Malaysia

Malaysia is a leading knowledge economy in Southeast Asia with aspirations to become a global leader in tech and innovation. Having invested in cybersecurity early on, Malaysia has the legal and operational foundations to deal with sophisticated cyber-threat actors and counter cyber-enabled IP theft. Given Malaysia’s position in global value chains and ambitions for technology-driven growth, it’s important that the government continues to invest in cybersecure innovation.

ASPI assesses

Malaysia

to be

Moderately vulnerable

to state-sponsored acts of cyber-enabled theft of IP.

Author

Farlina Said and Dr. Ben Stevens

Kl-skyline-at-night-2022 - 2022 CC 4.0 Shahee Ilyas

Key Facts

R&D Investments

USD $9 billion (2021)

Patent Applications

1,863 (2021)

Cybersecurity Agency

National Cyber Security Agency (NACSA)

How at risk is

Malaysia

Malaysia's ambitious digital transformation and its focus on developing a knowledge-based economy with significant investments in ICT, manufacturing, and electronics sectors, make it a prime target for cyber-enabled IP theft. Malaysia is an upper-middle-income economy with the third-highest GDP per capita in Southeast Asia. In 2019, 43% of Malaysians had completed tertiary education. Malaysia ranks 35th in the list of economies, based on the number of (full-time equivalent) researchers per million inhabitants in 2018 (2,185 researchers per million). That places Malaysia slightly above other upper-middle-income countries.

Malaysia considers scientific and technological development to be central components of its economic growth. Government initiatives such as the MyDigital program emphasise Malaysia’s drive for digital transformation across various sectors, focusing on infrastructure, talent development, and cybersecurity. Large firms adopt cloud services, though SMEs lag. Through tax breaks and innovation funds, the government promotes cloud adoption and supports R&D within its Industry 4.0 framework. Malaysia’s primary IP-rich sectors include manufacturing, electronics, and natural resources, with substantial investment in R&D by global firms such as Motorola, Sony, and Panasonic. These sectors’ IP intensity heightens their vulnerability to cyber-attacks.

Malaysia's extensive linkages of economic and scientific partnerships and its role in global supply chains for IP-intensive industries make it an attractive target for state-sponsored actors seeking to exploit valuable intellectual property and economic information. Malaysia also has extensive international partnerships. Diplomatic and economic ties with major economies, including Japan, South Korea, the US, and UK, are reinforced by scientific collaborations and trade relationships, particularly in the electrical and electronics (E&E) sectors. China, Malaysia’s third-largest E&E export destination, is a major partner in scientific and technological development.

While Malaysia’s advanced economy and international integration bolster its digital capabilities, they also amplify the risks of cyber-enabled IP theft, particularly in sectors where Malaysia plays a critical role in global supply chains. This dual-edged growth requires Malaysia to strengthen its cybersecurity strategies to protect its valuable IP assets from external threats.

How prepared is

Malaysia

Given its relatively advanced knowledge economy, Malaysia emerges as a potential target for cyber-enabled IP theft. For that reason, its cybersecurity strategies have identified cyber-enabled threats to innovation since 2006. While there’s no road map on how the government intends to protect major knowledge-producing industries, Malaysia maintains strong foundations to combat the threat of cyber-enabled IP theft based on the strengths of its national IP system and cybersecurity ecosystem.

Malaysia performs well in global rankings on IP protection owing to its strengths in enforceability. This includes the work of IP courts and the Ministry of Domestic Trade and Consumer Affairs. Malaysia is also one of the most cybersecure nations in Southeast Asia. It has comprehensive cybersecurity legislation that criminalises computer intrusions and IP theft, while also providing incident response support to key IP-intensive industries, including those in ICT and energy. Petronas is a major IP-intensive entity. However, no specific sectoral legislation addresses cybersecurity matters and overlapping mandates within the government constrain the capacity to respond efficiently to major crises and to implement protective policies.

The Royal Malaysia Police is primarily responsible for enforcing cybersecurity laws, while the Attorney-General’s Department and specialised cyber and IP courts assist with prosecutions. The Malaysian Communications and Multimedia Commission, under the Ministry of Communications and Multimedia, has the authority to enforce cybersecurity regulations related to content and industry governance. The National Cybersecurity Agency is mandated to develop and implement cybersecurity policies, while protective measures are partly executed through the national Cyber Emergency Response Team (MyCERT). There’s also the National Cyber Coordination and Command Centre, which is connected to the Cyber Defence Operation Centre, which deals with national cyber threats; a network security centre; a government integrated telecommunications network security operation centre; and the Cybersecurity Malaysia Security Operation Centre. Those multiple entities with ambiguous and partly overlapping responsibilities complicate cyber governance in Malaysia, including the obligations, practices and culture to report cyber incidents. As such, cases of economic cyber-espionage may go unreported.

Malaysia is strongly committed to international cybersecurity standards (it requires government contractors to comply with IT security standards, such as the ISO/IEC 27000 series) and the UN framework for responsible state behaviour in cyberspace. Malaysia views the UN open-ended working group process as an inclusive method to share unique perspectives and views on the issue of setting cyber norms. Singapore and Malaysia co-chair the ASEAN working committee on establishing norms for responsible state cyber behaviour.

Reported cases of economic cyber-espionage

Name of Incident

Victims (entities)

Sectors Affected

Affected economies

Threat Actor

Alleged state sponsor

Date reported

Ocean Lotus Campaign (APT32)

Australia, Brunei, Cambodia, China, Germany, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, USA and Vietnam

Ocean Lotus Campaign (APT32)

2017

Context

In 2017, FireEye announced that they have observed APT32 conducting cyberespionage operations targeting foreign companies with a vested interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The campaign has gone about since 2013. There are indicators that APT32 actors are targeting peripheral network security and technological infrastructure corporations. Some of the targets have included government agencies in Cambodia, oil companies from China, and maritime construction firms. The affected economies have included Australia, Brunei, Cambodia, China, Germany, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, USA and Vietnam. The objectives are likely to be diverse, ranging from political objectives to stealing sensitive business information.

Economic objectives

Assets stolen

Possibly intellectual property

Attribution

FireEye(Mandiant), Volexity, ESET

Governments' response

None

‍

Sources

Level of confidence

High Confidence (10 out of 12)

Private entities are a majority of known sectors targeted in the intrusion (2 points)
Commercial data are known to be the dominant targets of intrusion (3 points)
APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)

2020-2021 Cyberespionage Campaign (APT41)

Banking/Finance, Civil Society, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Research, Software development companies, Social Media, Telecommunications, Transportation, Travel, and Utility

1. Finance 2. Construction Services 3. Defense 4. Public Administration 5. Medical and Other Health Care Services 6. Professional, Scientific and Technical Services 7. Computer System Design and Related Services 8. Tertiary Education 9. Manufacturing 10. Information Media and Telecommunications 11. Personal and Other Services 12. Oil and Gas Extraction 13. Basic Chemical and Chemical Product Manufacturing 14. Property Operators and Real Estate Services 15. Telecommunications Services 16. Transport, Postal and Warehousing 17. Administrative Services 18. Electricity, Gas, Water and Waste Services 19. Transport, Postal and Warehousing 20. Machinery and Equipment Manufacturing 21. Heavy and Civil Engineering Construction 22. Publishing

Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA, Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam

APT41

China

2020, 2021

Context

From January 2020 until 2021, cybersecurity firms detected a massive cyberespionage campaign targeting private entities. These campaigns were conducted in three clusters. First, from January to March 2020, there was a broad campaign against 75 private entities in 20 countries, with a focus on industries ranging from petrochemicals to defense industrial base. Mandiant notes that while it’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, the victims appear to be more targeted in nature. The economies affected were Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA.

Second, in September 2020, hackers associated with APT41 were charged by the U.S. Department of Justice in connection with computer intrusion campaigns against more than 100 victims globally, including in Indonesia, Malaysia, Thailand, and Vietnam. The entities affected were those that specialize in software development, manufacturers, telecommunications, non-profit, universities, and civil society organizations.

Third, from July 2020 until August 2021 (ongoing as of then), Trend Micro observed an espionage campaign against victims in India, m, Malaysia, Philippines, Taiwan, and Vietnam in the airline, computer hardware, automotive, infrastructure, publishing, media, and IT industries.

Economic objectives

Assets stolen

Sensitive business information, source codes, software codes signing certificates, and customer account data

Attribution

US Government, Mandiant; Trend Micro

Governments' response

In second incident, U.S. Department of Justice indicts seven individuals (two arrested, five remaining)

Sources

Level of confidence

High Confidence (9 out of 12)

Private entities are a majority of known sectors targeted in the intrusion (2 points)
Commercial data are likely to have been targeted (2 points)
APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state’s industrial policies (2 points)

Mabna Institute Attacks

176 universities in 21 countries; 47 domestic and foreign private firms; several U.S. government agencies, United Nations, UNICEF

1. Public administration 2. Public and Other Services 3. Broadcasting 4. Professional, Scientific, and Technical Services

Primarily U.S., but also Malaysia, Singapore, Australia, Denmark, Israel, Poland, Spain, Turkey, Canada, Germany, Italy, Netherlands, Sweden, UK, China, Ireland, Japan, Norway, ROK, Switzerland

Mabna Institute

Iran, with members of the Mabna Institute having links to the Islamic Revolutionary Guard Corps

2018

Context

Nine officials belonging to the Iranian company, Mabna Institute, were indicted by the U.S. Department of Justice for conducting state-sponsored cyber operations on behalf of the Iranian Revolutionary Guards from at least 2013 to 2018. The campaign had targeted 4,230 academics and researchers in 176 universities in 21 countries, with an additional set (3,768 academics in 144 universities) targeted against the U.S. They had also targeted 36 private companies in the U.S., 11 foreign companies, 5 U.S. government agencies (energy, state governments), United Nations, and UNICEF. The campaign had sought to obtain usernames and password for the accounts of academics and researchers in order to obtain propriety academic information.

Valuable intellectual property and data from hundreds of universities in the US and other countries, and a media company was stolen for private financial gain. The Mabna Institute reportedly stole more than 31 terabytes of academic data and intellectual property from universities, and email accounts of employees at private sector companies, government agencies, and non-governmental organisations. The data stolen were likely used for the benefit of Iran’s Islamic Revolutionary Guard Corps, though they were also sold through two websites: Megapaper.ir and Gigapaper.ir. These websites sold stolen research materials and academic credentials to customers in Iran.

The cyber campaign coincided with ”ario’s developments in Iran’s foreign policy and economy, including negotiations over the failed Iran nuclear deal and the subsequent imposition of harsh US sanctions, placing Iran under “maximum economic pressure”.

Economic objectives

Assets stolen

The Mabna Institute reportedly stole more than 31 terabytes of academic data and intellectual property from universities, private firms, government agencies, and non-governmental organizations.

Attribution

U.S. government

Governments' response

U.S. charged nine Iranian nationals linked with the program.

Sources

Level of confidence

High Confidence (9 out of 12)

Private entities are a majority of known sectors targeted in the intrusion (2 points)
Commercial data are known to be the dominant targets of intrusion (3 points)
APT actor is strongly associated with economic espionage operations, with motivations strongly tied to certain states’ industrial policy objectives (3 points)
There is not enough information to conclude whether stolen data was used to aid domestic private businesses (1 point)

Malaysia Government Hacks (APT40)

Malaysian government officials

Public administration

Malaysia

APT40

China, associated with the Ministry of State Security

2020

Kasawari Block Incident (APT40)

Malaysian oil and gas refineries, along with companies involved with deep water drilling, oil and petroleum exploration, and Australian Naval Defense

1. Professional, Scientific, and Technical Services 2. Oil and Gas Extraction 3. Petroleum and Coal Product Manufacturing 4. Defence

Malaysia, Australia

APT40

China, possible ties to the Ministry of State Security

2022

Context

From March 2021 until September 2021, the hacking campaign consisted of phishing attacks targeting users in Australia and Malaysia.

On 2 June 2021, phishing emails were sent out to several offshore energy companies operating in the Kasawari gas field, off the coast of Sarawak in Malaysia. The campaign’s focus was primarily on companies engaged in the engineering, extraction of natural gas, or export of natural gas products, with four of the eight entities associated with the project. There were additional operations targeting several institutions in Australia, including defense universities and a consumer healthcare firm.

Given its strategic and economic importance, the Kasawari gas project has been subject to a series of grey zone tactics in 2021. On June 1 of that year, when the assembly of the wellhead platform was underway, 16 Chinese aircrafts were spotted off the coast of Sarawak, prompting Malaysia to scramble its fighter jets to intercept the transport lanes. The first phase of the phishing campaign had begun one day after the aircraft incident. The South China Sea disputes is a major security flashpoint in the Indo-Pacific, hosting six different claimant states, including China and four Southeast Asian states. With the waters being heavily contested and many major oil companies competing to win contracts and extract energy sources, there is plenty of room for potential uses of cyber tools.

Through joint technical work by Proofpoint and PwC Threat Intelligence, investigators are moderately confident that the campaign has been perpetrated by TA423 / Red Ladon, a China-based hacking group that has traditionally targeted organizations with operations associated with the South China Sea.

Economic objectives

Assets stolen

Likely sensitive data information

Attribution

Proofpoint and PwC

Governments' response

None

Sources

Level of confidence

High Confidence (10 out of 12)

Private entities are either the sole or the primary targets of intrusion (3 points)
Commercial data are known to be the dominant targets of intrusion (3 points)
APT actor has some history of stealing IP and other commercially valuable data (2 points)
No concrete evidence that data stolen was used to aid domestic private businesses of malign state, but data stolen likely aligns with malign state's industrial policies (2 points)

Office

40 Macquarie Street
Barton ACT 2600

Contact

Ph: +61 2 6270 5100

E: enquiries@aspi.org.au

Explore

Home About Country Profiles Insights Media Case Repository