SingHealth Data Breach Flashcards
What are the key events of the cyber attack?
1) Attacker infected front-end workstations using phishing attacks
2) Lay low for 4 months, then moved laterally across the network to compromise endpoints and servers (including the Citrix servers) and user and admin accounts
3) Used those accounts to access the SGH Citrix servers
4) Queried the SCM (Sunrise Clinical Manager) database through the Citrix servers, stealing and exfiltrating patient records
What are the 5 key findings?
1) IHiS staff did not have adequate levels of cybersecurity awareness, training and resources
2) Certain staff failed to take appropriate, effective or timely action
3) A number of vulnerabilities, weaknesses and misconfigurations in the system
4) Skilled and sophisticated attacker
5) Defences are not impregnable, but the attacker's success was not inevitable
What are the key events of the investigation and remediation?
1) IHiS database administrator noticed suspicious queries being made to the SCM database
2) Contained the existing threats
3) Eliminated the attacker's footholds
4) Prevented recurrence of the attacks
What are the contributing factors to the cyberattack?
1) Network connection between the SGH Citrix servers and the SCM database, which let the attacker query the database from the Citrix servers
2) Lack of monitoring of the SCM database for unusual queries and access
3) SGH Citrix servers were not adequately secured against unauthorised access
4) IT network was connected to the internet
5) Workstations ran an outdated version of Outlook that was not patched
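Added example (not from the flashcards and not IHiS or SingHealth code): the kind of database-query monitoring whose absence is listed above as a contributing factor. It runs three per-query rules over a constructed audit log (bulk row counts, queries from a host that is not an application or DBA server, queries outside business hours) and also totals rows per account per day, so that many small reads that each stay under the per-query threshold still surface. The log format, hostnames, accounts, thresholds and allowlist are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit-log lines (hypothetical; not real SingHealth/IHiS records).
# Format assumed for the example: timestamp|account|source_host|rows_returned|sql
SAMPLE_LOG = """\
2018-06-27 14:02:11|clinic_user03|SCM-APP-01|1|SELECT * FROM patient WHERE nric = ?
2018-06-27 14:03:45|clinic_user03|SCM-APP-01|3|SELECT * FROM medication WHERE patient_id = ?
2018-06-27 23:15:02|svc_account|SGH-CITRIX-01|100000|SELECT name, nric, address FROM patient
2018-06-28 02:40:19|svc_account|SGH-CITRIX-01|65000|SELECT * FROM medication WHERE dispensed_date > '2015-05-01'
2018-06-28 09:12:00|dba_admin|DB-ADMIN-01|1|SELECT COUNT(*) FROM patient
"""

# Hosts expected to open direct connections to the database (assumed allowlist).
# A Citrix server is deliberately not on it: users should reach the data via the app server.
ALLOWED_SOURCE_HOSTS = {"SCM-APP-01", "DB-ADMIN-01"}
BULK_ROW_THRESHOLD = 1_000       # a single query returning this many rows is suspicious
DAILY_ROW_THRESHOLD = 10_000     # cumulative rows per account per calendar day
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed clinic hours


@dataclass
class QueryEvent:
    ts: datetime
    account: str
    source_host: str
    rows: int
    sql: str


def parse_log(text: str) -> list[QueryEvent]:
    """Parse the pipe-delimited audit log; the SQL field may itself contain '|' so split at most 4 times."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, rows, sql = line.split("|", 4)
        events.append(QueryEvent(datetime.fromisoformat(ts), account, host, int(rows), sql))
    return events


def flag_reasons(ev: QueryEvent) -> list[str]:
    """Return every per-query rule the event trips (empty list means benign)."""
    reasons = []
    if ev.source_host not in ALLOWED_SOURCE_HOSTS:
        reasons.append(f"unexpected source host {ev.source_host}")
    if ev.rows >= BULK_ROW_THRESHOLD:
        reasons.append(f"bulk read of {ev.rows} rows")
    start, end = BUSINESS_HOURS
    if not (start <= ev.ts.time() < end):
        reasons.append("outside business hours")
    return reasons


def detect(text: str) -> list[tuple[QueryEvent, list[str]]]:
    """Events that trip at least one per-query rule, with the reasons."""
    return [(ev, r) for ev in parse_log(text) if (r := flag_reasons(ev))]


def daily_rows_by_account(text: str) -> dict[tuple[str, str], int]:
    """Total rows returned per (account, date); catches low-and-slow pulls."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for ev in parse_log(text):
        totals[(ev.account, ev.ts.date().isoformat())] += ev.rows
    return dict(totals)


def accounts_over_daily_threshold(text: str) -> list[tuple[str, str, int]]:
    return [(acct, day, n) for (acct, day), n in daily_rows_by_account(text).items()
            if n >= DAILY_ROW_THRESHOLD]


if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_LOG):
        print(f"{ev.ts} {ev.account}@{ev.source_host}: {', '.join(reasons)}")
    for acct, day, n in accounts_over_daily_threshold(SAMPLE_LOG):
        print(f"{acct} pulled {n} rows on {day}")
```

On the constructed log only the two svc_account queries from the Citrix host are flagged, each on all three rules; the DBA's single-row count from an allowlisted host during the day is not. In a real deployment the allowlist and thresholds would come from a baseline of normal application traffic, and the alert would go to the security team rather than only to the DBA who happens to look at the log.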