Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part III Page 58 of 425

the attack, uses of the NCC server included use as a distribution point for malware, where malware was stored temporarily before being copied to other workstations or servers in the network.

160. Forensic analysis of the NCC server revealed the presence of malicious artefacts from as early as 29 September 2017. Malicious PowerShell scripts were also found to have been created on the server in January 2018, and it is likely that these malicious scripts were executed as part of the process through which the attacker strengthened its control over the server.

161. The NCC server was an IHiS asset. However, investigations have revealed that it was not in fact being managed by IHiS. Instead, it was managed locally by an NCC employee, Tan Aik Chin, since January 2016. This was a result of happenstance, and Aik Chin did not possess the necessary knowledge to administer the server. As a result, patches that would ordinarily be rolled out automatically for other servers under IHiS’ care were not similarly rolled out to the NCC server. In fact, the server did not have an updated version of the antivirus program installed.

14.4.2 Callbacks to a foreign IP address in January 2018 from Workstation A and the PHI 1 Workstation

162. In January 2018, (i) a workstation from a SingHealth public health institution (in this report, this specific institution is referred to as “PHI 1”, and the workstation is referred to as the “PHI 1 Workstation”), and (ii) Workstation A from SGH, were separately making callbacks to a foreign IP address. As will be shown in section 19 (pg 109) below, while IHiS staff were aware of callbacks from both workstations on 19 January 2018, action was taken only to block connections to the address from PHI 1, and not SGH. CSA’s investigations have revealed that this foreign IP address was that of one of the key C2 servers used by the attacker throughout the entire period of the Cyber Attack.

When CSA’s incident response team was onsite at IHiS after 10 July 2018, there were still ongoing communications with this C2 server from compromised computers.