FacebookTwitterLinkedIn

Singapore suffers major Healthcare Data Breach

On July 20, Singapore officials announced that hackers managed to steal the health records of 1.5 million Singaporeans including Prime Minister Lee Hsien Loong. Since authorities revealed the breach there have been a number of developments into who may have been behind the attack and how the attack was perpetrated. The article which follows summarises these developments in an attempt to make sense of the entire affair. AFP initially reported that the initial analysis was done by Singapore's Cyber Security Agency “indicates this is a deliberate, targeted, and well-planned cyber-attack and not the work of casual hackers or criminal gangs,” No one was directly attributed to the attack and officials declined to comment on whom they believed to be responsible. “Operational security,” was the reason given for the no comment approach. Officials did, however, confirm that the prime minister's data has not shown up anywhere on the internet.

The prime minister took to Facebook in an attempt to alleviate some fears. In a statement, he made on the social media platform the prime minister said that:

“I don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me…My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it…those trying to break into our data systems are extremely skilled and determined. They have huge resources, and never give up trying.”

While much of what happened will not be revealed to the public what was revealed was that the hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted “unusual activity.” The compromised data includes personal information and medication dispensed to patients, but medical records and clinical notes have not been affected, the health and communications ministries said in response to the hack.

 singapore healthcare data breach

Up until the hack Singapore had adopted various policies in an attempt to digitize government records and essential services, including medical records which public hospitals and clinics can share via a centralized database. Once the hack was revealed to the public authorities suspended many of these policies until the investigation into the breach has been concluded. The government has gone so far as to appoint a former judge to head a committee responsible for looking into the incident. While the city-state has some of the most advanced military weaponry in the region, the government says it fends off thousands of cyber attacks every day and has long warned of breaches by actors as varied as high-school students in their basements to nation-states.

Experts believe it be the work of a State-Actor

Three days after authorities revealed information about the hack AFP published another article which dealt with expert opinion surrounding the hack. According to the article, many of the experts asked believed the hack to be the work of a state-actor. Two of the main reasons for this view was the sheer complexity of the attack and its focus on high-profile targets like the prime minister pointed to the hand of a state-actor. One of the experts cited in the article was Eric Hoh, the Asia-Pacific president of cybersecurity firm FireEye, who said that, “A cyber espionage threat actor could leverage disclosure of sensitive health information... to coerce an individual in (a) position of interest to conduct espionage.” Further, he is of the opinion that the hackers should be qualified under the advanced persistent threat definition as these groups tend to be well resourced, well-funded and highly sophisticated. This conclusion could be inferred based on the sophisticated tools that would be required to carry out such an attack.

Targeting healthcare systems in order to steal data may also be an indication that an advanced persistent threat (APT). Information such as outpatient, or inpatient records, could be leveraged to make blackmail a possibility. While information regarding those considered to be of the regular populace would be of little use, information regarding a prime minister would be seen as far more valuable. Thus making extortion a possibility. This is further a likely scenario when one sees how difficult it attributes such attacks let alone hold anybody responsible via a justice system.

The breach may have involved a Contractor

Trustwave, a security firm monitoring the incident, published a report on July 24. In it, researchers discussed the possibility of the attack involving a contractor. Researchers pointed to a few bits on information which may prove this. The first bit concerns a delegation request made on the targeted system. This request was set for June 9 - 17 and it could mean that the attacker had hijacked the contractor’s user account and leveraged it to manipulate the targeted database. These dates show that the hackers may have conducted at least some reconnaissance activities weeks earlier than what Singapore officials reported.  

The log file also shows that the target was a database named “portaldev”. This led researchers to perceive that the development environment server was not as well protected as the production server and therefore was an easier target. Further, it was also discovered that a series of SQL queries were made, targeting medical data, uploaded to Pastebin on June 15. These queries suggest that whoever executed them was looking for sensitive information. Trustwave explained that while it was possible that the files were uploaded to Pastebin by developers working on the database, they may have also been posted by the attacker, possibly to share code with collaborators for troubleshooting purposes or for numerous other reasons.

All this combined led researchers to conclude:

“While we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window is highly suspicious,”

And

“SpiderLabs believes the escalation of cyber espionage threats targeting Singapore is expected as the nation takes over as the chair of the Association of Southeast Asian Nations (ASEAN) in 2018. With the upcoming ASEAN meetings5 in 2H 2018, SpiderLabs Analysts assess with moderate confidence that cyber espionage threats to Singapore will continue to remain high. SpiderLabs believe that cyber espionage actors are likely to conduct further espionage attacks against Singapore as well as members of the ASEAN closer to the period of the high-level meetings.”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal