SingHealth Attack Potentially State-Linked

Last month’s cyber-attack on SingHealth, which resulted in the breach of 1.5 million health records, might have been the work of an advanced persistent threat group, according to information disclosed by S. Iswaran, Singapore’s minister for communications and information, in Parliament today.

Though reluctant to provide any specifics about which state might be behind the attack, Iswaran said that the detailed analysis of the attack, done by the Cyber Security Agency (CSA) of Singapore, indicated that it was likely a state-linked group because of the level of sophistication used by the attackers.

According to a 20 July press release, "CSA has ascertained that the cyber-attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration." 

When pressed to attribute the attack to a specific state, Iswaran reportedly said, “In this sort of matter, while one can have a high level of confidence, one may not be able to have the certainty that you might need in order to specifically assign responsibility, and this is the kind of evidentiary threshold that may not stand up in a court of law. But at the operational level, the agencies that are involved have a high level of confidence,” according to Today Online.

Some of the tools reportedly used to compromise SingHealth included “customized malware that was able to evade SingHealth’s anti-virus software and security tools,” Iswaran told the Associated Press.

Among the millions of records compromised during the attack, which occurred between 27 June and 4 July 2018, were the health records of Singapore’s Prime Minister Lee Hsien Loong. The attack was made public on 20 July, at which point the government established a Committee of Inquiry (COI) to investigate the attack and determine the events leading up to it.

In reference to what has been called Singapore’s worst ever data breach, Iswaran told the AP, “Ensuring cybersecurity is a ceaseless battle, like our battle against terrorism. It involves changing technology and sophisticated perpetrators who are constantly developing new techniques and probing for fresh weaknesses.”
