Table of contents exchange of letters with the minister executive summary



Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

Executive Summary ii

B. THE EVENTS OF THE CYBER ATTACK AND INCIDENT RESPONSE BY IHIS AND SINGHEALTH
4. The Committee’s Terms of Reference (“TORs”) include (i) establishing the events and contributing factors leading to the Cyber Attack and the exfiltration of patient data (“TOR #1”), and (ii) establishing how IHiS and SingHealth responded to the Cyber Attack (“TOR #2”). The Committee’s findings on these TORs are set out in Parts III-VI of the main report.
5. In the present section, the Committee will first provide a summary of the key events of the Cyber Attack and the incident response by IHiS and SingHealth. The Committee will then present five Key Findings in respect of TORs #1 and #2.
I. Summary of events
6. The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks. The attacker then lay dormant for several months, before commencing lateral movement in the network between December 2017 and June 2018, compromising a number of endpoints and servers, including the Citrix servers located in SGH, which were connected to the SCM database. Along the way, the attacker also compromised a large number of user and administrator accounts, including domain administrator accounts.
7. Starting from May 2018, the attacker made use of compromised user workstations in the SingHealth IT network and suspected virtual machines to remotely connect to the SGH Citrix servers, and tried unsuccessfully to access the SCM database from the SGH Citrix servers.
8. IHiS’ IT administrators first noticed unauthorised logins to the Citrix servers and failed attempts at accessing the SCM database on 11 June 2018. Similar malicious activities were detected on 12, 13, and 26 June 2018. Unknown to them, the attacker had obtained credentials to the SCM database on 26 June


