Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 264 of 425

37.4.2 Modifications to network architecture and/or monitoring of east-west traffic within the network must be undertaken to limit the ability of attackers to move laterally within a network

764. Traditional security thinking prioritises preventing an initial intrusion into a network. However, the initial compromise is often only the beginning. Once an attacker gains a foothold, it would attempt to move around the network and access other systems. This was the case in the Cyber Attack.

765. Once the attacker had established an initial foothold, network logs indicate that the attacker moved laterally in the network between December 2017 and June 2018. Forensic analysis revealed clear indicators that the attacker had moved laterally around the network. For example, the PHI 1 Workstation was compromised and infected with malware on 18 January 2018. This infected workstation was also found to be communicating with foreign C2 servers. Moving laterally, the attacker also gained access to Workstation B and planted a customised Remote Access Trojan on 17 April 2018. After this workstation was compromised, the attacker was able to remotely login to Citrix Servers 1 and 2 using the L.A. account and the S.A. account. The attacker had planned its route in the SingHealth network to reach its ultimate objective – the SCM database.

766. Given the risk of lateral movement in a future attack, IHiS must adopt measures to structure the SingHealth network in such a way as to limit an attacker’s opportunity to move laterally, or implement solutions to monitor, detect, and block lateral movement.

767. Network segmentation. Network segmentation in computer networking is the act of splitting a computer network into sub-networks, each being a network segment. In essence, groups of systems or applications are separated from each other.
One of the advantages of splitting a network in this manner is improved security, as it makes it more difficult for an attacker to propagate an attack throughout the entire network. For example, there is a reduced attack
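The following is an added illustration of the east-west monitoring that paragraph 766 recommends; it is not code from the COI report or from IHiS. It reads a constructed flow log (timestamp, source host, source zone, destination host, destination zone, port), checks each flow against an assumed zone-to-zone allow-list and an assumed rule that remote-administration ports may only originate from a jump zone, and then flags any host that reaches several distinct server-side hosts within a short window, the fan-out pattern of a workstation being used to hop onto multiple servers. The zone names, ports, thresholds and log lines are all assumptions made for the example.

```python
"""Added example: segmentation-policy checks and lateral-movement fan-out
detection over a constructed east-west flow log. Zones, ports, thresholds
and log lines are assumptions, not SingHealth or IHiS configuration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time src src_zone dst dst_zone dst_port
SAMPLE_LOG = """\
2018-04-17T09:01:10 ws-b workstations citrix-1 servers 1494
2018-04-17T09:02:40 ws-b workstations citrix-2 servers 1494
2018-04-17T09:03:05 ws-b workstations fileshare-3 servers 445
2018-04-17T09:10:00 jump-1 admin-jump citrix-1 servers 3389
2018-04-17T09:12:00 ws-c workstations printer-1 printers 9100
2018-04-17T09:15:00 ws-c workstations db-1 database 1433
"""

# Assumed policy: remote-admin/file-sharing ports (SSH, SMB, Citrix ICA/CGP, RDP)
# may only be initiated from the admin jump zone.
ADMIN_PORTS = {22, 445, 1494, 2598, 3389}
ADMIN_ZONES = {"admin-jump"}
# Assumed allow-list of (source zone, destination zone) pairs; anything else
# is east-west traffic the segmentation design never intended.
ALLOWED_ZONE_PATHS = {
    ("workstations", "servers"),
    ("workstations", "printers"),
    ("servers", "database"),
    ("admin-jump", "servers"),
    ("admin-jump", "database"),
}
SERVER_SIDE_ZONES = {"servers", "database"}


def parse_log(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, src_zone, dst, dst_zone, port = line.split()
        flows.append({
            "time": datetime.fromisoformat(ts),
            "src": src, "src_zone": src_zone,
            "dst": dst, "dst_zone": dst_zone,
            "port": int(port),
        })
    return flows


def check_policy(flows):
    """Return flows that cross a disallowed zone boundary or use an admin
    port from outside the jump zone."""
    findings = []
    for f in flows:
        path = (f["src_zone"], f["dst_zone"])
        if path not in ALLOWED_ZONE_PATHS:
            findings.append(("segmentation_violation", f["src"], f["dst"], f["port"]))
        elif f["port"] in ADMIN_PORTS and f["src_zone"] not in ADMIN_ZONES:
            findings.append(("admin_port_from_non_jump", f["src"], f["dst"], f["port"]))
    return findings


def detect_fanout(flows, threshold=3, window=timedelta(minutes=15)):
    """Alert when one source reaches `threshold` distinct server-side hosts
    within `window`; one alert per source, on the first window that trips."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda r: r["time"]):
        if f["dst_zone"] in SERVER_SIDE_ZONES:
            by_src[f["src"]].append(f)
    alerts = []
    for src, records in by_src.items():
        for i, first in enumerate(records):
            reached = {r["dst"] for r in records[i:]
                       if r["time"] - first["time"] <= window}
            if len(reached) >= threshold:
                alerts.append(("lateral_movement_fanout", src, tuple(sorted(reached))))
                break
    return alerts


def analyse(text):
    flows = parse_log(text)
    return {"policy": check_policy(flows), "fanout": detect_fanout(flows)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the constructed sample, the three admin-port flows from ws-b and the workstation-to-database flow from ws-c are reported as policy findings, and ws-b is also flagged for fanning out to three server hosts within the window; the jump-host RDP session and the print job pass both checks. In practice the allow-list would be derived from the segmentation design and the thresholds tuned against a baseline of normal east-west traffic.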