TM-RE News Issue No.

27 | November 2022

Current Status of Cyber-Attacks and

Required Countermeasures

There is no doubt that information systems are now essential resources for the lives of individuals and for
the activities of governments and companies. On the other hand, cyber-attacks aimed at disrupting or
destroying information systems or stealing information from them are on the increasing worldwide, and the
attacks are becoming more large-scale and diverse, making them a serious risk for both governments and
businesses. Furthermore, in recent years, cyber-attacks via the supply chains and cyber-attacks targeting
overseas subsidiaries, whose countermeasures are considered to be weaker than those of the head offices,
have been increasing, requiring a wider range of responses from each organization.
This article provides an overview of cyber-attack risks, which are considered relatively difficult to
understand for those outside the information systems sector, and introduces the characteristics of incidents
that have occurred in recent years and the responses required from each organization.

1. Outline of Cyber-Attack Risks

Since the explosive spread of the Internet in the
early 1990s, all assets, whether wired or wireless,
PCs or equipment, are now connected via
networks and we live in an era of information
distribution. At the dawn of the Internet, it was
only intended for use within organizations, and
many local networks were easily accessed by
unauthorized intrusion from the outside. This has
became the cause of “cyber-attacks” that have
continually plagued government organizations,
private companies and individuals to the present
day. For example in Japan, the amount of cyber-
attack-related communication data observed and
confirmed in a year has increased 66-fold in the
last 10 years from 2012 to 2021. It is expected
that cyber-attacks will continue to increase in the
future.
Total annual number of observed packets*
related to cyber-attacks (billion)
5705
6000
5000
3756
4000
3000 2169
2000 1440 1559
128.8
631.6
1000 78 241
0 technology Promotion Agency, Japan (IPA),
* Number of packets: amount of data in packets
(one of the data communication methods).
Networks have expanded from within
organizations to inter-organizational links, now
extending to home appliances such as lights,
televisions and air conditioners and the
smartphones that operate them, to cars with
communication functions, to excavators and other
heavy machinery on excavation sites and the
system centers that manage them. Cyber-attacks
are targeted locally against individual information
systems, However, as today's information systems
are linked to each other through networks, their
impact can spread throughout the network.
Furthermore, cyber-attacks on satellites have
been increasing in frequency in recent years. For
example, if a cyber-attack on a satellite used for
observation disables its functions, weather
forecasting becomes impossible, and if a cyber-
attack on a satellite used for location information
disables its functions, car navigation systems and
smartphone navigation functions become unusable
extensively. The shutdown of weather satellites
has a major impact on the fishing industry, which
uses weather forecasts to consider if to sail, and
the wholesale and retail industry, which considers
what items to stock and how much to stock on any
given day. Thus, the threat of cyber-attacks is
becoming more widespread and serious.
5180
2. Incidents in Recent Years
1) 10 Major Threats to Information Security in 2022
In the "10 Major Information Security Threats
2022" paper published by the Information-
threats related to cyber-attacks account for
60% of the total, but the breakdown is
completely different from 10 years ago.
The table in the next page shows the case of
Japan. Since the internet world is borderless,
it is considered that the situation in other
countries to be the same. From this table, you
can understand that it is not enough to take
the same measures against cyber-attacks every
year.

-1- @ Tokio Marine Asia Pte. Ltd. All Rights Reserved

 TM-RE News Issue No. 27 | November 2022

[Actual Case 1]
Rank 2022 2012
In 2020, a major Japanese video game
Damage caused by
1st Targeted attack manufacturer, Company A, received
ransomware
unauthorized access from a third party,
Theft of confidential
Business suspension resulting in the spread of ransomware infection
2nd information by
due to disaster within the company's internal network. The
targeted attacks
cybercrime group “Ragnar Locker” stole
Attacks exploited
Attacks by common confidential information, including personal
3rd weaknesses in the
thought groups data of customers/employees/applicants for
supply chain
employment and secrets of marketing,
Attacks aimed at new- Attacks targeting
encrypted the data and demanded USD
normal working style client software that
4th 11million in Bitcoins (equivalent to JPY 1.15
such as Work From has forgotten to
billion in value at the time) as a ransom in
Home update
exchange for the decryption and deletion of
Information leakage Attacks targeting
5th the stolen data.
due to internal fraud websites
Increased exploitation As the company refused to pay, the attackers
following the release Attacks targeting disclosed at least 100 gigabytes of the stolen
6th of vulnerability smartphones and data on the internet on three separate
countermeasure tablets occasions. As a result, the company suffered a
information major information leakage incident.
Attacks targeting
Conventional ransomware
before the release of a Unexpected pitfalls in
7th
corrected program electronic certificates
Encryption of data & systems
(zero-day attacks)
Financial damage
Internal crimes and
8th caused by business
information leaks
email fraud
Business suspension
9th due to unforeseen IT Reuse of accounts
infrastructure failures
Damage caused by Recent ransomware
Improper handling of
10th carelessness Encryption of data Disclosure of confidential
user information.
information leaks, etc. & systems information

In the following sections, we introduce incident

cases related to “Damage caused by ransomware”,
“Attacks that exploit weaknesses in the supply
chain” and “Attacks targeting new-normal working
style such as Work From Home”, which are the top
threats in 2022.
2) Ransomware attacks
Ransomware is a type of malicious software
(malware) that aims to harm or exploit devices,
services and networks. It causes infected
computers to become encrypted and restricts
users’ access to their systems. In order to
remove this restriction, the hacker demands the
victim to pay a ransom. More recently, in
addition to encrypting the target, a “double
threat” type of attack has become more
common, in which confidential information is
stolen and threatened with exposure.
-2-
3) Attacks exploiting supply chain weaknesses
A series of business processes from procurement
of raw materials and components,
manufacturing, inventory management,
distribution and sales, as well as a group of
organizations involved in this business process is
called a “supply chain”, and nowadays,
information systems are increasingly integrated
within the supply chain or mutually
interconnected by networks. Attacks that are
exploiting this relationship to target suppliers
with weak security, leak confidential information
of the original target company, or use the
suppliers as a foothold to launch attacks on the
original target company are on the rise.
@ Tokio Marine Asia Pte. Ltd. All Rights Reserved

[Actual Case 2]
Company B has been a primary trading partner
of major automobile manufacturer Company C
since the company was founded, thus its
system for ordering and receiving parts was
directly linked to Company C, despite the
company's small size.
In 2022, Company B's internal server failed, and
when the server was restarted, a threatening
message “the information would be disclosed
unless this link was accessed” appeared on the
screen in English. Therefore Company B shut
down its network with its business partners. In
response to this situation, Company C shut
down its order and supply system, resulting in
the suspension of automobile production at all
14 plants in Japan.
More efficient for attackers to attack smaller suppliers
Large
Scale
Ordering/Receiving
System Automobile manufacturers
and Major primary suppliers
Size of company
Small primary suppliers
and secondary and
Small tertiary suppliers
Scale
Level of Countermeasures
Low
4) Attackers targeting vulnerabilities in telework
environments
With the global spread of novel coronavirus
infections, “Work From Home (WFH)”, the use of
ICT (Information and Communication Technology)
to work away from the office, has become
widespread around the world. Opportunities to
access company systems from home via VPNs
(virtual private networks) and to hold meetings
with their own or other organizations using web
conferencing services have increased, however
the use of personal computers and home
networks and the hasty introduction of first-time
software without adequate preparation have
made the work environment vulnerable. This led
to vulnerabilities in the work environment and an
increase in incidents such as unauthorized access
to internal systems, peeping into web conferencing
and PCs for WHF being infected by viruses.
TM-RE News Issue No. 27 | November 2022
Theft or loss of devices for WFH
Virus infection of devices for WFH
Internal System
Shoulder
Unauthorized hacking hacking
Source: IPA
[Actual Case 3]
In 2020, a major Japanese manufacturing
Company D was infected with a virus when an
employee working from home using company-
owned computer connected to an external
network without going through the internal
network, and used a social networking service.
Subsequently, the employee connected the PC
to the internal network when he worked at
work, and the virus infection spread to the
internal network.
In the same year, a vulnerability was found in
the web conferencing service, which allowed
access to private online meetings. The default
password used to access online meetings is a
six-digit number, which would result in a
million attempts to log in. Therefore, the
vendor had set a limit on the number of
attempts to enforce the password, but by using
a specific access method, the password
enforcement limit could be circumvented. The
vulnerability has now been resolved.
３. Measures required by companies
■ Common Countermeasures
High
Common countermeasures against cyber-attacks are
similar to general information security measures.
They can be broadly divided into countermeasures
against human errors and mechanical errors.
❑ Countermeasures against human errors
This includes regular education and training of
information system users to prevent them from
opening suspicious emails. For this purpose, it
is effective to educate them which sites they
should not access and how to identify
suspicious emails they should not open files
from. It is also necessary to inform them that
they must voluntarily report to the information
systems department etc., in the event that
they do access or open an infected file.
There are two types of training, training for
individuals and training for the organization as
a whole. For individuals, the training is called
“phishing email training”, in which dummy
suspicious emails are sent to each employee, and
if they open the file, they are instructed that “you
have accidentally opened a targeted email...”.
-3- @ Tokio Marine Asia Pte. Ltd. All Rights Reserved
 TM-RE News Issue No. 27 | November 2022

For Organizations, they are required to be ❑ Countermeasures against attacks that exploit
trained in procedures for responding to supply chain weaknesses
incidents such as information leaks (detection It is effective to establish an information
and reporting), decisions on setting up task sharing system among supply chains. Firstly,
forces, whether forensics should be carried out identify organizations that share the same
or not, public relations responses, etc.). information systems so that the impact of an
incident can be quickly ascertained in the
[Example] Suspicious emails used in event of the incident. Moreover, if a software
targeted email training
used by other organizations or linked to their
Subject Virus infection detected information systems becomes infected with a
“Information Security”
virus or receives unauthorized access, a system
From
<isecalert325@gmail.com> should be established to promptly share this
➢ Free email account information with all organizations using the
software.
For users of terminal number PX215456D
➢ Fictitious ID ❑ Countermeasures against attacks targeting
A virus infection has been detected on a PC used by you in vulnerabilities in remote work environments
our terminal monitoring system. It is effective to establish an information sharing
There is still a risk that personal and confidential system between supply chains. Identifying
information may have leaked. organizations that share the same information
systems so that the impact of an incident can be
In order to prevent the damage from spreading, please take
immediate action according to the linked procedure. quickly ascertained when it occurs.

Security Lab. ➢ Promote to click the link URL

➢ Non-existing Department
➢ Does not match the sender address.
❑ Countermeasures against mechanical errors
Keeping the operating system and software up-
to-date (version) and eliminating vulnerabilities
reduces the risk of infection. In addition, the risk
of infection with ransomware should be reduced
by installing security software that keeps
programs up-to-date and by keeping programs
up-to-date.
■ Measures based on the aspect of the attack
❑ Countermeasures against ransomware attacks
When infected with file-encrypting
ransomware, decrypting encrypted files is
difficult. Therefore, it is necessary to make
backups of important files that would have a
significant impact in case of lost. If a backup is
saved, it will enable to restore the files from
the backup in the event that they are infected
by ransomware and encrypted.
If a software that is also used by other
organizations or linked to other organizations’
information systems is infected by a virus or
illegally accessed, establish a system to
promptly share this fact with all organizations
using the software.
▪ When Working From Home
For home routers, check the manufacturer's
website and apply the latest firmware (software
update).
▪ When working at public places
When using a computer or other device in a
public place such as a café, take care not to be
peeped the computer screen. When conducting
web conferencing in public places, make sure
that others cannot hear you talking.
▪ When using public Wi-Fi
The best practice is to prohibit the use of
public Wi-Fi. If you really need to use it
urgently, turn off the file sharing function on
your computer and use a reliable VPN service
where possible.

Published By: [Contact]

Risk Engineering Department
Email: TMA_RE@tokiomarineasia.com

Disclaimer: The information, suggestions, and recommendations contained herein are for general informational purposes only.
This information has been compiled from sources believed to be reliable. No warranty, guarantee, or representation, either
expressed or implied, is made as to the correctness or sufficiency of any representation contained herein.
Writer: Mr. Kenji Aoshima, General Head Consultant, Risk Management Dept., Tokio Marine dR Co., Ltd.
-4-
-4- @ Tokio Marine Asia Pte. Ltd. All Rights Reserved