Sophisticated, ‘typically state-linked’ attackers behind SingHealth cyber breach: Iswaran

SINGAPORE — Sophisticated cyber attackers who are “typically state-linked” were behind the unprecedented cyber attack on Singapore’s largest public healthcare group SingHealth, Communications and Information Minister S Iswaran disclosed in Parliament on Monday (Aug 6).

This is the first time the authorities have identified the suspects as being potentially state-linked.

Delivering a ministerial statement on the cyber attack — the most serious yet to hit Singapore — Mr Iswaran said that the Cyber Security Agency of Singapore (CSA) had determined, after a detailed analysis, that an “advanced-persistent-threat group” was behind the breach.

“An advanced-persistent-threat group refers to a class of sophisticated, usually state-linked, cyber attackers who conduct extended and carefully planned cyber campaigns to steal information or disrupt operations,” Mr Iswaran, who is also the Minister-in-charge of Cyber Security, said.

While the attack squares with the profile of some of these known groups, the Government will not be making a “specific public attribution” for reasons related to national security, the minister said.

On July 20, news emerged that hackers had broken into SingHealth's IT systems between June 27 and July 4. They stole the non-medical personal particulars of 1.5 million patients, copying them to servers hosted overseas.

About 160,000 of the affected group — including Prime Minister Lee Hsien Loong and several government ministers — also had their outpatient medication data stolen.

The hackers took data such as the names, national registration identity card (NRIC) numbers, addresses, birth dates and information on gender and race belonging to patients who had visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015 to July 4 this year.

CUSTOMISED MALWARE

Mr Iswaran said that the breach had the characteristics typical of an advanced-persistent-threat attack, and the attacker used sophisticated tools, including customised malware that evaded SingHealth’s anti-virus software and security tools.

This is not the first time Singapore has been targeted by an attack of such nature.

Last April, sophisticated cyber attacks aimed at stealing research and government-related information hit the National University of Singapore and Nanyang Technological University, Singapore's top universities. The breaches were the work of advanced-persistent-threat actors using stealthier methods which were therefore harder to detect.

Mr Iswaran noted that entities overseas have been hit by similar attacks, including the United States Democratic National Committee in 2016. Two years before, a cyber attack saw more than 20 million personnel records stolen from the US Office of Personnel Management.

Cyber-security experts told TODAY previously that the SingHealth cyber attack could have been state-sponsored, given the type of data stolen and the amount of resources needed to execute it.

In the wake of the attack, Mr Iswaran convened a four-member Committee of Inquiry (COI) to establish the events and contributing factors leading to the cyber attack. The committee, chaired by former senior district judge Richard Magnus, has had preparatory meetings and will soon hold its first pre-inquiry conference, Mr Iswaran said. The CSA will lead a team to carry out the investigations and the Attorney-General’s Chambers will take charge of evidence.

The COI, which will hold inquiry hearings after it receives the CSA’s investigation report, will submit its report by year’s end.

NOT YET TIME TO NAME ATTACKERS SPECIFICALLY

After Mr Iswaran and Health Minister Gan Kim Yong delivered their ministerial statements on the cyber attack, 13 Members of Parliament (MPs) rose to speak on the matter.

Former Workers’ Party (WP) chief Low Thia Khiang asked if the Government could disclose the state that was linked to the cyber attack, and if the CSA knew the name of the group behind the attack and from where it was launched.

The MP for Aljunied Group Representation Constituency (GRC) also asked about the whereabouts of the overseas servers to which the patient data was copied.

Mr Iswaran reiterated that the Government will not attribute the attack specifically. “In this sort of matter, while one can have a high level of confidence, one may not be able to have the certainty that you might need in order to specifically assign responsibility, and this is the kind of evidentiary threshold that may not stand up in a court of law,” he explained.

“But at the operational level, the agencies that are involved have a high level of confidence.”

For now, it does not serve Singapore’s interests and is not a “productive exercise” to make a specific public attribution, Mr Iswaran said.

“What is essential is that we diagnose the problem clearly and take the appropriate steps,” he added. “And if, in the course of the COI’s deliberations, specific attribution can be made in a manner where action can subsequently be taken up in a court of law, we will certainly consider that course of action.”

DELAY IN INFORMING THE PUBLIC

WP chairman Sylvia Lim, also MP for Aljunied GRC, asked why there was a delay from the time the attack was confirmed on July 10 until the Government went public with details of the attack on July 20 at a press conference.

Mr Gan explained that many things were happening and the authorities were engaged in multiple and concurrent “streams of work”.

“Our priority at that time was to ensure that our systems were protected, our data would not be subject to further losses or exfiltration and that took a while.”

The authorities had to trace the attack to its source so that the database could be protected. They also had to determine whether other data had been compromised beyond those they  were aware of, and who the affected patients were. At the same time, SingHealth had begun its preparations to inform patients, which also required time.

By July 20, when the press conference was called, Mr Gan said that the authorities were quite confident the system had stabilised, after computers and devices for Internet surfing were separated from workstations the previous evening.

“At the same time, we had sufficient information to share with the public (on) how the incident happened, what was the data that was compromised, who were the patients affected… It was important for us to ensure that the information given to the public was accurate as far as we were able to ascertain,” Mr Gan added.

TAKING CYBER SECURITY SERIOUSLY

Taking a question from MP Denise Phua (Jalan Besar GRC), Mr Iswaran made it clear that the challenges of cyber-security work were no different from that in countering terrorism.

He reiterated that the SingHealth breach showed the importance for the top management of public and private organisations to take cyber security seriously, and put in place systems and devote resources to the effort. “Often, the investment in cyber security is seen as a cost without an obvious payoff (and) value,” Mr Iswaran said.

Other MPs, such as Nee Soon GRC MP Lee Bee Wah, raised concerns on behalf of their residents, who were worried that their data could be used fraudulently, among other things. Ms Lee asked what else the Government could do to assuage the concerns of those whose data was stolen.

While stressing that bank and sensitive government transactions, for instance, are backed by the two-factor authentication process, Mr Iswaran noted that there may be an opportunity to review instances where NRIC numbers are used as a form of identification (ID), whether other IDs that are more robust can be used.

He urged members of the public who use their NRIC numbers as a password or ID to reset them.