
UNDERSTANDING CYBER SECURITY RISKS IN ASIA

A FUTURE WATCH REPORT PREPARED FOR BUSINESS FINLAND BY CONTROL RISKS

TABLE OF CONTENTS

About Control Risks 03
Introduction 05
Who are the threat actors in Asia? 09
What kind of attacks should firms be aware of in the region? 13
Regulatory & threat spotlight on China & Singapore 18
Moving forward and managing cyber security risks 23

The information contained herein does not constitute a guarantee or warranty by Control Risks Group Holdings Limited, its subsidiaries, branches and/or affiliates (“Control Risks”) of future performance nor an assurance against risk. This document is based on information provided by the client and other information available at the time of writing. It has been prepared following consultation with and on the basis of instructions received from the client and reflects the priorities and knowledge of the client as communicated to Control Risks. Accordingly, the issues covered by this document and the emphasis placed on them may not necessarily address all the issues of concern in relation to its subject matter. No obligation is undertaken by Control Risks to provide the client with further information, to update this information or any other information for events or changes of circumstances which take place after the date hereof or to correct any information contained herein or any omission therefrom. Control Risks’ work and findings shall not in any way constitute recommendations or advice regarding the client’s ultimate commercial decision, which shall, in all respects, remain the client’s own.

This document is for the benefit of the client only (including its directors, officers and employees) and may not be disclosed to any third parties without the prior written consent of Control Risks.

Copyright © Control Risks. All rights reserved. This document cannot be reproduced without the express written permission of Control Risks. Any reproduction without authorisation shall be considered an infringement of Control Risks’ copyright.

Team Finland Future Watch Report, January 2018

ABOUT CONTROL RISKS

Control Risks is a specialist risk consultancy. We are committed to helping our clients build organisations that are secure, compliant and resilient in an age of ever-changing risk and connectivity.

Risk and opportunity

We believe that responsible risk taking is at the core of our clients’ success. We have unparalleled experience in helping clients solve the challenges and crises that arise in any ambitious organisation seeking to convert risk into opportunity globally. The insight and depth of experience we have gained over more than forty years proves invaluable in giving our clients the intelligence they need to grasp opportunities with greater certainty.

Who we work for

Confidentiality is important to many of the organisations we work for, so we don’t identify clients as a matter of course. They include national and multinational businesses in all sectors, law firms, government departments from many parts of the world and an increasing number of non-governmental organisations.

We support small and medium-sized national and international companies on their journey to greater security, compliance and resilience.

Our people

Control Risks is the sum of diverse expertise, bringing multiple perspectives and deep experience to bear on our clients’ behalf. Our expertise reflects our backgrounds as technologists, lawyers, aid workers, investigators, cyber experts, political scientists, soldiers, strategy consultants, intelligence officers and a host of other professions. It is this combination, based in multiple offices on all continents, that makes Control Risks relevant and distinctive.

INTRODUCTION

Cyber threat landscape 2018-2020

Data nationalism

Nation states are increasingly seeing data as a critical element of national security and hence framing laws to restrict the location of data to within their borders and to control access to the data. Examples include China’s new Cyber Security Law and the EU’s GDPR.

Cyber attacks using next-gen technologies

Use of advanced technologies such as Artificial Intelligence (AI) for cyber attacks will lead to powerful hacking techniques. With the ability to process large amounts of data quickly, AI can make attacks on companies faster and easier to accomplish.

Victimise small & medium businesses

In recent years, large enterprises globally have been increasing their spending on cyber security. As large enterprises mature their cyber security capabilities, the focus of cyber attacks will shift to SMEs, which may not be ready for advanced cyber attacks.

Political & economic threats

Political and social uncertainties and policy disagreements across Asia Pacific, and the use of cyber as an instrument of power, will increase threat profiles for many organisations.

Digital enablement threats

With 50 billion devices expected to be connected to the internet by 2020, new opportunities will be created for information to be compromised. But the security of most IoT devices is not yet mature, so many organisations will need to grapple with new cyber security challenges.

Enhanced regulatory requirements

New regulatory requirements, such as Singapore’s upcoming mandatory breach notification and its draft cyber security bill, will challenge traditional technical approaches to cyber security and require organisations to improve their capabilities.

Commoditisation of cybercrime

The ability to launch a cyber attack is becoming commoditised by the day with readily available ‘Ransomware as a Service’ and ‘Botnet as a Service’ kits. The capability to carry out cyber attacks will become accessible to less technically capable actors.

Cyber-physical attacks

Cyber attacks used to be mainly intended for financial gain or general disruption, but are now becoming life-threatening. Cyber attacks on critical infrastructure have the potential to damage physical assets, such as utilities and industrial infrastructure, that are essential to modern life.

Figure: “Cyber threats” diagram linking the eight themes above.

Regulation and technology maturity in the region

More mature countries have a mix of regulation:
Data breach notifications, almost all related to personal information, are a growing trend in the region.
Clear and comprehensive consent processes for personal information.

But developing countries face challenges:
Difficult to find IT expertise with enterprise-level experience and capability.
Lack of attention to basic cyber security creates easy targets for attackers.
Mobile-first societies mean vulnerabilities and security weaknesses may bleed into companies via mobile and IoT devices.

China’s size and political dynamics make it different:
Beijing’s goal of ‘internet sovereignty’ has created a highly regulated technology space.
Sophisticated criminal operators are very capable and creative in who they target and for what assets.

WHO ARE THE THREAT ACTORS IN ASIA?

Asia: nation state threat actors targeting countries and companies

ABOUT NATION STATE CYBER THREAT ACTORS

Cyber activity by nation states, also known as computer network operations (CNO), is divided into two main categories. Computer network exploitation (CNE), or cyber espionage, refers to the theft of data from targeted networks or systems, while computer network attack (CNA) covers efforts to disrupt, degrade or destroy systems or information. CNA operations represent a small but increasingly significant portion of CNO activity. These disruptive operations are generally conducted to achieve political or security objectives and to project political power over rival states, and are often undertaken under the guise of cyber activist groups to achieve plausible deniability.

Intent: high to very high. Nation states’ general focus is on gathering intelligence. For strategic industries, countries of special interest and regions of heightened concern or interest, intent is high to very high.

Capability: medium to very high. Nation states typically have more resources and patience than cybercriminals to execute complex cyber operations. Capability varies in the region, with China the strongest practitioner.

Sectors targeted: a range of government agencies, think tanks, transport and shipping companies and maritime organisations. A total of 92% of these targets were based in China.

How they were attacked: the operation began through strategic web compromises (also known as watering hole attacks) and later shifted to spear-phishing emails. The weaponised attachments purported to offer news on terrorist attacks in the Chinese province of Xinjiang, and information regarding wage changes for Chinese civil servants.

Assessment: the Ocean Lotus group, also dubbed APT32, reportedly conducted cyber espionage campaigns against multinational companies across various sectors operating in China and the Philippines. The APT campaign was attributed to the Vietnamese government, with an interest in the South China Sea. The group reportedly used spear phishing emails embedded with malicious attachments. Once opened, these attachments execute malware that creates a backdoor into the victim’s network, allowing the threat actors to exfiltrate information.

Relevance for Business Finland: Finnish firms active in the transport and shipping sector should be aware that they may be targeted not because of “who” they are, but because they may have information about another party.

Indonesia: cybercriminals defrauding e-commerce customers

ABOUT CYBERCRIMINAL THREAT ACTORS

The primary motivation for cybercriminal groups is to monetise crimes committed in the cyber domain. The normal way of achieving this objective is some form of fraud or extortion, to which the cyber attack, whichever form it takes, can be seen as preparatory work or a means to an end. However, there are forms of monetisation available to cybercriminals that do not directly involve fraud or extortion, such as selling data, information or access, most likely on dark and deep web marketplaces, also known as the “crime as a service” model.

Intent: high to very high. The opportunity for financial gain in a region with a varied mix of technological maturity, cyber security awareness and regulation presents an inviting target to regional and international cybercriminals.

Capability: medium to high. There are very few exceptionally skilled cybercriminals, but there is a proliferation of tools and technology available to criminals.

Sectors targeted: customers of country and regional consumer e-commerce platforms that sell their own goods as well as providing a sales platform for members.

How they were attacked: the attackers registered a series of domain names that contained prominent e-commerce firm names prefaced by a word such as “sale” or “Mubarak” (referencing a Muslim holiday). They then cloned the content of a section of the e-commerce provider’s web site, replacing the payment accounts with their own. The fake website was hosted in a neighbouring country. They then sent out messages over social media and through blogs promoting sales of mobile handsets at heavily discounted prices.

Assessment: with the expansion of payment systems and steep growth in online shopping in the region, there are numerous opportunities to target emerging e-commerce companies and their customers. Executing an attack requires little money and relatively low-level technical skills. Attacks are easy to execute and, with limited jurisprudence and investigative capability around cyber attacks, present little risk to the hackers. That attack domains can be hosted outside the country creates further ambiguity for law enforcement and lessens the likelihood of effective action. No specific organised group has been highlighted, as this is common throughout the region.

Relevance for Business Finland: Finnish firms should be aware of the potential reputational impact of fraudulent e-commerce sales. The risk may extend to Finnish products sold online in the region. This form of attack may also be used as a channel to sell counterfeit goods, including pharmaceuticals.
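As an added example (not code from the Control Risks report), the look-alike domain pattern described above can be screened for from the defender's side: a brand-protection check run over a feed of newly observed domain names, flagging labels that embed a protected brand next to a lure word, disguise it with digit look-alikes, or sit one typo away from it. The brand names, lure words, suffix list and sample domains are all constructed for the example.

```python
"""Screen newly observed domains for brand impersonation.

Added example, not from the Control Risks report. The campaign above
registered domains that embedded a real e-commerce brand behind a lure
word such as "sale" or "Mubarak", then cloned the storefront. The
defender-side check is to watch new domain registrations (or certificate
transparency logs) for labels that embed or closely imitate a protected
brand. All brand names, lure words, suffixes and domains below are
constructed for the example.
"""
import re
from typing import List, Optional, Tuple

# Constructed brands to protect and the registrable domains they legitimately use.
PROTECTED_BRANDS = ("belanjaku", "tokoshop")
LEGITIMATE_DOMAINS = {"tokoshop.co.id", "belanjaku.com"}

# Lure words seen as prefixes/suffixes in the campaign, plus a few common ones.
LURE_WORDS = {"sale", "mubarak", "promo", "diskon", "flash", "official"}

# Digit/symbol look-alikes that attackers substitute for letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

# Simplified public-suffix list (a real deployment would use the Public Suffix List).
KNOWN_SUFFIXES = ("co.id", "com.my", "com.sg", "com", "net", "org", "id", "my", "sg", "shop")


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, suffix), e.g. 'www.promo-tokoshop.co.id' -> ('promo-tokoshop', 'co.id')."""
    d = domain.lower().strip().rstrip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suffix):
            return d[: -len(suffix) - 1].split(".")[-1], suffix
    parts = d.split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (d, "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[str]:
    """Return a reason string if the domain looks like brand abuse, else None."""
    label, suffix = split_domain(domain)
    registrable = f"{label}.{suffix}"
    if registrable in LEGITIMATE_DOMAINS:
        return None
    normalised = label.translate(HOMOGLYPHS)  # undo digit-for-letter tricks
    note = f" (normalised from '{label}')" if normalised != label else ""
    for brand in PROTECTED_BRANDS:
        if brand in normalised:
            # Whatever surrounds the brand name: split it into words and look for lures.
            rest = [t for t in re.split(r"[-_]", normalised.replace(brand, "-")) if t]
            lure = sorted(set(rest) & LURE_WORDS)
            if lure:
                return f"brand '{brand}' combined with lure words {lure}{note}"
            if normalised == brand:
                return f"label is exactly brand '{brand}' but {registrable} is not allowlisted{note}"
            return f"brand '{brand}' embedded in '{label}'{note}"
    # No brand embedded: look for near-miss typos of a brand in each word of the label.
    for token in re.split(r"[-_]", normalised):
        for brand in PROTECTED_BRANDS:
            if len(token) >= 5 and levenshtein(token, brand) == 1:
                return f"'{token}' is one edit away from brand '{brand}'{note}"
    return None


def screen(feed: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over a feed and return the flagged (domain, reason) pairs."""
    hits = []
    for domain in feed:
        reason = classify(domain)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample of newly observed domains, as a registration or CT-log feed might deliver them.
SAMPLE_FEED = [
    "www.tokoshop.co.id",          # the brand's own site
    "cuaca-hari-ini.id",           # unrelated
    "saletokoshop.com",            # lure word prefixed to the brand
    "tokoshop-mubarak-sale.net",   # brand plus two lure words
    "t0koshop.com",                # zero for 'o'
    "tokoshap.com",                # one-character typo
    "belanjaku-promo.com",         # second brand with a lure suffix
]

if __name__ == "__main__":
    for domain, reason in screen(SAMPLE_FEED):
        print(f"FLAG {domain}: {reason}")
```

Flagged domains are candidates for takedown requests and for blocking in the company's own web and mail filters; the allowlist keeps the brand's genuine domains and their subdomains out of the alerts.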

Malaysia: Indonesian hacktivists disrupting web operations

ABOUT HACKTIVIST THREAT ACTORS

Cyber activists are the most ideologically driven of the three broad categories of threat actors considered in this assessment. Their targeting patterns tend to be repetitive, meaning sectors or organisations subject to past campaigns are often targeted again by the same group. The intent to carry out an attack is often dictated by external events, such as negative press coverage of a company or sector, the impact of new national legislation, or simply decisions that run counter to the ideological narrative of these groups.

Intent: high to very high. With a mix of cultures, countries, religions and politics in the region, there is always the chance that an individual or group will take offence and react. The rapid spread of the internet in the region gives them the means to draw attention to their grievances and causes.

Capability: low to medium. There are isolated, highly capable individual actors and groups. However, most hacktivists in the region rely on scripted tools to compromise or disable poorly protected internet-facing systems.

Sectors targeted: indiscriminate. Generally attacks are opportunistic and target high-profile firms and organisations associated with a country or issue the hacktivists oppose.

How they were attacked: the attackers, in response to a misprint of the Indonesian flag in the 2017 South East Asia Games program, found vulnerabilities in Malaysian web servers and exploited them to replace the landing page content with a protest message.

Assessment: activist campaigns primarily focus on damaging the reputation of target organisations and achieving notoriety for the perpetrator. In this case websites were defaced, but another common attack is making the target’s website unavailable via DDoS attacks. In rarer instances hacktivists have been known to publish data stolen from databases via SQL injection. Events may trigger a tit-for-tat series of escalating attacks between hacktivist groups in contending countries (this often happens between China and Vietnam). Companies have been caught in the middle with no recourse other than to invest in further mitigation tools or, in some cases, may be forced offline.

Relevance for Business Finland: Finnish firms operating in the affected countries or sectors may become targets for web defacements and/or denial of service attacks. While the firm itself may have nothing to do with the issue, it could be a convenient target to attract more attention to the issue.

WHAT KIND OF ATTACKS SHOULD FIRMS BE AWARE OF IN THE REGION?

Ransomware that locks access to computers and information

Countries affected: Indonesia, Malaysia, Philippines, Singapore, Thailand, Vietnam.

Sectors targeted: healthcare. Organisations from other industries were also affected.

Assessment: the WCry 2.0 campaign, also known as WanaCrypt0r or WannaCry, infected several companies in South-East Asia by the second wave of the ransomware. The ransomware distributed itself within organisations by leveraging known critical vulnerabilities in their Microsoft operating systems. A security researcher was able to activate a so-called ‘kill switch’ that slowed the malware infection. However, later WCry samples were seen without this kill switch, suggesting an evolution in the ransomware.

Relevance for Business Finland: WCry proved the destructive capabilities of ransomware. The Petya ransomware campaign that targeted organisations around the world quickly after WCry originated from the ransomware-as-a-service (RaaS) group Janus. The global impact of WCry and Petya has inspired other unsophisticated threat actors to undertake copycat campaigns. Similarly, it has encouraged further development of the RaaS market, with developers looking to replicate the success of Petya and the previous WCry campaign.

WHAT IS IT?

Malware designed to intimidate or force victims to pay a ransom, typically by encrypting victims’ files. It can be introduced into a PC via a website, emails, USB devices, attachments, etc. Once it has infected a computer, most ransomware looks to propagate further to other computers on the same network.

Industrial control systems can be particularly at risk as they often use older operating systems with much slower update cycles. They may be rife with vulnerabilities the ransomware exploits to infect computers.

WHY SHOULD COMPANIES IN ASIA BE CONCERNED?

Ransomware, as a form of extortion, has an immediate, tangible financial benefit which makes it very attractive for criminal groups.

The rise of Ransomware as a Service has armed cybercriminal groups that would otherwise lack the capability to launch their own campaigns.

A 2017 survey suggested that one in three small-to-medium enterprises in Singapore had been the victim of ransomware attacks over the past year. The survey also suggested that 15% of affected organisations faced 25 or more hours of downtime as a result of such an attack, and that 30% were unable to identify how they had been infected.

Distributed denial of service (DDoS) attacks disrupt websites (and hide other attacks)

WHAT IS IT?

DDoS attacks aim to stop websites and network systems from operating normally, preventing legitimate users from accessing them.

DDoS actors use a collection of co-operating ‘zombie’ computers (‘botnets’ or ‘bots’) to flood target websites or network systems with data requests.

A newer form of DDoS attack, the ‘pulse attack’, seeks to stress networks and security systems.

WHY SHOULD COMPANIES IN ASIA BE CONCERNED?

DDoS attacks are common in the region, and retail and e-commerce firms are often targeted.

Some criminal groups use DDoS attacks to distract from and hide an information theft or unauthorised transaction while the target’s IT team’s attention is focused on the DDoS attack.

With millions of IoT devices forming a botnet, cyber criminals can launch DDoS attacks which generate crippling volumes of requests that existing defences can’t handle.

With the rise of botnet as a service, even less sophisticated criminal groups have the ability to launch a very damaging DDoS attack.

Countries affected: Malaysia.

Sectors targeted: financial services.

Assessment: a DDoS attack attributed to an APT called Armada Collective (a Russian-based extortion team), or their copycat attackers, hit financial firms in Malaysia. The DDoS attacks were carried out in two phases and targeted several online brokerages and banks. The attackers demanded a ransom of 10 Bitcoins (worth RM110,500) or threatened they would attack again. Separately, there has been an increase in the use of DDoS attacks to distract and confuse cyber security teams while stealthily carrying out lethal cyber attacks inflicting serious damage on organisations.

Relevance for Business Finland: attacks of this nature are increasingly likely to be directed at companies whose business models depend on the accessibility of their online presence, particularly those in the media, online banking, online entertainment and retail sectors. The simplicity of the DDoS approach, the increasing availability of online DDoS attack tools, and the group’s apparent success in extracting ransoms from their victims all suggest that other groups replicating these tactics will emerge.

Supply chain attacks that spread through third & fourth party vendors

Countries affected: South Asia, South East Asia.

Sectors targeted: manufacturing, energy, healthcare, information technology, utilities.

Assessment: a backdoor was identified in a legitimate software update for a NetSarang product. NetSarang is a US and South Korean company that provides server management software for large organisations. The backdoor, called ShadowPad, was downloadable from NetSarang’s website for about a month until a clean version was released on 5 August. The malicious payload was hidden under multiple layers of encryption, suggesting the threat actors went to significant lengths to ensure the malicious activity would go unnoticed.

Relevance for Business Finland: the compromise of legitimate software updates to deliver malware is an effective infection method, due to the challenges companies face in mitigating compromises of their supply chains. This delivery method closely resembles that used by the NotPetya infection, indicating the growing threat posed by such compromises. The two campaigns do not appear to be linked, which reinforces our assessment that compromising legitimate software updates will likely become a more widespread infection vector.

WHAT IS IT?

A type of cyber attack that targets the less secure elements of an organisation’s supply network, such as vendors and vendors of vendors, to ultimately penetrate the organisation through them. Traditionally, suppliers have been targeted to exploit trusted connections and credentials between the initial victim and the intended target.

WHY SHOULD COMPANIES IN ASIA BE CONCERNED?

Compromising software vendors to infect their products with malicious code and spread it through software updates has been on the rise. Examples of recent attacks include NotPetya, CCleaner and ShadowPad.

The challenges companies face in mitigating compromises of their supply chains make this an effective infection method.

We expect a growing use of malicious software updates as a means to conduct targeted network intrusions. These attacks easily serve as the launching pad for more advanced persistent attacks.

Advanced persistent threats (APT) targeting multiple companies in an industry sector

Countries affected: China, South Asia, South East Asia.

Sectors targeted: telecom, information technology, energy, insurance, retail, pharmaceutical.

Assessment: the Patchwork group (an India-based espionage group), an advanced persistent threat (APT) also known as Dropping Elephant, targeted a range of companies in 2017. Most of the victims have been in China and South Asia. The group used spear phishing emails containing malicious attachments, typosquatting, website phishing and drive-by downloads from a fake Youku Tudou site (China’s equivalent of YouTube) to gain entry to the targeted organisations. Having previously used only open source malware, the group was seen in this campaign using proprietary backdoors and information-stealing programs, indicating that its capability had been vastly enhanced.

Relevance for Business Finland: having previously focused on political targets, as well as the aviation, broadcasting, energy, pharmaceutical, publishing and software sectors, the Patchwork group has expanded its targeting to include Chinese and South Asian companies in the retail, telecommunications, media and financial sectors. Although the infection vectors it uses are common, the diversification of its methods and the refinement of its capabilities make the group a viable threat.

WHAT IS IT?

A sophisticated threat actor, usually with a political or business motivation, able to gain access to a network and stay there undetected for a long period of time. APT usually refers to a group, such as a nation state, that has both the capability and the intent to persistently and effectively target a specific entity.

WHY SHOULD COMPANIES IN ASIA BE CONCERNED?

Sophisticated nation state cyber threat actors have been known to go beyond political intelligence gathering to target industries and specific companies. Some of these attacks are focused on private sector firms to gather information on their products, services and business activities.

REGULATORY & THREAT SPOTLIGHT ON CHINA & SINGAPORE

Key China regulation: the 2017 Cyber Security Law (CSL)

China’s goals

Driven by President Xi Jinping, the evolving regulatory environment of China’s cyberspace is rooted in “national security” and “social stability” concerns, both of which are frequently cited and legally weaponised in order to assert control over cyberspace. This has led to a growing number of laws, administrative regulations and standards revolving around content filtering, user monitoring, identity and transaction control, security measures, IT localisation, etc.

The Cyber Security Law (CSL)

The Cybersecurity Law (CSL), implemented on June 1, 2017, is the capstone of this effort, with a plethora of supporting policies, regulations and standards across various ministries and localities.

Enforcement

The Cyberspace Administration of China (CAC), the agency charged with this effort, seeks to minimise key risks associated with foreign state exploitation of systems and data, and with domestic cybercrime, terrorism and dissent. For all sectors, enforcement priorities will likely be personal information collection and use, cyber security processes and systems, the use of “secure and controllable” technology, as well as data localisation.

The impact of the CSL for Finnish businesses in China

Data localisation: critical infrastructure operators’ customer data must stay in China.

Data export reviews: some data will need review before transfer outside of China. Personal data and some “important data” will be subject to review before leaving China.

Security programs: demonstrated security people, process and tools. The CSL calls for best practices for cyber security to be in place for all organisations.

Tighter technology controls: tighter controls over how the internet is used. More internet services (VPNs, on-premise web servers) will require licensing or will be blocked.

Important data: industries will have further requirements for data management. Industry regulators will establish what information is sensitive and requires further security controls.

Security of Chinese citizens’ data for the State is a fundamental goal.

RAPID REGULATORY CHANGES DIFFICULT TO KEEP UP WITH

The pace of regulatory output, across a range of issues and sectors, is intense. Several agencies are pushing out rules that are simultaneously vague and specific, leading to a high risk of non-compliance as businesses try to keep up with the dizzying array of requirements.

CHALLENGES WITH OVERLAPPING ENFORCEMENT

The Cyberspace Administration of China (CAC) has issued strong warnings and penalties to companies regarding content.

Local Public Security Bureaus (PSB, the local, tactical policing entities of the Ministry of Public Security) have carried out several warnings, arrests and convictions of domestic companies related to cyber security non-compliance.

The Ministry of Industry and Information Technology (MIIT) has issued “Critical Information Infrastructure” (CII) questionnaires to foreign companies and plans to send out teams to review industrial controls.

China cyber security risks

Cyber security & compliance

Companies will need to demonstrate:
A suite of policies for cyber security (in Chinese).
Incident management planning.
A mature consent program for user information.

Cyber breaches will now involve the police (PSB).
Mandatory reporting of data breaches (but the threshold is unknown).
6 months of logs must be kept (they will be reviewed in investigations).
Whistleblower provisions expose companies to malicious reports and mandated investigations.

Key ongoing cyber security threats

Nation state threat actors remain.
Cybercriminals are capable and ubiquitous: fraud of one kind or another online is very common; sophisticated cybercriminal groups steal intellectual property on behalf of competitors; ransomware has plagued Chinese companies big and small, foreign and domestic.
Hacktivists within China: very little hacking by activists, but considerable social media activity (controlled somewhat by the government).
Insiders: while there is no general category of “insider” threat actors, they remain the biggest cyber security challenge.

Counterfeiting is now digital, with fake web sites, payment scams, etc.
The convergence of social media and payment in China is an opportunity for innovative frauds.
Restrictions on content and external connections are likely to increase.
Personal information theft is rampant in China.

Singapore overview

Key regulatory concerns

Personal Data Protection Act (PDPA):
Regularly enforced with fines that may go up to SG$1 million (typically fines are ~$10,000, with the highest known fine $50,000).
Will require 72-hour breach notification to the Personal Data Protection Commission.
A mature consent program is necessary for user information.
Do-not-call requirement.

Singapore Cyber Security Bill:
Applies to a small number of critical infrastructure operators in 11 sectors.
Third parties providing services to these firms are likely to have to meet cyber security requirements.
Commission investigators will have wide latitude to investigate cyber crimes, including mandating remediation, requiring audits and removing systems for further analysis.

Key cyber security threats

As a regional financial hub, Singapore and Singaporeans are often targeted.
High incidence of ransomware, particularly for smaller firms.
At mid-year 2017, reported CEO fraud and vendor email compromise had already stolen SG$21 million. Actual totals for attacks and money are likely much higher.
Ongoing activity by regional advanced persistent threat groups targeting Singapore government agencies and high-profile firms.

The new cyber security bill is presented in Parliament in January 2018.
The average CEO fraud email victim lost SG$136,000.
1 in 3 SME companies were victims of ransomware.
Breaches of more than 500 personal information records must be reported.

MOVING FORWARD AND MANAGING CYBER SECURITY RISKS

Best practices for mitigating cyber security risk

Process: establish clear operational responsibilities for cyber security.
Practice a well-defined risk management process.
Develop a practical and tested incident response and crisis management plan.
Ensure that the business continuity plan is tested regularly.
Implement segregation of duties for critical business activities.
Ensure that all company assets, including data, have been accounted for and have an ‘owner’ who is responsible for their security.

People: align cyber security with business operations.
Establish clear roles and responsibilities for cyber security activities.
Deliver security awareness training for non-executive directors to help them ask the right cyber security questions.
Establish dedicated cyber security liaisons within each business unit.

Technology: follow cyber security best practices.
Implement a defence-in-depth architecture to minimise reliance on single security solutions.
Subscribe to cyber security threat intelligence to understand current attack trends.
Implement strong detection and monitoring controls to recognise and effectively respond to attacks.
Contract for a forensics capability to analyse and develop lessons learned from cyber attacks.

Governance: ensure executive understanding and oversight.
Establish a cyber security function aligned to business needs.
Ensure cyber security has visibility at the senior business management and board level.
Define clear metrics for measuring cyber security activities.
Establish accountability for security metrics for all business units.
Ensure cyber security compliance requirements, regulatory standards and expectations have been defined and are well understood by all business units.

Control Risks Pacific Limited
2501-02, The Centrium
60 Wyndham Street
Central, Hong Kong
China
[email protected]
+852 6963 0040