Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee's data targeted
A total of 1.5 million SingHealth patients’ non-medical personal data were stolen, while 160,000 of those had their dispensed medicines’ records taken too, according to MCI and MOH.
(Updated: )
Ricky Lim
CSA ascertained the cyberattackers first accessed the network after breaching a front-end workstation, and managed to get privileged access to the database over time while also showing sophistication in cleaning up their digital footprints when doing so.
--
This sounds like an Advanced Persistent Attack (APT) - by hijacking a legitimate workstation through remote access, steal the password (at least the administrator password of the database) and do a sweeping copies of the database for eg. via SQL.
SingHealth network infrastructure that run independently seems to be independent from the Ministry - and may lack the security rigour of the more protected IT infra.
--
This sounds like an Advanced Persistent Attack (APT) - by hijacking a legitimate workstation through remote access, steal the password (at least the administrator password of the database) and do a sweeping copies of the database for eg. via SQL.
SingHealth network infrastructure that run independently seems to be independent from the Ministry - and may lack the security rigour of the more protected IT infra.
Like · Reply · 1m · Edited
Ricky Lim
Cleaning up digital footprint - is a very sophisticated process - and will require specialise knowledge in all the equipment, system software, databse and security equipment.
Minimally, the hackers will need to clean up device logs, system logs, access logs etc of say the routers, firewalls, LAN switches, IPS, OS of servers, databases, apps etc --- along the way as it navigate its way through ---- and the hackers need to know intimately all the devices, system, security, software etc - to be able to clean up all the digital footprint.
To do so, the hackers must be able to steal the administrator or supervisor passwords of all the devices, software etc and know which files, logs etc to clean up.
This sounds like a State-level jobs - not any novice hackers or self-learned hackers can stage such a sophisticated attacks.
Hence such attacks is known as Advanced Persistent Attack or the APT.
Minimally, the hackers will need to clean up device logs, system logs, access logs etc of say the routers, firewalls, LAN switches, IPS, OS of servers, databases, apps etc --- along the way as it navigate its way through ---- and the hackers need to know intimately all the devices, system, security, software etc - to be able to clean up all the digital footprint.
To do so, the hackers must be able to steal the administrator or supervisor passwords of all the devices, software etc and know which files, logs etc to clean up.
This sounds like a State-level jobs - not any novice hackers or self-learned hackers can stage such a sophisticated attacks.
Hence such attacks is known as Advanced Persistent Attack or the APT.
Like · Reply · 1m
Ricky Lim
Also wonder did Singhealth IT system put under the SOC (Security Operation Centre) SIEM CII monitoring - to pick up suspicious hacking attack going on --- where mass copies or manipulation of the database ---- will have been picked up as illegitimate access by the SIEM.
Alarms and alerts will be triggered the moment such illegitimate access are conducted and remedial actions can immediately be taken.
Also notice that "jump host" security via oob mgt - is not implemented - as front-desk workstation can be used to access database as database admin doing administrator function via front end.
In retrospect, if all the equipment, security devices, servers etc uses "jump host" security and oob mgt - the hackers may not be able to do such a front end attack - as device management is separated from front end access.
Also device management can only be access via "dedicated jump host" access only locally - and not accessible by remote management or remote access.
Singhealth should take note.
Alarms and alerts will be triggered the moment such illegitimate access are conducted and remedial actions can immediately be taken.
Also notice that "jump host" security via oob mgt - is not implemented - as front-desk workstation can be used to access database as database admin doing administrator function via front end.
In retrospect, if all the equipment, security devices, servers etc uses "jump host" security and oob mgt - the hackers may not be able to do such a front end attack - as device management is separated from front end access.
Also device management can only be access via "dedicated jump host" access only locally - and not accessible by remote management or remote access.
Singhealth should take note.
Like · Reply · 1m
'Adeeb Ashraf
Can tell it is not as "complex" as it seems if the attacker was already identified. High chance that whatever entry point was used had a weak application
Ricky Lim
Not true that the ability to identify the attackers - means the attacker is not sophisticated or is not conducting a "complex" hacking operation.
(1) Digital footprint can be traced to the attackers (unless all the footprint) are removed - which look like the hackers though sophisticated are not able to fully removed - as they must have left some digital trace and thus subsequently detected.
(2) Doing reconnaissance to identify a weak workstation that able to remotely controlled and compromise or infected with botnets -- without being detected is not easy.
(3) Breaking the workstation password, breaking the database supervisor password to launch SQL mass copies of the database to steal information - are not easy.
(4) Able to penetrate many layers of IT security undetected and did not raise any alerts and alarms - are not easy.
All this require very high skill and sophistication of the hackers.
(1) Digital footprint can be traced to the attackers (unless all the footprint) are removed - which look like the hackers though sophisticated are not able to fully removed - as they must have left some digital trace and thus subsequently detected.
(2) Doing reconnaissance to identify a weak workstation that able to remotely controlled and compromise or infected with botnets -- without being detected is not easy.
(3) Breaking the workstation password, breaking the database supervisor password to launch SQL mass copies of the database to steal information - are not easy.
(4) Able to penetrate many layers of IT security undetected and did not raise any alerts and alarms - are not easy.
All this require very high skill and sophistication of the hackers.
Like · Reply · 1m
Ricky Lim
The hallmark of State sponsored attack - that is the Advanced Persistent Attack are:-
(1) Advanced persistent presence
(2) Remote access and remote management
(3) Abiltiy to avoid detection of its illegal access and evade security measures
(4) Automated data mining to steal data - and pipe back to the hacker server
(5) Connect and disconnect quickly - and remove forensic digital footprint
- The Singhealth attack seems to have all the above features - the hallmark of State sponsor attack.
(1) Advanced persistent presence
(2) Remote access and remote management
(3) Abiltiy to avoid detection of its illegal access and evade security measures
(4) Automated data mining to steal data - and pipe back to the hacker server
(5) Connect and disconnect quickly - and remove forensic digital footprint
- The Singhealth attack seems to have all the above features - the hallmark of State sponsor attack.
Patrick Page
Are you trying to impress us with terms such as Advanced Persistent Attack? Any second year BSc student studying for a computer science degree would be familiar with such a term. You have to try harder, mate.
Reply · 1h
Valen Chen Tany
Patrick Page can Mr Magnus a retired judge who will be chairing the COI fare any better?
Ricky Lim
Valen Chen Tany - Richard Magnus is an ex Senior District Judge that heads the Subordinate Courts.
He is very tech-savvy and certainly very experience in law.
He is certainly attune to many cutting-edge IT technology that he has chaired and implemented in the Subordinate Courts.
He is very tech-savvy and certainly very experience in law.
He is certainly attune to many cutting-edge IT technology that he has chaired and implemented in the Subordinate Courts.
Like · Reply · 1m
Valen Chen Tany
Ricky Lim did I hear ex as like in retired? And IT tech is moving at light speed. Anyway I may very well be wrong becos Judge Magnus I understand is a true gentleman and his personal integrity is not in question here.
Ricky Lim
Valen Chen Tany - He is retired from SubCourts - but he move on to be the Chairman of CRA - who come out with laws to safeguard the casinos operation when the 2 casinos came out. He also came out with social safeguards to deter locals from being addicted gamblers.
Subsequently he move on as Chairman of PTC - looking at transport and transport fares.
Both casinos and transport have IT technologies to support their operations and I believe the Judge will have keep himself up to date.
Subsequently he move on as Chairman of PTC - looking at transport and transport fares.
Both casinos and transport have IT technologies to support their operations and I believe the Judge will have keep himself up to date.
Like · Reply · 1m · Edited
Ang Kam Kwang
I think it is high time SingHealth change IT contractor.
I am not a Computer or IT expert and I may be wrong but if superuser's computer (at the contractor side) is already compromised, then it is like alot of security layers is already broken and hence assess to SingHealth (medical) data is easy?
I am not a Computer or IT expert and I may be wrong but if superuser's computer (at the contractor side) is already compromised, then it is like alot of security layers is already broken and hence assess to SingHealth (medical) data is easy?
Ricky Lim
Ang Kam Kwang - I suggest you should wait for the COI to come out with the findings.
Like · Reply · 1m
Ricky Lim
John Low - It will reduced the chances of being attacked - by doing periodic security patches, vulnerability scanning etc.
Also the overall design of the IT infrastructure is important to minimise attacks.
But almost no one can guarantee zero attacks.
Not US, not China, not Russia, no Countries can guarantee no cyber attacks or breach.
For eg. every computer chips that used Intel and AMDs chips already have known vulnerabilities.
For eg. wireless lan is connectivity in the air, an any determined hackers within range can take their time to identify vulnerabilities in the wireless to break in - the hackers could be your neighbors.
For eg. hackers can do a brute force attack by doing DDOS on any of your IP devices that can be learn by reconnaissance and do a brute force attack on your devices and deny your devices from performing services
There are so many examples ......
Also the overall design of the IT infrastructure is important to minimise attacks.
But almost no one can guarantee zero attacks.
Not US, not China, not Russia, no Countries can guarantee no cyber attacks or breach.
For eg. every computer chips that used Intel and AMDs chips already have known vulnerabilities.
For eg. wireless lan is connectivity in the air, an any determined hackers within range can take their time to identify vulnerabilities in the wireless to break in - the hackers could be your neighbors.
For eg. hackers can do a brute force attack by doing DDOS on any of your IP devices that can be learn by reconnaissance and do a brute force attack on your devices and deny your devices from performing services
There are so many examples ......
Like · Reply · 1m · Edited
Gen Huang
Ricky Lim .. Bro the Gomen should employ you as their SECURITY EXPERT! Seriously bro ..
Ricky Lim
Gen Huang - Ha Ha Ha Ha
(1) I am not a SECURITY EXPERT!
(2) 有缘千里能相会。无缘对面不相逢。
(It means even very far and long distant, when there is fate, it will come together.
If no fate, even if in front or next door, it will not come together.)
(1) I am not a SECURITY EXPERT!
(2) 有缘千里能相会。无缘对面不相逢。
(It means even very far and long distant, when there is fate, it will come together.
If no fate, even if in front or next door, it will not come together.)
Petjay Catarbas
Patrick Page what have you got to offer? Do you have a second opinion or other suggestions on how to prevent it?
WeeSeng Lim
Ang Kam Kwang. The contractor is IHIS, it can't be changed because it is another govt entity
Ozy Lee
Ricky Lim Hey Ricky,
You've done a great job painstakingly explaining why it "took so long for the breach to be detected".
Would also like to add that although many companies are starting to become more proactive with security, the Health Sector is yet to fully embrace this idea, not just in Singapore but in the US as well. You're might be right that the hospitals did not have SIEM running.
The important lesson here is, Security needs to be at the forefront and not an afterthought.
You've done a great job painstakingly explaining why it "took so long for the breach to be detected".
Would also like to add that although many companies are starting to become more proactive with security, the Health Sector is yet to fully embrace this idea, not just in Singapore but in the US as well. You're might be right that the hospitals did not have SIEM running.
The important lesson here is, Security needs to be at the forefront and not an afterthought.
Reply · 1h
Ricky Lim
Ozy Lee - Your assessment of security needs to be at the forefront and not an afterthought is correct from security points of view.
But security is very costly and require talents who are IT tech trained and security savy,
IT are getting increasingly complex - and it cut across every TCP/IP layers.
For IT talents to be trained and conversant in every TCP/IP layers - is a very demanding proposition.
And the quick proliferation of new IT technologies being invented and developed - make IT security scrambling behind.
IT security is always one step behind or even several steps behind - doing catchup.
What is worst, new development like cloud tech, mobile apps, proliferation of wireless tech, IoT, big data, AI, robotics, drones, smartphones etc make IT security all the more challenging to do catchup.
Thus if a State-sponsor attack via APT is launch --- defending it is extremely challenging when facing 1,000 to 100,000 of hackers doing simultaneous attacks.
But security is very costly and require talents who are IT tech trained and security savy,
IT are getting increasingly complex - and it cut across every TCP/IP layers.
For IT talents to be trained and conversant in every TCP/IP layers - is a very demanding proposition.
And the quick proliferation of new IT technologies being invented and developed - make IT security scrambling behind.
IT security is always one step behind or even several steps behind - doing catchup.
What is worst, new development like cloud tech, mobile apps, proliferation of wireless tech, IoT, big data, AI, robotics, drones, smartphones etc make IT security all the more challenging to do catchup.
Thus if a State-sponsor attack via APT is launch --- defending it is extremely challenging when facing 1,000 to 100,000 of hackers doing simultaneous attacks.
Like · Reply · 1m · Edite
Ricky Lim
Ricky Lim
Moreover, deploying SIEMs will require pervasive and extensive knowledge in almost all network, security, servers, OS etc - to deploy agents and agentless to all the IT devices to collect all the respective syslog, security logs, access logs etc via central loggers - to correlate and interpret all security information to pinpoint suspected attacks - which can be known threats or unknown threats or zero day attacks.
So ability to produce sufficient IT security, network, system talents become important - especially facing a massive State sponsor simultaneous attack.
So ability to produce sufficient IT security, network, system talents become important - especially facing a massive State sponsor simultaneous attack.
Like · Reply · 1m · Edited
Freddy Chin
Ricky Lim, agreed with what you have mentioned. To add on, IT security is not purely about IT only. Company policies and the willingness of the senior management to invest and support the IT security implementation is vital. Politics playing (to please someone on a high profile projext and etc) in company and so on might jeopardise the security of the company as well. There are also many restructuring in the healthcare system in the past few years and systems might need to be merged through workaround and etc. Is ihis able to map out all the systems in the public healthcare after all these years and all the restructuring exercises? Hence, COI and investigations are important to have a holistic view of the breach and the remediation and extra controls required. Anyway, in the field of cybersecurity, one can only MITIGATE security threats and will never eliminate them.
Gen Huang
APT... STATE LEVEL JOBS! ... Come on its just BOTS doing their thingy!
Ricky Lim
All the symptoms of attacks does not reveal it is done by a Botnet.
It has all the symptoms of an APT.
In addition, forensics reveal that APT has been identified as the mode of attacks and not a botnet.
It has all the symptoms of an APT.
In addition, forensics reveal that APT has been identified as the mode of attacks and not a botnet.
Like · Reply · 1m
Gen Huang
Ricky Lim ... So let the Gomen reveal the TRUTH as which country is really responsible for the ATTACK! Why so afraid to say out the TRUTH! Produce the EVIDENCE for all to see. We want to know the truth once for all.
The Gomen released the BIG MOUTH GRASS CUTTER KAUSIKAN (because the Gomen dare not or do not want for whatever reason) to ACCUSE China of doing us wrong and our VIVIAN kept on offending China by taking sides (from China's point of view ) in his speeches. Could this be PAYBACK and WARNING. Don't be afraid to tell the truth!
BTW Ricky are the steps taken to identify the attacks 100% FOOLPROOF! Could a THIRD-PARTY COUNTRY be involved to cause MISCHIEF between Singapore and China (I'm saying China by name because fingers are already pointing to China... Am I right Vivian and Kausikan!
The Gomen released the BIG MOUTH GRASS CUTTER KAUSIKAN (because the Gomen dare not or do not want for whatever reason) to ACCUSE China of doing us wrong and our VIVIAN kept on offending China by taking sides (from China's point of view ) in his speeches. Could this be PAYBACK and WARNING. Don't be afraid to tell the truth!
BTW Ricky are the steps taken to identify the attacks 100% FOOLPROOF! Could a THIRD-PARTY COUNTRY be involved to cause MISCHIEF between Singapore and China (I'm saying China by name because fingers are already pointing to China... Am I right Vivian and Kausikan!
Reply · 28m
Ricky Lim
Gen Huang - no official statement is pointing to any Countries.
Why you so agitated?
Also this hacking things will be taken up privately through the diplomatic channels when forensic evidence was found - not for public debate in the social media.
BTW, what make you think that Singapore is having a quarrel with China?
Your comments about Singapore and China story is not true and may cause unnecessary unhappiness with China.
Singapore and China's relationship are in very good terms.
Don't misinterpret any signal that have been otherwise..
Why you so agitated?
Also this hacking things will be taken up privately through the diplomatic channels when forensic evidence was found - not for public debate in the social media.
BTW, what make you think that Singapore is having a quarrel with China?
Your comments about Singapore and China story is not true and may cause unnecessary unhappiness with China.
Singapore and China's relationship are in very good terms.
Don't misinterpret any signal that have been otherwise..
Reply · 1m · Edited
Gen Huang
Adam Png ... Wow bro cool man! This information and any evidence should be shared. This clearly shows EVIL FORCES are at work trying to SOUR Singapore China relationship!
I'm pretty sure in the next few weeks the 3rd rate ex diplomat Bilahari Kausikan will start blaming China for the ATTACK.
I'm pretty sure in the next few weeks the 3rd rate ex diplomat Bilahari Kausikan will start blaming China for the ATTACK.
Like · Reply · 1m
Gen Huang
Adam Png ... Wow bro cool man! This information and any evidence should be shared. This clearly shows EVIL FORCES are at work trying to SOUR Singapore China relationship!
I'm pretty sure in the next few weeks the 3rd rate ex diplomat Bilahari Kausikan will start blaming China for the ATTACK.
I'm pretty sure in the next few weeks the 3rd rate ex diplomat Bilahari Kausikan will start blaming China for the ATTACK.
Ricky Lim
Gen Huang - 激将法对我没有用。
菩提本无树。
明镜已非台。
本来无一物。
何处惹尘埃。
菩提本无树。
明镜已非台。
本来无一物。
何处惹尘埃。
Like · Reply · 1m · Edited
Gen Huang
Ricky Lim ... Bro just because I'm defending China against FALSE ALLEGATIONS doesn't mean I can read and write Chinese. I've three different ASIAN ETHNICITY in my DNA makeup! I've been accused of being a COMMI ... CHINA CHINESE ... RACIST... but I'm none of that. How can I be a racist when I'm made-up of 3 different races! 
:) My kids have 4 different ethnicity! Its just that I hate BULLIES and likes to fight for the UNDERDOG which in this case happens to be China!
:) My kids have 4 different ethnicity! Its just that I hate BULLIES and likes to fight for the UNDERDOG which in this case happens to be China!
Like · Reply · 1h
Ricky Lim
Gen Huang - oh it means no need to probe further - as when the outcome come it will come.
As for the whole poem - it means An Enlightened State of Mind - which cannot or not meaningful to be translated.
Even those who have deep understanding of Chinese words, languages and culture - cannot explain it meaningfully without that State of Mind.
“菩提本无树”是我国佛教禅宗六祖惠能大师著名的四句偈中的一句。意在说明一切有为法皆如梦幻泡影,教人不要妄想执着,才能明心见性,自证菩提。
As for the whole poem - it means An Enlightened State of Mind - which cannot or not meaningful to be translated.
Even those who have deep understanding of Chinese words, languages and culture - cannot explain it meaningfully without that State of Mind.
“菩提本无树”是我国佛教禅宗六祖惠能大师著名的四句偈中的一句。意在说明一切有为法皆如梦幻泡影,教人不要妄想执着,才能明心见性,自证菩提。
Adam Png
Apologies and promise to get to the bottom of the issue are too superficial to shoulder the responsibility.
Both the Health Minister and his Deputy MUST step down and step out! It is the only way to show that you are sincere and serious in shouldering your responsibilities.
You are drawing millions of dollars of taxpayers' money every year.
Each day you continue in your present position means you continue to be highly rewarded for your complacency, incompetency and irresponsibility. This must not be allowed.
Both the Health Minister and the Information Minister must resign to take full responsibility. You have made the Smart Nation become the Stupid Nation!
Both the Health Minister and his Deputy MUST step down and step out! It is the only way to show that you are sincere and serious in shouldering your responsibilities.
You are drawing millions of dollars of taxpayers' money every year.
Each day you continue in your present position means you continue to be highly rewarded for your complacency, incompetency and irresponsibility. This must not be allowed.
Both the Health Minister and the Information Minister must resign to take full responsibility. You have made the Smart Nation become the Stupid Nation!
Ricky Lim
Put things in proper perspective,
- even China with 100,000 cyber army (the largest in the World) also faces their fair share of cyber attack.
- even Russia with their thousands of cyber army also got cyber attack.
- even US with their sophisticated and advanced IT and security defense - also got cyber breach.
So don't over-react.
Unless you are experts in IT - and is able to guarantee IT security can be invincible - then you can make the above statement.
Otherwise you will be laugh at by the IT world.
- even China with 100,000 cyber army (the largest in the World) also faces their fair share of cyber attack.
- even Russia with their thousands of cyber army also got cyber attack.
- even US with their sophisticated and advanced IT and security defense - also got cyber breach.
So don't over-react.
Unless you are experts in IT - and is able to guarantee IT security can be invincible - then you can make the above statement.
Otherwise you will be laugh at by the IT world.
Like · Reply · 1m
John Low
Ricky Lim Does that mean, we must sit back and wait for the next attack and do nothing?
Though technology is sophiscated and it is not attack proof, the question is how much have we invested to prevent this from happening and how much are we investing to keep our data as save as possible?
For a start, can we implement rules for those organization which store public data by having a third party to come in to check on the security structure of their deplored system. Give rating on their system and alert them of possible weakness.
That way we can have a sector that constantly upgrade themselves to oversee system weakness instead of the organization having to depend on vendor whose skillset is not that relevant to shielding us from intruder's attack.
Though technology is sophiscated and it is not attack proof, the question is how much have we invested to prevent this from happening and how much are we investing to keep our data as save as possible?
For a start, can we implement rules for those organization which store public data by having a third party to come in to check on the security structure of their deplored system. Give rating on their system and alert them of possible weakness.
That way we can have a sector that constantly upgrade themselves to oversee system weakness instead of the organization having to depend on vendor whose skillset is not that relevant to shielding us from intruder's attack.
Reply · 1h
Ricky Lim
John Low - There are already efforts doing all these.
The setting up of CII SOC to cover 11 sectors is set in motion years ago.
Except I think SingHealth have not come on board yet.
These are very massive operation, it takes time for all 11 CII to come on board.
Priority are given to those sectors that have massive financial implications or those that areas that have great impact to the Country.
The setting up of CII SOC to cover 11 sectors is set in motion years ago.
Except I think SingHealth have not come on board yet.
These are very massive operation, it takes time for all 11 CII to come on board.
Priority are given to those sectors that have massive financial implications or those that areas that have great impact to the Country.
Reply · 8m
John Low
Ricky Lim Thanks for the valuable and insightful information. CII SOC covers critical services and definitely healthcare is also one of the designated service. They are also required to audit their cybersecurity system periodically directed by the commissioner.
Slowly idenitifying who should come under the act is not on the ball. All services including private companies of certain size must conduct in house audit on a yearly basis to be submitted to designated authority. This will create a boon for auditor of cybersecurity. Which is good so that they can update their skill in quicker time. We can start by working with Isreal which I think is one of the more advance player in this field.
Beside hacking a computer for data, this day using a handphone some of these hacker can turn on or off the engine of a modern day car within range.
Slowly idenitifying who should come under the act is not on the ball. All services including private companies of certain size must conduct in house audit on a yearly basis to be submitted to designated authority. This will create a boon for auditor of cybersecurity. Which is good so that they can update their skill in quicker time. We can start by working with Isreal which I think is one of the more advance player in this field.
Beside hacking a computer for data, this day using a handphone some of these hacker can turn on or off the engine of a modern day car within range.
Like · Reply · 1h
Unker Will
Hundreds if not thousands of personal data also can be 'stolen' by other means not necessarily be cyberattacks. You signed up a lucky draw form with all your details, you filled up a form in order to get a refund from some closed down entities, you felt obliged to complete some surveys handed out to you by some innocent and pity looking teens on the streets, you so willing to give your medical history to some university students doing research in order to get a shopping voucher and so on. You never know where will all these data that you have provided would eventually landed on whose hands.
No comments:
Post a Comment