


Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part III
Page 94 of 425

16.2 Extensive C2 infrastructure
283. CSA’s forensic analysis of the exhibits revealed a number of network Indicators of Compromise (“IOCs”) which appeared to be overseas C2 servers. CSA has explained that generally, the C2 servers were used for:
a) Infection: where the server is used as a means of dropping malware into the system it is trying to infect;
b) Data exfiltration: there were indications of technical data (and not medical records) being sent to the servers; and
c) Beacon: infected machines may have connected to C2 servers to establish a heartbeat, which refers to a slow, rhythmic communication meant just to sustain communications.
284. The CSA furnished the details of a number of overseas network IOCs to the CID for follow-up to determine if the subscribers’ information could be ascertained. Direct requests were made to foreign law enforcement agencies for the relevant information.
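The heartbeat behaviour described in paragraph 283(c) is what defenders look for in proxy or firewall logs: connections from one host to one destination at near-constant intervals. The following is an added example, not part of the COI report or CSA's tooling; the host names, destinations, timestamps and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (seconds since start of capture, internal host, destination).
BEACON_TIMES = [0, 302, 598, 901, 1199, 1503, 1800, 2098]   # roughly every 300 s
BROWSE_TIMES = [5, 40, 47, 900, 910, 2500, 2511, 2600]      # bursty, human-driven
SAMPLE = (
    [(t, "ws-01", "c2.example.net") for t in BEACON_TIMES]
    + [(t, "ws-01", "news.example.org") for t in BROWSE_TIMES]
    + [(t, "ws-02", "update.example.com") for t in (10, 3610, 7210)]  # too few events
)

def find_beacons(events, min_events=6, max_cv=0.1, min_period=30):
    """Return {(host, dest): (mean_gap_s, cv)} for pairs with regular intervals.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a low cv means rhythmic, machine-driven traffic.
    """
    times_by_pair = defaultdict(list)
    for ts, host, dest in events:
        times_by_pair[(host, dest)].append(ts)

    hits = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_events:
            continue  # not enough samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_period:
            continue  # rapid bursts are ordinary page loads, not a slow heartbeat
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (round(avg, 1), round(cv, 3))
    return hits

if __name__ == "__main__":
    for (host, dest), (gap, cv) in find_beacons(SAMPLE).items():
        print(f"{host} -> {dest}: mean gap {gap}s, cv {cv}")
```

Legitimate software such as update checkers and time synchronisation also polls on a fixed schedule, so hits need to be triaged against known-good destinations before being treated as IOCs.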

17 PROFILING THE ATTACKER
285. CSA has assessed that the attacker was a “skilled and sophisticated” threat actor, that had “characteristics that are typical of an Advanced Persistent Threat (“APT”) attack”. CSA has also provided the following description of an APT:
APT refers to a class of sophisticated, usually state-linked, cyber attackers who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations. APT attackers are known to be extremely persistent in finding ways to get into a network/system once a target had been identified.




286. The Committee agrees with CSA’s assessment of the attacker as a skilled and sophisticated attacker bearing the characteristics of an APT group, having regard in particular to the following attributes seen from the evidence presented before the Committee:
a) The attacker had a clear goal in mind, namely the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients. CSA has assessed that the attacker’s actions were targeted and specific, conducting reconnaissance in the network targeted at reaching the SCM database, and compromising only selected computers necessary to access, copy, and transfer data from the SCM database. The attacker also avoided secondary targets that might have drawn attention to its presence. The attacker also effected a quick turnaround time between access to the SCM database and exfiltration of data from the SCM database, showing both technical competence and mission-orientation.
b)
