Style of SingHealth cyber attack, info targeted point to state-backed hackers, say experts

Those behind the SingHealth attack clearly wanted to remain hidden and took data with no obvious commercial value. ST PHOTO: ARIFFIN JAMAR

From the nature of the attack to the information targeted, all signs suggest that the unprecedented cyber attack on the database of SingHealth was the work of state-sponsored hackers, said cyber-security experts.

For instance, where casual hackers might vandalise public-facing websites and criminal gangs might focus on attacks that could make them some money, those behind the SingHealth attack clearly wanted to remain hidden and took data with no obvious commercial value.

Mr Eric Hoh, cyber-security specialist FireEye's Asia-Pacific president, said that health records contain valuable information to governments and are often targeted by nation-state threat actors.

Another telltale sign: The fact that the authorities said the attackers "specifically and repeatedly" targeted the data on Prime Minister Lee Hsien Loong.

Said Mr Joseph Gan, president and co-founder of security solutions firm V-Key: "State-sponsored attackers typically focus on only one or a few targeted individuals, unlike criminals, who would be primarily concerned about gathering data about as many people as possible."

The hackers picked up demographic data on 1.5 million SingHealth patients. These included the outpatient prescription records of PM Lee and 160,000 others.

The authorities had last Friday described the attack as a "deliberate, targeted and well-planned cyber attack".

The hackers had initially entered the system via a malware-infected SingHealth front-end workstation.

Upon detection, the hackers had made further unsuccessful attempts to gain access to the database using different approaches to bypass the new security measures.

This type of cyber attack, known as an advanced persistent threat, is another indication to cyber-security experts that nation-state actors were involved.

Mr Gan said that the hackers probably wanted to stay hidden in the network for months, if not years - the kind of timeframe that would require resources and organisation typically unavailable to smaller players.

Others suggest it is also typically only nation-state actors that will persist with a single target even after being discovered. Criminals with financial motivations will likely just move on to another, less well-defended target.

Mr Ondrej Kubovic, ESET's security awareness specialist, said that the attackers were well organised and aware of the structure of the database.

"Otherwise, they would not be able to exfiltrate such a large amount of the data," he said.

And while it is important to establish the identity of the hackers, experts like Gartner research director Sid Deshpande said what may be more crucial now is the response.

"Attribution is really difficult as far as security incidents are concerned, and resources are better utilised in preventing such incidents from happening in the future rather than trying to accurately pinpoint which group did it," said Mr Deshpande.

A version of this article appeared in the print edition of The Sunday Times on July 22, 2018, with the headline 'Style of attack, info targeted point to state-backed hackers, say experts'.