While showing initiative, the initial response to the largest cyberattack in Singapore was “piecemeal and inadequate”, said Solicitor-General Kwek Mean Luck in his opening statement to the Committee of Inquiry (COI) looking into the SingHealth cyberattacks.
Speaking on the first day of hearings on Friday (21 September), Kwek noted that Integrated Health Information Systems (IHiS) staff “did not fully appreciate that multiple cyber security incidents were happening” in the software system SingHealth utilises for its electronic medical records (EMR).
He also highlighted several inadequacies amid the SingHealth IT network which were exploited by the attacker, who gained an initial presence in the system by infecting workstations as early as August 2017.
“As the evidence is presented to the COI, it will be apparent that more could have been done to deter the cyber attack,” concluded Kwek, who is also a Senior Counsel. “At the same time, it is also important to bear in mind that this was a highly sophisticated and persistent attack, planned and executed with patience.
“In the spirit of the inquiry of this COI, the focus is not on fault finding, but on probing and learning, so that we can identify areas that would strength the defences of our organisations against future cyber attacks.”
The personal particulars of 1,495,364 unique patients – including that of Prime Minister Lee Hsien Loong’s – were stolen from SingHealth’s database during the cyber attack, which occurred between 27 June and 4 July this year. The data comprises the patients’ demographic records and the dispensed medication records of about 159,000 of them.
Advanced Persistent Threat attack
The COI heard on Friday that after the attacker began infecting SingHealth’s workstations with malware in August last year, he planned his route in the network to reach the database between December 2017 and May 2018.
From May to June, he tried to gain access to the database after logging in to the servers via some local administration accounts at Singapore General Hospital. One of the accounts had a common and weak password – P@ssw0rd – which “could have been easily cracked by the attacker to gain the credentials to the account”.
The attacker was also able to gain access to an end-user workstation via a publicly available hacking tool because it was running on a version of Microsoft Outlook that was not patched to address the use of that hacking tool.
After multiple failed attempts to gain access, the attacker finally succeeded on 26 June. The Cyber Security Agency of Singapore (CSA) said it is probable that the attacker stole the proper access credentials via a server on the Healthcare-Cloud cloud computing platform at the Healthcare Data Centre (HDC).
Solicitor-General Kwek told the COI that there is evidence of an insecure coding vulnerability in the software system that could have allowed the attacker to retrieve access credentials from the HDC server. The vulnerability was in fact made known to IHiS in 2014 by an ex-employee, Zhao Hainan, but IHiS management took no action. Zhao will also be called to testify before the COI.
Response to the attack
IHiS staff first became aware of attempts at unauthorised access to the database on 11 June. They attempted to counter it by changing passwords and shutting down a server – measures which while showing initiative, were piecemeal and inadequate, said Kwek.
Furthermore, after the IHiS staff terminated the attacker’s infiltration into the patients’ records on 4 July, they waited until the night of 9 July to inform IHiS’s senior management, as well as SingHealth’s Group Chief Information Officer Benedict Tan.
The COI was convened in July by Minister-in-charge of Cybersecurity S Iswaran following the cyberattack “to inquire into the events and contributing factors leading to the cybersecurity attack” and “to recommend measures to reduce the risk of such attacks in the future”.
The four-member committee is chaired by retired chief district judge Richard Magnus. The other three members on the committee are Lee Fook Sun, Executive Chairman of Ensign InfoSecurity; T K Udairam, Group Chief Operating Officer of Sheares Healthcare Management; and Cham Hui Fong, Assistant Secretary-General of the National Trades Union Congress.
Two witnesses from IHiS will take the stand on Friday: Lum Yuan Woh, assistant director (Infra Services – Systems Management), who first discovered on 11 June that certain accounts had been compromised; and Katherine Tan, a database administrator who terminated the multiple attempts to access the database on 4 July.
It will hear from at least nine witnesses from the Ministry of Health, Ministry of Health Holdings, SingHealth, IHiS and the CSA during a series of public and private hearings until 5 October. It is then expected to submit a report on its findings and recommendations to Minister Iswaran by 31 December.