Over but not forgotten – lessons from SingHealth APT cyber-attack

On 20 July 2018, it was revealed that Singapore’s health system was hit by the nation’s ‘most serious breach of personal data’ cyber-attack. A total of 1.5 million SingHealth patients’ non-medical personal data were stolen, while 160,000 of those had their dispensed medication records taken as well.

On 3 August 2018, the Singapore government disclosed that the attack was the work of an advanced persistent threat (APT) group, possibly state-sponsored. Such a group refers to a class of sophisticated attackers who conduct extended, carefully planned cyber campaigns to steal information or disrupt operations.

The attackers had used advanced and sophisticated tools, including customized malware that was able to evade the healthcare provider’s anti-malware and security tools. Once they got into the system, they took steps to remain in the system undetected before stealing patients’ information.

Tim Liu, CTO of Hillstone Networks, sheds more light on APT and lessons learnt:

In light of the recent SingHealth cyber-attack, what do organizations in Asia need to know about APT?

Liu: APTs continue to be one of the top threats faced by government agencies, healthcare institutions and large enterprises.

These institutions have valuable assets that attract the attention of cybercrime organizations and nation-state players. These institutions should continue to invest in APT detection and breach detection technology to guard against data breaches.

How well defended is Singapore? Are we on the cutting edge or are there still lessons to be learnt?

Liu: On average, Singapore's cyber security status is on the leading edge among the countries in the APAC region. But the security readiness of different systems in Singapore is not on the same level. We need to identify critical data and be vigilant in guarding these data from hackers.

Cyber security is a cat-and-mouse game and we will need to learn from this and other cases to continue to build up defense and early detection mechanisms.

While the data breach at SingHealth resulted in data loss, one of the silver linings is the speed at which the breach was detected.

This points to a good implementation of breach detection and incident response process.

On APT defense, right now the detail on how the breach occurred is not available. It is important to find out the root cause and plug holes in the security framework.

In recent years, cyber-attacks have been increasingly attributed to state actors rather than criminal or hacktivist groups. Is this because state-sponsored attacks are more prevalent or is it just better attribution?

Liu: Advances in cyber-defense technology allow better attribution of previously unknown hacks.

Advancement in early breach detection and APT detection is essential so that traces of attacks can be retained before they are lost with time. In the meantime, we have better forensics collection to retain the crime scene for a larger area and for a longer time, and better data analysis technology to sieve through the data.

Last but not least, better threat intelligence allows for matching characteristics of attacks to existing databases of known actors. These advancements have a larger effect on attacks by nation-states, because these attacks are usually more sophisticated and previously hard to trace.

We are still seeing great volumes of hacks of a criminal nature, such as the recent ransomware attack on Taiwan Semiconductor Manufacturing Company (TSMC), which forced the exclusive foundry for iPhone processors to shut down several factories.

Moving forward, what are some top tips you would suggest for government, healthcare and other organizations in the region that are targets of such attacks?

Liu: Most of the recent high-profile security incidents resulted in data loss. High-value data assets are the premium targets for the hackers these days.

Organizations should consider their cyber-defense framework from another view: a data-centric view. Start from an inventory of the sensitive data, determine how that data is used through its life cycle, and determine the risk exposures and defense mechanisms needed. This data-centric angle can complement the existing framework and provide added layers of security against data loss.
