The new military cooperation between Pyongyang and Moscow has been condemned by South Korea, the United States and Western allies. Ukrainian President Volodymyr Zelenskiy said on Tuesday that the first battles between his country’s military and North Korean troops “open a new page in instability in the world.” REUTERS

DUBLIN – Ireland’s data protection commission has fined LinkedIn €310 million (S$442 million) for illegally processing the personal data of users within the European Union to deliver targeted advertising.

The decision also includes an order for Microsoft Corp-owned LinkedIn to bring its data processing into compliance with the EU’s General Data Protection Regulation (GDPR), according to a statement by the Irish Data Protection Commission (IDPC) on Oct 24. 

Deputy Commissioner Graham Doyle said in a statement that LinkedIn’s processing of personal data without an appropriate legal basis was a “clear and serious violation of data subjects’ fundamental right to data protection”.

It is the sixth-largest fine to be issued under GDPR since it was introduced in 2018.

The Irish regulator has issued hefty fines to several social media companies for GDPR violations in recent years.

Facebook and Instagram parent Meta Platforms Inc has faced the brunt of the penalties, including a record €1.2 billion charge in May 2023 for transferring EU users’ data to the US. The commission fined ByteDance Ltd’s TikTok €345 million in September 2023 over its handling of children’s data.

It is part of a broader crackdown on Big Tech companies by the EU over a range of issues including data privacy, competition and disinformation.

LinkedIn said the case relates to claims from 2018 about some of its digital advertising efforts in the EU. 

“While we believe we have been in compliance with the General Data Protection Regulation (GDPR), we are working to ensure our ad practices meet this decision by the IDPC’s deadline,” a spokesperson said in a statement.

Ireland’s data protection commission launched an inquiry into LinkedIn’s data processing practices following a complaint made to the French data regulator. LinkedIn, like many other big tech companies, has its European headquarters in Ireland, which means that local regulators are tasked with enforcing EU rules. BLOOMBERG

SINGAPORE– The Cyber Security Agency (CSA) is starting a study aimed at raising the productivity and professionalism of cyber-security workers.

It may result in an outline of the competencies required of chief information security officers – known by the acronym Cisos – and their teams of security executives who are in high demand, given their key role amid surging cyber attacks.

Ms Veronica Tan, CSA’s director at safer cyberspace division, told The Straits Times: “For organisations, clarity in standards and desired skills at various roles will mean greater improvements in workforce competency and productivity.”

The study will involve industry players, training institutions and certification bodies, she added.

CSA’s plan comes as companies warm to the idea of designated cyber-security personnel, but sometimes find themselves hindered by limited budgets and a shortage of skilled talent.

Mr Nyan Yun Zaw, the first Ciso at Singapore cyber security advisory firm Athena Dynamics, said: “The industry turnover rate for Cisos is unfortunately pretty high because it is a highly challenging and stressful job.

“When the organisation faces a security incident, this is the first person everyone looks to.”

Chief information security officer, a title that arose up in the 1990s after Citibank appointed one following a cyber attack, have risen in prominence in recent years as some countries made mandatory disclosures of material cyber breaches or attacks.

There have also been high-profile cases of criminal charges taken against such officers, such as at Uber and SolarWinds.

Mr Zaw took on the job at Athena Dynamics just over a year ago when his company expanded it beyond IT infrastructure and support.

His background was a string of roles ranging from engineering, cyber security, programming, to business development and sales in the firm since its set-up in 2014.

He added to his expertise by becoming a Certified Information Systems Security Professional, a label granted by the International Information System Security Certification Consortium, also known as ISC2.

He said: “We felt that there is a need to have a dedicated Ciso since we are also part of a listed company.”

Cisos spend their time securing their companies’ assets, learning new threats and technologies, and working with cross-functional teams, he said.

He added: “Ciso is a management position, so it is important for a Ciso to be knowledgeable in various aspects of cyber ranging from governance, risk and compliance to network security architectures.”

In the 12 months leading up to September, job portal Indeed recorded 48 per cent of its postings in Singapore seeking communication skills in cyber security leaders, compared to 38 per cent specifying expertise in IT, and 16 per cent in information security.

Around the same time, the number of postings for such roles on its portal dropped 36 per cent, suggesting that firms might be filling positions through internal promotions or team restructuring, said Mr Saumitra Chand, Indeed’s career expert.

“This decline may be due to the demanding nature of leadership positions like Cisos, which require high levels of expertise and specialisation,” he said.

To help small and medium-sized enterprises (SMEs) or non-profit organisations that cannot afford designated security personnel, CSA launched its CISO-as-a-Service (CISOaaS) scheme in February 2023.

It has received about 200 applications so far.

Organisations tapping the scheme can use CSA’s panel of 19 vendors to audit their cyber health and guide them to attain CSA’s Cyber Essentials and Cyber Trust marks, with up to 70 per cent subsidies.

CSA is planning updates to the two marks to reflect new risks in cloud, operational technology and Artificial Intelligence (AI), said Ms Tan.

Digital agency Digipixel, which has used CISOaaS, said achieving both trust marks helped it gain trust from customers.

Its director, Mr Leon Tan, said: “Pooled services can sometimes lack industry-specific context, but our collaboration with CSA has been a productive exchange.”

Mr Dave Gurbani, chief executive at CyberSafe, an appointed vendor, said: “We start by conducting a cyber-security health plan, like a doctor’s check-up.”

The firm then helps its mostly SME clients work through their internal controls, configurations, policies, and training to pass the audits for CSA’s marks.

“Many SMEs still think of cyber security in terms of anti-virus tools or maybe a firewall. To put it simply, that’s like thinking you’re ready for the day just because you have your socks and shoes on,” Mr Gurbani said.

Gaps that frequently show up include outdated systems, misconfigurations from third-party vendors, and weak access controls like shared passwords and lack of Multi-Factor Authentication.

“Without guidance, these vulnerabilities can be hard to recognise and fix,” Mr Gurbani added.

Another vendor, Momentum Z, takes firms calling on the CISOaaS service through a three-pronged assessment of employees’ cyber-security basics, company’s processes and policies, and cyber-security infrastructure such as firewall, antivirus, back-up data use and endpoint security.

Chief executive Shane Chiang said he has had clients that have not changed passwords for six years, or who had been granting external vendors remote access to their network with no inkling.

He said: “’Clients are often surprised to learn the vulnerabilities in their systems, which reinforces the importance of having a Ciso to bring structure and foresight into cyber security.”

CSA’s 2023 cyber security health survey released in March noted that only one in three organisations have fully implemented at least three of CSA’s five categories of recommended measures.

More organisations need help with knowing what data they have, where the data is stored and how to secure the data, CSA’s Ms Tan said. Businesses are also weak at safeguarding their systems and networks against malicious software, as well as guarding access to data and services.

She urged more organisations to tap CSA’s tools to up their game, adding: “Unless all essential measures are adopted, organisations are still exposed to unnecessary cyber risks, especially as they accelerate digitalisation and adopt fast-evolving technologies such as AI.

“Partial adoption of measures is inadequate.”