singhealth Flashcards
what are the first 3 key events of the singhealth attack
• The attacker gained initial access to SingHealth’s IT network around 23/8/17, infecting front-end workstations, most likely through phishing attacks.
• The attacker then lay dormant for 4 months, before commencing lateral movement (6 months) in the network between Dec 2017 and Jun 2018, compromising many endpoints and servers, including the Citrix servers located in SGH, which were connected to the SCM database.
• Along the way, the attacker also compromised a large number of user and administrator accounts, including domain administrator accounts.
what are the second 2 key events of the singhealth attack
• Starting from May 2018, the attacker made use of compromised user workstations in the SingHealth IT network and suspected virtual machines to remotely connect to the SGH Citrix servers.
• The attacker initially tried unsuccessfully to access the SCM database from the SGH Citrix servers.
what are the third 3 key events of the singhealth attack
6. IHiS’ IT administrators first noticed unauthorised logins to Citrix servers and failed attempts at accessing the SCM DB on 11 June 2018.
7. Unknown to them, the attacker had obtained credentials to the SCM database on 26 June 2018.
8. The next day, 27 June 2018, the attacker began querying the SCM database, stealing and exfiltrating patient records, and doing so undetected by IHiS.
what are the fourth 3 key events of the singhealth attack
• 1 week later, on 4 July 2018, an IHiS administrator for the SCM system noticed suspicious queries being made on the SCM database.
• Working with other IT administrators, ongoing suspicious queries were terminated, and measures were put in place to prevent further queries to the SCM database.
• These measures proved to be successful, and the attacker could not make any further successful queries to the database after 4 July 2018.
what are the fifth 3 key events of the singhealth attack
• Between 11/6 and 9/7/18, the persons who knew of and responded to the incident were limited to IHiS’ line staff and middle management from various IT administration teams, and the security team.
• After 1 month, on 9/7/18, IHiS senior management were finally informed of the cyberattack…
• 3 days later, 10/7/18, the matter was escalated to the Cyber Security Agency (“CSA”), SingHealth’s senior management, the Ministry of Health (“MOH”), and the Ministry of Health Holdings (“MOHH”).
what are the sixth 4 key events of the singhealth attack
• Starting from 10 July 2018, IHiS and CSA carried out joint investigations and remediation.
• Several measures aimed at (a) containing the existing threat, (b) eliminating the attacker’s footholds, and (c) preventing recurrence of the attack were implemented.
• In view of further malicious activities on 19 July 2018, internet surfing separation was implemented for SingHealth on 20 July 2018.
• No further suspicious activity was detected after 20 July 2018.
what are the seventh 4 key events of the singhealth attack
• The public announcement was made on 20 July 2018, and patient outreach and communications commenced immediately thereafter. SMS messages were used as the primary mode of communication, in view of the need for quick dissemination of information on a large scale.
• The COI Committee has identified 5 key Findings!
what was a key finding from singhealth attack
IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack.
what was another 1 key finding from singhealth attack
Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack.
what was another 2 key finding from singhealth attack
There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack.
what was another 3 key finding from singhealth attack
The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group.
what was another 4 key finding from singhealth attack
While our cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable.
what did the attack exploit to make queries to the database
- A significant vulnerability was the network connectivity (referred to in these proceedings as an “open network connection”) between the SGH Citrix servers and the SCM database.
What was the network connectivity maintained for?
For the use of administrative tools and custom applications.
was it necessary to maintain the network connectivity for administrative tools and custom apps?
No.
Describe the security of the SGH Citrix servers
They were not adequately secured against unauthorised access.
Describe the 2fa in the sgh citrix servers
It was not enforced as the exclusive means of logging in as an admin.
Describe the 2fa in the sgh citrix servers fucked us all
It was not enforced as the exclusive means of logging in as an admin; therefore the attacker gained entry to the server through other routes that did not require 2FA.