COI Report – Part IV
Page 109 of 425

19 EVENTS OF JANUARY 2018

19.1 Detecting malware on the PHI 1 Workstation and callbacks to suspicious IP addresses – 18 January 2018

302. On 18 January 2018, Benjamin Lee (“Benjamin”), a System Engineer from the IHiS Security Management Department (“SMD”), was performing a routine check and noticed an alert about suspicious activity detected on a workstation located in a SingHealth public healthcare institution (referred to earlier as “PHI 1” and the “PHI 1 Workstation”). The alert provided him with the filename of the suspected malware found on the workstation, and the date of infection was stated to be 18 January 2018. Benjamin decided to investigate the matter, and informed Tan Choon Kiat Ernest (“Ernest”), Senior Manager of the SMD, of the same.

303. In the course of investigations, Benjamin determined that the PHI 1 Workstation was (a) attempting to communicate with what he understood to be a foreign IP address and an associated URL, and (b) sending commands to two other IP addresses.

304. The foreign IP address was in fact one of the key C2 (command-and-control) servers used by the attacker throughout the entire period of the Cyber Attack.

305. As for the other two IP addresses, Benjamin found that public IP addresses beginning with those numbers were associated with a different foreign country, and thus believed that the commands were being sent to IP addresses in another country. This view would subsequently be proved to have been erroneous.

306. While the filename of the suspected malware was that of a legitimate program, the program should not have been located in the file path where it was found.
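Paragraphs 303 to 306 describe two triage checks that an analyst in Benjamin's position performs by hand: deciding where a callback destination actually belongs, and noticing that a legitimately named program is running from the wrong directory. The script below is an added example, written for this page and not taken from the COI Report or from IHiS; the report does not disclose the real addresses or filename, so the host name, image path, destination addresses and the small allowlist of expected binary locations are all constructed placeholders. It contrasts the leading-octet guess that paragraph 305 records (the `naive_first_octet_guess` helper, whose octet set stands for whatever the analyst believed) with a membership test against whole non-routable prefixes, and flags a known binary name found outside its expected path, as in paragraph 306.

```python
import ipaddress
from pathlib import PureWindowsPath

# Non-routable ranges that can never sit in a foreign allocation: RFC 1918
# private space, loopback and link-local. Membership is tested against the
# whole prefix, not the leading octet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Hypothetical allowlist: where a binary with this name is expected to live.
# A real deployment would derive this from a software inventory; these two
# Windows entries are illustrative only.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def classify_ip(addr):
    """'internal' if addr is inside a non-routable range, otherwise 'external'."""
    ip = ipaddress.ip_address(addr)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def naive_first_octet_guess(addr, foreign_first_octets):
    """The unreliable heuristic: call an address foreign because its leading
    octet appears in some public allocation abroad. Shown only to contrast
    with classify_ip(); foreign_first_octets is whatever the analyst believed."""
    first = int(addr.split(".")[0])
    return "foreign" if first in foreign_first_octets else "unknown"


def path_anomaly(image_path):
    """True when a binary with an allowlisted name runs from a directory that
    the allowlist does not expect it in (legitimate name, wrong path)."""
    p = PureWindowsPath(image_path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return False  # unknown name: this check has nothing to say about it
    return str(p.parent).lower() not in EXPECTED_DIRS[name]


def triage(events):
    """Run both checks over endpoint events and return structured findings."""
    findings = []
    for ev in events:
        if path_anomaly(ev["image"]):
            findings.append(("legit_name_wrong_path", ev["host"], ev["image"]))
        for dst in ev["destinations"]:
            findings.append(("callback", ev["host"], dst, classify_ip(dst)))
    return findings


# Constructed sample event, not data from the report: the image path and the
# addresses are placeholders (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {
        "host": "PHI1-WS",
        "image": r"C:\Windows\Temp\svchost.exe",
        "destinations": ["203.0.113.7", "172.30.4.9", "10.20.30.40"],
    }
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    # Why the octet guess misleads: 172.30.4.9 is RFC 1918 space, whatever
    # public blocks beginning with 172 happen to be allocated to.
    print(naive_first_octet_guess("172.30.4.9", {172}), "vs", classify_ip("172.30.4.9"))
```

The point of `classify_ip` is that an address is placed by testing it against complete prefixes, so a private address whose first octet coincides with some overseas public block is still reported as internal; an external verdict from this check is what justifies the next step of looking the address up against threat intelligence. The path check is deliberately narrow: it only speaks about names on its allowlist, so a clean result for an unknown binary is silence, not a verdict.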