COI Report – Part V, Page 195 of 425

32.4 Heightened monitoring of IT network and implementation of Internet Surfing Separation on 20 July 2018

619. From 11 July 2018, IHiS was placed on heightened alert for any sign of the attacker in the network. IHiS actively monitored the network for security events from the active directory, internet proxy, and firewall, to detect signs of compromise or failed login attempts. They also actively reviewed network flow logs to determine if there were further signs of mass data exfiltration.
620. As a result of the active monitoring, IHiS detected on 19 July 2018 the attempts being made from the S.P. server to connect to a known C2 server that same day, enabling IHiS and CSA to respond quickly to investigate.
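The two detection signals described in paragraphs 619 and 620 (callback attempts from an internal host to a known command-and-control address in the proxy logs, and unusually large outbound volumes in the network flow logs) can be reduced to a small amount of log-review logic. The following is an added example and is not code from the report or from IHiS or CSA; the log formats, host names and addresses are constructed for illustration (the addresses are RFC 5737 documentation ranges, not indicators from the incident).

```python
from collections import defaultdict

# Constructed sample data. The addresses are RFC 5737 documentation ranges and
# the host names are invented; none of them are indicators from the report.
KNOWN_C2 = {"203.0.113.45"}  # placeholder for a threat-intel list of known C2 addresses

# Proxy log format assumed here: "<timestamp> <source host> <destination ip> <http status>"
PROXY_LOG = """\
2018-07-19T09:12:04 WS-0731 198.51.100.20 200
2018-07-19T09:12:31 SRV-A 203.0.113.45 403
2018-07-19T09:13:02 SRV-A 203.0.113.45 403
2018-07-19T09:15:44 WS-0812 198.51.100.21 200
""".splitlines()

# Flow log format assumed here: "<timestamp> <source host> <destination ip> <bytes out>"
FLOW_LOG = """\
2018-07-19T08:00:00 WS-0731 198.51.100.20 45120
2018-07-19T08:00:00 SRV-DB01 198.51.100.77 890000000
2018-07-19T08:00:00 SRV-DB01 198.51.100.78 420000000
2018-07-19T08:00:00 WS-0812 198.51.100.21 120300
""".splitlines()


def parse_log(lines):
    """Split space-delimited records into (timestamp, host, dst_ip, last_field) tuples.

    Malformed lines are skipped rather than allowed to abort a review run."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append((parts[0], parts[1], parts[2], parts[3]))
    return records


def find_c2_callbacks(proxy_lines, known_c2=KNOWN_C2):
    """Return (timestamp, host, dst_ip) for every proxy request to a known C2 address.

    The HTTP status is deliberately ignored: a request the proxy blocked is still
    evidence that an implant on that host is alive and trying to reach its operator."""
    return [(ts, host, dst)
            for ts, host, dst, _status in parse_log(proxy_lines)
            if dst in known_c2]


def callback_hosts(proxy_lines, known_c2=KNOWN_C2):
    """Distinct internal hosts that attempted a C2 callback, for containment triage."""
    return sorted({host for _ts, host, _dst in find_c2_callbacks(proxy_lines, known_c2)})


def find_bulk_egress(flow_lines, threshold_bytes=500_000_000):
    """Sum bytes sent out per internal host and return the hosts over the threshold.

    The threshold is a tuning knob; a real deployment would baseline it per host role."""
    totals = defaultdict(int)
    for _ts, host, _dst, bytes_out in parse_log(flow_lines):
        totals[host] += int(bytes_out)
    return {host: total for host, total in totals.items() if total > threshold_bytes}


if __name__ == "__main__":
    for ts, host, dst in find_c2_callbacks(PROXY_LOG):
        print(f"C2 callback attempt: {ts} {host} -> {dst}")
    for host, total in find_bulk_egress(FLOW_LOG).items():
        print(f"bulk egress: {host} sent {total} bytes")
```

Both checks are intentionally independent of whether the proxy or firewall allowed the traffic. As paragraph 621 notes, a blocked callback still shows that the attacker retains a foothold, which is why the finding feeds a containment decision rather than being closed as "blocked by policy".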
621. As explained in paragraph 207 (pg 70) above, the attempted callbacks indicated that the attacker still had access to SingHealth’s network even while IHiS was actively implementing measures to contain the incident, and that the attacker was still active and trying to regain a foothold in the network.
In these circumstances, CSA strongly advised IHiS to implement ISS, on the basis that ISS would be effective against this particular attack because it fully blocked the callbacks and disrupted the attacker’s command and control in the network.
622. IHiS acted decisively, and on the morning of 20 July 2018, cut off user internet surfing and internal server access to the internet for the SingHealth Cluster. On 22 July 2018, IHiS also cut off user internet surfing and internal server access to the internet for the NHG and NUHS Clusters.
623. No further suspicious activity was detected after ISS was implemented.