Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 422 of 425 (b) IOCs discovered through CSA’s forensic investigations were applied to enterprise-wide scanning, which has been completed. 1214. However, it is possible that not all the IOCs/signatures of the malwares, sleepers and backdoors potentially left in the network by the attacker have already been identified and scanned for. CSA’s own evidence is that the attacker had established multiple footholds in the network. 1215. The Committee agrees with Vivek’s expert recommendation that IHiS should perform a comprehensive forensic review of all workstations and servers to ensure that are no remnants of the attacker. In his opinion, it is not possible to ensure that the network and system is “100% clean, but he has explained what IHiS can do to ensure that the threat is eradicated as far as possible a) Even if certain IOCs/signatures have been missed or lost, there will be enough information about the attacker to piece together the attack pattern and look deeper into the network to find remnants of the attack. It is also possible to use available intelligence on the attacker to look within the environment for artefacts left behind by the attacker. b) Expert investigators will be able to assist IHiS in such a forensic review, using EDR technology which can be licensed for the period of the forensic review. c) Such forensic reviews have been carried out by organisations who have been impacted by a significant cyber attack, and such a review can be done across a large number of endpoints, even in the hundreds of thousands. 1216. Gen. Alexander cautioned that we should “[a]ssume compromised systems are forever compromised”, and that compromised systems should be replaced with new systems if financially feasible. This is an extreme position and we do not expect IHiS and SingHealth to overhaul its current systems. Instead,
