SINGAPORE: The cyberattack on SingHealth’s IT database in June, which resulted in the most serious breach of personal data in Singapore’s history, was “the work of an advanced persistent threat (APT) group” that are “usually state-linked”, said Minister for Communications and Information S Iswaran on Monday (Aug 6).

Mr Iswaran, delivering his ministerial statement on the incident in Parliament, said the Cyber Security Agency of Singapore (CSA) has done a detailed analysis of the cyberattack and determined that it was carried out by an APT group, a term for a class of sophisticated attackers who conduct extended, carefully planned cyber campaigns to steal information or disrupt operations.





The SingHealth incident is not the only APT attack Singapore has seen, the minister said, pointing to the 2017 attack on the National University of Singapore (NUS) and Nanyang Technological University (NTU).

Internationally, APT groups have also hacked the United States (US) Democratic National Committee in 2016 and the US Office of Personnel Management (OPM) in 2014, which resulted in more than 20 million personnel records being stolen.

Mr Iswaran said the SingHealth cyber attacker had used advanced and sophisticated tools, including customised malware that was able to evade the healthcare provider’s antivirus software and security tools. Once they got into the system, they took steps to remain in the system undetected before stealing patients’ information, which included that of Prime Minister Lee Hsien Loong.



“The attack fits the profile of certain known APT groups, but for national security reasons, we will not be making any specific public attribution,” the minister said.

Cybersecurity experts had earlier made similar observations, with FireEye’s Asia Pacific president Eric Hoh saying the attack was an APT and that the nature of such attacks is that they are conducted by nation states using very advanced tools. He added that the fact that the perpetrator carried on trying to access SingHealth’s network even after detection is the “typical signature” of a nation-state actor.



The minister said the Government has taken additional measures to strengthen cybersecurity defences.

He said CSA's forensic investigation team has analysed the compromised computers in the SingHealth incident and extracted indicators of compromise, which are pieces of data used to identify malicious activity on a network. The agency then instructed owners and regulators of critical information infrastructure (CII) to scan for such indicators and advised on possible measures to mitigate a similar incident.



It had also instructed the 11 key sectors to strengthen the security around their networks, the minister added.

Mr Iswaran said the Cybersecurity Act passed in Parliament this February gives the Government "additional levers" to strengthen the protection of such CIIs against cyberattacks, and CSA is currently implementing the provisions of the law. It will designate all CIIs by the end of this year, he said.

COI HAS STARTED WORK

Mr Iswaran also gave an update on the Committee of Inquiry (COI), which he had appointed on Jul 24 and charged to establish the events and contributing factors leading to the cyberattack and the incident response. The COI is headed by Mr Richard Magnus, formerly chief district judge, and includes Mr Lee Fook Sun, Mr T K Udairam and Ms Cham Hui Fong.

He said the committee has started its work, including holding preparatory meetings, and will “soon” hold its first pre-inquiry conference. The minister added the Attorney-General’s Chambers will lead evidence and CSA will lead a team to conduct the investigations.

The COI will conduct inquiry hearings after receiving CSA’s report, he said, adding the committee will decide which parts of the hearings can be held in public as some aspects of the inquiry will have “security implications”.

The minister acknowledged that some Members of Parliament have asked whether the SingHealth cyberattack could have been prevented and what lessons have been learned, but called on their understanding to allow the committee to conduct a thorough investigation without pre-empting its findings.

The committee’s report is expected by Dec 31 this year, he added.



NO PUBLIC ATTRIBUTION, YET

Following the ministerial statements from Mr Iswaran and Health Minister Gan Kim Yong, Workers' Party MP Low Thia Khiang asked if the Government knew who is behind the SingHealth attack and whether it is willing to share the information with Singaporeans.

He also asked whether the Government could reveal the name of the hacker group, where the attack was launched, and the location of the overseas servers to which the patient records were sent.







To these questions, Mr Iswaran reiterated that the attack fits the profile of certain known APT groups, but said the Government will not be publicly naming them because of national security concerns.

He added that in these matters, "whilst one can have a high level of confidence, one may not be able to have the certainty that you might need in order to specifically assign responsibility" and the evidence may not stand up in a court of law.

The agencies involved do, however, have a "high level of confidence" about who is behind the hack, he added.

"Having said that, we don't think it serves our national interest nor is it a productive exercise for us to be making specific public attribution," the minister said.

"What is essential is that we diagnose the problem clearly, and take the appropriate steps and, if in the process of the COI specific attribution can be made in a manner where action can be subsequently taken up in the court of law, we will certainly consider that course of action."