Parliament: Cyber breach of Mindef's IT system occurred weeks before it was detected

A simulated cyber attack at Mindef’s Cyber Test and Evaluation Centre on Feb 27, 2017. ST PHOTO: SEAH KWANG PENG

SINGAPORE - The breach of the Defence Ministry's IT system, which resulted in the theft of the personal details of 850 personnel, occurred weeks before it was detected, investigations have shown.

The modus operandi of the cyber attack, which was discovered on Feb 1, was also "consistent with a covert attack, with means used to mask the perpetrator's actions and intent", Second Minister for Defence Ong Ye Kung said on Monday (April 3).

Giving an update on the incident in Parliament, Mr Ong said the ministry is reviewing the storage of personal data on its Internet systems to minimise the risks of cyber theft.

While the cyber attack in Mindef's case went undiscovered for weeks, breaches of IT systems elsewhere tend to take longer to detect.

Referring to industry reports, Mr Ong said that it takes an average of about 150 days, or five months, before a breach is discovered in any computer system.

He cited examples such as the breach of the e-mail servers of the US Democratic National Committee in mid-2015, which was detected only in April 2016. By that time, all e-mails and chats had been stolen, he added.

He said investigations into the cyber attack on the Defence Ministry are still ongoing but "findings will be kept confidential for security reasons". Mr Ong was replying to questions from MPs Lim Wee Kiak (Sembawang GRC) and Vikram Nair (Sembawang GRC).

In February, Mindef revealed that hackers had stolen NRIC numbers, telephone numbers and birth dates of 850 personnel, through a breach of the Ministry's I-Net system.

The I-Net system provides Internet access on thousands of dedicated terminals to national servicemen and other staff working in Mindef's offices and Singapore Armed Forces premises, such as army camps.

The affected server was taken offline after the discovery of the attack, which Mindef called "targeted and carefully planned", and the affected personnel were contacted to take the necessary precautions.

Mr Ong said on Monday that Mindef's IT systems are "no different" from others, and like them, experience "hundreds of thousands" of cyber intrusion attempts, ranging from simple probes to sophisticated cyber-espionage efforts.

"Mindef/Singapore Armed Forces adopts a multi-layered, risk-based approach to cyber defence which balances between connectivity and speed on one hand, and security on the other," he said.

He told the House that the I-Net system contains no classified information, and that networks which contain sensitive military information are physically separated from the Internet, and further protected with encryption and access controls.

Mr Ong added that as part of its ongoing initiatives to strengthen cyber systems, "Mindef/SAF will develop better assessment tools, data analytics and content scanning engines to enhance our response to cyberattacks".