During Trump-Kim summit, Singapore came under cyber attack, and 88% of the attacks came from Russia
As U.S. President Donald Trump and North Korean President Kim Jong-un met in a hotel in Singapore, F5 Laboratories and their data partner, Loryka, found a large-scale surge in the number of cyberattacks against Singapore between June 11 and June 12.
F5 Labs pointed out that under normal circumstances, Singapore is not a preferred target of cyber attacks. The surge in attacks coincided precisely with the meeting between Trump and Kim Jong-un.
Most of the attacks came from Russia, which accounted for about 88% of the total number of attacks. More importantly, 97% of the cyber attacks from Russia during this period were directed against Singapore.
The cyber attacks hit almost every kind of computer system, from VoIP phones to IoT devices. The attacks began in Brazil, targeting SIP port 5060, an IP telephony port that communicates in clear text; such ports are the most vulnerable.
A few hours after the initial attack, the researchers discovered reconnaissance activity originating from the Russian IP address 188.246.264.60. The address belongs to ASN 49505, operated by Russia’s commercial data centre operator Selectel. The scanning targeted various ports:
- 5060 — clear text Session Initiation Protocol (SIP)
- 23 — Telnet remote management
- 1433 — Microsoft SQL Server database
- 81 — Alternate web server port for host-to-host communication
- 7547 — TCP port used by ISPs to remotely manage routers via the TR-069 protocol
- 8291 — Remote management port commonly used by MikroTik routers
- 8080 — Alternate web server port often used for a proxy server or caching
None of these attacks was intended to spread malware. The F5 Labs analysis said: “Telnet is the most commonly attacked remote administration port by IoT attackers. It’s very likely these attackers were looking for any IoT device they could compromise that could provide them access to targets of interest, which would then enable them to spy on communications and collect data. Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.”
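A defender's view of the port list above, as an added example that is not from F5 Labs or the original article: it flags sources that probe several of the listed ports in firewall logs. The iptables-style log format, the addresses and the three-port threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Ports named in the article's scan list, with the service each one exposes.
WATCHED_PORTS = {
    5060: "clear text SIP", 23: "Telnet", 1433: "Microsoft SQL Server",
    81: "alternate web server", 7547: "TR-069 router management",
    8291: "MikroTik management", 8080: "alternate web server / proxy",
}

# Constructed sample in an assumed iptables-style format. Addresses come from
# the RFC 5737 documentation ranges, not from the F5 Labs data.
SAMPLE_LOG = """\
Jun 11 23:01:10 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=23
Jun 11 23:01:11 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40113 DPT=5060
Jun 11 23:01:12 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40114 DPT=7547
Jun 11 23:01:13 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40115 DPT=8291
Jun 11 23:02:00 gw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=UDP SPT=5071 DPT=5060
Jun 11 23:02:05 gw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.12 PROTO=UDP SPT=5072 DPT=5060
Jun 11 23:03:00 gw kernel: DROP IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jun 11 23:03:30 gw kernel: truncated entry SRC=203.0.113.7
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\w+ .*?DPT=(?P<dpt>\d+)")


def find_scanners(log_text, min_ports=3):
    """Map each source that probed >= min_ports distinct watched ports
    to the ports it touched and the number of distinct hosts it hit."""
    ports = defaultdict(set)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or truncated entry: ignore rather than guess
        dpt = int(m.group("dpt"))
        if dpt in WATCHED_PORTS:
            ports[m.group("src")].add(dpt)
            targets[m.group("src")].add(m.group("dst"))
    return {src: {"ports": sorted(p), "targets": len(targets[src])}
            for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        names = ", ".join(f"{p} ({WATCHED_PORTS[p]})" for p in info["ports"])
        print(f"{src}: {info['targets']} hosts probed on {names}")
```

Lowering `min_ports` to 1 also surfaces single-service sweeps, such as a source that only probes SIP on 5060.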
Between 3:00 p.m. UTC on June 11, 2018 and 12:00 p.m. UTC on June 12, 2018, that is, from 11:00 p.m. on June 11 to 8 p.m. on June 12, 2018 Singapore local time, Singapore suffered 40,000 cyber attacks in just 21 hours. This period coincides with the meeting between Trump and Kim Jong-un.
F5 Labs emphasises that only 8% of them were exploit attacks, while 92% were aimed at scanning for vulnerable devices. Russia was the primary source of attacks on Singapore during this period, accounting for 88% of the total number of attacks; Brazil was the second largest source, accounting for 8% of the total; Germany ranked third, accounting for about 2%.
Finally, F5 Labs pointed out that it is not yet clear what these attackers are aiming for, nor is it clear whether they are successful. The analysis of attack data is still ongoing, and there is currently no evidence to link this attack activity with state-backed hacking attacks directly.