Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
Executive Summary

B. THE EVENTS OF THE CYBER ATTACK AND INCIDENT RESPONSE BY IHIS AND SINGHEALTH

4. The Committee’s Terms of Reference (“TORs”) include (i) establishing the events and contributing factors leading to the Cyber Attack and the exfiltration of patient data (“TOR #1”), and (ii) establishing how IHiS and SingHealth responded to the Cyber Attack (“TOR #2”). The Committee’s findings on these TORs are set out in Parts III-VI of the main report.

5. In the present section, the Committee will first provide a summary of the key events of the Cyber Attack and the incident response by IHiS and SingHealth. The Committee will then present five Key Findings in respect of TORs #1 and #2.

I. Summary of events

6. The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks. The attacker then lay dormant for several months, before commencing lateral movement in the network between December 2017 and June 2018, compromising a number of endpoints and servers, including the Citrix servers located in SGH, which were connected to the SCM database. Along the way, the attacker also compromised a large number of user and administrator accounts, including domain administrator accounts.

7. Starting from May 2018, the attacker made use of compromised user workstations in the SingHealth IT network and suspected virtual machines to remotely connect to the SGH Citrix servers, and tried unsuccessfully to access the SCM database from the SGH Citrix servers.

8. IHiS’ IT administrators first noticed unauthorised logins to the Citrix servers and failed attempts at accessing the SCM database on 11 June 2018. Similar malicious activities were detected on 12, 13, and 26 June 2018. Unknown to them, the attacker had obtained credentials to the SCM database on 26 June