SingHealth cyber breach

SingHealth cyber attack: Method of attack showed high level of sophistication

(From far left) Cyber Security Agency chief executive David Koh; MCI Permanent Secretary Gabriel Lim; Minister for Communications and Information S. Iswaran; Health Minister Gan Kim Yong; MOH Permanent Secretary Chan Heng Kee; and SingHealth CEO Ivy
(From left) Cyber Security Agency chief executive David Koh; MCI Permanent Secretary Gabriel Lim; Minister for Communications and Information S. Iswaran; Health Minister Gan Kim Yong; MOH Permanent Secretary Chan Heng Kee; and SingHealth CEO Ivy Ng at the press conference.ST PHOTO: MARK CHEONG
A​bout 1.5 million patients, including Prime Minister Lee Hsien Loong​ ​and a ​few ministers, ​have had their personal data stolen. Some 160,000 people also had their outpatient prescriptions stolen.​

Hackers did not just look for data to steal, but also planned ahead by probing for more entry points

Like thieves breaking into a house through a window, cyber attackers entered SingHealth's IT system through an Internet-facing workstation.

Their top goal: Prime Minister Lee Hsien Loong's medical details.

As they ransacked the system for data on PM Lee, the thieves also stole the personal data of some 1.5 million patients.

What aided the hackers' plans was that they did not just look for things to steal once they entered the system - they also planned ahead. In the week prior to being discovered on July 4, they had stolen log-in credentials, covered their tracks and probed for more entry points.

These entry points became windows through which other attackers could enter. These meant that when the initial attack was detected and halted, the threat did not stop.

Using the analogy of thieves breaking into a house, Cyber Security Agency of Singapore (CSA) chief executive David Koh said yesterday: "The first time they got in through the window of the storeroom, they managed to get their way upstairs and they managed to steal things.

"So, we threw them out and locked the window in the storeroom. Then the next moment, we found them in the kitchen. If you put this into perspective, this is the level of sophistication we are dealing with."

ENTRY POINT

An Internet-facing computer is first breached, and then used as a launchpad to gain deeper access into the network.

MR JOSEPH GAN, president and co-founder of security solutions firm V-Key.

Mr Joseph Gan, president and co-founder of security solutions firm V-Key, said that this was the work of a dedicated cyber attacker.

"An Internet-facing computer is first breached, and then used as a launchpad to gain deeper access into the network," said Mr Gan.

Giving details about the breach at a press conference yesterday, the CSA said unusual activity was first detected on July 4. By then, the hackers had stolen log-in credentials, covered their tracks and probed for more entry points.

VALUABLE INFORMATION

Health records contain information that is valuable to governments, and they are often targeted by nation-state threat actors.

MR ERIC HOH, cyber security specialist FireEye's Asia-Pacific president.

Upon detection, security measures such as the blocking of dubious connections and the changing of passwords were taken to thwart the hackers.

Even though the hackers continued to make repeated attacks on different fronts to gain access to the database, increased monitoring and stepped-up precautionary action resulted in no further data leak from July 4.

For instance, SingHealth reset its network servers and forced all employees to reset their passwords.

All patient records in Sing-Health's IT system remain intact, and there has been no disruption of healthcare services.

No record was tampered with and no other patient records such as diagnosis, test results and doctors' notes were breached.

VALUABLE INFORMATION

Health records contain information that is valuable to governments, and they are often targeted by nation-state threat actors.

MR ERIC HOH, cyber security specialist FireEye's Asia-Pacific president.

On July 10, the Health Ministry, SingHealth and CSA were informed after forensic investigations confirmed that it was a cyber attack.

A police report was made on July 12, and investigations are ongoing.

Experts largely agree the attack was likely state-sponsored.

"Health records contain information that is valuable to governments, and they are often targeted by nation-state threat actors," said Mr Eric Hoh, cyber-security specialist FireEye's Asia-Pacific president.

"Nation-states increasingly collect intelligence through cyber espionage operations which exploit the very technology we rely upon in our daily lives," he added.

HOW DATA CAN BE USED

They can be used to create a highly sought-after composite of an individual.

MR LEONARD KLEINMAN, cyber-security firm RSA's Asia-Pacific chief cyber security adviser, saying that medical data contains a trove of information from personally identifiable data to financial details.

Mr Leonard Kleinman, cyber-security firm RSA's Asia-Pacific chief cyber security adviser, said that medical data contains a trove of information from personally identifiable data to financial details.

"They can be used to create a highly sought-after composite of an individual," he added.

In the wake of the breach, SingHealth yesterday started to impose a temporary Internet surfing separation on all of its 28,000 staff's work computers.

Other public healthcare institutions are expected to do the same at the weekend.

 
A version of this article appeared in the print edition of The Straits Times on July 21, 2018, with the headline 'Method of attack showed high level of sophistication'. Print Edition | Subscribe