An academic research institution escaped a cyber attack when AI stepped in to prevent the spread of crypto-mining malware.
Cyber environments like IoT devices and critical infrastructure have now become a hotspot for attackers who can cause nation-wide chaos at the click of a button: halting production or even causing power outages across cities.
Across borders, cyberwarfare between Israel and Iran was taken to the next level, with a possible cyber-attack on several water and sewage treatment facilities around Iran earlier this year indicating a new phase in cyber-attacks on a national and global scale.
In recent times, universities and research agencies have been a prime target for attackers in a bid to steal information on a cure for COVID-19.
According to Darktrace research across their customer base, remote desktop protocol (RDP) attacks rose by 68% in April (post-lockdown) across Singapore businesses, compared to March (pre-lockdown). RDP is exactly the mechanism employees and students need to access their desktop as if they were at their normal desk.
During this period, educational institutions faced the highest number of RDP attacks – 16 times more than the retail sector and 4 times more than the healthcare sector.
Most recently, at a renowned academic institution in Singapore, artificial intelligence (AI) helped to detect and automatically stop crypto-mining malware in the research organization, likely a variant of Shellbot.
Often used by sophisticated hackers as a tactic to distract security teams from a more serious attack such as subtle data exfiltration, crypto-mining malware is extremely resource-intensive for security teams. Darktrace’s AI stepped in at machine speed, preventing the malware from bleeding into the industrial control systems at the institution, which could have resulted in widespread outages, physically interrupting the production of vaccines, medicines or cutting-edge technology.
CybersecAsia discussed with Andrew Tsonchev, Director of Technology at Darktrace, the current situation and what educational and research institutions, as well as businesses, could do to protect themselves.
What would have been the payload from the likely Shellbot variant attack?
Tsonchev: Shellbot is a backdoor capable of scanning for open ports, downloading files, executing UDP floods, and remotely executing shell commands. It is often used to install crypto-mining software, as well as creating a backdoor into the network for the attacker.
Capable of infiltrating the IT network, Shellbot initiates the first attack phase for cybercriminals to conduct network reconnaissance, execute malicious software and ultimately monetize their exploits.
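Two of the Shellbot behaviours Tsonchev lists, port scanning and UDP floods, leave a footprint in ordinary network flow records. The following added example (not Darktrace's or the institution's code) shows how a defender can pick them out of flow data with sliding-window counters: a source that touches many distinct ports on one host inside a short window, and a source that pushes a burst of UDP datagrams at one target. The flow records, hostnames and thresholds are all constructed for illustration.

```python
"""Flow-based detection of two Shellbot-style behaviours: port scanning
(one source touching many distinct destination ports on one host) and UDP
floods (a burst of UDP datagrams from one source to one target).
Added example; every flow record below is constructed, not real traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    packets: int


# Assumed tuning thresholds; these are illustrative values, not from the article.
SCAN_DISTINCT_PORTS = 20   # distinct dst ports from one src to one dst ...
SCAN_WINDOW_S = 60.0       # ... within this many seconds
FLOOD_UDP_PACKETS = 5000   # UDP packets from one src to one dst:port ...
FLOOD_WINDOW_S = 10.0      # ... within this many seconds


def detect_port_scans(flows, threshold=SCAN_DISTINCT_PORTS, window=SCAN_WINDOW_S):
    """Return {(src, dst): max_distinct_ports} for pairs whose distinct
    destination-port count inside any `window`-second span meets `threshold`."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "tcp":
            by_pair[(f.src, f.dst)].append((f.ts, f.dport))
    hits = {}
    for pair, events in by_pair.items():
        left, best = 0, 0
        ports_in_window = defaultdict(int)   # port -> occurrences inside window
        for ts, port in events:
            ports_in_window[port] += 1
            # evict events that fell out of the window
            while ts - events[left][0] > window:
                old_port = events[left][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                left += 1
            best = max(best, len(ports_in_window))
        if best >= threshold:
            hits[pair] = best
    return hits


def detect_udp_floods(flows, threshold=FLOOD_UDP_PACKETS, window=FLOOD_WINDOW_S):
    """Return {(src, dst, dport): max_packets} for UDP targets that received
    at least `threshold` packets from one source inside any `window` seconds."""
    by_target = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "udp":
            by_target[(f.src, f.dst, f.dport)].append((f.ts, f.packets))
    hits = {}
    for key, events in by_target.items():
        left, total, best = 0, 0, 0
        for ts, pkts in events:
            total += pkts
            while ts - events[left][0] > window:
                total -= events[left][1]
                left += 1
            best = max(best, total)
        if best >= threshold:
            hits[key] = best
    return hits


def build_sample_flows():
    """Constructed flow set: benign file-server and DNS traffic from one
    workstation, plus a compromised lab host that scans and floods."""
    flows = []
    for i in range(50):   # benign: two service ports, spread over a day
        flows.append(Flow(1000.0 + i * 600, "10.0.1.20", "10.0.2.5",
                          445 if i % 2 else 443, "tcp", 30))
    for i in range(40):   # scan: 40 distinct ports on a controller in 20 s
        flows.append(Flow(5000.0 + i * 0.5, "10.0.1.77", "10.0.3.9",
                          1 + i * 7, "tcp", 1))
    for i in range(80):   # flood: 8,000 UDP packets at one target in 8 s
        flows.append(Flow(6000.0 + i * 0.1, "10.0.1.77", "203.0.113.10",
                          53, "udp", 100))
    for i in range(30):   # benign DNS: a couple of packets every ~17 min
        flows.append(Flow(1000.0 + i * 1000, "10.0.1.20", "10.0.0.53",
                          53, "udp", 2))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("port scans :", detect_port_scans(sample))
    print("udp floods :", detect_udp_floods(sample))
```

Both detectors key on (source, destination) so that a single noisy host cannot hide behind an organisation-wide average; in a real deployment the thresholds would be set per network segment, since a vulnerability scanner or a monitoring server legitimately exhibits the first pattern.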
Educational institutions in Singapore have been found to face some of the highest numbers of cyber attacks – 16 times more than the retail sector and 4 times more than the healthcare sector. What could be the reasons for this?
Tsonchev: Academic institutions are increasingly storing valuable data as departments work on the front line of research and vaccine development during the coronavirus pandemic. They are targeted by opportunistic cybercriminals looking to quickly profit from the sale of intellectual property, and, as we have also seen in the news, nation-state actors are now targeting academic institutions with the objective of exfiltrating cutting-edge research, and even as tactics involved in proxy nation-state cyber-warfare aimed at disruption and sabotage.
These organizations are historically difficult to defend and are therefore considered as the soft underbelly for hackers of all kinds. Some of the most common challenges that academic institutions face include large amounts of research-based data sharing in collaboration with peers and outside agencies, non-standardized software and hardware (often outdated and under-funded), and non-standard working methods such as remote working.
Singapore businesses also faced 68% more attacks in April 2020 (post-lockdown) compared to March 2020 (pre-lockdown). What are the possible reasons?
Tsonchev: As organizations adjusted to working remotely, security teams across the world grappled with very serious cyber challenges. Almost overnight, these organizations completely changed. Well-established procedures were rewritten, best practices quickly rethought, and policies stretched to breaking point. Organizations’ cyber rules for what is ‘normal’ and what is ‘bad’ no longer apply.
Such changes were also extremely public, [so] attackers were aware of the situation and worked hard and fast to exploit weaker cyber infrastructure.
How should we protect organizations in the current situation where remote working is the norm?
Tsonchev: AI is very good at handling uncertainty and change – it learns what is normal and is continuously revising this understanding – so it is constantly re-evaluating its assumptions.
Workforces are no longer simply working from home or working from the office – they are dynamic and can be located anywhere.
Humans alone cannot keep up with the number of devices within an organization, new cloud platforms being used by remote workers and constantly-changing user behaviors – all variables are now in flux and are never static. The power of AI is that it is self-learning and unsupervised. It isn’t trained on historical data but works on live data in real-time – learning and evolving with organizations as they navigate a new normal.
Today, 4,000 organizations deploy cutting-edge cyber AI to crunch through enormous data sets at machine speed, relying on the technology to subtly distinguish in seconds what is ‘strange but benign’, and [what is] ‘strange but threatening’. Not only does AI detect the threat, but it understands the action that is necessary to stop the threat from spreading – all before damage is caused.
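The self-learning idea in Tsonchev's answer, a baseline of "normal" that is scored against live data and then revised by that same data, can be shown on the RDP numbers from earlier in the article. The following added example (not Darktrace's code, and far simpler than a commercial product) keeps an exponentially weighted running mean and variance of inbound RDP (tcp/3389) connections per hour and flags an hour whose count sits well above what it has learned so far, after which the spike itself becomes part of the baseline. The log format, IP addresses and the `alpha`, `z_threshold` and `warmup` parameters are all constructed assumptions.

```python
"""Self-learning baseline for inbound RDP (tcp/3389) connection volume.
Added example: an unsupervised online detector (exponentially weighted mean
and variance) that learns 'normal' from live hourly counts and keeps revising
it, rather than being trained once on historical data. Log lines, addresses
and tuning values below are constructed, not real."""
import math
import re
from collections import Counter

# Constructed firewall-style log format: "<ISO timestamp> src=.. dst=.. dport=.. action=.."
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def hourly_rdp_counts(lines):
    """Count connections to port 3389 per hour bucket (key 'YYYY-MM-DDTHH')."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and int(m.group("dport")) == 3389:
            counts[m.group("hour")] += 1
    return counts


class OnlineBaseline:
    """Exponentially weighted running mean/variance of a single metric.
    alpha: how quickly old 'normal' is forgotten (assumed value).
    z_threshold: standard deviations above the mean that count as anomalous.
    warmup: observations absorbed before any scoring starts."""

    def __init__(self, alpha=0.2, z_threshold=3.0, warmup=5):
        self.alpha = alpha
        self.z_threshold = z_threshold
        self.warmup = warmup
        self.n = 0
        self.mean = 0.0
        self.var = 0.0

    def observe(self, x):
        """Score x against the current baseline, then fold x into the baseline.
        Returns (z_score, is_anomalous)."""
        if self.n < self.warmup:
            z, anomalous = 0.0, False
        else:
            std = math.sqrt(self.var) if self.var > 0 else 1.0
            z = (x - self.mean) / std
            anomalous = z > self.z_threshold
        self.n += 1
        if self.n == 1:
            self.mean = float(x)
        else:
            diff = x - self.mean
            self.mean += self.alpha * diff
            # incremental EWMA variance update using the pre-update difference
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return z, anomalous


def flag_anomalous_hours(lines, **baseline_kwargs):
    """Feed hourly RDP counts through the baseline in time order; return
    [(hour, count, z_score)] for hours flagged as anomalous."""
    counts = hourly_rdp_counts(lines)
    baseline = OnlineBaseline(**baseline_kwargs)
    flagged = []
    for hour in sorted(counts):
        z, anomalous = baseline.observe(counts[hour])
        if anomalous:
            flagged.append((hour, counts[hour], round(z, 2)))
    return flagged


def build_sample_log():
    """Constructed day of logs: 4-6 RDP connections per hour from staff
    addresses, one non-RDP line per hour, and a 60-connection burst from
    a single outside address during hour 14."""
    lines = []
    for h in range(24):
        for i in range(4 + h % 3):
            lines.append(f"2020-04-01T{h:02d}:{i:02d}:00 src=198.51.100.{10 + i} "
                         f"dst=10.0.5.4 dport=3389 action=allow")
        lines.append(f"2020-04-01T{h:02d}:30:00 src=198.51.100.9 "
                     f"dst=10.0.5.4 dport=443 action=allow")
    for i in range(60):
        lines.append(f"2020-04-01T14:{i:02d}:00 src=203.0.113.7 "
                     f"dst=10.0.5.4 dport=3389 action=allow")
    return lines


if __name__ == "__main__":
    for hour, count, z in flag_anomalous_hours(build_sample_log()):
        print(f"{hour}: {count} RDP connections, z={z}")
```

Because the detector updates after scoring, the flagged hour raises both the mean and the variance, so a second, similar hour would be judged against a baseline that already includes the first; `alpha` sets how long that memory lasts. A volume baseline like this says nothing about whether the connections were successful logons, so it belongs alongside authentication logging rather than in place of it.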