The Committee of Inquiry hearings into the SingHealth cyberattacks were held from 21 September till 5 October 2018. PHOTO: Nicholas Yong/Yahoo News Singapore

A “uniquely tailored” malware used by the attacker behind the SingHealth cyberattack was so sophisticated that a leading anti-virus (AV) company could not immediately tell that it was malicious, a Committee of Inquiry (COI) was told on Friday (5 October).

In a public incident response report by a team from the Cyber Security Agency (CSA), it was noted that, during investigations into the incident, a malware sample given to the AV company was initially thought by the latter to be benign.

“It was only when CSA provided technical information on the malware to the AV company that AV signatures for the (neutralisation of the) malware could be developed,” said the report. The name of the company was not revealed during the hearing.

On the final day of the first tranche of hearings into Singapore’s largest ever cyberattack, much was made of “the skilled and sophisticated threat actor” behind the attack, which took place between 27 June and 4 July.

The personal particulars of 1,495,364 unique patients – including that of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database. The data comprises the patients’ demographic records and the dispensed medication records of about 159,000 of them. “The amount of data compromised is unprecedented in Singapore,” said the CSA report.

The attacker was “skilful and disciplined”, establishing “multiple footholds” for re-entry to the system and remaining dormant after initially breaching the system in August 2017. He only began moving laterally in the system in order to gain access to the database four months later.

The CSA report noted that the attacker’s modus operandi and techniques “fit the profile of an Advanced Persistent Threat group that CSA has previously encountered in other investigations”. Authorities have thus far declined to reveal the identity of the attacker.

However, CSA said that forensic investigations have uncovered signs of call-backs to an overseas command and control server. The dispensed medication records that were stolen were also copied out to servers hosted overseas.

Three key factors in the cyberattack

Besides the prowess of the attacker, the CSA noted that two other key factors contributed to the breach. Firstly, the attacker exploited vulnerabilities in the SingHealth network.

For example, there were dormant administrative accounts that were not disabled, allowing the attacker to activate and use them to log in to SingHealth servers. Investigations also showed that the password to one of the local administrator accounts was “P@ssw0rd”.

Secondly, the attacker also exploited an existing coding vulnerability in the off-the-shelf Allscripts Sunrise Clinical Manager software. This enabled him to go the last mile and log in to the SingHealth database.

In an earlier hearing, the COI was told that a former employee of the Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector, had highlighted this vulnerability to IHiS management in 2014. The employee, Zhao Hainan, was dismissed for alerting a rival vendor to it, but the flaw remained.

The CSA concluded, “The impact could have been worse. CSA’s assessment is that IHiS managed to detect and stop the attacker before he could do more damage.”

In the wake of the attack, CSA and IHiS put in place several measures to counter the immediate threat. For example, the KRBTGT account – a master key account that encrypts all other authentication tokens – was reset twice in succession. This was to invalidate any existing full-access authentication tokens that the attacker might have.

On 19 July, after suspicious activity was again detected in the SingHealth network, a temporary measure for cutting Internet access from work computers was implemented the following day.

The COI continues

Retired chief district judge Richard Magnus, who is chairing the COI, told the hearing that the committee was “inclined to accept” the CSA’s assessment of the three factors that led to the attack.

“From the evidence, it would appear to the COI, even at this stage, that the attacker had one and only one malicious intent, and that of exfiltrating data from the crown jewels of the network, which is the Electronic Medical Records,” said Magnus.

The COI hearings resume in late October, when senior executives from IHiS and SingHealth will give testimony. They include IHiS CEO Bruce Liang, and SingHealth’s Group Chief Information Officer Benedict Tan and its Deputy Group CEO Professor Kenneth Kwek.