Web service outages of hospitals, polyclinics caused by attacks that are continuing: IT provider
National healthcare IT provider Synapxe said that the Web service outages of public hospitals on Wednesday were caused by a DDoS attack.
SINGAPORE - The Web service outages of public hospitals and polyclinics
In a DDoS attack, attackers flood servers with Internet traffic to prevent users from accessing online services.
The attacks are continuing, and users may see “occasional disruptions” to Internet services as a result, Synapxe said.
“Synapxe is working with relevant parties to actively defend against the attacks, and expedite the recovery processes. Investigations by Synapxe and the Cyber Security Agency are also ongoing,” the IT provider said.
The Straits Times understands that no ransom demands in relation to the attack on Wednesday had been made by Friday.
Synapxe said it has a “layered defence” designed to detect and respond to cyber threats, including DDoS attacks. This includes system backups, firewalls, and services that block abnormal surges in Internet traffic before they enter the public healthcare network.
However, an abnormal surge in network traffic – detected at 9.15am on Wednesday – bypassed the blocking service and overwhelmed Synapxe’s firewall behind the blocks, the IT provider said.
This triggered the firewall to filter out the traffic, and all the websites and Internet-reliant services became inaccessible.
Once the cause was identified, Synapxe said, it immediately worked with its service providers to combat the attack, and Web services were restored progressively from 4.30pm.
The attack did not compromise healthcare data, internal networks or patient care, it added.
Between 9.20am and 4.30pm on Wednesday, public healthcare institutions – such as public hospitals, polyclinics and the Institute of Mental Health – experienced a total outage of all services requiring Internet connectivity, losing access to websites, e-mails and internal productivity tools for staff.
Major hospitals such as Singapore General Hospital, National University Hospital, Khoo Teck Puat Hospital and Changi General Hospital were among the affected institutions.
Throughout the disruption, patient records remained accessible and clinical services were unaffected, said some of the affected hospitals in Facebook posts that day.
Synapxe added: “The incident is a stark reminder that DDoS attacks are on the rise, with changing attack methods.
“DDoS attacks cannot be prevented, and the defences against DDoS attacks will have to constantly evolve to keep up with advancements.”
When contacted, cyber-security experts told The Straits Times that “hacktivists” – or hackers with a cause – may have performed the attacks.
Acronis’ chief information security officer Kevin Reed said those who perform DDoS attacks typically have three motivations – financial, state-backed, or activism.
But he added that it was unlikely that financial motivations were behind the attack on Wednesday because those who do it for money would typically use ransomware these days, instead of DDoS attacks.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
Mr Reed also does not think the attack was state-backed, because such attacks tend to be carried out quietly and by sophisticated hackers.
And DDoS attacks are not performed by sophisticated hackers, he said.
He added: “It requires the lowest amount of skill. The attackers are very noisy, but they’re also not very skilled. If they were more skilful, they would do something else.
“Given the current political climate worldwide, there are a bunch of potential reasons why someone could be angry and would try (DDoS attacks).”
Palo Alto Networks’ regional chief security officer Ian Lim said it is difficult to find out who is behind the attack because the know-how is available online.
“DDoS code and tactics are freely available on the Dark Web and could be leveraged by cyber criminals, hacktivists or lone wolves,” Mr Lim said. The Dark Web is part of the World Wide Web that allows users and operators to remain untraceable, and is accessible only through special software.
“Additionally, there are DDoS bot networks that can be ‘rented’ on the Dark Web. Attribution is difficult for these types of DDoS attacks due to how accessible these capabilities are,” Mr Lim said.
Mr Reed said that there are companies that provide protection against DDoS attacks, and they “usually have lots of scale, and enough technology to protect their customers against very large DDoS attacks”.
But Cloudflare – an American company that also provides DDoS mitigation services – said those behind DDoS attacks have evolved and now use “powerful virtual private servers to perform DDoS attacks with greater volume and faster speeds”.
Mr Lim recommends a “defence in depth” approach against DDoS attacks, by having layers of hardware and software that provide protection against such attacks, as well as strengthening the security of Domain Name Systems (DNS), which translate text-based domain names – such as www.straitstimes.com – to number-based IP addresses. This is because DDoS attackers often target the DNS infrastructure, he said.
Mr Reed added that Synapxe can further strengthen its defence against ongoing DDoS attacks by looking into where its existing protections failed and analysing why the attacks were successful.
He added: “Once they understand why the attack was successful, they can try implementing additional protections. I think it’s totally fine that such attacks happen, this is a learning exercise for everyone. As soon as they go through that process and then implement the protection, that is a more than adequate response.”
Additional reporting by Christie Chiu

