Mindef hit by targeted cyber attack
SINGAPORE — A cyber attack on the system used at military premises to access the Internet has resulted in the theft of the personal data of about 850 national servicemen and Ministry of Defence (Mindef) employees.
The unprecedented breach, which took place in early February, was described by Mindef as appearing to be “targeted and carefully planned”, possibly with the intention of stealing official secrets. While classified military information was not compromised — this is stored on a separate and more secure system which is not connected to the World Wide Web — the personal data of I-net account holders comprising NRIC numbers, telephone numbers, and dates of births were stolen, said Mindef on Tuesday (Feb 28), as it apologised for the “inconvenience and potential harm” caused by the breach.
The I-net system provides Internet access to national servicemen as well as employees from Mindef and the Singapore Armed Forces for their personal communications, and allows them to surf the Internet via dedicated I-net computer terminals in the military premises and camps. Mindef said the affected personnel will be contacted within the week, and they will be advised to change their passwords for other systems that may use any of the stolen information. A special helpdesk will also be set up to assist these individuals.
“Based on our investigations, (the attack was) not the work of casual hackers or criminal gangs,” said Mindef’s Deputy Secretary for Technology David Koh at a press briefing. Investigations are being conducted, and Mindef said it would not speculate on the origins of the attack and the possible perpetrators. Nevertheless, it has determined that the attack did not originate from any of the thousands of I-net computer terminals that are located across the island.
The affected server was disconnected after the breach was discovered, and immediate and detailed forensic investigations were conducted on the entire I-net system to determine the extent of the breach. As a precaution, Mindef is also doing a thorough security sweep of all its other computer systems.
Mr Koh, who also heads the Government’s Cyber Security Agency (CSA), said the physical, multi-layered separation of I-net from Mindef’s internal systems prevented the attackers from penetrating deeper into systems containing classified military information. Apart from the CSA, the Government Technology Agency of Singapore (GovTech) has been informed of the breach, and both agencies are investigating other government systems for possible breaches. So far, none has been detected.
The affected personnel are all I-net users and they do not come from any specific military camp. Personal particulars are required for I-net account management, and these are stored on the I-net system, said Mindef.
On why the cyber attack was not made public earlier, Mindef cited the need to maintain operational security and conduct its own investigations.
Commenting on the breach, Mr Dan Yock Hau, CSA director of the National Cyber Incident Response Centre, stressed that “no one is immune to cyber-attacks”. “It is a matter of when, not if, an organisation is breached,” he said.
He added: “We have to take steps to build greater security into software design and strengthen our systems to ensure resilience to cyber attacks. We also need keen eyes on the ground to closely monitor our systems. Trained cyber security professionals will have a very important role to play to keep our cyberspace safe.”
This is not the first time that the Singapore Government has come under a cyber attack. Other incidents which have been made public in recent years include the 2014 breach of the Ministry of Foreign Affairs’ information technology system, which had been described as one of the more serious and advanced attacks on the Government’s IT systems.
The Ministry of Defence uses three types of computer systems for different purposes. Each has varying levels of security features, and the systems are separated from one another:
1. Internet-facing system: Mainly to provide individuals access to the Internet for research or recreational, personal surfing. The I-net system is one such example. I-net terminals are similar to public computers found at airports, hotels, or Internet cafes.
2. Internal system: Separated from I-net, this system is for internal email and day-to-day administrative work. There is no Web access on this system.
3. Military system: Where classified and top-secret military information are kept. There is also no Web access on this system and stringent security features are in place.