Researchers have come across two Pastebin posts that could shed more light on the data breach that resulted in the health records of 1.5 million Singaporeans getting stolen by hackers.
Authorities in Singapore announced on July 20 that a sophisticated threat actor had gained unauthorized access to a database of SingHealth, the city-state’s largest group of healthcare institutions.
The incident, described as Singapore’s biggest ever data breach, resulted in personal information and details on medication becoming compromised, but authorities said medical records, clinical notes and financial information were not affected.
The attackers are said to have used a malware-infected computer to access a SingHealth database between June 27 and July 4.
Singapore officials suggested – and independent cybersecurity experts confirmed – that the attack was likely carried out by a state-sponsored threat group, but they have refrained from publicly speculating on who might be behind the operation.
Trustwave has been monitoring the incident and the security firm is also convinced that the attack was launched by a nation-state actor.
“At this point, Trustwave SpiderLabs is not assigning attribution to a specific threat actor. We have strong suspicion but do not feel we have enough information to confirm attribution,” the company said.
Over the weekend, Trustwave published a blog post detailing its analysis of two files published by unknown individuals on code and text storage website Pastebin. While they have not been able to confirm it, researchers believe these files are somehow linked to the SingHealth breach and noted that they could provide important clues about how the attackers gained access to the data.
One of the files, an exception log from a Java server, posted to Pastebin on May 24, shows a query for delegating access to a SingHealth Headquarters (SHHQ) database from a senior manager in the Medical Technology Office of Singapore’s Health Services to an employee of CTC, a major IT contractor.
The delegation request was set for June 9 – 17 and it could mean that the attacker had hijacked the contractor’s user account and leveraged it to manipulate the SingHealth database. These dates show that the hackers may have conducted at least some reconnaissance activities weeks earlier than what Singapore officials reported.
The log file also shows that the target was a database named portaldev. “It is conceivable that the development environment server was not as well protected as the production server and therefore was an easier target,” Trustwave researchers said.
The security firm also discovered a series of SQL queries, targeting SingHealth medical data, uploaded to Pastebin on June 15. These queries suggest that whoever executed them was looking for sensitive information.
While it’s possible that the files were uploaded to Pastebin by developers working on the SingHealth database, they may have also been posted by the attacker, possibly to share code with collaborators for troubleshooting purposes, Trustwave explained.
“While we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window are highly suspicious,” researchers said.