SingHealth COI: Hackers tried to attack network again on July 19 amid probe

The second attempt took place after SingHealth's IT vendor had discovered the attack on July 4, 2018, and shut down the illegal data transfer that had been taking place.

SINGAPORE - Attackers behind Singapore's worst data breach were so skilled that they established multiple footholds in SingHealth's network, enabling them to execute commands from yet another compromised server on July 19, amid investigations of their earlier breach.

The second attempt took place after SingHealth's IT vendor had discovered the attack on July 4 and shut down the illegal data transfer that had been taking place since June 27.

Staff from Integrated Health Information Systems (IHiS) - an agency which runs the IT systems of public healthcare institutions - had also stepped up network defences such as the changing of passwords, removal of compromised accounts and the rebooting of servers.

The high-level Committee of Inquiry (COI) into SingHealth's cyber attack heard these details on Friday (Oct 5) when a second tranche of hearings concluded.

Citing the detailed findings of the Cyber Security Agency (CSA) of Singapore, Solicitor-General Kwek Mean Luck said the July 19 attempt was spotted and cut off on the same day due to heightened network monitoring following the discovery of data exfiltration.

Data transfer, which took place from June 27 to July 4, led to the leakage of the personal data of 1.5 million SingHealth patients, and the medical prescriptions of 160,000 people, including Prime Minister Lee Hsien Loong.

In his closing statement, Mr Kwek, a senior counsel, also summarised how advanced, determined and disciplined the attackers were.

"The skill and sophistication used in the SingHealth attack highlights the challenges that cyber defenders face," Mr Kwek said.

For instance, after executing a successful phishing attack on an end-user workstation at Singapore General Hospital on Aug 23 last year (2017), attackers called back to a server hosted overseas.

They then laid low for four months before moving around the network to gather more credentials to execute their next moves.

Malware used was customised for SingHealth's systems and escaped detection from even the world's top anti-virus software makers.

Attackers also used a benign Windows tool called PowerShell - which system administrators use to automate tasks that manage operating systems - to execute malicious commands.

IHiS disabled PowerShell on all end-user workstations on July 13.

In the words of COI chairman Richard Magnus, Mr Kwek's summary gave "a balanced perspective" to the evidence presented so far.

Mr Magnus added: "From the evidence, it would appear to the COI, even at this stage, that the attacker had one and only one malicious intent, and that of exfiltrating data from the crown jewels of the network, which is the EMR (electronic medical records)."

And as such, cyber-security measures must commensurate with evolving threats, said Mr Kwek.

"These issues... will be dealt with in the next tranche of the COI hearings," he said, noting that public and private hearings will resume end-October.

Senior management from various organisations will be taking the witness' stand. They include:

- Mr Bruce Liang, chief executive officer of IHiS and chief information officer of the Ministry of Health

- Professor Ivy Ng, SingHealth group chief executive officer

- Mr Benedict Tan, SingHealth group chief information officer

- Prof Kenneth Kwek, SingHealth deputy group chief executive officer (Organisational Transformation & Informatics)

- Mr Chua Kim Chuan , IHiS director of cyber security governance

- Mr David Koh, CSA chief executive officer

Local and foreign cyber-security experts will also be called to the stand to present their recommendations.

Join ST's WhatsApp Channel and get the latest news and must-reads.