1 STAFF LACKED TRAINING IN CYBER SECURITY
Staff of Integrated Health Information Systems (IHiS) lacked cyber-security awareness, training and resources to respond effectively to the attack.
But several of its junior staff - including system engineer Benjamin Lee - showed considerable initiative in spotting and reporting suspicious network activities.
They, however, could not identify that a sophisticated cyber attack was under way and were not familiar with IT security policies.
2 KEY STAFF FAILED TO TAKE REQUIRED ACTION
Key cyber-security staff at IHiS failed to take necessary action to prevent the data breach. Cluster information security officer Wee Jia Huo learnt of the suspicious network activities in June. But the key technology "risk man" did not take steps to understand them. The report said he showed "an alarming lack of concern" although by July 4, it was clear a critical system had potentially been breached.
Mr Wee's job was to decide if upper management should be alerted about incidents, but he abdicated this responsibility to Mr Tan in this case. Mr Tan delayed reporting it, fearing extra pressure on his team.
3 WEAKNESSES IN NETWORK, SYSTEMS NOT FIXED
Vulnerabilities and misconfigurations in SingHealth's network and systems contributed to the data breach. The attacker exploited an open link between servers in Singapore General Hospital and the electronic medical records (EMR) system.
The temporary link for database migration to a new cloud-based system was not shut down after the migration was completed.
An unaddressed coding vulnerability in the EMR software supplied by Allscripts Healthcare Solutions was likely exploited by the attacker to obtain credentials "and cross the last mile" to access patient records, said the report.
4 ATTACKERS SKILLED AND WELL EQUIPPED
The attackers were skilled, sophisticated and likely to be state-sponsored.
They established multiple footholds in SingHealth's network, enabling them to execute commands from another compromised server on July 19, even as investigations into their earlier breach were under way.
The earlier breach was carried out over 10 months, primarily targeting the personal and outpatient medication data of Prime Minister Lee Hsien Loong.
5 LET DOWN BY VULNERABLE SYSTEMS, UNTRAINED STAFF
While systems will never be breach-proof, the attackers would have found it harder to achieve success had the identified vulnerabilities and misconfigurations been fixed, the report said.
Also, if IHiS had trained its staff to take appropriate action, the attackers could have been stopped and the breach averted, it added.
Profile of the attacker
The Committee of Inquiry agrees with the Cyber Security Agency's assessment that the cyber breach was carried out by a skilled and sophisticated attacker bearing the characteristics of an Advanced Persistent Threat (APT) group, based on evidence during the hearings. APT refers to a class of sophisticated, usually state-linked, cyber attackers who conduct extended, carefully planned cyber campaigns to steal data or disrupt operations. They are known to be extremely persistent in finding ways to get into a network or system once a target has been identified.
THE ATTACKER HAD A CLEAR GOAL
- The attacker was focused on accessing and stealing the personal and outpatient medication data of Prime Minister Lee Hsien Loong and other patients.
- Its actions were targeted and specific, and they compromised only selected computers needed to access, copy and transfer data.
THE ATTACKER EMPLOYED ADVANCED TACTICS, TECHNIQUES AND PROCEDURES
- Techniques used by the attacker include customised and stealthy malware. It also found and exploited various vulnerabilities in SingHealth's IT network and electronic medical records system.
- Apart from evading detection for nearly 10 months, the attacker also covered its tracks by deleting logs in compromised workstations and servers.
THE ATTACKER WAS PERSISTENT
- The attack was carried out over more than 10 months, involving multiple attempts at accessing patients' records using various methods.
- Even after the attack was stopped on July 4, the attacker re-entered the system on July 19 through an earlier established foothold and tried to regain control over the network.
THE ATTACKER WAS A WELL-RESOURCED GROUP
- It had the capability to develop customised tools and showed a wide range of technical expertise.