[BreachExchange] Singapore: Mindef hit by targeted cyber attack

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 28 18:55:45 EST 2017


http://www.todayonline.com/singapore/mindef-internet-system-hacked-personal-data-850-personnel-stolen

A cyber attack on the system used at military premises to access the
Internet has resulted in the theft of the personal data of about 850
national servicemen and Ministry of Defence (Mindef) employees.

The unprecedented breach, which took place in early February, was described
by Mindef as appearing to be “targeted and carefully planned”, possibly
with the intention of stealing official secrets. While classified military
information was not compromised — this is stored on a separate and more
secure system which is not connected to the World Wide Web — the personal
data of I-net account holders comprising NRIC numbers, telephone numbers,
and dates of birth were stolen, said Mindef on Tuesday (Feb 28), as it
apologised for the “inconvenience and potential harm” caused by the breach.

The I-net system provides Internet access to national servicemen as well as
employees from Mindef and the Singapore Armed Forces for their personal
communications, and allows them to surf the Internet via dedicated I-net
computer terminals in the military premises and camps. Mindef said the
affected personnel will be contacted within the week, and they will be
advised to change their passwords for other systems that may use any of the
stolen information. A special helpdesk will also be set up to assist these
individuals.

“Based on our investigations, (the attack was) not the work of casual
hackers or criminal gangs,” said Mindef’s Deputy Secretary for Technology
David Koh at a press briefing. Investigations are being conducted, and
Mindef said it would not speculate on the origins of the attack and the
possible perpetrators. Nevertheless, it has determined that the attack did
not originate from any of the thousands of I-net computer terminals that
are located across the island.

The affected server was disconnected after the breach was discovered, and
immediate and detailed forensic investigations were conducted on the entire
I-net system to determine the extent of the breach. As a precaution, Mindef
is also doing a thorough security sweep of all its other computer systems.

Mr Koh, who also heads the Government’s Cyber Security Agency (CSA), said
the physical, multi-layered separation of I-net from Mindef’s internal
systems prevented the attackers from penetrating deeper into systems
containing classified military information. Apart from the CSA, the
Government Technology Agency of Singapore (GovTech) has been informed of
the breach, and both agencies are investigating other government systems
for possible breaches. So far, none has been detected.

The affected personnel are all I-net users and they do not come from any
specific military camp. Personal particulars are required for I-net account
management, and these are stored on the I-net system, said Mindef.

On why the cyber attack was not made public earlier, Mindef cited the need
to maintain operational security and conduct its own investigations.

Commenting on the breach, Mr Dan Yock Hau, CSA director of the National
Cyber Incident Response Centre, stressed that “no one is immune to
cyber-attacks”. “It is a matter of when, not if, an organisation is
breached,” he said.

He added: “We have to take steps to build greater security into software
design and strengthen our systems to ensure resilience to cyber attacks. We
also need keen eyes on the ground to closely monitor our systems. Trained
cyber security professionals will have a very important role to play to
keep our cyberspace safe.”

This is not the first time that the Singapore Government has come under a
cyber attack. Other incidents which have been made public in recent years
include the 2014 breach of the Ministry of Foreign Affairs’ information
technology system, which had been described as one of the more serious and
advanced attacks on the Government’s IT systems.

The Ministry of Defence uses three types of computer systems for different
purposes. Each has varying levels of security features, and the systems are
separated from one another:

1. Internet-facing system: Mainly to provide individuals access to the
Internet for research or recreational, personal surfing. The I-net system
is one such example. I-net terminals are similar to public computers found
at airports, hotels, or Internet cafes.

2. Internal system: Separated from I-net, this system is for internal email
and day-to-day administrative work. There is no Web access on this system.

3. Military system: Where classified and top-secret military information
is kept. There is also no Web access on this system and stringent security
features are in place.