SingHealth Cyberattack Allegedly the Work of Sophisticated APT Group

The SingHealth cyberattack, which resulted in personal data of about 1.5 million patients getting stolen from SingHealth’s IT database, was the work of a sophisticated APT (Advanced Persistent Threat) group, which could be state-sponsored, reports quoting Singapore’s Minister for Communication and Information S Iswaran said.

Channel NewsAsia reports- “The cyber attack on SingHealth’s IT database in June, which resulted in the most serious breach of personal data in Singapore’s history, was “the work of an advanced persistent threat (APT) group” that is “usually state-linked”, said Minister for Communications and Information S Iswaran on Monday (Aug 6)…Mr Iswaran, in delivering his ministerial statement on the incident in Parliament, said the Cyber Security Agency of Singapore (CSA) has done a detailed analysis of the cyber attack and determined it is by an APT group, which refers to a class of sophisticated attackers who conduct extended, carefully planned cyber campaigns to steal information or disrupt operations.”

The report refers to the minister pointing out that Singapore had witnessed APT attacks earlier also, like for example the 2017 attack on the National University of Singapore (NUS) and Nanyang Technological University (NTU). There are also references to APT attacks on the international level, including the attacks that shattered the United States (US) Democratic National Committee in 2016 and the US Office of Personnel Management (OPM) in 2014.

The Singapore Minister, as per reports, have explained that the APT group behind the SignHealth attack had used sophisticated, advanced tools to evade the antivirus programs installed. The malware that the hackers had used remained undetected in the system and stole personal data belonging to the patients, including the Prime Minister of the country.

Channel NewsAsia quotes the minister as saying- “The attack fits the profile of certain known APT groups, but for national security reasons, we will not be making any specific public attribution.”

The Government, according to the minister, has already started adopting measures to strengthen cybersecurity defenses. The CSA has already started its forensic investigation and is focused on mitigating similar incidents.

The Channel NewsAsia report states- “Mr. Iswaran said the Cybersecurity Act passed in Parliament this February gives the Government “additional levers” to strengthen the protection of such CIIs against cyber attacks, and CSA is currently implementing the provisions of the law. It will designate all CIIs by the end of this year, he said. ”

The Committee of Inquiry (COI), which has been appointed on July 24 to assess the events and factors that led to the cyber attack, has also started its work.

In response to questions from within the parliament regarding the identity of the hackers and location from where the attack was launched, the minister has stated that though the attack fits the profile of certain known APT groups, the government wouldn’t name them, for obvious reasons relating to national security. Channel NewsAsia says- “He (the minister) added that in these matters, “whilst once can have a high level of confidence, one may not be able to have the certainty that you might need in order to specifically assign responsibility” and the evidence may not stand up in the court of law. The agencies involved have a “high level of confidence” of the people behind the hack though, he added. “.

The report further quotes the minister as saying- “Having said that, we don’t think it serves our national interest nor is it a productive exercise for us to be making specific public attribution…What is essential is that we diagnose the problem clearly, and take the appropriate steps and, if in the process of the COI specific attribution can be made in a manner where action can be subsequently taken up in the court of law, we will certainly consider that course of action.”