The attackers behind Singapore's worst data breach were so skilled that they established multiple footholds in SingHealth's network, enabling them to execute commands from another compromised server on July 19, even as investigations into their earlier breach were under way.
The second intrusion attempt took place after SingHealth's IT vendor had discovered the attack on July 4 and shut down the illegal data transfer that had been taking place since June 27.
Staff from Integrated Health Information Systems (IHiS) - an agency which runs the IT systems of public healthcare institutions - had also stepped up network defences by taking steps such as changing passwords, removing compromised accounts and rebooting servers.
The high-level Committee of Inquiry (COI) into SingHealth's cyber attack heard these details yesterday when a second tranche of hearings concluded.
Citing the detailed findings of the Cyber Security Agency of Singapore (CSA), Solicitor-General Kwek Mean Luck said the July 19 attempt was spotted and cut off on the same day due to heightened network monitoring following the discovery of data exfiltration.
Data transfer, which took place from June 27 to July 4, led to the leak of the personal data of 1.5 million SingHealth patients and the medical prescriptions of 160,000 people, including Prime Minister Lee Hsien Loong.
In his closing statement, Mr Kwek, a senior counsel, also summarised how advanced, determined and disciplined the attackers were. "The skill and sophistication used in the SingHealth attack highlights the challenges that cyber defenders face," Mr Kwek said.
Some of the measures taken
• Master key account reset: The master key account was reset twice by IHiS, invalidating the attackers' full access to the IHiS domain.
• Heightened monitoring: The IHiS Security Operations Centre was placed on high alert to look out for suspicious activity. This step allowed both the CSA and IHiS to detect and respond to fresh login attempts on July 19.
• Passwords changed: Passwords were changed at the end-user machine and database application levels of IHiS to ensure that the attackers could not reuse old passwords to re-enter the network.
• Citrix servers reloaded: The attack had been carried out through compromised Citrix servers, and all Citrix servers were refreshed by IHiS by July 16.
• Internet surfing separation (ISS): Following the login attempts on July 19, the CSA recommended ISS on July 20 to disrupt the attackers' movement within the network. ISS was also implemented for the National Healthcare Group and the National University Health System.
• PowerShell disabled: After discovering that the attackers had used PowerShell - a Windows tool used by system administrators to automate tasks that manage operating systems - IHiS disabled it on all end-user machines.
• Critical information infrastructure (CII) sectors alerted: The CSA issued alerts to the CII sectors to be vigilant and look out for signs of the attackers. Information about the attackers' tactics was also given.
For instance, after executing a successful phishing attack on an end-user workstation at Singapore General Hospital on Aug 23 last year, the attackers signalled a server hosted overseas that they had got in.
They then sat back for four months before moving around the network to gather more credentials to execute their next moves. The malware they used was customised for SingHealth's systems and escaped detection by even the world's top anti-virus software makers.
The attackers also used a benign Windows tool called PowerShell - which system administrators use to automate tasks that manage operating systems - to execute malicious commands.
IHiS disabled PowerShell on all end-user workstations on July 13.
COI chairman Richard Magnus said Mr Kwek's summary gave "a balanced perspective" to the evidence presented so far.
Mr Magnus added: "From the evidence, it would appear to the COI, even at this stage, that the attacker had one and only one malicious intent - that of exfiltrating data from the crown jewels of the network, which is the EMR (electronic medical records)."
Therefore, said Mr Kwek, cyber security measures must be commensurate with evolving threats.
"These issues... will be dealt with in the next tranche of the COI hearings," he said, noting that public and private hearings will resume at the end of this month. Senior management officials from various organisations will take the witness stand. They include:
• Mr Bruce Liang, chief executive officer of IHiS and chief information officer at the Ministry of Health;
• Professor Ivy Ng, SingHealth group chief executive officer;
• Mr Benedict Tan, SingHealth group chief information officer;
• Professor Kenneth Kwek, SingHealth deputy group chief executive officer (organisational transformation and informatics);
• Mr Chua Kim Chuan, IHiS director of cyber security governance; and
• Mr David Koh, CSA chief executive officer.
Local and foreign cyber security experts will also be called to the stand to present their recommendations.