Cyber incidents, cyber crimes on the rise, warns PM
© Provided by Free Malaysia Today Muhyiddin Yassin said with more Malaysians going online for e-commerce and virtual classes, cyber criminals are exploiting the situation.
PETALING JAYA: The number of cyber incidents and cyber crimes reported in Malaysia is expected to increase this year based on the number of cases reported in the first quarter, Prime Minister Muhyiddin Yassin said today.
Stating that 3,787 cyber incidents were reported in 2019, he said such incidents increased by 10% to 4,194 last year, and stood at 1,300 in the first quarter of 2021.
According to Muhyiddin, cyber crimes have also shown an upward trend with 4,327 cases reported in the first quarter of this year alone.
“Statistics by the police show that in 2019, the number of cyber crimes reported was 11,875 cases, with RM498 million in terms of losses,” he said in his speech at the opening of the Cyber Defence & Security Exhibition and Conference 2021 (CYDES 2021) today.
“Last year, the number of cases increased to 14,229, with total losses of RM413 million. In the first quarter of this year, the number of cases reported was 4,327 and the losses amounted to RM77 million.”
Muhyiddin said that while the amount of losses associated with cyber crimes has been declining over the past three years, he said that the number of cases is on the rise.
“This proves that cyber crimes are a problem that warrants serious attention.”
He noted that an increasing number of Malaysians are involved in e-commerce and online learning, both of which have opened a floodgate of threats, risks and vulnerabilities which have been exploited by cyber criminals.
Among the various types of cyber crimes include hacking, identity fraud and data breaches. Cyber incidents refer to unauthorised access, or attempted access, to an IT system.
Cyber crime expert warns businesses: ‘If they don’t start taking precautions now, they could be victims later’
The cyberattack on Colonial Pipeline in May gained national attention, with the $4.4 million ransom demand it paid, the temporary shutdown of the company’s pipeline operation and the long lines at gas stations generated by panic-buying consumers.
But while this the first time many Americans heard of ransomware — where someone gains access to a computer system and encrypts it so the owner of the machine can’t use it until paying a ransom — it was hardly the first case, having been around for decades. And cybersecurity experts agree, it will not be the last incident unless precautions are taken.
US President Joe Biden said that a Russia- based group was behind the ransomware attack that forced the shutdown of the largest oil pipeline in the eastern United States. (FRANCOIS PICARD/AFP/TNS)
Cyberattacks aren’t just hitting large corporations with deep pockets. The criminals, who usually live in countries like Russia or North Korea where they have no fear of being extradited to the U.S. to pay for their crimes, have also targeted smaller businesses, government entities, utility companies, school districts and health care operations, many of which have systems containing sensitive information.
According to Purdue University Professor Eugene Spafford, who specializes in computer network security, cyber crime and ethics, there are about 100 ransomware cases every day, most of which go unreported.
“Right now a lot of places are being taken by surprise. They didn’t realize they would be targets,” Spafford said. “In a year’s time, I don’t think any organization can claim ignorance. If they don’t start taking precautions now, they could be victims later.”
Some companies and other entities in the Region contacted by the Post-Tribune declined to comment on the matter, afraid they would become a target, others didn’t respond at all. BP, NiSource and the Ports of Indiana said they’re taking the threat very seriously.
“We seek to manage this risk through a range of measures, which include cybersecurity standards, security protection tools, ongoing detection and monitoring of threats and testing of cyber response and recovery procedures,” BP stated in its 2020 annual report.
The cost of ransomware
Ransomware attacks could be costly not only to the target, but ultimately to consumers, as well.
In 2020 the malicious software hit more than 2,300 government entities, health care facilities and schools, the security software company Emsisoft stated in its report, “The cost of ransomware in 2020. A country by country analysis.”
The average ransom demand was $84,000 in these incidents, but the company said recent evidence shows the amount may have increased. Spafford said while large corporations like Colonial Pipeline could see demands in the millions of dollars, the average ransom for smaller businesses is $50,000 to $60,000 and going up.
But Spafford said the real loss to a company, government entity or organization could be 10 to 20 times the ransom amount when taking into consideration the downtime, which Emsisoft estimated at 16 days on average, reporting requirements and money needed to be spent to make changes to the system. And this could ultimately result in increased taxes and prices for products, affecting the average person as well, Spafford said.
He said while the long lines at gas stations following the Colonial Pipeline ransomware attack was a matter of panic buying, not a lack of gasoline, attacks on electric grids, health care systems, railroads, air traffic, the federal government and other critical areas could result in system shutdowns of more than a week, which could affect consumers.
“That could be a real problem,” he said.
Edison Electric Institute, a trade organization for the electric power industry, which Merrillville-based NiSource is a member, said ransomware is a known threat that EEI and its member companies have been working to defend against since the attack strategy first emerged.
Scott Aaronson, EEI vice president for Security & Preparedness, said working through the CEO-led Electricity Subsector Coordinating Council, the electric power industry developed ransomware preparedness guidance in 2017 that includes measures that electric companies can put in place to defend against ransomware attacks and mitigate the impact of a successful attack.
Part of that strategy includes the ESCC’s Cyber Mutual Assistance program, which extends the industry’s practice of sharing critical personnel and equipment for emergency response to the cyber realm.
Aerial picture of the BP Whiting Refinery in Whiting. A spokeswoman said “We collaborate closely with governments, law enforcement agencies and industry peers to understand and respond to new and emerging cyber threats.” (Zbigniew Bzdak/Chicago Tribune) (Zbigniew Bzdak / Chicago Tribune)
“Addressing dynamic threats to the energy grid requires vigilance and coordination that leverages government and industry resources. That is why we work across the sector and with our government partners to share actionable intelligence and prepare to respond to incidents that could affect our ability to provide electricity safely and reliably,” Aaronson said.
BP spokeswoman Christina Giannelli said the company takes safety and security, including cybersecurity, extremely seriously and works hard to remain aware of and respond to ever-revolving risks.
“We collaborate closely with governments, law enforcement agencies and industry peers to understand and respond to new and emerging cyber threats. We build awareness with our staff, share information on incidents with leadership for continuous learning and conduct regular exercises including with the leadership team to test response and recovery procedures,” the company stated in its 2020 annual report.
The Ports of Indiana, which includes the Burns Harbor port, has a dedicated information technology manager on staff who monitors and implements all best practices.
“Our ports and customers are our top priorities and security protocols have always been in place,” spokeswoman Jennifer Hanson said.
Coke, a purified coal used in the steelmaking process, is unloaded from the Federal Rhine bulk carrier at the Port of Indiana on Wednesday, July 22, 2020. The Burns Harbor port has a dedicated information technology manager on staff who monitors and implements all best practices regarding computer safety. (Kyle Telechan / Post-Tribune)
Taking precautions Emsisoft said in its report that 33% of companies paid the ransom demand, which in many cases ends up being less expensive than fighting the criminals.
Spafford said that’s a bad idea.
“Eighty percent of the victims of ransomware are victimized by the same group again in the next couple of months. They’re gangsters,” Spafford said.
He said there are several measures companies can take to lessen the chance of being attacked or the damage caused if it is. He said a lot of companies purchased cyber insurance, but the payouts for ransomware got so large some insurance companies are dropping ransomware.
He said some insurers are asking companies to have precautions in place in order to get the insurance. Smaller businesses without a lot of money could look at putting their data in the cloud, which provides some protections, or hiring a security provider on a contract basis.
Spafford said smaller government units, such as a town, also could contract with an outside agency, although he said health care agencies and school districts may be uncomfortable with this approach due to privacy issues. Companies also need to have a backup system and procedure in place so they could rebuild their system from scratch in the event of an attack.
“Unfortunately, many companies don’t have backups. They’re not used to having disasters,” Spafford said.
Another step would be to have a password to log in to an account, then sending a code to your cellphone. This way, if a password is captured, no one can get into your account, Spafford said.
Computer systems could also be partitioned so not all information is on one network. This way if someone gets into one part of the system, they can’t encrypt the entire system. Lastly, be sure to regularly install updates, run security software and have a robust, well-supported security department.
“Not a lot of mid-size companies have that,” Spafford said.
Karen Caffarini is a freelance reporter for the Post-Tribune.
Eight Kenyans jailed in Rwanda over cyber related crimes
Twelve suspects, among them eight Kenyans, three Rwandese and a Ugandan were Monday sentenced to eight years imprisonment for cyber-related crimes committed in Rwanda.
The group had been arrested in October 2019 in Rwanda, by the Rwandan Investigation Bureau (RIB), while trying to hack into the Equity Bank System to steal clients’ money.
The Kenyans include Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Kinyua Erickson Macharia, Godfrey Gachiri Githinji, Eric Dickson Njagi Mutegi, Reuben Kirogothi Mwangi , Damaris Njeri Kamau and Steve Maina Wambugu.
All the 12 suspects were convicted of criminal mischief or misdemeanor, computer access to information intended to commit a crime, change of computer information or network, unauthorized computer access and stealing.
They were also directed to collectively reimburse Equity Rwanda a sum total of 56,525,439 Rwandan Francs (equivalent to Sh6 million) for expenses related to the crime committed. as follows:
The money include Sh332,753 for Equity bank losses, Sh11,111 for system review by a consultant, Sh203,000 for travel and incidentary expenses of system security experts in 2019, Sh60000 for experts’ travel tickets in 2020, Sh5,555,555 for damages incurred by Equity Bank, Sh111,1111 for attorney fees.
The case had previously been delayed due to covid-19 restrictions.
Officials aware of the proceedings said the Kenyan suspects have been on the radar of police for cyber related crimes within the country involving millions of shillings.
Kirongothi skipped bail in a court case where he was accused of stealing Sh80 million by hacking into a Kenyan bank while Njagi stole Sh2.7 million in a similar fashion.
Gachiri, a former Standard Group employee, had also been accused of electronically stealing Sh21.5 million in 2016 from Sidian Bank, then K-Rep Bank, though the charges were later dropped after the money was recovered.
In other separate cases, two Kenyan suspects were released from Rwandan jails ater serving time for various crimes. Charles Kinuthia , was released on June 16, 2021 after serving two years for fraud and paying a fine of 3 million Rwandan Francs (Sh332,000) while Asman Macharia, who had been convicted for human trafficking in 2016 , was released on June 20, 2021 after a five year jail term and a fine of 10 million Rwandan Francs (Sh1.2 million).
Macharia is still under Rwandan custody until he completes paying the fine, despite a plea to pay it within a one-year period while in Kenya.
The Rwandan convictions come in the wake of increased cyber -crime activities buoyed by rapid information technology infrastructure development in the country and the region.
Pundits within the security sector have hailed the case as a win in the fight against cybercrime while rooting for more collaboration among regional states, without which it would be impossible to curb such transitional crimes.