Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part IV
Page 110 of 425

However, it appears that Benjamin or other members of the SMD did not notice this fact.
19.2 Blocking and monitoring of suspicious IP addresses and re-imaging the PHI 1 Workstation – 18 January 2018
307. Acting on his findings above, Benjamin blocked network traffic between the PHI 1 network and all three IP addresses on 18 January 2018. However, he did not take any action to block network traffic to those IP addresses from the rest of the SingHealth network.
308. Benjamin then informed the site engineer to disconnect the PHI 1 Workstation from the SingHealth network. Checks with the user of the workstation did not reveal any useful information.
309. Benjamin then quarantined the suspicious file, and reconnected the machine to the SingHealth network. He then confirmed that the workstation was no longer attempting to connect to the foreign IP address. However, commands were still being broadcast to the other two IP addresses.
310. Benjamin then instructed the site engineer to re-image the PHI 1 Workstation to eradicate any malware, and this was done overnight. He also recorded the suspected malicious IP addresses and URL and asked IHiS’ outsourced vendor for MSS (Managed Security Services) to continue monitoring network traffic to the suspicious IP addresses and URL, in all the public healthcare clusters.
19.3 Discovering multiple attempts from Workstation A to communicate with the same suspicious foreign IP address – 19 January 2018
311. On 19 January 2018, Benjamin obtained a set of network logs comprising proxy logs and firewall logs. The search range for both the proxy logs and the firewall logs was from 1 to 19 January 2018.
312. On reviewing the network logs, Benjamin noticed that there were many instances of access to the foreign IP address. All the successful instances of access were from a single IP address, and involved either a particular SGH user-ID, or the hostname of a SGH workstation. The IP address and hostname were in fact that of Workstation A, and the user-ID was that of the user of Workstation A. As discussed in Part III above, Workstation A played a significant role in the Cyber Attack.
313. In the afternoon of 19 January 2018, Benjamin sent an email to the SMD, including Ernest, titled “Hits to IOCs” (‘IOCs’ refer to indicators of compromise), attaching the network logs. In this email, Benjamin informed his colleagues that he had arranged for scans for hits involving the malicious IPs and URLs that he was aware of at that time.
314. There was no immediate reply to Benjamin’s 19 January 2018 email. Ernest stated that he glanced at the logs when he received the email. He could see that there were multiple attempts to communicate with the foreign IP address from one or more workstations in SGH and PHI 1. However, no steps were taken by Ernest or Benjamin to (i) identify the owner of the user-ID shown in the logs (i.e. the user of Workstation A); (ii) identify the physical location of Workstation A; (iii) investigate the callbacks from Workstation A, including whether it was infected with malware; or (iv) block connections to the suspicious IP address from SGH or the rest of the SingHealth network. There is also no indication that there was any follow-up from any other members of the SMD.
315. Apart from the URL related to the foreign IP address, Benjamin’s email also mentioned another URL. Benjamin has explained that this URL was also flagged up as having been accessed by the PHI 1 Workstation, but he had inadvertently forgotten to include this URL in his subsequent reports on the matter. Although Benjamin had flagged this other URL in his email, no further action was taken by Benjamin or Ernest to block the domain name for the SingHealth network. This URL was in fact one of the attacker’s C2 servers.
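The log review described in paragraphs 311 to 314 (scanning proxy and firewall logs for hits to known IOCs and tying each hit back to a source IP, hostname and user-ID, so that the owner of the user-ID and the location of the machine can be identified and its callbacks investigated) as an added Python example. This is constructed illustration code, not from the COI report or IHiS; the IOC values, the log format, the hostnames and the user-IDs are placeholders.

```python
"""Hits-to-IOCs triage over proxy logs (added example; constructed data, not from the COI report)."""
import re
from collections import defaultdict

# Constructed IOC list using placeholder (TEST-NET / .invalid) values;
# the report's real IPs and URLs are not reproduced here.
IOC_IPS = {"203.0.113.10", "203.0.113.20"}
IOC_DOMAINS = {"c2-placeholder.invalid"}

# Constructed proxy log lines: date time src_ip src_host user action dest status
SAMPLE_PROXY_LOG = """\
2018-01-17 09:12:01 10.0.5.23 SGH-WS-A userA ALLOW 203.0.113.10 200
2018-01-17 09:15:44 10.0.5.23 SGH-WS-A userA ALLOW c2-placeholder.invalid 200
2018-01-18 02:03:10 10.0.7.41 PHI1-WS-01 userB DENY 203.0.113.10 403
2018-01-18 11:30:00 10.0.5.99 SGH-WS-B userC ALLOW 198.51.100.7 200
2018-01-19 08:00:05 10.0.5.23 SGH-WS-A userA ALLOW 203.0.113.20 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src_ip>\S+) (?P<host>\S+) "
    r"(?P<user>\S+) (?P<action>ALLOW|DENY) (?P<dest>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def ioc_hits(log_text, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Return {(src_ip, host, user): {'allowed': n, 'denied': n, 'iocs': set()}}
    for every source that touched an IOC. Allowed hits are the ones that need
    host isolation, user identification and callback investigation; denied
    hits still show a host that is trying to reach the attacker."""
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0, "iocs": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dest"] not in ioc_ips | ioc_domains:
            continue
        key = (rec["src_ip"], rec["host"], rec["user"])
        hits[key]["allowed" if rec["action"] == "ALLOW" else "denied"] += 1
        hits[key]["iocs"].add(rec["dest"])
    return dict(hits)

def followup_list(hits):
    """Sources with successful (allowed) IOC contact, most hits first."""
    return sorted((k for k, v in hits.items() if v["allowed"]),
                  key=lambda k: -hits[k]["allowed"])
```

Each entry in the follow-up list is a (source IP, hostname, user-ID) triple, which is exactly the information needed to locate the workstation, identify its user and decide on blocking at the proxy and firewall for the whole network rather than a single segment.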