Read more at https://www.channelnewsasia.com/news/singapore/singhealth-cyberattack-the-work-of-sophisticated-usually-state-10592762
Unker Will
We have been hearing the same old tune..."state-linked cyberattack"! Any news of who was behind it???? Identify the culprit. That's what we want to hear!!
Justice Boa
Well said. Since we have the evidence and the identity of state-linked hackers, please summon the ambassadors of China or Russia to show cause. Prosecute them in the International Court of Justice. We must safeguard our sovereignty at all cost, especially as our PM's and millions of sensitive medical records were stolen.
Ricky Lim
Justice Boa - Based on the comments made on this board, many people think that forensic evidence churned out can be proven in Courts and conclusively nail the hackers.
This is a misconception, and the Minister has rightly pointed out that:
"He added that in these matters, "whilst one can have a high level of confidence, one may not be able to have the certainty that you might need in order to specifically assign responsibility" and the evidence may not stand up in the court of law."
So far no Country, even knowing through "inference" that a certain State is involved in the hacking, has been able to prosecute it in Courts with the forensic evidence, which I will elaborate on with examples later.
Ricky Lim
E.g. a group of State-sponsored hackers from Country Z decides to launch an attack on Country A.
(1) Country A hackers launch a VPN IPsec tunnel from their VPN gateway that encrypts its payload and hides their original IP address by inserting a dummy IP address, which cannot be traced.
(2) Through the VPN IPsec encrypted tunnel and hidden IP identity, they jump into a weak router in Country Y and take control of it by breaking its admin password.
(3) They set up a VRF secured tunnel to join a valid VRF secured tunnel, access the Country Y VRF intranet and take control of a weak server.
(4) By breaking the supervisor password of Country Y, the hackers launch remote desktop access to a Country X desktop, break its password and take over the Country X desktop.
(5) From the Country X desktop, the hackers launch an SSH secure tunnel to the Country W apps server and break its password.
(6) From the Country W apps server, they do ICMP reconnaissance scanning of the Country A network to discover its network topology, followed by a TCP scan.
(7) The hackers will then attempt to break the password of all the IP devices that they discover in the Country A network from the Country W apps server.
(8) After many tries without triggering the alarm system, they identify one weak workstation and break the password to take control over the workstation.
(9) From the workstation, based on the network topology that the hackers discovered, they will attempt to bypass the network security devices and features and go straight to the database server, access the database by breaking the database administrator password and copy its contents.
(10) After they have done so, the hackers will try to remove traces of their illegal access by clearing the records of their access: amending the various IT devices' security logs, access logs and system logs, clearing cache, etc.
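Steps (6) to (8) in the comment above (ICMP sweep, TCP scan, then repeated password guessing "without triggering the alarm system") are the part of the chain a victim's own monitoring can catch. As an added illustration that is not part of this thread, the Python below runs a simple per-source detector over constructed firewall and sshd log lines; the log format, the thresholds and the 203.0.113.9 address are assumptions.

```python
import re
from collections import defaultdict

FW_RE = re.compile(r"proto=(\w+) src=(\S+) dst=(\S+)")
AUTH_RE = re.compile(r"Failed password for (\S+) from (\S+)")

def constructed_logs():
    """Constructed sample events (not real data): one external hop sweeps the
    network with ICMP, TCP-probes port 22, then guesses SSH passwords."""
    scanner = "203.0.113.9"  # assumed attacker-controlled hop (documentation range)
    lines = []
    for i in range(1, 13):   # step (6): ICMP sweep of 12 hosts
        lines.append(f"2018-07-20T01:00:{i:02d} fw proto=icmp src={scanner} dst=10.0.0.{i}")
    for i in range(1, 11):   # step (6): TCP scan of 10 of them
        lines.append(f"2018-07-20T01:01:{i:02d} fw proto=tcp src={scanner} dst=10.0.0.{i} dport=22")
    for i in range(6):       # step (7): repeated password failures from the same hop
        lines.append(f"2018-07-20T01:02:{i:02d} sshd Failed password for admin from {scanner} port {51000 + i}")
    # benign noise: an internal monitoring host pinging two servers, one mistyped login
    lines.append("2018-07-20T01:00:30 fw proto=icmp src=10.0.0.50 dst=10.0.0.1")
    lines.append("2018-07-20T01:00:31 fw proto=icmp src=10.0.0.50 dst=10.0.0.2")
    lines.append("2018-07-20T01:03:00 sshd Failed password for alice from 10.0.0.51 port 40000")
    return lines

def analyse(lines, sweep_threshold=8, auth_threshold=5):
    """Return {source: [reasons]} for every source whose behaviour crosses a threshold."""
    icmp_targets = defaultdict(set)   # distinct hosts each source pinged
    tcp_targets = defaultdict(set)    # distinct hosts each source TCP-probed
    failed = defaultdict(int)         # failed logins per source
    for line in lines:
        m = FW_RE.search(line)
        if m:
            proto, src, dst = m.groups()
            (icmp_targets if proto == "icmp" else tcp_targets)[src].add(dst)
            continue
        m = AUTH_RE.search(line)
        if m:
            failed[m.group(2)] += 1
    alerts = {}
    for src in sorted(set(icmp_targets) | set(tcp_targets) | set(failed)):
        reasons = []
        if len(icmp_targets[src]) >= sweep_threshold:
            reasons.append("icmp_sweep")
        if len(tcp_targets[src]) >= sweep_threshold:
            reasons.append("tcp_scan")
        if failed[src] >= auth_threshold:
            reasons.append("password_guessing")
        if reasons:
            alerts[src] = reasons
    return alerts
```

Counting distinct destinations per source is what separates a sweep from a monitoring host pinging a couple of servers; the same per-source view is what step (10)'s log tampering tries to erase, which is why these records belong on a remote log collector the workstation cannot edit.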
Ricky Lim
(1) Now assume you as investigators can trace and track through the forensic evidence left in the system, hop by hop, to each individual Country. How do you know the individual Countries will willingly provide you with forensic evidence that the hackers have intercepted their devices to launch an attack at us?
(2) The hackers have used an encrypted tunnel, hidden their digital identity and used a secured tunnel. That will need the "encryption keys", the "digital passwords" and the "digital certificates" of all the individual Countries before we can decrypt the contents and reveal the hidden identities.
Which Countries will willingly do so, without embarrassing themselves or giving away their "digital secrets"?
(3) Without the above, how do we prosecute the hackers in Courts, as Courts need "clear, unambiguous evidence" that can identify and prosecute the hackers?
Ricky Lim
Prosecution is successful only if "All Countries in the World" sign a universal obligation to reveal and prosecute hackers, and are willing to participate in a worldwide digital forensic exercise to nab the hackers.
But if it is State-sponsored hackers, what makes you think Countries or their allies will willingly volunteer in the investigation and forward forensic evidence to assist you in the investigation and the subsequent prosecution of hackers in the International Courts?
Ricky Lim
Inferences and traces of digital forensic evidence can be found to "infer" or "give clues" that point to the likely hackers' identity.
Such traces are the techniques the hackers used, the malware developed by a certain group of hackers, the languages they used to develop their tools, and other IT traces that I will not elaborate on, etc.
But conclusive digital evidence that can be prosecuted in Courts will not be possible without the cooperation of all Countries affected or involved.
Thus a State-sponsored APT (Advanced Persistent Threat) attack is almost impossible to prosecute in International Courts.
So far the USA and even Europe have made noise and can only retaliate in kind, but are not able to haul any State-sponsored hackers into International Courts or their own Courts.
Ricky Lim
Assume you reveal the "likely identity of the hackers" in Country Z. How do you think Country Z will respond?
Country Z will tell you to show proof.
Even if you show proof (without other Countries taking part), Country Z will say "your proof is not good enough, as it involved so many Countries". How can you prove it came from Country Z?
Then indeed we will be shooting ourselves in the foot.