COI Report – Part III
14 THE CYBER ATTACK
14.1 CSA's reconstruction of events
142. CSA's National Cyber Incident Response Team ("NCIRT") was able to substantially reconstruct the events of the Cyber Attack through thorough forensic analysis of machines suspected to have been compromised, network traffic flow data, and system logs. The initial batch of data was collected based on information provided by IHiS, and included forensic images provided by IHiS of some machines. As more information was revealed in the course of investigations, more forensic images and memory dumps of workstations and servers were collected. Proxy and network logs from various network segments, such as login logs and firewall logs, were also collected.
143. The NCIRT has provided a graphical summary of its findings:
Figure 7: Key events of the Cyber Attack
144. Having considered the evidence before it, the Committee accepts CSA's reconstruction of the sequence of the attack, and presents its findings below.
14.2 First evidence of breach and establishing control over Workstation A – August to December 2017
145. Forensic investigations uncovered signs of callbacks to an overseas command and control server13 ("C2 server") from 23 August 2017. Callbacks refer to communications between malware and C2 servers, either to fetch updates and instructions, or to send back stolen information. The computer from which these callbacks originated had been decommissioned in October 2017, and was not available for forensic analysis.
146. A different workstation, Workstation A, began calling back to the same C2 server on 24 August 2017, one day after the earliest-detected callback.
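The finding in paragraphs 145 and 146 rests on the kind of question an incident responder puts to proxy logs: which internal hosts talked to the C2 server, when did each first do so, and does the traffic look like malware beaconing rather than ordinary browsing? The following is an added illustration of that triage, not code from the COI Report, CSA or NCIRT. The log format, the hostnames (WS-OLD, WS-A, WS-B) and the C2 domain are constructed placeholders; real proxy logs carry more fields, but the grouping and regularity check carry over.

```python
"""Finding hosts that call back to a shared external C2 host in proxy logs.

Added illustration (not from the COI Report or from CSA/NCIRT): the log
format, hostnames and the C2 domain below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <src host> <dest host> <bytes out>".
# WS-OLD stands in for the decommissioned machine, WS-A for Workstation A.
SAMPLE_LOG = """\
2017-08-23T09:00:00 WS-OLD c2.example-bad.test 512
2017-08-23T10:00:05 WS-OLD c2.example-bad.test 498
2017-08-23T11:00:02 WS-OLD c2.example-bad.test 530
2017-08-23T11:07:41 WS-B updates.vendor.test 20480
2017-08-24T08:30:00 WS-A c2.example-bad.test 505
2017-08-24T09:30:03 WS-A c2.example-bad.test 510
2017-08-24T10:29:58 WS-A c2.example-bad.test 501
2017-08-24T12:15:20 WS-B news.site.test 70000
2017-08-24T12:16:01 WS-B news.site.test 65000
"""


def parse_log(text):
    """Yield (timestamp, src, dest, bytes_out) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dest, int(nbytes)


def hosts_contacting(text, c2_domain):
    """Map each internal host that reached c2_domain to its earliest contact time."""
    first_seen = {}
    for ts, src, dest, _ in parse_log(text):
        if dest == c2_domain and (src not in first_seen or ts < first_seen[src]):
            first_seen[src] = ts
    return first_seen


def beacon_regularity(text, src, dest):
    """Return (mean gap in seconds, coefficient of variation) between successive requests.

    Malware callbacks tend to be small and evenly spaced, so a low coefficient
    of variation flags that pattern. Returns None with fewer than three requests.
    """
    times = sorted(ts for ts, s, d, _ in parse_log(text) if s == src and d == dest)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def rank_candidates(text, c2_domain, cv_threshold=0.2):
    """List (host, first_seen, mean_gap_s) for hosts whose traffic to c2_domain looks like beaconing,
    ordered by first contact so the earliest compromised host comes first."""
    out = []
    for host, first in hosts_contacting(text, c2_domain).items():
        reg = beacon_regularity(text, host, c2_domain)
        if reg and reg[1] <= cv_threshold:
            out.append((host, first, reg[0]))
    return sorted(out, key=lambda r: r[1])


if __name__ == "__main__":
    for host, first, gap in rank_candidates(SAMPLE_LOG, "c2.example-bad.test"):
        print(f"{host}: first callback {first:%Y-%m-%d %H:%M:%S}, ~{gap:.0f}s apart")
```

On the constructed sample the script lists WS-OLD first (23 August) and WS-A a day later, both with roughly hourly, tightly spaced requests; WS-B's large, irregular downloads are not flagged. In a real investigation the earliest-seen host is the one whose disk and memory image matters most, which is why the loss of the decommissioned machine in paragraph 145 is significant.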
147. As will be shown subsequently, Workstation A went on to play a critical role in the Cyber Attack as a key pivoting point through which the attacker entered the network, and it was also used for the exfiltration of the stolen patient and medical data between 27 June and 4 July 2018. In the course of investigations by the Criminal Investigation Department ("CID") of the Singapore Police Force, the user of Workstation A denied being involved in any way in the unlawful access of the SCM system in 2018. Investigations by the CID also did not reveal any evidence of the user's involvement in the Cyber Attack.
148. While not conclusive, there is some evidence to suggest that the initial intrusion was through a successful phishing attack, which led to malware being installed and executed on the workstation.

13 C2 servers are centralised devices operated by attackers to maintain communications with compromised computers within a target network.
Phishing refers to a common technique used by hackers to trick people (typically through emails) into divulging personal information, transferring money, or installing malware.