SINGAPORE: Even though the attacker was extremely skilled, the attack on SingHealth’s patient database was “not inevitable”, said the Committee of Inquiry (COI) into the cyberattack in a report published on Thursday (Jan 10).
This was one of the five key findings of the COI in its assessment of what happened.
“While our cyber defences will never be impregnable and it may be difficult to prevent an Advanced Persistent Threat (APT) from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable,” the report said.
A number of vulnerabilities, weaknesses and misconfigurations could have been remedied before the attack. Doing so would have made it more difficult for the attacker to achieve its objectives.
But while the attacker was stealthy, signs of the attack were observed by IHiS staff.
“Had IHiS’ staff been able to recognise that an attack was ongoing and take appropriate action, the attacker could have been stopped before it achieved its objectives,” the report said.
In the attack, the records of 1.5 million patients, including their names, NRIC numbers, addresses and other information, were accessed from Jun 28 to Jul 4 last year. Among the data taken were the medication records of close to 160,000 patients.
NOT CASUAL HACKERS BUT SKILLED ATTACKERS
A second key finding was that the attacker was a skilled and sophisticated actor bearing the characteristics of an APT group.
The COI found that the attacker had a “clear goal” in mind, namely the personal and outpatient medication data of Prime Minister Lee Hsien Loong. His data, in particular, was “specifically targeted and repeatedly accessed”.
The attacker employed advanced tactics, techniques and procedures (TTPs), such as customised malware, and displayed the ability to exploit vulnerabilities in SingHealth’s IT network and patient database.
The attacker lay dormant and waited more than 10 months to carry out the attack, showing its persistence. It also established multiple footholds and backdoors to allow itself several pathways to access SingHealth’s network.
The COI also found that the attacker was a “well-resourced group” with an extensive command and control network. It also had the capability to develop numerous customised tools and a wide range of technical expertise.
IHiS STAFF LACKED SKILLS, RESOURCES TO RESPOND TO THREAT
The COI also said that IHiS staff did not have “adequate levels” of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack.
This included teams directly involved in cybersecurity like the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management.
A number of IHiS IT administrators were commended in the report for their vigilance in noticing suspicious activity, such as unauthorised logins to, and queries against, compromised servers as well as the patient database.
“However, these same IT administrators could not fully appreciate the security implications of their findings, and were unable to correlate these findings with the TTPs of an advanced cyber attacker,” the report said.
“They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA. There was also no incident reporting framework in place for the IT administrators,” it added.
KEY EMPLOYEES FAILED TO TAKE APPROPRIATE, TIMELY STEPS TO ADDRESS THE ATTACK
The COI report said that failure to take appropriate, effective or timely action resulted in “missed opportunities” to prevent the stealing and exfiltration of data in the attack.
The Security Incident Response Manager (SIRM) and Cluster Information Security Officer (ISO) for SingHealth, who were responsible for incident response and reporting, held “mistaken understandings” of what constituted a security incident, and whether it should be reported.
The SIRM was also said to have delayed reporting because he felt that “additional pressure would be put on him and his team once the situation became known to management”.
“The evidence also suggests that the reluctance to escalate the matter may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm,” the report said.
The Cluster ISO also did not understand the significance of the information provided to him and failed to take any steps to better understand the information.
“Instead, he effectively abdicated to the SIRM the responsibility of deciding whether to escalate the incident,” the report said.
ATTACKERS TOOK ADVANTAGE OF LOOPHOLES IN SINGHEALTH SYSTEM
A number of “vulnerabilities, weaknesses, and misconfigurations” in the SingHealth network and patient database contributed to the attacker’s success in obtaining and exfiltrating the data, the COI found.
A “significant vulnerability” was the open network connection between the patient database and Citrix servers.
These servers serve as a bridging system to communicate between front-end workstations and the patient database. The network connection played a “critical role” in the cyberattack that allowed the attacker to retrieve data from the patient records database.
While having an open network connection allowed for the use of administrative tools and custom applications, the COI found that there was no necessity to keep the connection open.
The Citrix servers were also not given sufficient security measures against unauthorised access; in particular, 2-factor authentication (2FA) was not enforced. This allowed the attacker to access the servers through routes that did not require 2FA.
Separately, a coding vulnerability in the patient database programme was found to be “likely exploited” by the attacker to obtain credentials for accessing the database.
Other vulnerabilities, which were identified in a penetration test in early 2017 before the cyberattack, may also have been exploited by the attacker. They include weak administrator passwords, and the need to improve network segregation for administrative access to systems such as the domain controller and Citrix servers.
“Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the cyberattack,” the report said.