A rare peek into Cyber Security Agency's nerve centre as it probes SingHealth breach

CSA National Cyber Incident Response Centre director Dan Yock Hau (right) and Senior Consultant Lin Wei Qiang with the equipment they use for their work in the CSA Lab. ST PHOTO: GAVIN FOO
The Forensic Outfield Kit (left) and other equipment which the CSA officers use for their work. ST PHOTO: GAVIN FOO

SINGAPORE - When SingHealth's technology service provider informed the Cyber Security Agency (CSA) that the healthcare group had been attacked on July 10, CSA's investigators sprang into action to determine what went wrong.

That meant that the CSA's 370 sq metre Cyber Forensics Laboratory was buzzing, with up to 80 analysts using 40 dual-screen workstations to analyse the network log files captured from the infected systems.

On Wednesday (July 25), the agency offered reporters a rare glimpse into its nerve centre in the Ministry of National Development building on Maxwell Road.

And though it is an agency focused on cyber security, its in-depth forensics work is similar to that of criminal investigators - reconstructing the crime scene after having gathered the necessary evidence.

"When a major incident is reported, CSA will deploy its national cyber incident response team onsite to investigate and determine the nature of the intrusion," said Mr Dan Yock Hau, CSA's National Cyber Incident Response Centre director.

"After investigation, CSA will determine the appropriate measures that need to be taken to enhance the protection of the affected systems."

And just like criminal investigation units, it also sent agents to the scene armed with toolkits.

Without divulging details, CSA said its crime scene investigators lugged boxes of forensic outfield kit, each weighing 20 kg, for evidence gathering at SingHealth's premises on the day the attack was discovered.

The equipment allows investigators to clone images of the compromised hard disk and extract system log files, which were then brought back to its laboratory for more in-depth analysis to nail down the attacker's modus operandi and source.

For more complex cases, CSA's investigators may even need to do on-site "triage" or system analysis. Similar to triage in the hospital emergency room, cyber security triage assigns degrees of urgency to the infection to decide the order of treatment for infected systems.

The CSA is now working with the Integrated Health Information Systems (IHiS), the technology outsourcing arm of public hospitals here, in an investigation into the SingHealth breach which could take up to the end of this year.

The SingHealth breach compromised the personal information of around 1.5 million patients in the worst cyber attack here, and cyber security experts say it fits the bill of "war time".

Of these 1.5 million patients, 160,000 people, including Prime Minister Lee Hsien Loong and other ministers, had their outpatient prescription information stolen. The attack was made public last Friday.

Although the attack on SingHealth took place between June 27 and July 4, after which no further leaks took place, digital forensic work is still expected to carry on at the CSA's laboratory.

Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), is looking into whether there were security lapses at IHiS and SingHealth and whether they are liable for a fine of up to $1 million under the Personal Data Protection Act.

A four-man Committee of Inquiry (COI) headed by former chief district judge and current Public Service Commission member Richard Magnus has also convened to look at how the attack was mitigated, in order to draw lessons on ways to better protect public-sector IT systems which contain large databases.

The committee will also submit a report of its proceedings, findings and recommendations to Minister for Communications and Information S. Iswaran, who is also Minister-in-charge of Cyber Security, by Dec 31.

CSA senior consultant Mr Lin Weiqiang, who was in the thick of the action following the revelation that SingHealth had been attacked, said: "It was hard work. We had to piece all the clues together like crime scene investigators. We were under immense pressure; we had to succeed."