COI Report – Part III, Page 70 of 425
14.7 Attempts to re-enter the SingHealth Network on 18 and 19 July 2018
205. Although no data queries to the SCM database or exfiltration of patient records were detected after 4 July 2018, there was malicious activity in the SingHealth network on 18 and 19 July 2018, which suggested (a) that the attacker was trying to establish a fresh pathway into the network and (b) that the attacker had established multiple footholds in the network and had re-entered the network through one of these hitherto unknown footholds.
206. On 18 July 2018, phishing emails were sent to a number of recipients in various SingHealth institutions. One of the recipients of the email was the user of a previously infected workstation, the PHI 1 Workstation. The email contained content similar to the earlier-mentioned publicly available hacking tool, and would run automatically when the mail was previewed or read. It was also configured to lead to callbacks to a C2 server. IHiS discovered and informed CSA of the phishing emails on 1 August 2018, and the emails were assessed by CSA to be a possible attempt by the attacker to re-enter the network. The form and content of the emails also support the hypothesis that the initial breach could have been executed through a phishing email.
207. On 19 July 2018, IHiS informed CSA that a server, referred to in this report as the “S.P. server”, was detected trying to connect to a C2 server, but the attempts were blocked by the firewall. Malicious files were discovered on the S.P. server.
208. There is no evidence of any callbacks to any known C2 servers from the S.P. server before 19 July 2018. The malicious files were created on the S.P. server on 19 July 2018, and the attacker would have required remote access to the SingHealth network in order to create these files. These facts indicated two things: (a) first, the attacker had established multiple footholds in the SingHealth network, and had re-entered the system undetected