“We took a blood oath and swore to never reveal the content of our meetings,” asserts Chin Ching-po, director of information security for the ASUS Group, speaking about the High Tech Information Alliance that he was instrumental in bringing about.

With the assistance of the Taiwan Network Information Center, in 2021 the ASUS Group invited ten corporations to secretly assemble the High Tech Information Security Alliance, becoming Taiwan’s first cyber security group whose participation is limited to major manufacturers in the high-tech field.

From IC design to chip packaging and testing, to major assembly plants, the heads of cyber security from famous corporations are all on the alliance’s list. “ASUS is the most downstream, making it a client of most of the participating enterprises. So that made it easy to put the call out,” says Chin, frankly.

From Taiwan Semiconductor (TSMC) getting hit with the WannaCry computer virus in 2018, to Quanta encountering the infamous hacker group REvil in 2021, ransomware blackmailers have continued to plague Taiwan’s high- tech manufacturing industry, putting everyone from tiny vendors to big names across the entire supply chain on alert.

Containment requires intelligence sharing

“The Five Big Boys electronics companies (Quanta, Wistron, Pegatron, Compal, and Inventec) aren’t protected by special data security, unlike Taiwan’s eight critical infrastructure installations. So we wanted to take action ourselves,” states Chin.

Having operated for over a year since its founding, other than meeting regularly to discuss such things as how to set up system frameworks, what kind of data security products to buy, and even an anecdote related by one enterprise detailing how it had been hacked, they discuss and exchange solutions.

Over the past several months, significant amounts of private information have been publicly leaked in a torrent, as if a faucet was opened.

From iRent, the Hotai Motor Company’s car sharing brand, to CarPlus auto leasing, China Airlines and Breeze, enterprises’ core data has either been found by overseas data security personnel to have been leaked, or directly posted on forums. Each person’s information is sold, starting at just a few pennies per head.

Taiwan has long been one of the targets for worldwide Internet attacks. According to CheckPoint, a major Israeli data security company, Taiwan was attacked an average of 2,664 times per week in 2021. A year hence, the numbers had grown by 10 percent, to 3,118 times per week, led by the financial industry, which had the most attacks aimed at it.

“Recently it looks like successive cyber security incidents have broken out, but a lot of leaks have existed for a long time,” stresses Howard Jyan, former chief of the Department of Cyber Security, Executive Yuan, and currently an executive vice president at Deloitte. “Data is bound to get breached; the key is how quickly can you handle it once it gets exposed? Containment requires intelligence sharing,” says Jyan.

He cited the Financial Supervisory Commission’s introduction of a new regulation effective April 27, 2021 that publicly listed companies must issue an important market bulletin immediately when major cyber security incidents take place.

What are the advantages of going public? First, it can help avert expanded attacks. Next, companies with similar systems can use the opportunity to run checks and coordinate on joint cyber security measures.

It sounds like basic stuff, but in the face of high-frequency Internet attacks we can be surprisingly cavalier.

“Based on cyber security reports, over 90 percent of cases are due to the lack of basic data security measures. Many cases occur in which only a password has been set, or a password isn’t even used,” relates Huang Sheng-hsiung, head of operations for the Taiwan Computer Emergency Response Team / Coordination Center.

Taking the example of the iRent data breach, there was not even a password line for customer information temporarily stored in the cloud, allowing anyone with the URL to directly read the information. This is akin to exposing data to “go streaking” out in the open.

Howard Jyan, former chief of the Department of Cyber Security, Executive Yuan, and currently an executive vice president at Deloitte. (Source: Chien-Tong Wang)

Hacker groups adopt new business models

This is not the only frightening thing. An even greater risk is that we are currently up against the golden age of the hacker industry.

“The underlying cause of scores of data breaches lately is that hackers have changed their methods,” says Bob Hung, general manager of the Taiwan and Hong Kong region at prominent cybersecurity software company Trend Micro, pulling no punches in his assessment.

Up until a year ago, the cyber security issue that gave everyone worldwide the most fits, including Taiwan, was so-called “ransomware.”

Hackers would first get into a system, and threaten to halt all system operations and make it impossible for you to run your business unless they are paid a hefty ransom. All companies have a publicly listed contact email, which becomes the entry point for blackmail letters.

However, while blackmail seemed to be an effective money-making venture, hacker groups failed to anticipate that their high-profile actions would attract the forceful involvement of national law enforcement departments around the world.

In May 2001, the Colonial Pipeline, which moves oil along the entire east coast of the United States, was hacked by the infamous Eastern European hacker group, the Dark Side. They forced an immediate shutdown of the pipeline in anticipation of attacks. As soon as the pipeline was shut down, at least five U.S. states saw fuel shortages, and even airplanes were grounded as a result.

As fuel pipelines are major items of critical infrastructure, U.S. President Joe Biden issued an emergency executive order, declaring an offensive against hackers and hacking.

Yet this also caused the hackers to change course and try new approaches.

Bob Hung observes that, for many years hackers’ techniques changed very little. However, starting in the second half of last year, the large hacker groups started to adopt new business models.

New method #1: locking up key data

First, in order to evade the watchful gaze of national security departments, they ceased shutting down corporate operations in an elaborate fashion, instead locking up key company data they obtained, demanding high ransoms after encrypting and locking up the information.

Next, rather than cover upstream, midstream and downstream avenues, the big hacker groups turned into “arms dealers.”

New method #2: ransom amounts scaled to company revenues

Not only do hackers know how to read financial reports, they also set ransom amounts according to company revenue, and even rent out platforms or software used for attacks to smaller hackers, waging guerilla warfare, so that ransomware became “Ransom as a Service” (RaaS).

“It’s relatively easy for smaller hackers to attack Tier 2 companies. This is why we see more data breaches concentrated among small- and medium-sized enterprises,” relates Hung.

Unfortunately, over the near term we can anticipate that more small- and medium-sized Taiwanese enterprises will be exposed to the risks of data compromises.

In data security circles, the most often uttered basic concept is the “bucket principle,” which says that how much water a bucket can hold is not determined by the longest plank of wood, but the shortest. This represents a system’s weakest link, and determines the entire system’s capacity.

All companies must take heed.

---

Have you read?

• A NT$36 Billion Hacker Brought Down in Taiwan 
• A cyber timebomb is ticking, is Taiwan at risk? 
• Hack for a Sustainable Future

Translated by David Toman
Edited by TC Lin
Uploaded by Ian Huang