An inquiry has found that hackers resembling state-sponsored actors were responsible for the biggest cyber attack in Singapore’s history, which targeted the healthcare details of Prime Minister Lee Hsien Loong and accessed the data of a quarter of the population.
A report published on Thursday described the hackers involved in last year’s attack as “skilled and sophisticated,” with characteristics matching “state-linked cyber attackers who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations”.
The findings come as state-backed cyber crime across Asia Pacific proliferates and as Singapore has tried to ramp up its defence against digital attacks, most recently with a new cyber security act passed in February 2018.
The attackers’ identity remains undisclosed. Singaporean officials have said they would not name suspects, citing national security concerns.
Russia, China and North Korea are among the countries blamed for recent high-profile cyber attacks, including alleged Russian meddling in the 2016 US presidential elections and alleged Chinese interference in Cambodia’s 2018 elections.
The breach at SingHealth, Singapore’s largest healthcare group, involved the acquisition of Mr Lee’s personal and outpatient medication data, the illegal copying of demographic data belonging to 1.5m patients, and the leaking of details of the medicine dispensed to about 160,000 people.
“The attacker had a clear goal in mind, namely the personal and outpatient medication data of the Prime Minister . . . and also that of other patients,” the report said.
Mr Lee, who was diagnosed with lymphoma in 1992 and had surgery for prostate cancer in 2015, has pledged to step down before turning 70 and could call elections as early as this year, after naming Heng Swee Keat, finance minister of Singapore, his de facto successor in the ruling party.
“My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it,” Mr Lee said after the attack.
The report pointed to gaps in cyber security ahead of the incident, including technical vulnerabilities at SingHealth and IT administrators lacking “adequate levels of cyber security awareness, training, and resources”.
The attackers had access to the healthcare group’s servers for 11 months and stole patient records even after IT administrators first noticed unauthorised logins to SingHealth servers in June 2018, according to the report.
While preventing a state-sponsored cyber crime remains difficult, the hackers’ success in “obtaining and exfiltrating the data in this attack was not inevitable,” the report said.
“Breaches like this show that compliance alone is not enough. Today most organisations in Asia would fall victim to a similar attack,” said Vivek Chudgar, senior director for consulting, Asia Pacific at FireEye. “Organisations need to reprioritise their security investments to quickly detect and respond to advanced attacks.”