SingHealth AddOn Flashcards
From 26 June 2018, the attacker began querying the database from
Citrix Server 2 using the A.A. account.
The attacker ran three types of SQL queries:
- (i) reconnaissance on the schema of the SCM database,
- (ii) direct queries relating to particular individuals, and
- (iii) bulk queries on patients in general.
The attacker was able to retrieve the following information from the
SQL queries:
- (a) The Prime Minister's personal and outpatient medication data;
- (b) The demographic records of 1,495,364 patients, including their
names, NRIC numbers, addresses, gender, race, and dates of birth;
- (c) The outpatient dispensed medication records of about 159,000 of
the 1,495,364 patients mentioned in sub-paragraph (b) above.
• The copying and exfiltration of data from the SCM database was
stopped on 4 July 2018, after staff from IHiS discovered the unusual
queries and took steps to prevent any similar queries from being run
against the SCM database.
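The three query types listed above (schema reconnaissance, lookups on named individuals, bulk extraction) are the patterns that monitoring at the SCM database layer could have surfaced well before 4 July. The script below is an added example written for this page, not code from the COI report or from any IHiS system. It classifies constructed SQL audit-log records into those three categories and additionally flags statements arriving from a source host that is not on an allowlist, which is the Citrix-to-database path the report identifies as an unnecessary open connection. The log format, login names, host names, table and column names, the NRIC pattern and the 10,000-row bulk threshold are all assumptions made for illustration.

```python
"""
Constructed example (not from the COI report or IHiS): classify SQL audit
records into schema reconnaissance, targeted lookups and bulk extraction,
and flag queries from hosts that should not reach the database directly.
"""
import re
from dataclasses import dataclass

# Hypothetical audit-log format: "<timestamp>|<login>|<source host>|<rows returned>|<sql>"
# Records are constructed for this example; they are not real SCM audit data.
SAMPLE_LOG = """\
2018-06-26T10:02:11|svc_report|APPSRV01|120|SELECT visit_id, drug_code FROM dispensed_meds WHERE visit_date = '2018-06-25'
2018-06-26T11:40:03|a.a|CITRIX2|540|SELECT table_name, column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name LIKE '%patient%'
2018-06-26T11:41:27|a.a|CITRIX2|1|SELECT * FROM patient WHERE nric = 'S1234567A'
2018-06-27T02:15:44|a.a|CITRIX2|250000|SELECT name, nric, address, gender, race, dob FROM patient
2018-06-27T02:30:09|a.a|CITRIX2|50000|SELECT p.nric, d.drug_code FROM patient p JOIN dispensed_meds d ON p.patient_id = d.patient_id WHERE p.patient_id BETWEEN 1 AND 50000
"""

# Assumed policy (illustrative values): hosts permitted to query the database
# directly, tables that hold patient data, and the row count above which a
# single SELECT is treated as bulk extraction.
ALLOWED_HOSTS = {"APPSRV01"}
PATIENT_TABLES = {"patient", "dispensed_meds"}
BULK_ROW_THRESHOLD = 10_000

# Catalog objects an attacker enumerates when mapping an unfamiliar schema.
CATALOG_RE = re.compile(
    r"\b(information_schema\.|sys\.(tables|columns|objects)|sysobjects|syscolumns|sp_help\b)",
    re.I,
)
# Singapore NRIC/FIN shape (assumed identifier format used for targeted lookups).
NRIC_RE = re.compile(r"\b[STFG]\d{7}[A-Z]\b")
# Table names following FROM / JOIN.
FROM_RE = re.compile(r"\b(?:from|join)\s+([a-z_][a-z0-9_]*)", re.I)


@dataclass
class Finding:
    ts: str
    login: str
    src_host: str
    kind: str  # schema_recon | targeted_lookup | bulk_extract | unexpected_host
    sql: str


def tables_in(sql: str) -> set:
    """Lower-cased table names referenced after FROM or JOIN."""
    return {m.group(1).lower() for m in FROM_RE.finditer(sql)}


def classify(sql: str, rows: int) -> list:
    """Return the query types a statement matches; one statement may match several."""
    kinds = []
    if CATALOG_RE.search(sql):
        kinds.append("schema_recon")
    if tables_in(sql) & PATIENT_TABLES:
        # A literal identifier in the predicate points at one named person.
        if NRIC_RE.search(sql) or re.search(r"\bpatient_id\s*=\s*\d+", sql, re.I):
            kinds.append("targeted_lookup")
        # No predicate at all, or a very large result set, reads as bulk extraction.
        if rows >= BULK_ROW_THRESHOLD or not re.search(r"\bwhere\b", sql, re.I):
            kinds.append("bulk_extract")
    return kinds


def scan(log_text: str) -> list:
    """Parse audit records and emit one Finding per rule that fires."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, login, host, rows, sql = line.split("|", 4)
        rows = int(rows)
        if host not in ALLOWED_HOSTS:
            findings.append(Finding(ts, login, host, "unexpected_host", sql))
        for kind in classify(sql, rows):
            findings.append(Finding(ts, login, host, kind, sql))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.login}@{f.src_host} {f.kind}: {f.sql[:60]}")
```

On the constructed records the legitimate reporting query from the allowed host produces no finding, while every statement from the Citrix host is flagged at least for its source, and the reconnaissance, single-NRIC and full-table statements are each tagged with the matching category. In practice the source-host rule is the cheapest one to deploy, since it only needs the connection metadata the database already logs, and it is the one that the open Citrix-to-SCM path would have tripped on its first query.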
Although no data queries to the SCM database or exfiltration of patient
records were detected after 4 July 2018, there was malicious activity in
the SingHealth network on 18 and 19 July 2018, which suggested that:
• the attacker was trying to establish a fresh pathway into the network;
and
• the attacker had established multiple footholds in the network and
had re-entered the network through one of these hitherto unknown
footholds
On 18 July 2018, phishing emails were sent to a number of recipients in
various SingHealth institutions.
• One of the recipients of the email was the user of a previously
infected workstation – the PHI 1 Workstation.
• The email contained content similar to the publicly available hacking
tool mentioned earlier, and would run automatically when the mail was
previewed or read.
• It was also configured to trigger callbacks to a C2 (command-and-control)
server.
• After detection of malware on and communications from the S.P. server,
CSA recommended that internet surfing separation should be
implemented, to prevent the attacker from exercising command and
control over any remaining footholds it may have in the network.
• Internet surfing separation was implemented on 20 July 2018.
• No further signs of malicious activity were detected thereafter
CONTRIBUTING FACTORS LEADING TO THE CYBER ATTACK
1. Network connections between the SGH Citrix servers & SCM database were allowed
2. Lack of monitoring at the SCM database for unusual queries and access
3. SGH Citrix servers were not adequately secured against unauthorised access
4. Weak controls over and inadequate monitoring of local administrator accounts
5. Lack of sight over and mismanagement of the S.A. service account
6. Internet connectivity in the SingHealth IT network increased the attack surface
7. Versions of Outlook used by IHiS were not patched against a publicly available hacking tool
8. Coding vulnerability in the SCM application
r1
An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions
r2
The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats
r3
Staff awareness on cybersecurity must be improved, to enhance capacity to prevent, detect and respond to security incidents
r4
Enhanced security checks must be performed, especially on CII systems
r5
Privileged admin accounts must be subject to tighter control and greater monitoring
r6
Incident response processes must be improved for more effective response to cyber attacks
r7
Partnerships between industry and government must be strengthened to achieve a higher level of collective security
Network connections between the SGH Citrix
servers & SCM database were allowed
1
• The network connection was a critical pathway to the SCM database,
over which the attacker was able to make SQL queries to and retrieve
data from the SCM database.
• But for this open network connection, the SCM database was
adequately protected within the H-Cloud perimeter defences, and the
attacker would not have been able to access the SCM database as
easily.
• This open connection was not necessary; it existed mainly for the
convenience of administering the database.
Network connections between the SGH Citrix
servers & SCM database were allowed
2
• A basic security review of the network architecture and connectivity
between the SGH Citrix servers and the SCM database could have
shown that the open network connection created a security
vulnerability.
• However, no such review was carried out.