SingHealth cyber attack the work of group typically linked to foreign governments: S. Iswaran

SINGAPORE - The cyber attack in Singapore that led to the leak of 1.5 million SingHealth patients' personal data was the work of an "advanced persistent threat" group typically linked to foreign governments, Parliament heard on Monday (Aug 6).

Advanced persistent threats (APTs) are stealthy and continuous computer hacking processes to gain intelligence or steal information.

"This refers to a class of sophisticated cyber attackers, typically state-linked, who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations," said Minister for Communications and Information S. Iswaran in response to a record 19 questions filed by MPs, the highest in this term of Parliament on a single issue.

"The APT group that attacked SingHealth was persistent in its efforts to penetrate and anchor itself in the network, bypass the security measures, and illegally access and exfiltrate data," said Mr Iswaran, who is also Minister-in-charge of Cyber Security.

"The attack fits the profile of certain known APT groups, but for national security reasons we will not be making any specific public attribution," said Mr Iswaran.

The Government had previously said the attack was "deliberate, targeted and well-planned". It had ruled out casual hackers and criminal gangs but refused to be drawn on who might be behind it.

Speaking in Parliament, Mr Iswaran said he has already convened a Committee of Inquiry to get to the bottom of what went wrong. Lessons will be drawn from the incident to strengthen the safeguards of Singapore's critical information infrastructure (CII) including those in healthcare, banking, land transport and telecommunications.

On Friday (Aug 3), 11 critical services sectors in Singapore were told to review their cyber security readiness, even as the Government lifted the pause on new Smart Nation projects that was imposed after the recent data breach at SingHealth.

Health Minister Gan Kim Yong noted that many healthcare systems in other countries have found it difficult to implement Internet surfing separation for practical and operational reasons.

Specifically, they were instructed to strengthen the security around their network connectivity gateways to prevent data leakage.

ALSO READ: SingHealth cyber attack: Some patients receive SMSes addressed to others

Mr Iswaran said that the Cyber Security Agency's (CSA) forensic investigations team has extracted the "indicators of compromise", or pieces of forensic data used to identify malicious activity on a network, from the infected computers.

"CSA then instructed owners and regulators of CII to scan for these indicators, and advised on possible measures to mitigate a similar incident," he added.

The 11 sectors that are affected are aviation, healthcare, land transport, maritime, media, security and emergency, water, banking and finance, energy, infocomm and the Government itself.

Of the compromised database of 1.5 million SingHealth patients, 160,000 patients had their prescription data stolen, including Prime Minister Lee Hsien Loong, who was the primary target of the hackers.

Workers' Party MP Low Thia Khiang asked for the identity of the state and hacker group behind the attack, saying: "I'll take it that it is not a normal kind of cyber attack and Singapore is being targeted by another state and thereby this attack is state-linked."

But Mr Iswaran would not elaborate, saying: "We don't think it serves our national interests, nor is it a productive exercise for us to be making specific public attribution... specific attribution can be made in a manner where action can subsequently be taken up in a court of law, we will certainly consider that course of action."

There is heightened interest in the cyber attack, said Ms Joan Pereira (Tanjong Pagar GRC), because it came after the Wannacry ransomware attack last year, which affected hundreds of thousands of computers worldwide.

Questions from MPs include whether the culprit will be taken to task, and how the Government plans to restore public confidence in the Smart Nation project following such an attack.

Attacks by hackers on National University of Singapore and Nanyang Technological University, discovered in April last year (2017), were also performed by APT groups aimed at stealing government and research data.

NTU and NUS are involved in government-linked projects for the defence, foreign affairs and transport sectors.

This article was first published in The Straits Times. Permission required for reproduction.