SingHealth cyberattack fits profile of 'typically state-linked' groups: Iswaran


The SingHealth network’s data breach last month was characteristic of a “class of sophisticated cyberattackers” deploying what was known as an “advanced persistent threat” (APT) attack, said Minister for Communications and Information S. Iswaran in Parliament on Monday (6 August).

“The attack fits the profile of certain known APT groups”, which are “typically state-linked” and conduct extended cyber campaigns to steal information and disrupt operations, said Iswaran, who was delivering his Ministerial Statement on the SingHealth cyberattack.

“But for national security reasons, we will not be making any specific public attribution,” he added. The 4 July cyberattack saw perpetrators accessing the personal data of 1.5 million patients, including that of Prime Minister Lee Hsien Loong.

While SingHealth and Integrated Health Information Systems (IHiS) are private companies, their information databases are part of Singapore’s critical information infrastructure (CII), said Iswaran.

“A cyberattack on any CII can disrupt essential services and affect public welfare and confidence,” he added.

Iswaran noted recent examples of attacks by APT groups, including the hacking of the Democratic National Committee in the US in 2016 and the theft of more than 20 million personnel records from the US Office of Personnel Management in 2014.

“Singapore has also been the target of APT attacks, such as those on NUS and NTU last year,” added the 56-year-old West Coast GRC Member of Parliament (MP).

Based on detailed analysis by Singapore’s Cyber Security Agency (CSA), the SingHealth hackers used “advanced and sophisticated tools, including customised malware that was able to evade SingHealth’s anti-virus software and security tools”.

“After establishing a foothold in the network, the attacker took steps to remain in the system undetected before stealing the patients’ information,” he added.

COI report by end-year

Asked by Non-Constituency MP Daniel Goh if the government would be looking into whether there was any negligence on SingHealth’s part, Iswaran said that the Committee of Inquiry (COI) convened would look into the factors behind the attack as well as what could have been done.

“I would urge members to refrain from going down the path of allocating blame at this point,” added Iswaran.

He said the COI, chaired by former senior district judge Richard Magnus, will submit its report by 31 December. “As some aspects of the inquiry have security implications, the COI will decide which part of its hearings can be held in public,” he noted.

In the meantime, the government has also taken steps to bolster Singapore’s cybersecurity defences.

For instance, the CSA has examined computers affected by last month’s attack and identified indicators of compromise – pieces of forensic data used to identify malicious activity on a network.

Owners and regulators of CII have been instructed to scan for such indicators and have been advised on measures to prevent a similar incident.
