Analysis from Trustwave indicates a state-sponsored threat group was behind the attack.

The recent cyber-attack against the largest healthcare group in Singapore was likely conducted by a nation-state actor for espionage purposes, fresh analysis indicates.

On July 20, SingHealth announced it had been the target of a “major cyber-attack” that resulted in the personal information of around 1.5 million individuals being compromised – including that of Prime Minister Lee Hsien Loong.

SingCert (Singapore’s computer emergency response team) said the data breach impacted patients who visited SingHealth’s specialist outpatient clinics between May 1, 2015, and July 4, 2018.

“About 1.5 million patients… have had their non-medical personal particulars illegally accessed and copied,” SingCert confirmed. “The data taken includes name, NRIC [national identity] number, address, gender, race, and date of birth.”

Targeted attack

While forensic investigations are continuing, Singaporean authorities said the breach was the result of a “deliberate, targeted and well-planned cyber-attack”.

In a lengthy Facebook post, the country’s Prime Minister Lee Hsien Loong said the attackers specifically and repeatedly targeted his own medical data.

Following the discovery of unauthorized access to the SingHealth database, several industry experts have said the attack was likely the work of nation-state actors.

These sentiments have been echoed by Trustwave’s SpiderLabs security research division, which last week said it had determined with “moderate confidence” that the actor’s intent is “espionage in nature, carried out to support the strategic goals of intelligence collection”.

“Based on SpiderLabs Intelligence sources, we are aware of the use of an attack technique in the actor’s TTPs [tactics, techniques and procedures],” the group stated. “This technique is not widely used, and is favored by advanced adversarial groups, most of which operate within a region in Asia.”

According to SpiderLabs, the actor behind the cyber-attack on SingHealth appears to have used publicly available attack tools which were “highly consistent with a few regional specific threat actor groups”.

Going deeper?

As authorities in Singapore scramble to identify the attackers, SpiderLabs came forward with additional research findings over the weekend, including the discovery of two separate Pastebin posts that appear to represent database access to SingHealth.

The first post, dated May 24, 2018, listed an exception log from a Java server, while the second, from June 15, 2018, took the form of SQL queries representing both SingHealth and NHG – the Singaporean National Healthcare Group.

While the researchers noted that “these sorts of things are commonly posted to Pastebin as developers often share error logs and queries with each other for troubleshooting purposes”, SpiderLabs said it was also possible that the attackers themselves uploaded the queries “in order to share the code with collaborators”.

“While we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window is highly suspicious,” the researchers said.
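The triage SpiderLabs describes, looking for pastes that resemble database access, name the affected organisations and fall inside the attack window, can be automated once paste content has been collected. The script below is an added example and is not code from the article, Trustwave or SingHealth; the sample pastes, package names and the attack window dates (assumed here to be May 1 to July 4, 2018, which the article does not state) are all constructed for illustration.

```python
"""Triage collected paste text against a breach window.

Added example (not from the article or Trustwave). Each paste is tagged as a
Java exception log and/or a SQL query dump by regex, checked for organisation
keywords, and flagged as suspicious only when all three signals line up:
DB-access-looking content, an organisation name, and a post date inside the
window. Sample pastes and the window dates are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date

# Java stack-trace frame, e.g. "\tat pkg.Class.method(Class.java:123)"
JAVA_FRAME = re.compile(r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)", re.MULTILINE)
# Exception class at the head of a trace, e.g. "java.sql.SQLException: ..."
JAVA_EXC = re.compile(r"\b[\w.]*(Exception|Error)\b(: |$)", re.MULTILINE)
# SQL statements that read or modify a table; case-insensitive, spans lines.
SQL_STMT = re.compile(
    r"\b(select\b.+?\bfrom|insert\s+into|update\b.+?\bset|delete\s+from)\b",
    re.IGNORECASE | re.DOTALL,
)

# Assumed attack window (NOT from the article; placeholder for the real one).
WINDOW_START = date(2018, 5, 1)
WINDOW_END = date(2018, 7, 4)


@dataclass
class Paste:
    paste_id: str
    posted: date
    text: str


@dataclass
class Finding:
    paste_id: str
    tags: list
    keywords: list
    in_window: bool
    suspicious: bool


# Constructed sample pastes; the content, dates and package names are invented.
SAMPLE_PASTES = [
    Paste("p1", date(2018, 5, 24),
          "java.sql.SQLException: ORA-00942: table or view does not exist\n"
          "query context: SingHealth outpatient export\n"
          "\tat oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:450)\n"
          "\tat com.example.clinic.PatientDao.find(PatientDao.java:88)"),
    Paste("p2", date(2018, 6, 15),
          "SELECT name, nric, address FROM singhealth.patients\n"
          "  WHERE visit_date > '2015-05-01';\n"
          "SELECT * FROM nhg.appointments;"),
    # Developer noise: a trace with no organisation keyword.
    Paste("p3", date(2018, 6, 1),
          "java.lang.NullPointerException\n"
          "\tat com.example.app.Main.run(Main.java:12)"),
    # Keyword hit, but posted well outside the window.
    Paste("p4", date(2017, 1, 10),
          "select nric from singhealth.patients;"),
]


def classify(text: str) -> list:
    """Tag a paste body by what it structurally looks like."""
    tags = []
    if JAVA_FRAME.search(text) and JAVA_EXC.search(text):
        tags.append("java-exception-log")
    if SQL_STMT.search(text):
        tags.append("sql-queries")
    return tags


def keyword_hits(text: str, keywords: list) -> list:
    """Case-insensitive substring match for organisation names."""
    low = text.lower()
    return [k for k in keywords if k.lower() in low]


def triage(pastes: list, keywords: list, start: date, end: date) -> list:
    """Combine content type, keywords and posting date into one verdict."""
    findings = []
    for p in pastes:
        tags = classify(p.text)
        hits = keyword_hits(p.text, keywords)
        in_window = start <= p.posted <= end
        findings.append(Finding(p.paste_id, tags, hits, in_window,
                                bool(tags) and bool(hits) and in_window))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PASTES, ["singhealth", "nhg"], WINDOW_START, WINDOW_END):
        print(f)
```

A match here is a lead, not attribution: as the researchers note, developers routinely post error logs and queries, so a flagged paste still needs to be checked against the actual schema, hostnames and timeline from the incident before it is treated as evidence.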