In the end, what will surely catch the eye is how an administrator password could have been set as P@ssw0rd. Or how a network connection that should have been cut remained online to let in a hacker.
Like any investigation into a high-profile data breach, the first day of the Committee of Inquiry (COI) hearings on the SingHealth hack in July brought up embarrassing details of the lapses and software vulnerabilities that led to Singapore’s worst cyber attack.
The hackers were stopped, fortunately, by a database administrator, just as they started to steal the medical data they sought, the committee heard from Solicitor-General Kwek Mean Luck today.
Still, the hackers made away with the outpatient prescription data of 160,000 patients, including Prime Minister Lee Hsien Loong. Also stolen was the personal data of 1.5 million people.
The attackers had gained a virtual foothold in SingHealth as far back as August 2017, the committee heard today. They had infected frontline workstations that ran a version of Microsoft Outlook that was not up to date with software patches.
Up until May 2018, the hackers only moved “sideways” as they introduced more malware to other machines to gain access to them. This was a common tactic for such stealthy attacks.
What allowed the hackers to make an important leap was access to some local administrator accounts on Citrix servers in Singapore General Hospital (SGH), the committee was told.
It is not exactly clear how the hackers jumped from the workstations to the Citrix servers, which are commonly used to offer remote access to other machines, but the committee heard today that one of the admin accounts had a weak password. Yes, this was P@ssw0rd.
From here, the hackers still had some way to go to access the health records database, which had been migrated from the SGH servers to a private cloud for the healthcare industry in June 2017.
So, the system at SGH was to have been decommissioned, reported the Channel NewsAsia news website. However, there remained an open network connection from the Citrix server farm at SGH to the database servers on the cloud. The hackers exploited this.
They did not immediately get into the database servers holding the medical records because this required another level of access, which they did not have initially, said the Solicitor-General.
Through its investigations, the Cyber Security Agency (CSA) believes there was a high probability that a vulnerability in the database software allowed the attackers to steal the credentials needed to access the data.
The vulnerability was known as far back as 2014 to Integrated Health Information Systems (IHIS), the company that manages the IT systems for the sector, according to the Solicitor-General. However, no action was taken, he added.
On June 26 this year, the hackers finally managed to get hold of the credentials to the database. The next day, they started stealing the data by running bulk “queries” on the database server.
This went on until July 4, when a database administrator noticed the activity and started to terminate it. On July 10, the senior management of IHIS, SingHealth, the Health Ministry and CSA came onboard. Ten days later, the breach was announced to a shocked public.
Did the teams at IHIS and SingHealth respond fast enough? The Solicitor-General said the staff did not appreciate the significance of the series of events, such as the unauthorised attempts to log in to the database, that eventually led to the breach.
They also did not report the incident in a timely manner, which is required because the database system is part of Singapore’s critical infrastructure, according to the Channel NewsAsia report.
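The two signals the hearing described, repeated unauthorised login attempts against the database followed by bulk queries pulling large volumes of records, are exactly what a database audit log can surface before a human notices. The script below is an added example, not code from IHIS, SingHealth or the COI; the pipe-separated log format, the account and host names, the row counts and the alert thresholds are all constructed for illustration. It flags a burst of failed logins per account, a successful login following that burst, and queries returning an abnormal number of rows.

```python
"""Audit-log triage for the pattern described in the SingHealth COI account:
failed database logins, then a successful one, then bulk data queries.
Added example with a constructed log format; thresholds are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log in a hypothetical "timestamp|host|user|event|rows" format.
SAMPLE_LOG = """\
2018-06-26T01:00:05|db-01|svc_report|LOGIN_FAIL|0
2018-06-26T01:00:09|db-01|svc_report|LOGIN_FAIL|0
2018-06-26T01:00:14|db-01|svc_report|LOGIN_FAIL|0
2018-06-26T01:00:20|db-01|svc_report|LOGIN_FAIL|0
2018-06-26T01:00:27|db-01|svc_report|LOGIN_FAIL|0
2018-06-26T01:00:33|db-01|svc_report|LOGIN_OK|0
2018-06-26T01:05:00|db-01|svc_report|QUERY|120
2018-06-27T02:10:00|db-01|svc_report|QUERY|480000
2018-06-27T02:15:00|db-01|svc_report|QUERY|510000
2018-06-27T09:00:00|db-01|clinic_app|LOGIN_OK|0
2018-06-27T09:00:01|db-01|clinic_app|QUERY|35
2018-06-27T09:00:02|db-01|clinic_app|LOGIN_FAIL|0
"""


def parse_log(text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, event, rows = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "user": user, "event": event, "rows": int(rows)})
    return records


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=1)):
    """Return (user, host, first_failure_ts) for every (user, host) pair with
    at least `threshold` LOGIN_FAIL events inside a sliding `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            failures[(r["user"], r["host"])].append(r["ts"])
    alerts = []
    for (user, host), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append((user, host, times[start]))
                break               # one alert per account is enough
    return alerts


def login_after_burst(records, bursts):
    """For each burst, find the first successful login by the same account
    afterwards; a success right after many failures is the suspicious combo."""
    hits = []
    for user, host, first_fail in bursts:
        later_ok = sorted(r["ts"] for r in records
                          if r["event"] == "LOGIN_OK" and r["user"] == user
                          and r["host"] == host and r["ts"] > first_fail)
        if later_ok:
            hits.append((user, host, later_ok[0]))
    return hits


def bulk_queries(records, row_threshold=100_000):
    """Return (user, host, ts, rows) for queries returning an abnormal row count.
    A real deployment would baseline this per account rather than use a constant."""
    return [(r["user"], r["host"], r["ts"], r["rows"]) for r in records
            if r["event"] == "QUERY" and r["rows"] >= row_threshold]


def triage(text):
    """Run all three detectors and return the findings together."""
    records = parse_log(text)
    bursts = failed_login_bursts(records)
    return {"bursts": bursts,
            "login_after_burst": login_after_burst(records, bursts),
            "bulk_queries": bulk_queries(records)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name)
        for f in findings:
            print("  ", *f)
```

On the constructed sample, only the `svc_report` account trips all three detectors: five failed logins in 22 seconds, a successful login six seconds later, and two queries the next day returning about half a million rows each. The single failed login from `clinic_app` and its 35-row query stay below the thresholds, which is the point of correlating the signals rather than alerting on any one of them.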
Though the Solicitor-General said the focus of the COI was not to find fault, the various lapses are a sobering reminder of how difficult it is to keep out a well-planned attack.
It is easy to say now that the series of errors that led to the data breach could have been avoided. In hindsight, everything is clear.
However, the lack of awareness that SingHealth is said to have suffered from is a common issue with many large organisations today. The IT systems they run are growing too complex to manage well.
It doesn’t help that they have multiple cyber security solutions onboard – too many of these solutions don’t work together coherently today and add to the confusion.
The lessons here, however, are valuable for other organisations faced with such advanced persistent threats on a daily basis. There will be more to learn, as the COI is expected to carry on until October 5.