It’s no secret that Russia has been launching a steady barrage of coordinated cyber-attacks against the U.S., as many sanctions have been issued against Russian officials and businesses since the 2016 presidential election.1 Beyond official sanctions, US-CERT issued an alert in April regarding Russia maintaining persistent access to small office and home office routers, warning of widespread espionage. From June 11 to June 12, 2018, F5 Labs, in concert with our data partner, Loryka, found that cyber-attacks targeting Singapore skyrocketed, 88% of which originated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted Singapore. We cannot prove they were nation-state sponsored attacks; however, the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted VoIP phones and IoT devices, which appears to be more than a mere coincidence.
- Russia accounted for 88% of the attacks against Singapore on 6/12/2018.
- The attack began out of Brazil, targeting SIP port 5060, which is used by IP phones to transmit communications in clear text; this was the single most attacked port.
- Following this initial phase, the attacks were primarily reconnaissance scans from the Russian IP address 126.96.36.199, targeting a variety of ports.
- The number two attacked port was Telnet, consistent with IoT device attacks that could be leveraged to gain access to or listen in on targets of interest.
- Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.
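A defender can check their own edge firewall logs for the same port profile. The following is an added example, not code from F5 Labs or Loryka; the log layout, the addresses (RFC 5737 documentation ranges), the function names and the threshold of three distinct ports are assumptions.

```python
import re
from collections import defaultdict

# Ports named in the report (23 is the standard Telnet port).
WATCHED_PORTS = {
    5060: "SIP (IP phones)",
    23: "Telnet (IoT devices)",
    1433: "SQL database",
    81: "web traffic",
    8080: "web traffic",
    7541: "ISP-managed routers (Mirai, Annie)",
    8291: "MikroTik routers (Hajime)",
}

# Assumed log layout: "<timestamp> DROP SRC=<ip> DST=<ip> PROTO=<p> DPT=<port>"
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
# Constructed sample input; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2018-06-12T00:01:10Z DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP DPT=5060
2018-06-12T00:01:11Z DROP SRC=198.51.100.7 DST=203.0.113.11 PROTO=UDP DPT=5060
2018-06-12T00:02:00Z DROP SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=23
2018-06-12T00:02:01Z DROP SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=1433
2018-06-12T00:02:02Z DROP SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=8291
2018-06-12T00:03:00Z DROP SRC=192.0.2.99 DST=203.0.113.10 PROTO=TCP DPT=443
garbage line without fields
""".splitlines()

def parse_line(line):
    """Return (source_ip, dest_port), or None for lines that do not match."""
    m = LINE_RE.search(line)
    return (m.group("src"), int(m.group("dpt"))) if m else None

def summarize(lines, scan_threshold=3):
    """Count hits per watched port and flag sources probing many of them."""
    hits_per_port = defaultdict(int)
    ports_per_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in WATCHED_PORTS:
            continue
        src, dpt = parsed
        hits_per_port[dpt] += 1
        ports_per_src[src].add(dpt)
    # A source touching several watched ports looks like a reconnaissance scan.
    scanners = {s: sorted(p) for s, p in ports_per_src.items() if len(p) >= scan_threshold}
    return dict(hits_per_port), scanners

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A source that only hits port 5060 stays out of the scanner list but still shows up in the per-port counts, which keeps single-service SIP probing visible separately from multi-port reconnaissance.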
June 12, 2018 Attacks
Approximately 40,000 attacks were launched, beginning at 3:00 p.m. UTC on 6/11/2018 and lasting through 12:00 p.m. UTC on 6/12/2018. That translates to 11:00 p.m. through 8:00 p.m. Singapore time on June 12, the day President Trump met with Kim Jong-un in Singapore.2
Figure 1. Timeline of Singapore attacks
Ninety-two percent of the attacks collected were reconnaissance scans looking for vulnerable devices; the other 8% were exploit attacks. Thirty-four percent of the attacks originated from Russian IP addresses. China, the US, France, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 and 3 times fewer attacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks alongside Russia.