Attack on SingHealth network traced back to Aug 2017: COI hearing

SingHealth's cyber attacker first gained entry into the healthcare group's network as early as August last year by infecting workstations, the four-member Committee of Inquiry (COI) heard on Friday.

Solicitor-General Kwek Mean Luck, who kicked off the first public hearing to investigate SingHealth's massive data breach, said the attacker then moved laterally in the network from December last year to May this year.

"He made use of malware planted in one of the initially infected workstations to gain remote access to and control of that workstation, and then used commands to distribute malware to infect other computers," said Mr Kwek.

The ultimate target was to reach SingHealth's electronic medical records (EMR) system, a critical information infrastructure (CII) in Singapore.

From May to June this year, the attacker exploited an inactive administrator account to remotely log into a server containing the EMR records. The server should have been decommissioned but was not.

The Cyber Security Agency (CSA), which investigated the attack, also found one administrator account to have contained a weak password, which could be easily decrypted.

Mr Kwek has been designated by the Attorney-General to lead evidence in the inquiry into Singapore's worst cyber breach. The Attorney-General's Chambers has led evidence in past COI hearings, such as the probe into the riot in Little India in December 2013.

Mr Kwek added that the attacker used the compromised administrator accounts to steal more credentials, which were then used to access the database.

Data exfiltration, or the unauthorised transfer of sensitive data, took place between June 27 and July 4 this year and involved 1.5 million SingHealth patients.

The SingHealth attack also led to the leakage of outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

On July 4, the unauthorised data exfiltration attempts were terminated by Ms Katherine Tan, a database administrator at SingHealth's technology outsourcing vendor Integrated Health Information Systems (iHiS), an agency which runs the IT systems of public healthcare institutions.

She will be taking the witness stand on Friday morning in Court 5A of the Supreme Court.

Mr Lum Yuan Woh, assistant director (Infra Services - Systems Management), will also provide an account on Friday of what happened.

The proceedings following them are private, as information affecting national security is expected to be shared.

Mr Kwek said that inadequate situational awareness and response to red flags contributed to the data breach.

Specifically, iHiS staff became aware of unauthorised access attempts on SingHealth's network from mid-June this year. But they did not report the incidents to iHiS senior management until the night of July 9.

Subsequently, SingHealth, the Ministry of Health and CSA were informed on July 10.

CSA then looked into the SingHealth attack with support from the Criminal Investigation Department. Singaporeans were told about the breach on July 20.

"The evidence will show that, notwithstanding what the iHiS staff knew from mid-June 2018, they did not fully appreciate that multiple cyber security incidents culminating in a breach of the database were occurring," said Mr Kwek.

As a result, there was no timely reporting of the incident as required under CSA's National Cyber Incident Response Framework, which has been effective since Feb 2016 and requires CSA to be alerted within two hours.

Friday's COI hearing comes after the committee convened in private on July 24 to inquire into the events contributing to the breach. The first hearing by the high-level panel took place behind closed doors on Aug 28.

The committee, which is headed by former chief district judge Richard Magnus, is expected to shed light on what led to the data leak, and how the public healthcare sector can strengthen its responses and defences in future.

Other members are Mr Lee Fook Sun, executive chairman of cyber-security solutions firm Quann World; Mr T.K. Udairam, group chief operating officer of healthcare technology firm Sheares Healthcare Management; and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress.

Other witnesses expected to appear in Friday's hearing include:

- iHiS Director (Delivery Group) Ong Leong Seng

- CSA Director Dan Yock Hau

- CSA Deputy Director Douglas Mun

- Ex-employee of iHiS Zhao Hainan

- iHiS Group Chief Information Officer Benedict Tan

- iHiS CEO Bruce Liang

- iHiS Director CSG Chua Kim Chuan

- SingHealth Cluster Group CEO (Organisational Transformation and Informatics) Professor Kenneth Kwek

THE STRAITS TIMES
