• Hackers stole non-medical personal information of over a million patients, including Singapore's Prime Minister Lee Hsien Loong.
• The targeted attack is believed to be the work of state-sponsored attackers.

Singapore’s biggest healthcare group, SingHealth, was hit by hackers in June who stole the personal information of around 1.5 million patients. The attackers also stole information pertaining to Singapore’s Prime Minister Lee Hsien Loong.

According to a joint statement provided by SingHealth, Singapore’s ministry of health (MoH) and ministry of communications and information (MCI), the data stolen by hackers included non-medical personal information. However, prime minister Loong said in a Facebook post that the hackers targeted his “medication data, specifically and repeatedly.”

“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it,” Loong said.

Specific and repeated attack

According to Singapore’s MoH, the data stolen by the hackers include NRIC (National Registration Identity Card) numbers, names, addresses, gender, date of birth and race.

“The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines,” the MoH said in the joint statement.

The attack occurred just two weeks after Singapore hosted the historic Trump-Kim summit. The attackers were able to steal the data of all patients who visited SingHealth’s clinics and polyclinics for medical services between 2015 and 2018. The hackers breached one of SingHealth’s front-end systems, which in turn allowed them to obtain privileged account credentials that they used to gain access to the targeted data.

The work of state-sponsored hackers

According to Eric Hoh, Asia Pacific president of FireEye, the attack was likely the work of state-sponsored hackers.

Hoh believes the attack is different from ones conducted by a common cybergang who would have either sold the data online or used it as leverage in a ransomware attack. The hackers’ repetitive attempts to access the data of high-ranking government officials might be indicative of the attackers’ desire to use the data as a blackmail tool to force the official into sharing secrets or divulging sensitive credentials, he said.

“This was an advanced persistent threat (APT) and the nature of such attacks are that they are conducted by nation states using very advanced tools,” Hoh said, Channel News Asia reported. “They tend to be well resourced, well-funded and highly sophisticated.”

Beware of scams

It is still unclear which threat actor group is responsible for the attack on SingHealth. However, if the attack was conducted by a nation-backed hacker group, the list of suspects shrinks to a considerably limited number since only a few APT groups are capable of conducting an attack of this caliber.

The attack could also lead to further crimes such as identity theft, phishing scams and more.

SingHealth has uploaded several posts on its Facebook page, warning users to be on the lookout for potential scams that pose as legitimate sites and ask for personal information.

Attacks against the global healthcare sector have skyrocketed over the past few months. Cybercriminals gravitate toward healthcare data for several reasons, primarily because of its real-time value.

“As it could contain any amount and level of information, healthcare institutions are among the most sought-after industries by criminals who can be motivated by a multitude of possible reasons,” said Leonard Kleinman, cyber security advisor at RSA Asia Pacific and Japan, Channel News Asia reported.

Cyware Publisher