The cyber breach on the Defence Ministry's I-Net system was "consistent with a covert attack, with means used to mask the perpetrator's actions and intent", Second Minister for Defence Ong Ye Kung said yesterday.
Investigations into the attack, which was discovered on Feb 1 and revealed on Feb 28, are ongoing, but "findings will be kept confidential for security reasons", he added.
Mr Ong was giving an update of the incident in Parliament, in response to questions from MPs Lim Wee Kiak and Vikram Nair, both from Sembawang GRC, and Non-Constituency MP Dennis Tan.
Asked by Mr Tan if the culprit had been identified, Mr Ong said that he was unable to comment because it concerned a "security issue".
But the minister said the information loss is basic and no passwords were lost. "I do not think that, with this information, they can conduct further hacking," he added.
The Ministry of Defence (Mindef) said on Feb 28 that the hackers had stolen NRIC numbers, telephone numbers and birth dates of 854 personnel, through a breach of its I-Net system.
The system provides Internet access on thousands of dedicated terminals to national servicemen and other staff working in Mindef's offices and Singapore Armed Forces (SAF) premises.
Mindef also said it had ruled out casual hackers, criminal gangs and an inside job, leading experts to believe that foreign governments could be behind the attack.
The affected server was taken offline after the attack was discovered. Affected personnel were asked to change passwords and report any unusual activities relating to the use of their personal data.
Mr Ong said Mindef's IT systems are "no different" from others and, like them, experience "hundreds of thousands" of cyber-intrusion attempts, ranging from simple probes to cyber-espionage efforts.
But he said the I-Net system contains no classified information, and that networks which contain sensitive military information are physically separated from the Internet and protected with encryption and access controls.
This separation is critical, said Mr Ong, adding that the perpetrators in this breach "went through the window but couldn't access the house because the house is separate".
He also revealed that the breach occurred "weeks before detection" as he cited how the time taken before a breach is detected in other IT systems tends to be longer.
Referring to industry reports, Mr Ong said it takes an average of about 150 days, or five months, before a breach is discovered.
He listed examples such as the attack on the e-mail servers of the US Democratic National Committee in mid-2015, which was detected in April 2016, by which time all e-mails and chats had been stolen.
Mr Ong said Mindef and SAF will develop better assessment tools, data analytics and content scanning engines to fend off cyber attacks. "We will also review the storage of personal data on our Internet systems to minimise risks of cybertheft," he told the House.