SingHealth Data Breach – An Analytical Perspective

Executive Summary

  • On July 20th 2018, the Singapore authorities announced1 that Singapore's largest healthcare group SingHealth was targeted by a major cyber-attack, resulting in a breach which affected about 1.5 million patients' records. The breach was described as unprecedented in scale and the most serious breach of personal data in the history of Singapore2.
  • The data theft occurred from June 27th 2018 until it was discovered on July 4th 2018 by database administrators from Integrated Health Information Systems (IHiS) whom detected unusual activity on one of SingHealth's IT databases. Further malicious activities were detected with heightened monitoring.
  • This breach affects PII data for patients that visited SingHealth's specialist outpatient clinics and polyclinics from May 1st 2015 to July 4th The stolen records included patient's name, address, gender, race, date of birth and National Registration Identity Card (NRIC) number. The medical prescription records of 160,000 patients were also stolen1.
  • The cyber-attack was reported as deliberate, well-planned, and targeted Singapore's Prime Minister's medical records repeatedly3. Based on SpiderLabs intelligence sources, the Tactics, Techniques and Procedures (TTPs) used in this attack, as well as the persistent targeting suggest a likely association with an advanced adversary operation, in support of the threat actor's tactical and strategic goals.
  • Pending further corroborations with intelligence partners or access to the forensic data, SpiderLabs assess with moderate confidence at this point that the threat group behind the cyber-attack on SingHealth is linked with what is known Advanced Persistent Threats (APT). The assessment is based on the inferred5 TTPs used in the attack.
  • While SpiderLabs cannot fully assess the intent behind this cyber-attack without access to the forensic data, we believe an escalation of cyber espionage threats targeting Singapore is expected as the nation takes over as the chair of the Association of Southeast Asian Nations (ASEAN) in 2018. Espionage groups have historically targeted intergovernmental organizations in support of both tactical and strategic intelligence gathering.
  • More broadly, SpiderLabs assess with high confidence that cyber espionage activities are almost certain to continue to pose a long-term and significant threat to both public and private organizations in Singapore. The adversaries will continue to conduct espionage activities against Singapore with intelligence gathering operations in support of their strategic goals.

Background

On July 20th 2018, Singaporean authorities announced that the country's largest healthcare group, SingHealth, was targeted by a major cyber-attack which resulted in a data breach that affected about 1.5 million patients' records. PII data for patients that visited SingHealth's specialist outpatient clinics and polyclinics between the periods of May 1st 2015 to July 4th 2018 was reportedly stolen in the cyber-attack. The affected records included name, NRIC number, address, gender, race and date of birth. About 160,000 of these patients also had their outpatient prescriptions records stolen1.

The data theft reportedly took place from June 27th, 2018 until July 04th, 2018 where database administrators from Integrated Health Information Systems (IHIS) detected unusual activity on one of SingHealth's IT databases. The media reported that initial investigations indicated one front-end workstation was infected with malware first, the attackers used this workstation as a base to move laterally throughout the network until they gained access to the target database7.

The Singapore authorities described the cyber-attack as "deliberate, targeted and well-planned" where the attackers specifically and repeatedly targeted Singapore Prime Minister Lee's personal health records including medication prescription records3. No record was altered and healthcare services were not disrupted during the cyber-attack. Low-impact tactics are consistent with nation-state APT activity; the attacker's intention was likely to maintain stealthy persistence for a long-term monitoring and data harvesting operation. This motive was disrupted by the relatively rapid discovery of the attacker activity.

Who is behind this Attack?

Attribution of cyber-attacks is often challenging without corroborations from government intelligence partners. Based on SpiderLabs Intelligence sources, we are aware of the use of an attack technique in the actor's TTPs. This technique is not widely used, and is favored by advanced adversarial groups mostly which operates within a region in Asia.

Based on SpiderLabs intelligence sources, the actor behind the cyber-attack on SingHealth has used publicly/commercially available attack tools. While this observation appears to suggest the actor does not possess a high level of technical sophistication, this is not necessarily true. Sophisticated threat actors are known to use publicly available toolkits to facilitate their intrusions while retaining the use of highly customized toolkits for either heavily-defended targets or to stay under the radar. The use of publicly/commercial tools is also highly consistent with a few regional specific threat actor groups. Access to forensic data would be required to warrant a higher level of confidence on the attribution.

What is the Intention of the Attacker?

Based on SpiderLabs intelligence sources, and the victims [3][4] targeted in this attack, SpiderLabs Threat Analysts assessed with moderate confidence that the actor's intent is espionage in nature, carried out to support the strategic goals of intelligence collection. The actor could be pursing patient's personally identifiable information (PII), to facilitate enhanced targeting and phishing email lure creation, and/or assist their sponsors on intelligence collection such as assessing the Singapore Prime Minister's state of health.

Are the stolen healthcare records found in the dark web?

Based on SpiderLabs' telemetry on the dark web, the stolen SingHealth patient records have not been detected on the dark web at the time of this writing. SpiderLabs will however continue to monitor the dark web for the presence of such. If the threat actor behind this attack is nation-state based and for the purposes of espionage, it is unlikely that the data will ever be publicly released in the dark web.

Conclusions and Outlook

The cyber-attack on SingHealth is unprecedented for Singapore in terms of the volume of breached records, and is the most significant cyber incident reported to date in the history of Singapore. It underscores the adversary's interests in targeting the healthcare sector which carries a significant amount of personally identifiable information (PII). PII holds an intrinsic value which potentially can be used for facilitating enhanced targeting and phishing email lure creation.

SpiderLabs assess with moderate confidence that the cyber-attack on SingHealth is likely espionage in nature with a focus on stealing PII and medical records on high-value targets. This assessment is based on SpiderLabs intelligence sources which indicates a high sophistication level of methods leveraged in that cyber-attack, and SpiderLabs's technical analysis on SingHealth breach. A plausible scenario here is that the actor intends to create a dossier of individuals for future social engineering based attacks, and also to assess the targets' state of physical health as part of tactical intelligence gathering operations or to utilize private healthcare records to blackmail victims and convince them to provide confidential data to an adversarial foreign government.

Based on SpiderLabs intelligence, we assessed with moderate confidence that the TTPs reported in the SingHealth breach are not normally associated with individual hackers or cyber-criminal gangs based in Asia Pacific. We believe this work was conducted by a nation-state sponsored intelligence organization, to target High Value Targets (HVTs) in Singapore for future intelligence gathering and/or blackmail purposes. Further corroboration with intelligence partners and access to the forensic data is required to warrant a higher level of confidence on the attribution and intent of this data theft.

While we cannot assess with high confidence on the intent of this cyber-attack without access to the forensic data, SpiderLabs believes the escalation of cyber espionage threats targeting Singapore is expected as the nation takes over as the chair of the Association of Southeast Asian Nations (ASEAN) in 2018. With the upcoming ASEAN meetings5 in 2H 2018, SpiderLabs Analysts assess with moderate confidence that cyber espionage threats to Singapore will continue to remain high. SpiderLabs believe that cyber espionage actors are likely to conduct further espionage attacks against Singapore as well as members of the ASEAN closer to the period of the high level meetings.

Recommendations

Defenders should heighten their cyber posture during and after the period of July 30th 2018 to August 4th 2018 when the foreign ministers from ASEAN and their partners meet in Singapore to discuss regional and international issues6.

Review and implement the security measures described in the SingCERT's technical advisory on measures for protecting customers' personal data7.

**SpiderLabs is continuing research into this incident and may post additional data in upcoming blogs as data becomes available.**

References

  1. https://www.moh.gov.sg/content/moh_web/home/pressRoom/pressRoomItemRelease/2018/singhealth-s-it-system-target-of-cyberattack.html
  2. https://www.channelnewsasia.com/news/singapore/singhealth-health-system-hit-serious-cyberattack-pm-lee-target-10548318
  3. https://www.facebook.com/leehsienloong/posts/1957979740931389
  4. https://www.straitstimes.com/singapore/health/singhealth-data-breach-esm-goh-chok-tong-says-his-personal-data-was-stolen
  5. https://www.straitstimes.com/singapore/method-of-attack-showed-high-level-of-sophistication
  6. https://www.asean2018.sg/Calendar/Events
  7. https://www.csa.gov.sg/singcert/news/advisories-alerts/measures-for-protecting-customers-personal-data

Appendix

Singapore Prime Minister Lee Hsien Loong statement in Facebook:

Footer

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.