
Cybersecurity Monthly Report (July 2023)

Ex ante joint defense and monitoring
    A total of 60,203 pieces of government agency cybersecurity joint defense intelligence were collected this month and analyzed by identifiable threat type. The largest category was information collection (45%), mainly scanning and probing and social engineering. It was followed by hacking attempts (26%), mainly attempts to gain unauthorized access to systems or to obtain system or user privileges, and intrusion attacks (17%), mainly unauthorized intrusions into hosts. The distribution of intelligence volume over the past year is shown in Figure 1.
    Further compilation and analysis of the joint defense intelligence found that QR code phishing attacks (quishing) have been increasing recently. Attackers embedded QR codes in social engineering emails: because the malicious URL is carried inside an image rather than as a clickable link, link-based mail filtering at agencies has nothing to inspect, which raises the attack's success rate. Masquerading as internal agency email, the attackers used subjects such as "Smartphone mobile system going online" to lure recipients into scanning the QR code with their mobile devices. The code led to a counterfeit login page that asked for the recipient's account ID and password; credentials entered there went straight to the attackers. The relevant indicators have been provided to agencies, with recommendations for joint defense monitoring and protection.

Figure 1  Statistics of cybersecurity monitoring intelligence in joint defense
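The lure described above defeats link-based mail filtering because the only "link" is a picture. The following triage heuristic is an added example, not code from the report or from any agency; it parses a raw message with Python's standard email library and scores three signals the report mentions: an image attachment while no URL appears in any text part, a sender domain outside the agency, and a subject that imitates an internal IT notice. INTERNAL_DOMAIN, the lure phrases other than the one quoted in the report, the sample messages and the PNG bytes are all constructed for the example.

```python
"""Triage heuristic for QR-code phishing ("quishing") mail.

Added example, not from the report. The lure puts the credential-harvesting
URL inside a QR-code image instead of a clickable link, so link-based mail
filters see nothing to check. INTERNAL_DOMAIN, the sample messages and the
PNG bytes are constructed.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.gov"                       # assumption: agency mail domain
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Subject fragments typical of internal-notice lures; the first is the one
# quoted in the report, the others are assumed for illustration.
LURE_PHRASES = ("mobile system going online", "account verification", "password expires")
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)           # PNG header only, not a real QR code


def score_message(raw: bytes) -> dict:
    """Return the per-signal findings and a total score for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    subject = str(msg.get("Subject", "")).lower()

    has_image, text_has_url = False, False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in IMAGE_TYPES:
            has_image = True
        elif ctype in ("text/plain", "text/html") and URL_RE.search(part.get_content()):
            text_has_url = True

    signals = {
        # An image is the only way to deliver a link when the text carries none.
        "image_without_link": has_image and not text_has_url,
        "external_sender": sender_domain != INTERNAL_DOMAIN,
        "lure_subject": any(p in subject for p in LURE_PHRASES),
    }
    return {"sender_domain": sender_domain, "signals": signals, "score": sum(signals.values())}


def is_suspect(raw: bytes, threshold: int = 2) -> bool:
    """Two or more signals together are worth quarantine and analyst review."""
    return score_message(raw)["score"] >= threshold


def build_sample(sender: str, subject: str, body: str, attach_png: bool) -> bytes:
    """Build a constructed test message as raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example.gov", subject
    m.set_content(body)
    if attach_png:
        m.add_attachment(FAKE_PNG, maintype="image", subtype="png", filename="qr.png")
    return m.as_bytes()


# Constructed lure modelled on the report: external sender, internal-looking
# subject, and the "link" exists only as an image attachment.
SUSPECT_EML = build_sample(
    "IT Service Desk <it-desk@example-mail.com>",
    "Smartphone mobile system going online",
    "Please scan the QR code below with your mobile device to activate access.",
    attach_png=True,
)
# Constructed benign mail: internal sender, ordinary subject, image attached.
BENIGN_EML = build_sample(
    "HR <hr@example.gov>", "Team lunch photos", "Photos from Friday attached.", attach_png=True
)

if __name__ == "__main__":
    for name, eml in (("suspect", SUSPECT_EML), ("benign", BENIGN_EML)):
        print(name, score_message(eml), is_suspect(eml))
```

The benign message also scores the "image without link" signal, which is why a single signal must not quarantine on its own; the decision rests on the combination with sender origin and subject. Decoding the QR code itself and detonating the URL it contains is the natural next step, but needs an image-decoding library and is outside this example.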

In-process reporting and responding
    There were a total of 117 cybersecurity incident reports this month. Among the incidents classified as "equipment issues," external network outages caused by problems at agencies' Internet Service Providers (ISPs) accounted for 25%. Statistics of cybersecurity incident reports over the past year are shown in Figure 2.

Figure 2  Number of reported cybersecurity incidents

Post information sharing
    This month an agency reported that several of its observation post hosts had been hit by ransomware. Investigation traced the attack to a vendor-maintained computer at one observation post: the attackers logged into that computer and, using it as a jump server, connected by Remote Desktop to multiple observation post hosts. Further analysis showed that some of the agency's observation post hosts are located in remote areas that are difficult to reach, so their maintenance is commissioned to vendors who work remotely. The agency changed the account password on the compromised computer, restricted access to the maintenance vendor's computer, and brought the observation post hosts under centralized management to reduce the risk of further intrusion.
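The lateral movement in this incident leaves a recognisable trace: one source address opening Remote Desktop sessions to several different hosts within a short time. The detector below is an added example, not code from the report or the agency; it reads Windows Security logon records (event 4624 with LogonType 10, which is RemoteInteractive, i.e. RDP) and alerts on any source that reaches a threshold number of distinct hosts inside a sliding window. The CSV layout, host names, addresses and account names are constructed.

```python
"""Detect RDP fan-out from a single source, the pattern a compromised jump
host leaves behind.

Added example, not from the report. Windows Security event 4624 is a
successful logon; LogonType 10 (RemoteInteractive) means it came over Remote
Desktop. The CSV layout and every record below are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: the vendor host 10.20.30.40 RDPs into four observation
# posts in ten minutes; the other rows are ordinary activity.
SAMPLE_LOG = """\
timestamp,host,event_id,logon_type,account,source_ip
2023-07-12T01:02:11,OBS-POST-01,4624,10,maint_vendor,10.20.30.40
2023-07-12T01:05:47,OBS-POST-02,4624,10,maint_vendor,10.20.30.40
2023-07-12T01:09:03,OBS-POST-03,4624,10,maint_vendor,10.20.30.40
2023-07-12T01:12:30,OBS-POST-04,4624,10,maint_vendor,10.20.30.40
2023-07-12T09:00:00,FILESRV-01,4624,3,alice,10.1.1.15
2023-07-12T09:30:00,OBS-POST-02,4624,10,ops_admin,10.1.1.50
2023-07-12T14:00:00,OBS-POST-05,4624,10,ops_admin,10.1.1.50
"""


def detect_rdp_fanout(log_text, min_hosts=3, window=timedelta(minutes=30)):
    """Return one alert per source_ip that opens RDP logons to at least
    min_hosts distinct hosts within any window-long span."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_id"] == "4624" and row["logon_type"] == "10":
            sessions[row["source_ip"]].append(
                (datetime.fromisoformat(row["timestamp"]), row["host"], row["account"])
            )

    alerts = []
    for src, events in sessions.items():
        events.sort()
        # Slide the window start over each logon from this source.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            hosts = {h for _, h, _ in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "source_ip": src,
                    "first_seen": start.isoformat(),
                    "hosts": sorted(hosts),
                    # One account accepted on every host is the shared-credential
                    # weakness the additional reference below warns about.
                    "accounts": sorted({a for _, _, a in in_window}),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_fanout(SAMPLE_LOG):
        print(alert)
```

The ops_admin logons from 10.1.1.50 do not alert because they are hours apart and touch only two hosts; tune min_hosts and window to the normal fan-out of your own administrators, and pair the rule with an allowlist of the jump hosts that are actually permitted to reach the observation posts.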

Additional Reference:
    Commissioning external vendors to perform remote maintenance of agency information systems should follow the principle of "prohibited in principle, permitted by exception." Where remote maintenance is necessary, it must comply with Article 4 of the Enforcement Rules of the Cyber Security Management Act and Schedule 10 of the Regulations on Classification of Cyber Security Responsibility Levels, which require a management mechanism for remote access to be established and implemented. In addition, the same account password should not be used on different information devices, so that a credential captured on one device cannot be reused to log into the others.
