SINGAPORE (Oct 5): Malware used to penetrate Singapore Health Services’ patient database system in June was so sophisticated that it tricked even experts at a top anti-virus firm, Solicitor-General Kwek Mean Luck revealed today at a public hearing convened by the Committee of Inquiry (COI) into the SingHealth cyberattack.

According to Kwek, investigations by the Cyber Security Agency of Singapore (CSA) found that the hacker – who was described as “an advanced, sophisticated threat actor” – used a combination of customised malware and open-source tools that evaded anti-virus software and were difficult to detect.

When the malware sample was passed to a “leading anti-virus company” for analysis, the company initially indicated that the malware was benign, the Solicitor-General told the COI on Friday. The anti-virus firm was not identified.

It was only when CSA provided technical information on the malware to the anti-virus company that anti-virus signatures for the malware could be developed, Kwek added.

The COI also heard today that the attacker was stealthy and disciplined. After gaining initial entry to the SingHealth network in August 2017, he stayed dormant for four months, before starting his exploitation in December 2017.

According to CSA’s public incident response report, the hacker’s actions were “targeted and specific”.

“He avoided secondary targets that might have drawn attention to his presence. He was also careful and deliberate in erasing traces of his activities,” Kwek said, citing the report.

“The tools, techniques, and procedures, as well as some of the malware that the attacker used, fit the profile of an Advanced Persistent Threat (APT) group that CSA had previously encountered in other investigations,” the report added.

An APT refers to a class of sophisticated, usually state-linked, cyber attackers who conduct extended, carefully planned cyber campaigns to steal information or disrupt operations. However, no further details on the identity of the hacker was revealed, including whether he is indeed a state-sponsored actor as has been widely speculated.

“From the evidence, it would appear to the COI, even at this stage, that the attacker had one and only one malicious intent – that of exfiltrating data from the crown jewels of the network, which is EMR (electronic medical records),” said COI chairman Richard Magnus.

Magnus added that, at this stage of the hearings, the COI is “inclined to accept the CSA’s assessment”.

In CSA’s assessment, there were three key factors that led to the cyberattack: that the attacker was a skilled and sophisticated threat actor, and used an advanced modus operandi to effectively overcome enterprise security measures implemented by Integrated Health Information Systems (IHiS), the IT arm of the Ministry of Health; that he exploited vulnerabilities in SingHealth's IT network; and that it is highly probable that he had exploited an existing coding vulnerability in the off-the-shelf Sunrise Clinical Manager (SCM) software solution from Allscript Healthcare Solutions.

The next tranche of the hearings will resume end-October, when the COI will hear from senior executives of IHiS and SingHealth, including IHiS’s director of cyber security governance Chua Kim Chuan, IHiS CEO Bruce Liang, SingHealth Group CEO Ivy Ng, SingHealth’s group chief information officer Benedict Tan, and SingHealth’s deputy group CEO Kenneth Kwek.

They will give evidence on areas including the cybersecurity measures in place at the time of the attack, IT governance frameworks, and steps taken to strengthen cybersecurity in the public healthcare sector.

The COI will also be hearing from CSA chief executive David Koh as well as the Ministry of Health and local and foreign cybersecurity experts on measures to enhance the incident response plans for similar incidents, and measures to reduce the risk of such cybersecurity attacks on public sector IT systems.

The SingHealth cyberattack resulted in the worst data breach in Singapore’s history. It involved the personal data of 1.5 million patients and outpatient prescription records of 160,000 people, including Prime Minister Lee Hsien Loong.

Subscribers may read more about the “culture of complacency” that is plaguing Singapore's battle against cyberattacks, in The Edge Singapore this week (Issue 851, week of Oct 8) which is available at newsstands now.

Or subscribe here.