China usually gets a pretty tough ride when it comes to any discussion of online threats and cyber-crime. There is certainly a pretty compelling dossier of evidence by now linking state-sponsored actors to advanced and persistent attack campaigns on government and civilian targets outside the Great Firewall, dating back years. The Middle Kingdom also ranks consistently first when it comes to global sources of attack traffic. However, the latest threat intelligence from Asia suggests that focusing attention on China alone would be a dangerous oversight.
Akamai’s quarterly State of the Internet report is a good indicator of where attack traffic is coming from around the globe. Although China remained in the number one spot in Q1 2013 – accounting for 34% of threat traffic – Indonesia made a dramatic appearance in second place with 21%. Given that it accounted for just 0.7% of attack traffic in the previous quarter, this is a sudden and massive spike, taking it above the US (8.3%), Turkey (4.5%) and Russia (2.7%), among others. What’s more, Akamai told me it’s not just a single quarter anomaly, with Q2 stats so far showing a similar pattern.
Of course, this is attack traffic by source IP address and can’t be attributed to actors from within the country. A criminal in Russia could easily launch an attack from a remotely controlled machine in China or Indonesia, for example. However, the stats do show that a huge number of machines/IP addresses in Indonesia have been compromised; ergo that country has technically become a major threat.
Akamai said the following in its report:
“The vast majority (94%) of the attacks from Indonesia targeted Ports 80 (WWW/HTTP) and 443 (HTTPS/SSL), potentially indicating aggressive botnet activity. Hong Kong and India were the only two other countries/regions among the top 10 that also saw quarterly increases in observed attack traffic volume — the remaining countries/regions saw nominal declines, in general.”
If nothing else, the stats prove the point that cyber criminals aren’t particularly fussy when it comes to compromising PCs. They’ll go for wherever the largest number of exposed machines is located and use them as a platform to launch attacks. In the case of Indonesia, and of course China, it’s a numbers game. China is the most populous nation on earth but Indonesia is up there in fourth place and with a rapidly growing internet population of 55 million, according to local tech market watcher Redwing. Although internet penetration stands at around 25%, Redwing reckons the number of connected users will grow by 30% each year to 2017 – and with them more opportunities for hackers to compromise machines.
As for what IT managers and home users can do to limit the risk of infection, Akamai product line director David Belson sent me the following:
“Best practices include ensuring that operating system and application patches are applied in an expedient fashion, limiting inbound and outbound connections as appropriate or necessary with properly configured firewalls, running regular anti-malware/anti-virus scans with updated definitions, not browsing to ‘questionable’ web sites, and being on alert for email-based phishing attempts. Educating end users and system administrators on the relevant dangers and best practices can also be useful, though the most critical thing will be to put that education into practice.”
Derek Manky, global security strategist at vendor Fortinet, told me that launching a country-level CERT coordination centre can also help to improve security by investigating and taking down infected machines and liaising with security experts when an attack is underway.
“This team is crucial for building better education, a cyber-defence force, and international co-operation,” he added. “On the latter, FIRST is the best example of a forum that is built for exactly this. I was in Bangkok two months ago for the 25th annual FIRST symposium, where the Thai Prime Minister keynoted the importance of collaboration and incident response between countries. There was really good attitude between country CERT teams and collaboration, and more country-level CERT teams are being built.”
It’s not just Indonesia that warrants more attention from the international community. India is also proving a fertile ground for cyber attackers. Akamai ranked it eighth in terms of attack traffic with a global share of 2.6% – one of the few countries to grow its share from Q4 2012. In addition, a high profile report from security firm Norman Shark in May revealed that a sophisticated APT-style attack targeting businesses and governments around the world had originated in the sub-continent.
India has similar socio-economic conditions to Indonesia, meaning rapid numbers of users coming online for the first time without taking proper security precautions – the perfect recipe for large numbers of compromised machines. It’s also emerging as an attractive place to recruit hackers, thanks to increasing unemployment in the domestic IT industry and the prospect of easy money for out-of-work techies, according to a recent Times of India report.
Of course, for IT security teams tasked with defending critical systems and data, it doesn’t really matter where attacks come from as long as they’re successfully deflected. However, the latest intelligence from Asia should be proof if any more were needed of the tenacity, resilience and agility of today’s cyber criminals.
John Anderson has been writing about technology and all things Asia for over a decade. From his perch in the Far East he keeps a keen eye on the global significance of emerging trends in the region.
PREVIOUS ARTICLE«Benchmark Report: Pan-African Social Business
One of greatest challenges of IT is to prevent privileged users from doing things in systems which are not allowed. While the acti