SINGAPORE: A “well resourced, well-funded and highly sophisticated” nation-state actor is likely behind the unprecedented cyberattack on SingHealth’s database, which targeted Prime Minister Lee Hsien Loong’s personal and medical records, and made away with 1.5 million patients' details, according to one cybersecurity expert.
On Friday, the Ministry of Communications and Information and Ministry of Health announced that 1.5 million SingHealth patients’ demographic data were stolen, while 160,000 of them had their outpatient dispensed medicine records taken too.
Mr Lee was “specifically and repeatedly” targeted during the attack that took place last month, and hackers managed to steal his personal particulars and medication information.
Emeritus Senior Minister Goh Chok Tong also revealed in a Facebook post that his "non-medical personal particulars" with SingHealth had been stolen.
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) subsequently found the breach to be a “deliberate, targeted and well-planned cyberattack” and not the work of casual hackers or criminal gangs.
Mr Eric Hoh, Asia Pacific president of cybersecurity firm FireEye, said the cyberattack was “very different” from those by typical cybercriminals who generally sell the stolen data or use it for ransomware.
This has yet to happen in SingHealth's case since the breach was detected and thwarted on Jul 4.
Stealing the medical records of a high-ranking official, for example, would give hackers the opportunity to use the data to “coerce” that person into revealing secrets or giving access to otherwise unattainable resources, Mr Hoh said.
Acronis’ lead security researcher Ravikant Tiwari agreed, saying that stolen medical records are most commonly used to aid spying if the target is a high-ranking official.
Mr Lee said on Friday that he did not know what the people behind the cyberattack were hoping to find from his medication data, but that if they were looking to embarrass him, "they would have been disappointed".
"Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed," Mr Lee said in a Facebook post.
"My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it," Mr Lee added.
THE HAND OF A NATION-STATE ACTOR
Asked why he thought the SingHealth cyberattack could be the work of a nation-state actor, Mr Hoh said: “This was an advanced persistent threat (APT) and the nature of such attacks are that they are conducted by nation states using very advanced tools.
“They tend to be well resourced, well-funded and highly sophisticated,” he explained.
Additionally, the perpetrator carried on trying to access SingHealth’s network even after detection, which is the “typical signature” of a nation-state actor, the FireEye executive pointed out.
Channel NewsAsia understands that the authorities have established who might be behind such an attack. Only a few countries in the world have the level of sophistication shown during the cyberattack campaign.
CSA could not reveal more details due to operational security reasons, said its chief executive David Koh during Friday’s press conference.
MEDICAL DATA IS LUCRATIVE BUSINESS
Another cybersecurity expert, Mr Leonard Kleinman, pointed out that medical data contains a trove of information – from personally identifiable data to financial details – “that can be used to create a highly sought-after composite of an individual”.
Such pilfered data can fetch a high price on the dark Web, with each entry potentially selling for US$50 to US$100 more than stolen credit card data, said Mr Kleinman, who is the chief Cyber Security Advisor at RSA Asia Pacific and Japan.
“As it could contain any amount and level of information, healthcare institutions are among the most sought-after industries by criminals who can be motivated by a multitude of possible reasons,” he said.
The executive also cautioned that the fallout of such a hack may not be immediately felt either, as it could “take months” for the data to be first sold, then used.
“Given the nature of this attack, it is hard to say exactly what the end game is, especially when the attackers haven’t identified themselves,” Mr Kleinman added.
Darktrace Asia Pacific managing director Sanjay Aurora told Channel NewsAsia in an email that it can only speculate on the hacker's motives, but medical information, like other kinds of personal data, can be easily monetised.
That said, beyond making a quick buck, Mr Aurora said a more "sinister reason" could be to cause widespread disruption and systemic damage to the healthcare service or to undermine trust in a nation's competency to keep personal data safe.
WHAT CAN AFFECTED SINGAPOREANS DO?
As for next steps, FireEye’s Hoh suggested that the 1.5 million affected SingHealth users be on “heightened alert” and be extra vigilant over things such as phone calls from unknown numbers or emails that purport to be from legitimate organisations.
He also said that these users should change their online passwords linked to the compromised IT systems.
Sophos senior technologist Paul Ducklin, meanwhile, recommends that those affected keep a careful watch over their financial statements and report any suspicious activity immediately.
“Be especially suspicious of unsolicited communications that arrive in the wake of this breach offering any sort of help or asking for further details to assist in the investigation,” Mr Ducklin warned.
“Social engineers and scammers are experts at preying on people's fears (and their willingness to help) after security incidents of this sort.”
He added: “Whether this was a lone hacker who got lucky, a well-oiled cybercrime gang or a state-sponsored attack team won't get your personal data back, and it won't change the fact that you can't control who gets it next.
“Keep your own eyes open for any attempt to abuse your personal data in the future.”
Mr Hoh also hopes that Singaporeans will see this incident as a timely reminder that cyberattacks, big or small, will happen and that the key is for all parties - government, businesses and citizens - to respond quickly to such breaches.
"Somebody can launch a cyberattack against you, but if they didn't get away with anything, then you'd have successfully defended yourself."
This, he reckoned, is the mindset people should adopt going forward.