SingHealth hacker's 'sophisticated' malware fooled even top anti-virus experts

Stanislaus Jude Chan
05/10/18, 05:41 pm

SINGAPORE (Oct 5): Malware used to penetrate Singapore Health Services’ patient database system in June was so sophisticated that it tricked even experts at a top anti-virus firm, Solicitor-General Kwek Mean Luck revealed today at a public hearing convened by the Committee of Inquiry (COI) into the SingHealth cyberattack.

According to Kwek, investigations by the Cyber Security Agency of Singapore (CSA) found that the hacker – who was described as “an advanced, sophisticated threat actor” – used a combination of customised malware and open-source tools that evaded anti-virus software and were difficult to detect.

When the malware sample was passed to a “leading anti-virus company” for analysis, the company initially indicated that the malware was benign, the Solicitor-General told the COI on Friday. The anti-virus firm was not identified.

It was only when CSA provided technical information on the malware to the anti-virus company that anti-virus signatures for the malware could be developed, Kwek added.

The COI also heard today that the attacker was stealthy and disciplined. After gaining initial entry to the SingHealth network in August 2017, he stayed dormant for four months, before starting his exploitation in December 2017.

According to CSA’s public incident response report, the hacker’s actions were “targeted and specific”.

“He avoided secondary targets that might have drawn attention to his presence. He was also careful and deliberate in erasing traces of his activities,” Kwek said, citing the report.

“The tools, techniques, and procedures, as well as some of the malware that the attacker used, fit the profile of an Advanced Persistent Threat (APT) group that CSA had previously encountered in other investigations,” the report added.

An APT refers to a class of sophisticated, usually state-linked, cyber attackers who conduct extended, carefully planned cyber campaigns to steal information or disrupt operations. However, no further details on the identity of the hacker were revealed, including whether he is indeed a state-sponsored actor, as has been widely speculated.

“From the evidence, it would appear to the COI, even at this stage, that the attacker had one and only one malicious intent – that of exfiltrating data from the crown jewels of the network, which is EMR (electronic medical records),” said COI chairman Richard Magnus.

Magnus added that, at this stage of the hearings, the COI is “inclined to accept the CSA’s assessment”.

In CSA’s assessment, there were three key factors that led to the cyberattack: that the attacker was a skilled and sophisticated threat actor, and used an advanced modus operandi to effectively overcome enterprise security measures implemented by Integrated Health Information Systems (IHiS), the IT arm of the Ministry of Health; that he exploited vulnerabilities in SingHealth's IT network; and that it is highly probable that he had exploited an existing coding vulnerability in the off-the-shelf Sunrise Clinical Manager (SCM) software solution from Allscript Healthcare Solutions.

The next tranche of the hearings will resume end-October, when the COI will hear from senior executives of IHiS and SingHealth, including IHiS’s director of cyber security governance Chua Kim Chuan, IHiS CEO Bruce Liang, SingHealth Group CEO Ivy Ng, SingHealth’s group chief information officer Benedict Tan, and SingHealth’s deputy group CEO Kenneth Kwek.

They will give evidence on areas including the cybersecurity measures in place at the time of the attack, IT governance frameworks, and steps taken to strengthen cybersecurity in the public healthcare sector.

The COI will also be hearing from CSA chief executive David Koh as well as the Ministry of Health and local and foreign cybersecurity experts on measures to enhance the incident response plans for similar incidents, and measures to reduce the risk of such cybersecurity attacks on public sector IT systems.

The SingHealth cyberattack resulted in the worst data breach in Singapore’s history. It involved the personal data of 1.5 million patients and outpatient prescription records of 160,000 people, including Prime Minister Lee Hsien Loong.
