On July 20th 2018, Singaporean authorities announced that the country's largest healthcare group, SingHealth, had been targeted by a major cyber-attack that resulted in a data breach affecting about 1.5 million patient records. PII for patients who visited SingHealth's specialist outpatient clinics and polyclinics between May 1st 2015 and July 4th 2018 was reportedly stolen in the cyber-attack. The affected records included name, NRIC number, address, gender, race and date of birth. About 160,000 of these patients also had their outpatient prescription records stolen [1].
The data theft reportedly took place from June 27th 2018 until July 4th 2018, when database administrators from Integrated Health Information Systems (IHIS) detected unusual activity on one of SingHealth's IT databases. The media reported that initial investigations indicated one front-end workstation was infected with malware first; the attackers then used this workstation as a base to move laterally through the network until they gained access to the target database [7].
The Singapore authorities described the cyber-attack as "deliberate, targeted and well-planned", and stated that the attackers specifically and repeatedly targeted Singapore Prime Minister Lee's personal health records, including medication prescription records [3]. No record was altered and healthcare services were not disrupted during the cyber-attack. Such low-impact tactics are consistent with nation-state APT activity; the attacker's intention was likely to maintain stealthy persistence for a long-term monitoring and data harvesting operation. That operation was cut short by the relatively rapid discovery of the attacker's activity.
Attribution of cyber-attacks is often challenging without corroboration from government intelligence partners. Based on SpiderLabs intelligence sources, we are aware of the use of a particular attack technique in the actor's TTPs. This technique is not widely used, and is favored mostly by advanced adversarial groups operating within a region in Asia.
Based on SpiderLabs intelligence sources, the actor behind the cyber-attack on SingHealth used publicly/commercially available attack tools. While this observation might appear to suggest the actor does not possess a high level of technical sophistication, this is not necessarily true. Sophisticated threat actors are known to use publicly available toolkits to facilitate their intrusions while reserving their highly customized toolkits for heavily-defended targets or for staying under the radar. The use of publicly/commercially available tools is also highly consistent with a few region-specific threat actor groups. Access to forensic data would be required to warrant a higher level of confidence in the attribution.
Based on SpiderLabs intelligence sources and the victims [3][4] targeted in this attack, SpiderLabs Threat Analysts assess with moderate confidence that the actor's intent is espionage in nature, carried out to support the strategic goal of intelligence collection. The actor could be pursuing patients' personally identifiable information (PII) to facilitate enhanced targeting and phishing email lure creation, and/or to assist their sponsors in intelligence collection, such as assessing the Singapore Prime Minister's state of health.
Based on SpiderLabs' dark web telemetry, the stolen SingHealth patient records had not been detected on the dark web at the time of this writing. SpiderLabs will, however, continue to monitor the dark web for their appearance. If the threat actor behind this attack is nation-state based and acting for the purposes of espionage, it is unlikely that the data will ever be publicly released on the dark web.
The cyber-attack on SingHealth is unprecedented for Singapore in terms of the volume of breached records, and is the most significant cyber incident reported to date in the history of Singapore. It underscores adversaries' interest in targeting the healthcare sector, which holds a significant amount of personally identifiable information (PII). PII has an intrinsic value in that it can be used to facilitate enhanced targeting and phishing email lure creation.
SpiderLabs assesses with moderate confidence that the cyber-attack on SingHealth is likely espionage in nature, with a focus on stealing PII and medical records of high-value targets. This assessment is based on SpiderLabs intelligence sources, which indicate a high level of sophistication in the methods leveraged in this cyber-attack, and on SpiderLabs' technical analysis of the SingHealth breach. A plausible scenario is that the actor intends to create a dossier of individuals for future social-engineering-based attacks, to assess the targets' state of physical health as part of tactical intelligence gathering operations, or to use private healthcare records to blackmail victims into providing confidential data to an adversarial foreign government.
Based on SpiderLabs intelligence, we assess with moderate confidence that the TTPs reported in the SingHealth breach are not normally associated with individual hackers or cyber-criminal gangs based in Asia Pacific. We believe this work was conducted by a nation-state sponsored intelligence organization to target High Value Targets (HVTs) in Singapore for future intelligence gathering and/or blackmail purposes. Further corroboration with intelligence partners and access to the forensic data are required to warrant a higher level of confidence in the attribution and intent of this data theft.
While we cannot assess the intent of this cyber-attack with high confidence without access to the forensic data, SpiderLabs expects cyber espionage threats targeting Singapore to escalate as the nation takes over as chair of the Association of Southeast Asian Nations (ASEAN) in 2018. With the upcoming ASEAN meetings [5] in 2H 2018, SpiderLabs Analysts assess with moderate confidence that cyber espionage threats to Singapore will remain high. SpiderLabs believes that cyber espionage actors are likely to conduct further espionage attacks against Singapore, as well as other ASEAN members, closer to the period of the high-level meetings.
Defenders should heighten their cyber posture during and after the period of July 30th 2018 to August 4th 2018, when the foreign ministers from ASEAN and their partners meet in Singapore to discuss regional and international issues [6].
Review and implement the security measures described in SingCERT's technical advisory on measures for protecting customers' personal data [7].
**SpiderLabs is continuing research into this incident and may post additional data in upcoming blogs as data becomes available.**
Singapore Prime Minister Lee Hsien Loong's statement on Facebook: