[BreachExchange] SingHealth cyberattack: Malware used was initially thought 'benign' by antiviral experts

Destry Winant destry at riskbasedsecurity.com
Fri Oct 5 18:56:19 EDT 2018


A “uniquely tailored” malware used by the attacker behind the
SingHealth cyberattack was so sophisticated that a leading anti-virus
(AV) company could not immediately tell that it was malicious, a
Committee of Inquiry (COI) was told on Friday (5 October).

In a public incident response report by a team from the Cyber Security
Agency (CSA), it was noted that, during investigations into the
incident, a malware sample given to the AV company was initially
thought by the latter to be benign.

“It was only when CSA provided technical information on the malware to
the AV company that AV signatures for the (neutralisation of the)
malware could be developed,” said the report. The name of the company
was not revealed during the hearing.

On the final day of the first tranche of hearings into Singapore’s
largest ever cyberattack, much was made of “the skilled and
sophisticated threat actor” behind the attack, which took place
between 27 June and 4 July.

The personal particulars of 1,495,364 unique patients – including that
of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s
database. The data comprises the patients’ demographic records and the
dispensed medication records of about 159,000 of them. “The amount of
data compromised is unprecedented in Singapore,” said the CSA report.

The attacker was “skilful and disciplined”, establishing “multiple
footholds” for re-entry to the system and remaining dormant after
initially breaching the system in August 2017. He only began moving
laterally in the system in order to gain access to the database four
months later.

The CSA report noted that the attacker’s modus operandi and techniques
“fit the profile of an Advanced Persistent Threat group that CSA has
previously encountered in other investigations”. Authorities have thus
far declined to reveal the identity of the attacker.

However, CSA said that forensic investigations have uncovered signs of
call-backs to an overseas command and control server. The dispensed
medication records that were stolen were also copied out to servers
hosted overseas.

Three key factors in the cyberattack

Besides the prowess of the attacker, the CSA noted that two other key
factors contributed to the breach. Firstly, the attacker exploited
vulnerabilities in the SingHealth network.

For example, there were dormant administrative accounts that were not
disabled, allowing the attacker to activate and use them to log in to
SingHealth servers. Investigations also showed that the password to
one of the local administrator accounts was “P at ssw0rd”.

Secondly, the attacker also exploited an existing coding vulnerability
in the off-the-shelf Allscripts Sunrise Clinical Manager software.
This enabled him to go the last mile and log in to the SingHealth

In an earlier hearing, the COI was told that a former employee of the
Integrated Health Information Systems (IHiS), the central IT agency
for the healthcare sector, had highlighted this vulnerability to IHiS
management in 2014. The employee, Zhao Hainan, was dismissed for
alerting a rival vendor to it, but the flaw remained.

The CSA concluded, “The impact could have been worse. CSA’s assessment
is that IHiS managed to detect and stop the attacker before he could
do more damage.”

In the wake of the attack, CSA and IHiS put in place several measures
to counter the immediate threat. For example, the KRBTGT account – a
master key account that encrypts all other authentication tokens – was
reset twice in succession. This was to invalidate any existing
full-access authentication tokens that the attacker might have.

On 19 July, after suspicious activity was again detected in the
SingHealth network, a temporary measure for cutting Internet access
from work computers was implemented the following day.

The COI continues

Retired chief district judge Richard Magnus, who is chairing the COI,
told the hearing that the committee was “inclined to accept” the CSA’s
assessment of the three factors that led to the attack.

“From the evidence, it would appear to the COI, even at this stage,
that the attacker had one and only one malicious intent, and that of
exfiltrating data from the crown jewels of the network, which is the
Electronic Medical Records,” said Magnus.

The COI hearings resume in late October, when senior executives from
IHiS and SingHealth will give testimony. They include IHiS CEO Bruce
Liang, and SingHealth’s Group Chief Information Officer Benedict Tan
and its Deputy Group CEO Professor Kenneth Kwek.

More information about the BreachExchange mailing list