Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 277 of 425

painful way in the Cyber Attack. The attacker was sophisticated but was not silent – signs of the Cyber Attack were seen by a number of IHiS staff over a substantial duration of time. Unfortunately, these were not correctly recognised as signs of malicious activity. The experiences of Katherine, Lum and Sze Chun are most illustrative – each of them observed these signs at various times, but each of them assumed these signs to be indicative of operational issues, rather than evidence of a security incident. Katherine, for example, thought that the failed logins to the SCM database were an indication of IHiS staff “testing the system”. She similarly thought that the active queries to the SCM database on 4 July 2018 were queries being run by other IHiS staff. Sze Chun, who first caught the unusual queries to the SCM database on 4 July 2018, also did not think them suspicious initially – he thought that these were legitimate queries that were being run for a number of other operational reasons. Lum, too, was unable to perceive the signs he observed in June 2018 as evidence of a cyber attack. Having observed the use of multiple suspicious login-IDs to attempt access to the SCM database, he initially thought that there was some sort of auditor penetration testing that was being conducted on the SCM database. These IHiS staff were unable to ascertain from the evidence before them that they were observing a cyber attack in motion. The consequence was indeed dire – an unprecedented amount of data was exfiltrated from the SCM database by the attacker.

808. The capability of employees to detect, alert and respond to indicators of system compromise must therefore be enhanced – the only thing worse than having your network penetrated is having it penetrated and not knowing it.
Early identification of a security incident is paramount at all levels and across the various divisions and groupings in IHiS – operational staff, IT security staff, senior management etc.

809. All staff must be trained to recognise suspicious activity that may point to a cyber breach. Suspicious activity can include a number of different observables such as abnormal access patterns, database activities, file changes, and other out-of-the-ordinary events that can indicate an attack. Being able to recognise these activities is important. Employees should be trained to recognise common examples of suspicious activity
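As an added illustration of paragraph 809 (not part of the COI Report), the following Python script runs simple detection logic over constructed database audit lines modelled on the two signs described above: a burst of failed logins cycling through many login-IDs from one host, and a query returning far more rows than routine operational use. The log format, thresholds, host names and login-IDs are assumptions for this example.

```python
"""Detect two warning signs from the report: failed database logins that cycle
through many login-IDs, and unusually large query results. The audit-log format
and the thresholds below are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real SCM data).
# Fields: timestamp, event, login_id, source_host, rows_returned
SAMPLE_LOG = """\
2018-06-26T10:00:01 LOGIN_FAIL svc_backup ws-0412 0
2018-06-26T10:00:03 LOGIN_FAIL dba_admin ws-0412 0
2018-06-26T10:00:04 LOGIN_FAIL scm_reader ws-0412 0
2018-06-26T10:00:07 LOGIN_FAIL app_user ws-0412 0
2018-06-26T10:00:09 LOGIN_FAIL report_svc ws-0412 0
2018-06-26T10:05:00 LOGIN_OK nurse_ops ws-1150 0
2018-07-04T09:10:00 QUERY app_svc ws-0412 2500000
2018-07-04T09:12:00 QUERY nurse_ops ws-1150 40
"""

def parse(log_text):
    """Turn the whitespace-separated audit lines into typed tuples."""
    events = []
    for line in log_text.splitlines():
        ts, event, login_id, host, rows = line.split()
        events.append((datetime.fromisoformat(ts), event, login_id, host, int(rows)))
    return events

def failed_login_bursts(events, window=timedelta(minutes=5), min_ids=3):
    """Flag a source host that fails logins with >= min_ids distinct login-IDs
    inside one time window (the multiple-login-ID pattern the report describes).
    Returns one (host, sorted login-IDs) alert per offending host."""
    per_host = defaultdict(list)
    for ts, event, login_id, host, _ in events:
        if event == "LOGIN_FAIL":
            per_host[host].append((ts, login_id))
    alerts = []
    for host, fails in per_host.items():
        fails.sort()  # chronological order so each window starts at a failure
        for i, (start, _) in enumerate(fails):
            ids = {lid for ts, lid in fails[i:] if ts - start <= window}
            if len(ids) >= min_ids:
                alerts.append((host, sorted(ids)))
                break
    return alerts

def bulk_queries(events, max_rows=100000):
    """Flag queries returning far more rows than normal operational use."""
    return [(login_id, host, rows) for _, event, login_id, host, rows in events
            if event == "QUERY" and rows > max_rows]
```

Tuning the window, `min_ids` and `max_rows` to the baseline of each database is what turns these raw observations into alerts that operational staff can act on rather than dismiss as testing.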