SingHealth Cyberattack Analysis


Major cyberattacks on Singapore’s government health database resulted in the personal information of about 1.5 million people — including Prime Minister Lee Hsien Loong — being stolen. Of these, 160,000 people, including Prime Minister Loong and a few ministers, had their outpatient prescriptions stolen as well.


SingHealth’s database containing patient personal particulars and outpatient dispensed medicines has been the target of a major cyberattack (Ministry of Health Singapore, 2018).

About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race, and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e., no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. The Ministry of Health later stated that it had found no evidence of a similar breach in the other public healthcare IT systems.

“When SingHealth digitised its medical records, they asked me whether to computerise my own personal records too or to keep mine in hardcopy for security reasons. I asked to be included. Going digital would enable my doctors to treat me more effectively and promptly. I was confident that SingHealth would do its best to protect my patient information, just as it did for all their other patients in the database.” (H. Loong, 2018).

The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines, the Ministry of Health added. Mr Loong has survived cancer twice (BBC, 2018).

“I am personally affected, and not just incidentally. The attackers targeted my own medication data, specifically and repeatedly,” the PM added in his lengthy Facebook post.

How and why did it occur?

Well, on 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity while putting in place additional cybersecurity precautions. On 10 July 2018, investigations confirmed that it was a cyberattack, and the Ministry of Health (MOH), SingHealth and CSA were informed. It was established that data was exfiltrated from 27 June 2018 to 4 July 2018. SingHealth lodged a police report on 12 July 2018. A police investigation is ongoing. (Integrated Health Information Systems (IHiS) is the technology agency for the public healthcare sector; it runs the public healthcare institutions’ IT systems.)

Similarly, on Friday, May 12, 2017, a massive cyber-attack was launched using WannaCry (or WannaCrypt). In a few days, this ransomware virus targeting Microsoft Windows systems infected more than 230,000 computers in 150 countries. Once activated, the virus demanded ransom payments to unlock the infected system. The widespread attack affected numerous sectors — energy, transportation, shipping, telecommunications and, of course, health care. Britain’s National Health Service (NHS) reported that computers, MRI scanners, blood storage refrigerators and operating room equipment might all have been impacted. Patient care was reportedly hindered, and at the height of the attack the NHS was unable to care for non-critical emergencies and resorted to diverting care from impacted facilities. While daunting to recover from, the entire situation was entirely preventable. Microsoft had released a “critical” patch on March 14, 2017. Once applied, this patch removed any vulnerability to the virus. However, hundreds of organisations running thousands of systems had failed to apply the patch in the 59 days since it had been released, as Ehrenfeld (2017) wrote.

However, in this recent event, officials reported no ransom demand and named no motive or perpetrator, other than to say “It was not the work of casual hackers or criminal gangs,” adding that the attackers targeted details about Lee and the medicines he received, as Tham (2018) later analysed and published in his paper.

The Cyber Security Agency of Singapore (CSA) has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach of a particular front-end workstation. They subsequently managed to obtain privileged account credentials and used them to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration.
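The statement above describes the two signals a defender would want to catch: a privileged database account being used from an ordinary front-end workstation, and bulk reads far larger than normal application traffic. The following is an added example (not IHiS, CSA or SingHealth code) of a minimal detector run over a constructed database audit log; the log format, hostnames, account names and thresholds are all assumptions made for the illustration.

```python
"""Flag privileged-account misuse and bulk record reads in a DB audit log.

Added illustration for the SingHealth write-up; not tooling from IHiS or CSA.
The log layout, account names, hostnames and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines: timestamp | account | client host | rows returned
AUDIT_LOG = """\
2018-06-26T09:14:02 | app_svc  | app-srv-01  | 1
2018-06-26T09:15:10 | app_svc  | app-srv-01  | 3
2018-06-26T09:20:44 | app_svc  | app-srv-02  | 2
2018-06-27T02:03:51 | db_admin | wks-fe-0412 | 50000
2018-06-27T02:09:17 | db_admin | wks-fe-0412 | 50000
2018-06-27T08:30:05 | app_svc  | app-srv-01  | 1
2018-06-27T10:42:11 | db_admin | db-mgmt-01  | 25
"""

# Assumed policy: privileged accounts may only connect from management hosts,
# and a single query returning more than this many rows is suspicious.
PRIVILEGED_ACCOUNTS = {"db_admin"}
TRUSTED_ADMIN_HOSTS = {"db-mgmt-01"}
BULK_ROW_THRESHOLD = 10_000


@dataclass(frozen=True)
class Alert:
    timestamp: str
    account: str
    host: str
    rows: int
    reason: str


def parse_line(line):
    """Split one pipe-delimited audit line into (timestamp, account, host, rows)."""
    ts, account, host, rows = [f.strip() for f in line.split("|")]
    return ts, account, host, int(rows)


def detect(log_text):
    """Return an Alert for every policy violation found in the log text."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, account, host, rows = parse_line(raw)
        if account in PRIVILEGED_ACCOUNTS and host not in TRUSTED_ADMIN_HOSTS:
            alerts.append(Alert(ts, account, host, rows,
                                "privileged account used from untrusted host"))
        if rows > BULK_ROW_THRESHOLD:
            alerts.append(Alert(ts, account, host, rows,
                                "bulk read exceeds threshold"))
    return alerts


def rows_per_account(log_text):
    """Total rows returned per account, a cheap baseline for volume review."""
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        if raw.strip():
            _, account, _, rows = parse_line(raw)
            totals[account] += rows
    return dict(totals)


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(f"{a.timestamp} {a.account}@{a.host} rows={a.rows}: {a.reason}")
    print(rows_per_account(AUDIT_LOG))
```

In the sample, the two overnight reads by the privileged account from a front-end workstation each trip both rules, while the same account's small query from the management host raises nothing; in a real deployment the thresholds would come from an observed baseline rather than constants.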

In his official Facebook post, Lee (H. Loong, 2018) writes, “I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”

The healthcare sector is an attractive target for those conducting cyberattacks for two simple reasons: it is a rich source of valuable data, and it is a soft target. More worrisome are attacks that result in breaches of protected health information and personally identifiable information. Such information is valuable to attackers for two main reasons. First, it has direct monetary value: attackers can sell these data in anonymous online forums that are part of what’s sometimes referred to as “the dark web.” For example, in June 2016, a hacker posted on the “Real Deal” dark web marketplace offering for sale more than 600,000 medical records from three different systems, one of which was an entire electronic health record, including screenshots. Medical records can be used for various fraudulent activities, including falsified claims, medical device purchasing (and reselling), and credit card identity theft (Gordon, Fairhall & Landman, 2017).

Second, protected health information is durable. Whereas credit card numbers, insurance identifiers, and even Social Security numbers can be changed, a piece of medical history is indelible and can be used as identifying information even years after an initial breach. The data can also be used for highly targeted e-mail “phishing” campaigns to collect credentials that, in turn, give attackers access to systems and information.

What Could Have Been Done to Prevent It?

This entire situation highlights a critical need to re-examine how we maintain our health information systems. Equally important is a need to rethink how organisations sunset older, unsupported operating systems, to ensure that security risks are minimised. For example, in 2016, the NHS was reported to have thousands of computers still running Windows XP — a version no longer supported or maintained by Microsoft. There is no question that this will happen again. However, health organisations can mitigate future risks by ensuring best security practices are adhered to, as Ehrenfeld (2017) explained.
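The two failure modes named above (unsupported operating systems still in service, and a critical patch left unapplied for 59 days) are both visible from an asset inventory. As an added example, not from Ehrenfeld or any of the organisations discussed, the script below runs that check over a constructed inventory; the hostnames, patch dates and the 30-day policy limit are assumptions, while the 14 March 2017 release date and the 12 May 2017 outbreak date come from the article.

```python
"""Assess a host inventory for unsupported OS versions and late patching.

Added example; the inventory, hostnames and policy limit are constructed.
"""
from datetime import date

# Dates taken from the article: the patch release and the WannaCry outbreak.
PATCH_RELEASE = date(2017, 3, 14)
OUTBREAK_DATE = date(2017, 5, 12)

# Assumed policy values for this example.
UNSUPPORTED_OS = {"Windows XP"}
MAX_PATCH_LAG_DAYS = 30

# Constructed inventory; every hostname and date here is invented.
INVENTORY = [
    {"host": "mri-console-01", "os": "Windows XP", "patched": None},
    {"host": "reception-07", "os": "Windows 7", "patched": date(2017, 3, 20)},
    {"host": "lab-pc-12", "os": "Windows 7", "patched": None},
    {"host": "ward-pc-05", "os": "Windows 7", "patched": date(2017, 5, 1)},
    {"host": "admin-03", "os": "Windows 10", "patched": date(2017, 3, 15)},
]


def days_exposed(patched, as_of):
    """Days between the patch release and the host being patched.

    A host that was never patched is exposed right up to the as_of date.
    """
    end = patched if patched is not None else as_of
    return (end - PATCH_RELEASE).days


def assess(inventory, as_of=OUTBREAK_DATE):
    """Return (host, finding) pairs for unsupported or late-patched hosts."""
    findings = []
    for h in inventory:
        if h["os"] in UNSUPPORTED_OS:
            # No vendor patch exists for an unsupported OS, so stop here.
            findings.append((h["host"], f"unsupported OS: {h['os']}"))
            continue
        lag = days_exposed(h["patched"], as_of)
        if h["patched"] is None:
            findings.append((h["host"], f"critical patch missing for {lag} days"))
        elif lag > MAX_PATCH_LAG_DAYS:
            findings.append((h["host"], f"patch applied {lag} days after release"))
    return findings


def summary(inventory, as_of=OUTBREAK_DATE):
    """Counts a manager would want: total hosts, findings, compliant hosts."""
    findings = assess(inventory, as_of)
    return {
        "hosts": len(inventory),
        "findings": len(findings),
        "compliant": len(inventory) - len(findings),
    }


if __name__ == "__main__":
    for host, finding in assess(INVENTORY):
        print(f"{host}: {finding}")
    print(summary(INVENTORY))
```

Run as of the outbreak date, the unpatched Windows 7 host shows the same 59-day exposure window the article cites, and the XP host is reported separately because no patch can fix it; retiring it is the only remediation.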

As a recent study (Gordon et al., 2017) puts it, protecting our information systems and our health data is critical to ensuring the safe delivery of health care. Unfortunately, protection against the myriad threats to healthcare data is complex, and there is no silver bullet. More suggestions can be found in that study.


The healthcare sector is complex, fragmented, and chronically short of resources, yet it holds vast amounts of sensitive and valuable data in vulnerable systems. Cybersecurity is not just about protecting data; it is fundamental for maintaining patients’ safety, privacy, and trust. Effective cybersecurity must become an integral part of healthcare systems, a pillar of regulation, and the subject of future research strategies. We must urgently develop reasonable standards and solutions that are specific to the healthcare sector, agree on clear lines of responsibility and governance, and commit appropriate resources to the provision of adequate security. (Martin, Martin, Hankin, Darzi & Kinross, 2017).

According to the official statement made earlier by the Ministry of Health Singapore, the Integrated Health Information Systems (IHiS), with CSA’s support, has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing internet surfing separation. IHiS has also placed additional controls on workstations and servers, reset user and system accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.

Cloud Computing: The Juice That Remained Un-named


The growth of the phenomenon commonly known as Cloud Computing represents a fundamental change in how information technology (IT) solutions are developed, maintained, updated, scaled, deployed, expanded and paid for.

As most organisations require efficient ways to store and analyse the vast amount of information that they collect and produce, Cloud Computing as an enabler provides scalable resources and substantial financial advantages in the form of reduced operational expenditure. Nonetheless, if Cloud Computing is to achieve its potential, there needs to be a clear understanding of the various issues and challenges associated, both from the perspectives of the consumers and the providers of the technology.

Additionally, Cloud Computing has unveiled key enabling technologies such as hypervisors and virtual machines to develop an extraordinarily agile and dynamic computing ecosystem. These technologies, however, also result in a host of challenges and risks.

Furthermore, the substantial sharing of infrastructure and computing resources in a multitenant environment, particularly with users spanning different organisations and security needs, creates a “shared virtual environment” where users/organisations are no longer clearly divided by physical server racks and separate networks. Within a cloud, it is difficult to physically locate where the data is stored and how it is segregated. Thus, this paradigm raises a diverse range of privacy and security issues that must be considered. In this brief article, we take the critical challenges in Cloud Computing environments, such as multi-tenancy, loss of control and trust, as the subject of our discussion.


Any architectural considerations regarding data-privacy protections begin the moment the data is collected. Privacy issues must be addressed at all stages of the data lifecycle — from collection to storage to analysis to action (not to mention the periods when data is no longer being used: archival, purging, and destruction). Meanwhile, all of the privacy controls in the world (and any information security built to protect them) are useless if administered to irresponsibly collected data. Protecting privacy means data must be handled responsibly at every step of the process that moves it from the initial point of collection to its ultimate home in a privacy-protected data store.

Corporate policymaking regarding information privacy has been primarily reactive in nature, in that executives focus on information privacy issues only in response to a perceived external threat, as Smith (1994) brilliantly puts it in his book titled Managing Privacy: Information Technology and Corporate America. Meanwhile, calls for voluntary adherence to industry privacy principles are common, as are calls for additional regulation of many industry practices. However, voluntary adherence in many industries has been at best sporadic (Culnan, 1993), which, given rising concerns, may result in broad regulation of information privacy issues in the private sector.

I have no intention whatsoever to bore my beloved readers. If you’ve come thus far, please spare an extra minute. Alright, let’s go.

The charity requires individuals to provide a range of personal information about themselves so that it can conduct its business functions. The charity needs to ensure that clients are aware that their personal information has been/needs to be collected, why it has been/needs to be collected, where the data is stored and who has access to it.

The charity should take steps to ensure that personal information is protected from misuse, loss and inappropriate access and disclosure. Additional consideration should be given to the protection of sensitive personal information. Storage and security practices should apply to personal information stored in both ICT systems and paper files.

Should we have a Privacy Strategy statement for the Charity? This would be an encompassing statement that identifies the requirement for privacy given the data and the overall strategy. However, if left unchecked, that could deal a heavy blow. You know folks, privacy can’t be bought, for certain.

Cloud computing has touched every one of us recently. I wouldn’t assume that all my readers host their own email servers in some spare room within their dwellings. If Gmail, iCloud, Hotmail, Yahoo, etc., happen to maintain your email account, consider buying them a coffee, because that is what constitutes the Cloud.

If I were to describe Cloud Computing, I would lazily dump words such as: it is on-demand nuggets that only require a quick microwave warming to make them edible. But, as a Computer Scientist, I’m at least obliged to serve more than nuggets. Let’s go.

Rather than owning your own data centre, why don’t you just rent one? It sounds like a great option to me. Oh, you might be questioning security. I sense that, and I appreciate it. But let’s cover Cloud Security next time. Just stick with me on Cloud Privacy for now.

As I promised, my intentions werenÔÇÖt to bore you. But letÔÇÖs briefly dig in a bit further on what Cloud Computing is.

The definition of cloud computing according to the National Institute of Standards and Technology (NIST) (Mell & Grance, 2011) is: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” This definition describes cloud computing as having five characteristics, i.e., on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Although it is not exactly nuggets, let’s explore it a bit further.

Cloud computing has emerged as a significant shift in how computing resources are deployed and consumed, both by individuals and enterprises. However, despite benefits such as reduced up-front investment, lower costs and more eco-friendly operation, a significant proportion of potential cloud customers are voicing misgivings concerning how security and privacy are handled in the cloud. This distrust has been further fuelled by media events, such as the PRISM scandal, which shows how difficult it can be to know to what extent our data is being monitored for legitimate or illegitimate purposes.

What Is Your Concern? Multitenancy or Data Breach? Let’s take on the latter first.

An organisationÔÇÖs cloud-based data may have value to different parties for different reasons. For example, organised crime often seeks financial, health and personal information to carry out a range of fraudulent activities. Competitors and foreign nationals may be keenly interested in proprietary information, intellectual property, and trade secrets. Activists may want to expose information that can cause damage or embarrassment. Unauthorised insiders obtaining data within the cloud are a significant concern for organisations.

The risk of a data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers. A cloud environment is subject to the same threats as a traditional corporate network as well as new avenues of attack by way of shared resources, cloud provider personnel and their devices and third-party partners of the cloud provider.

Cloud providers are highly accessible, and the vast amount of data they host makes them an attractive target, as Murugesan and Bojanova describe it.

Let’s flip the coin to expose some of the multi-tenancy issues and take a short drive, shall we?

Multi-tenancy is an architectural feature whereby a single instance of software runs on a SaaS vendor’s servers, serving multiple client organisations. The software is designed to virtually partition its data and configuration so that each client organisation works with a customised virtual application instance. The cloud service model affects security: in the SaaS model, customers are users of multi-tenant applications developed by CSPs; it is likely that the CSP stores personal data and even financial data in the cloud, and it is the responsibility of the CSP to secure the data. Ultimately, usage of the cloud is a question of trade-offs between security, privacy, compliance, costs and benefits. Trust is key to the adoption of SaaS, and transparency is an important mechanism. Furthermore, trust mechanisms need to be propagated right along the chain of service provision (Pearson & Benameur, 2010).
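The "virtual partition" described above is only as strong as the code that enforces it: one data store holds every tenant's rows, and a single query that forgets the tenant predicate exposes another organisation's data. The following added example (my own illustration, not code from Pearson and Benameur or any SaaS vendor) shows the weak and the hardened lookup side by side over a constructed SQLite table; the tenant names, record contents and column layout are assumptions.

```python
"""Tenant-scoped data access in a shared (multi-tenant) table.

Added example; the tenants, records and schema are constructed for it.
"""
import sqlite3


def build_db():
    """In-memory table shared by two constructed tenants, clinic-a and clinic-b."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " owner TEXT NOT NULL, note TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?, ?)", [
        (1, "clinic-a", "patient-001", "constructed record A1"),
        (2, "clinic-b", "patient-002", "constructed record B1"),
        (3, "clinic-a", "patient-003", "constructed record A2"),
    ])
    conn.commit()
    return conn


def fetch_unscoped(conn, tenant, record_id):
    """Weak pattern: the caller's tenant is known but never reaches the query,
    so a request from one tenant can return another tenant's record."""
    return conn.execute(
        "SELECT tenant_id, owner, note FROM records WHERE id = ?",
        (record_id,),
    ).fetchone()


def fetch_scoped(conn, tenant, record_id):
    """Hardened pattern: every query carries the tenant predicate, so a record
    belonging to a different tenant is simply not found."""
    return conn.execute(
        "SELECT tenant_id, owner, note FROM records"
        " WHERE id = ? AND tenant_id = ?",
        (record_id, tenant),
    ).fetchone()


def list_for_tenant(conn, tenant):
    """All records visible to one tenant, ordered by id."""
    return conn.execute(
        "SELECT id, owner FROM records WHERE tenant_id = ? ORDER BY id",
        (tenant,),
    ).fetchall()


def leaks_across_tenants(rows, tenant):
    """Post-query guard: True if any returned row belongs to another tenant."""
    return any(row[0] != tenant for row in rows)


if __name__ == "__main__":
    db = build_db()
    print("unscoped, clinic-a asks for id 2:", fetch_unscoped(db, "clinic-a", 2))
    print("scoped,   clinic-a asks for id 2:", fetch_scoped(db, "clinic-a", 2))
    print("clinic-a records:", list_for_tenant(db, "clinic-a"))
```

The unscoped lookup hands clinic-a a clinic-b record on request; the scoped one returns nothing for the same request. In a real SaaS data layer the tenant predicate belongs in one central query helper (or a database-side row-level policy) rather than in every call site, which is what makes the partition a property of the platform instead of a habit of each developer.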

Software-as-a-Service (SaaS) Security Issues

Forgive me for being alarming. Now it is what we all hold in our pockets. If you guessed “phone”, you probably know what I mean or where I’m coming from.

With SaaS, the burden of security lies with the cloud provider. In part, this is because of the degree of abstraction; the SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility. By contrast, the PaaS model offers greater extensibility and greater customer control. Primarily because of the relatively lower degree of abstraction, IaaS provides greater tenant or customer control over security than do PaaS or SaaS. (Hashizume, Rosado, Fernández-Medina & Fernandez, 2013).

The New form Of Wars: History Of Cyberwarfare Incidents


On December 23, 2015, a temporary malfunction of the power supply in three provinces in Ukraine resulted in power outages that lasted up to six hours and affected 225,000 customers. Following the event, an investigation identified evidence that cyber-attacks had compromised several regional Ukraine power control systems. This was the first publicly documented successful cyberattack on an electric utility’s control system. Both asset owners and government officials around the world now are asking, “What happened, and could a similar cyber attack happen in our control systems?” (Whitehead, Owens, Gammel, & Smith, 2017). The cyber-attack was reportedly synchronised and coordinated, probably following extensive reconnaissance of the victim networks (US-CERT, 2016). According to the report, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.

On December 17, 2016, a second power outage occurred in Ukraine and deprived part of its capital, Kyiv, of power for over an hour. Although the official investigation is still ongoing, an assessment was made that a more advanced malware, Industroyer, was used in the second cyber-attack against the power grid in Ukraine (Cherepanov, 2017). This paper discusses the history of cyberattacks against Ukraine and provides an analysis of the Ukrainian conflicts, the malware used, and what constitutes cyberwar from a legal perspective.


The Ukrainian Conflicts

At the end of 2013, the Ukrainian President abandoned an Association Agreement with the European Union that would have strengthened ties between the entities significantly, triggering mass public demonstrations. A few months later, disgraced President Yanukovych fled to Russia, and Russia invaded the Crimean Peninsula. Throughout the Euromaidan protests and the resulting conflict, institutions and media outlets in both Ukraine and Russia fell victim to DDoS attacks, website defacement, and Remote Administration Tools (RAT) delivered by spear-phishing emails. These cyberattacks were used to either disrupt, spy on or damage the enemy. By employing non-state actors as proxy forces to conduct these attacks, the warring parties were also ensured of plausible deniability for their actions in cyberspace (Baezner, 2018).

The cyberattacks in the conflict between Ukraine and Russia can be categorised into three types: DDoS attacks, website defacement and malware infection by spear phishing. The first two tools are more accurately described as cyber-disruption, while the latter is oriented more strongly toward cyber espionage for intelligence collection and battlefield preparation for further kinetic offensives or cyberattacks (Torruella, 2014).

Ukraine gained its independence at the fall of the Soviet Union, but Russia still tried to maintain absolute control or influence over former Soviet Republics. Disputes, including the Orange Revolution during the Ukrainian elections in 2004 and disputes over natural gas supplies, have characterised relations between Russia and Ukraine. Ukraine first initiated its rapprochement with the EU with an association agreement, but later turned back towards Russia instead. This decision precipitated the Euromaidan protests and provoked the departure of Ukrainian President Yanukovych. In parallel with the protests, DDoS and website defacement occurred on Ukrainian websites. A few months later, when Russia invaded Crimea, there was another increase in cyber-activities in Ukraine and Russia, but these then dropped again to a more or less constant low level. However, there were two spikes in the form of two attacks against the Ukrainian power grid, as discussed earlier.

The Hybrid War

Hybrid warfare has been defined by Newson (2014) as a combination of conventional, irregular, and asymmetric means, including the persistent manipulation of political and ideological conflict; it can include the combination of special operations and conventional military forces, intelligence agents, political provocateurs, media representatives, economic intimidation, cyber-attacks, and proxies and surrogates, para-militaries, terrorists, and criminal elements. Hybrid war involves multi-layered efforts designed to destabilise a functioning state and polarise its society (Thiele, 2015).

During the 2000s, the use of the term “hybrid” became a common way to describe contemporary warfare, mainly because of the increasing sophistication and lethality of violent non-state actors and the growing potential of cyber warfare. Although there was no agreement that this necessarily constituted a new form of warfare, GAO (2010) definitions of hybrid warfare emphasised the blending of conventional and irregular approaches across the full spectrum of conflict (Wither, 2016).

In his study, Thiele (2015) stated that the hybrid war appears vaguely connected: the pieces are part of a whole. It is a war that appears to be an incomprehensible sequence of improvisations and disparate actions along various fronts — humanitarian convoys followed by conventional war with artillery and tanks in Eastern Ukraine, peacekeeping operations in Transnistria, cyber-attacks in Estonia, vast disinformation campaigns on mass media, seemingly random forays of heavy bombers in the North Sea, submarine games in the Baltic Sea, and so on. In essence, hybrid tactics reflect an order behind the spectrum of tools used. In thinking through the ongoing hybrid campaigns, it is essential to understand that “hybrid” refers to the means of war as opposed to the principles, goals, or nature (Thiele, 2015).

As discussed before, Russia’s actions in Ukraine in 2014 intensified interest in the concept of hybrid warfare. For many Western commentators, “hybrid” appeared to be the best way to describe the variety and blending of tools and methods employed by the Russian Federation during its annexation of Crimea and support to separatist groups in eastern Ukraine. Russian techniques included the traditional combination of conventional and irregular combat operations, but also the support and sponsorship of political protests, economic coercion, cyber operations and, in particular, an intense disinformation campaign (Wither, 2016).

Information Warfare

The Russians generally do not use the terms cyber or cyberwarfare, except when referring to Western or other foreign writings on the topic. Instead, like the Chinese, they tend to use the word informatisation, thereby conceptualising cyber operations within the broader rubric of information warfare (Connell & Vogler, 2017). The term, as Russian military theorists employ it, is a holistic concept that includes computer network operations, electronic warfare, psychological operations, and information operations (Adomeit, 2017; Thomas, 2009). In other words, cyber is regarded as a mechanism for enabling the state to dominate the information landscape, which is regarded as a warfare domain in its own right. Ideally, it is to be employed as part of a whole-of-government effort, along with other, more traditional, weapons of information warfare that would be familiar to any student of Russian or Soviet military doctrine, including disinformation operations, PsyOps, electronic warfare, and political subversion.

In the West, cybersecurity and information security are considered to be two different things. In Russia, however, cyber is subject to information security, which allows national security planners to oversee both technical data (e.g. the integrity of password files) and cognitive data (e.g. political information on websites). Thus, any information found on the World Wide Web could be a ‘missile’ fired at Russia that is more dangerous than a typical cyber-attack as currently understood in the West (Jaitner, 2015).

Russia has been using an advanced form of hybrid warfare in Ukraine since early 2014 that relies heavily on an element of information warfare that the Russians call “reflexive control” (Snegovaya, 2015). Reflexive control causes a stronger adversary voluntarily to choose the actions most advantageous to Russian objectives by shaping the adversary’s perceptions of the situation decisively. Moscow has used this technique skilfully to persuade the U.S. and its European allies to remain mostly passive in the face of Russia’s efforts to disrupt and dismantle Ukraine through military and non-military means. The West must become alert to the use of reflexive control techniques and find ways to counter them if it is to succeed in an era of hybrid war.

The key elements of Russia’s reflexive control techniques in Ukraine have been (Snegovaya, 2015):

• Denial and deception operations to conceal or obfuscate the presence of Russian forces in Ukraine, including sending in “little green men” in uniforms without insignia;

• Concealing Moscow’s goals and objectives in the conflict, which sows fear in some and allows others to persuade themselves that the Kremlin’s aims are limited and ultimately acceptable;

• Retaining superficially plausible legality for Russia’s actions by denying Moscow’s involvement in the conflict, requiring the international community to recognise Russia as an interested power rather than a party to the conflict, and pointing to supposedly equivalent Western actions such as the unilateral declaration of independence by Kosovo in the 1990s and the invasion of Iraq in 2003;

• Simultaneously threatening the West with military power in the form of overflights of NATO and non-NATO countries’ airspace, threats of using Russia’s nuclear weapons, and exaggerated claims of Russia’s military prowess and success;

• The deployment of a vast and complex global effort to shape the narrative about the Ukraine conflict through formal and social media.


The focus in cyber warfare is too often on the technical details without understanding the strategic context. War is always a matter of policy, and a state’s operations in the cyber domain are part of a struggle for power and influence (Limnéll, 2015). Cyber simply offers one more tool, and we must not turn a blind eye to this. Cyberwarfare should not be separated into a standalone area apart from the broader political, strategic and geopolitical context.

Cyber operations have to be considered within the context of the whole conflict. Although cyber can be used as a standalone operation, the more likely case — and this holds true in Ukraine — is that cyber is used as a facilitator for other, more traditional types of warfare (Stinissen & Geers, 2015). The law applicable to the conflict as a whole should be applied to the cyber activities that are part of it. In other words, the broader context determines the legal framework for cyber operations. Particularly relevant is whether the conflict in Ukraine is an ‘armed conflict’ that leads to the application of the Law of Armed Conflict (or international humanitarian law).

When analysing the cyber warfare in the (ongoing) Russo-Ukrainian war, it must be understood what kind of war has taken place there. The war in Ukraine is widely seen as the most significant security crisis in Europe since the end of the Cold War (Limnéll, 2015). Nevertheless, it is also seen as an example of what appears to be a new kind of conflict called hybrid warfare, which combines military, economic, diplomatic, political and other mostly nonphysical activities to achieve long-term strategic goals.

Today, more than 100 of the world’s militaries have some organisation in place for cyber warfare, and over 40 countries worldwide have published a National Cyber Strategy (Singer, 2015). In terms of war, the cyber instrument has become a domain like land, sea, air and space. Nation-states are spending more money to create cyber capabilities, and the role of the cyber domain has become more prominent in national security and military strategies.

International law applies to cyberspace. During armed conflict, the Law of Armed Conflict applies to any cyber operation conducted in association with the hostilities. Until now, we have not seen a case where cyber hostilities between parties by themselves constituted an armed conflict. Instead, they have remained as one part of a more significant, traditional conflict. This dynamic has not changed during the conflict in Ukraine (Stinissen & Geers, 2015).

During the conflict in Ukraine, cyber means have been used to gather intelligence, including Snake, BlackEnergy, and Sandworm. Intelligence gathering and espionage are not forbidden by international law. Espionage, in the context of the Law of Armed Conflict, has a narrow scope: it refers to operations that are conducted clandestinely or under false pretences, taking place on the territory controlled by the adversary, ‘behind enemy lines’. For instance, a close access cyber operation where an agent gains access to servers being used by the adversary by feigning a false identity and extracts information using a thumb drive could be espionage. An agent captured before reaching his own troops has no Prisoner of War (PoW) status and can be tried as a spy. Gathering intelligence from a distance is not espionage in the meaning of the Law of Armed Conflict (Stinissen & Geers, 2015). BlackEnergy reportedly has a Russian connection.

BlackEnergy Malware

The reports about cyber-attacks on the Ukraine power grid revealed that one or more pieces of malware were deliberately developed to attack industrial facilities, with power systems as one of the primary targets. Once the cyber attackers have access to the power grid control system, an attacker could trigger cascading outages and thereby cause a large-scale load loss. Such cybersecurity threats have been considered and studied by the North American Electric Reliability Corporation (NERC) since at least 2012 (Huang, Majidi, & Baldick, 2018).

The BlackEnergy malware targeting critical infrastructure has a long history. It evolved from a simple DDoS platform into quite sophisticated plug-in-based malware. The plug-in architecture consists of a persistent malware core with easily installable attack-specific modules for DDoS, spamming, information stealing, remote access, boot-sector formatting, etc. BlackEnergy has been involved in several high-profile cyber-physical attacks, including the Ukraine power grid attack of December 2015 (Khan, Maynard, McLaughlin, Laverty, & Sezer, 2016).

According to research (Nazario, 2007), BlackEnergy is a web-based distributed denial of service (DDoS) bot used by the Russian hacker underground. BlackEnergy gives attackers an easy-to-control web-based bot that can launch various attacks and control the bots using minimal syntax and structure. The BlackEnergy tools appear to have been developed by one or more Russian hackers. At the time, most of the BlackEnergy command-and-control (C&C) systems the researchers had seen were hosted in Malaysia and Russia and were attacking Russian targets.

The role of malware in modern, sophisticated multistage cyber attacks cannot be ignored. The success of a cyber attack depends on the attacker's ability to install malware on a targeted system without being noticed by the system owner. The time for which malware can disguise itself and persist inside an infected system is also an essential factor in a successful cyber attack (Khan et al., 2016). Since its first discovery, BlackEnergy has evolved into one of the most sophisticated and modular malware families targeting critical infrastructure. Initially designed for Distributed Denial of Service (DDoS) attacks, BlackEnergy evolved into a plug-in-based architecture that eases the development of new attack-specific modules for espionage, DDoS, spam and fraud. BlackEnergy has been involved in several significant cyberattacks, including coordinated DDoS attacks on Georgia's finance, military and government agencies, fraudulent bank transactions and the attack on the Ukrainian power grid (Khan et al., 2016).

In the past two years, BlackEnergy has become one of the top malware families of interest to system administrators responsible for protecting the networks of potential targets, to security researchers who have the family in their sights, and also to the media, both technical and mainstream. BlackEnergy recently made the headlines again after researchers discovered that it was used in cyberattacks against electricity distribution companies, which resulted in massive power outages in Ukraine in December 2015.

According to a recent study (Cherepanov & Lipovsky, 2016), one of the main reasons the BlackEnergy attacks have grabbed so much attention is that they were, and still are, used amid a tense geopolitical situation in Ukraine. In addition to electricity distribution companies, the targets in that country have included state institutions, news media organisations, airports, and railway companies. Ukrainian officials were quick to point an accusing finger at Russia, and many others, including security companies, followed with similar allegations. The power grid compromise has become known as the first confirmed cyber warfare attack of its kind to affect civilians.

The BlackEnergy malware has evolved significantly from its initial version, first seen in 2007, which has little in common with the samples in the wild (and in the headlines) in 2016. Over the years, the malware family has been used for (petty) cybercrime, cyber espionage and, most recently, cyber sabotage.

While some security experts are sceptical about any involvement of the BlackEnergy malware in the power outage incident, the authors (Cherepanov & Lipovsky, 2016) affirm that this malware was indeed detected in Ukrainian energy companies. It is likely that the attackers did not use the BlackEnergy malware to cause the outage itself; rather, the malware was used to prepare the power outage attacks.


Russia has shown it can occupy whole slices of another state's territory using no more than information warfare, deniability and a few highly disciplined special forces. The Russian military, supported by a substantial information warfare infrastructure, has employed the tenets of hybrid warfare remarkably skilfully. Such activities have, of course, to be countered by NATO and the EU to ensure Moscow cannot use these tactics so easily in future (Thornton, 2015).

In a traditional war, weapons and strategies are relatively well understood; the international community and previous experience have developed rules of the road for armed conflict. That is not the case with cyber. The most challenging part is understanding how the cyber domain is blurring our dichotomies, the way we as humans tend to organise the world. In this sense, it can be said that we are living in the dawn of the cyber warfare era, and "cyber tools" will get more powerful and "cyber playbooks" more sophisticated as the world becomes more connected and ever more dependent on the cyber domain (Limnéll, 2015). The cyber operations in the Ukraine conflict have been used either to gather intelligence or as part of an ongoing 'information war' between the parties. They were not launched to inflict damage on infrastructure or other military capabilities. As a result, most of these cyber operations have not yet risen to the level of activities proscribed, or even governed, by the Law of Armed Conflict. That would change if cyber were more integrated into kinetic warfare operations (Stinissen & Geers, 2015).

In light of the Ukrainian experience, it seems more likely that cyber operations (even destructive ones) will, in future wars and conflicts, be deployed to shape and condition the battlespace rather than as specific activities in their own right. For future wars and conflicts, as well as the skirmishes that precede them, policymakers must expect the use of cyber capabilities as a disruptor or force multiplier, deployed in conjunction with more conventional kinetic weaponry (Limnéll, 2015). However, in the Ukraine conflict, the publicly known cyber operations have not generally been considered sophisticated, and likely do not correspond to the real national capabilities of Russia and Ukraine. The prevailing assumption is that, except for some advanced cyber-espionage malware such as Snake, the known cyber-attacks could have been conducted by non-state actors. These hackers or hacker groups, by trying to affect the adversary's military activities, are participating in hostilities and have to conduct their operations in accordance with the Law of Armed Conflict (Stinissen & Geers, 2015).

Cyber Is The New Fear: Cover Your Back
The world wide web (www) was primarily designed to connect people electronically from different parts of the world. However, over the last couple of decades or so, grave concerns have been raised about the safety of the internet. Keep in mind, before I elaborate further, that there are three layers of the Internet that function completely differently from each other. Consider it as the Olympics, but limited to only three categories of sport. Allow me to add it here instead of starting a new paragraph: (I) the Surface Web (which I personally classify as a Community Club); that's the Internet where you can read my blog or navigate to Facebook, Twitter, Google search, Gmail, Hotmail, Yahoo, Uber Eats or the like. (II) The Deep Web, basically designed for P2P (peer-to-peer) groups of collectively like-minded people who prefer to have their content hidden and unindexed by any search engine spiders. It is mainly meant for sharing illegal content such as pirated downloads, the live perpetration of illegal acts, child pornography, trade in protected wildlife (which "I personally witnessed on many occasions while I was a delivery driver"), underground activities such as brothels, etc. (I trust you got my point, since I'm trying to make this piece as short as I can by invoking your thoughts). Anyhow, I still wouldn't start a new paragraph when it arrives at the last layer. (III) The Dark Web (I'll publish a detailed separate piece dedicated to it in the near future); at any rate, let's keep dancing along! Simply put, the Dark Web can only be accessed through "overlay networks". Whether you are using Chrome, Firefox, Safari (God forbid), Opera, etc., your hands are tied. The Dark Web is primarily designed and intended to run and function only on top of your internet. That is, your browsers or favourite search engines won't ever discover the Dark Web, which is responsible for over 80% of the entire Internet.

Undoubtedly, the internet is one of the best resources available to us today, whether we are talking about performing our day-to-day duties or simply bonding with our families and/or friends. However, the internet has now become extremely dangerous and many industries have been created through the misuse of the platform.

For instance, let's take the case of the applications we use on our mobile devices. There are thousands of these apps available on the internet. Everyone is entitled to download any application they wish, for whatever reason. However, one would expect that their right to privacy is not lost whenever they decide to download and use an app on their mobile device. The sad reality is that many people have poor knowledge and little understanding of the terms and conditions attached to the use of such an app, and often this ignorance comes back to bite them. We are all victims of this.

Sooner or later, our online privacy will be a thing of the past, as the authorities may not be able to effectively police consumers' privacy when it comes to using apps, because of the highly complex nature of, and confusion surrounding, the terms and conditions, which are deliberately created by the attorneys of the developers of these applications. Surely, none of us would willingly forfeit our rights and let the government act as "Big Brother" over our behaviour. But it is fair to expect developers and their attorneys to disclose all relevant information in a simple, succinct way and to clarify where customers' information is stored when using the applications. Hosting companies such as the Play Store of Google and the App Store of Apple must be held accountable for hosting unverified hidden code that could potentially compromise users' privacy and security.

I find it extremely pertinent to disclose that the two largest app hosting providers listed above are the beneficiaries of each and every app sold, subscribed to, used, tried, or even downloaded through their platforms.

Many developers and service providers often seek to hide their malign intentions behind several dozen pages of terms and conditions. They count on consumers' ignorance and unwillingness to read the terms and conditions. These providers need to be reminded that we cannot hire a lawyer every time we purchase or freely install an app to have them explain the liabilities and entitlements related to such products.

Additionally, the use of third-party entities (in the form of plugins, etc.) in the provision of services to consumers should be abolished by the big corporations and service providers. If these companies use third-party companies to provide services or products, they should take full responsibility for any liability suffered by consumers.

The same should also apply to the use of credit cards or rewards cards. These days rewards points are used quite frequently, and the companies behind them also use so-called surveys as instruments to collect our personal information. Companies like Google go even further: they know our private affairs in detail and use them against us for marketing purposes.

Most of us have no idea where our details are stored and what is done with them. Therefore, do not be surprised when you receive a phone call from Switzerland or Bangladesh.

I'm afraid that one day a stranger will knock on my door and call me by my name, even though I did not invite them.

These things should be of concern to us all. As an IT guy, I urge everyone to take privacy seriously when using the internet on any device.

To protect yourself and minimise any liability or inconvenience, consider taking the following steps:

  • Pay attention to warranties and disclaimers;
  • Be very careful with online surveys;
  • Never use only one email address; create multiple email addresses (the free ones) and use them for different types of communication;
  • Never use your real date of birth (unless you have to);
  • Never use your real full name (unless you have to);
  • Never give your physical address (unless you have to);
  • Change your password regularly;