KUALA LUMPUR, April 16 ― A national cyber security centre has claimed it has no details on the alleged espionage against Malaysia by hackers believed to be backed by the China government.
CyberSecurity Malaysia’s CEO Dr Amirudin Abdul Wahab also confirmed that the centre is “not investigating” the purported spying as it did not receive any complaints based on the claims in US cyber security firm FireEye Inc’s recent report.
“No. We do not have information on the spying activities by the hackers as reported by FireEye,” the head of the cyber security centre under the Ministry of Science, Technology and Innovation told Malay Mail Online in an emailed statement yesterday.
“Usually the public or organisations would report intrusion incidents or other cybersecurity breaches to CyberSecurity Malaysia’s Cyber999 Help Centre if they know that such security incidents have happened or still being done to their system,” he added.
On April 12, FireEye Inc claimed in its report that the state-sponsored hackers dubbed “APT30” have been targeting governments, companies and journalists across Southeast Asia for over a decade to gather intelligence on regional political, economic and military issues.
The report said Malaysia is among the countries that are confirmed targets of the hackers who have been running the cyber-attacks on various sources, possibly including classified government networks, since at least 2005.
FireEye said malware was detected in several countries including Malaysia from October 2012 to October 2014, further claiming that hackers have been targeting nations in Asean ― currently chaired by Malaysia ― around the time of official Asean meetings.
Amirudin told Malay Mail Online that government departments and ministries’ security measures to prevent hacking would be covered by their Public Sector ICT Security policy, standards and guidelines, which all civil servants have to comply with.
For ministries or departments certified under the Information Security System Management System (ISMS) global standard, their “security measures to protect sensitive information and prevent hackings” would be in line with the same ISMS or ISO/IEC 27001’s guidelines, he said.
Amirudin provided advice on how private companies can protect their data and classified information from hackers, including allowing only authorised users to access their system and emails, as well as monitoring of access activities for prompt action on unusual and suspicious behaviour.
“Transmission of classified information, ie. confidential and sensitive information, must be protected through encryption to protect the interest of the organisation. No personal e-mail should be used for the purpose of transmitting official information,” he said.
In another case of espionage, secret documents leaked by intelligence whistleblower Edward Snowden in 2013 showed that the United States has been running a monitoring station in its Kuala Lumpur embassy to tap telephones and monitor communications networks.