Massive Singapore Healthcare Breach Possibly Involved Contractor

Researchers have come across two Pastebin posts that could shed more light on the data breach that resulted in the health records of 1.5 million Singaporeans getting stolen by hackers.

Authorities in Singapore announced on July 20 that a sophisticated threat actor had gained unauthorized access to a database of SingHealth, the city-state’s largest group of healthcare institutions.

The incident, described as Singapore’s biggest ever data breach, resulted in personal information and details on medication becoming compromised, but authorities said medical records, clinical notes and financial information were not affected.

The attackers are said to have used a malware-infected computer to access a SingHealth database between June 27 and July 4.

Singapore officials suggested – and independent cybersecurity experts confirmed – that the attack was likely carried out by a state-sponsored threat group, but they have refrained from publicly speculating on who might be behind the operation.

Trustwave has been monitoring the incident and the security firm is also convinced that the attack was launched by a nation-state actor.

“At this point, Trustwave SpiderLabs is not assigning attribution to a specific threat actor. We have strong suspicion but do not feel we have enough information to confirm attribution,” the company said.

Over the weekend, Trustwave published a blog post detailing its analysis of two files published by unknown individuals on code and text storage website Pastebin. While they have not been able to confirm it, researchers believe these files are somehow linked to the SingHealth breach and noted that they could provide important clues about how the attackers gained access to the data.

One of the files, an exception log from a Java server, posted to Pastebin on May 24, shows a query for delegating access to a SingHealth Headquarters (SHHQ) database from a senior manager in the Medical Technology Office of Singapore’s Health Services to an employee of CTC, a major IT contractor.

The delegation request was set for June 9 – 17 and it could mean that the attacker had hijacked the contractor’s user account and leveraged it to manipulate the SingHealth database. These dates show that the hackers may have conducted at least some reconnaissance activities weeks earlier than what Singapore officials reported.

The log file also shows that the target was a database named portaldev. “It is conceivable that the development environment server was not as well protected as the production server and therefore was an easier target,” Trustwave researchers said.

The security firm also discovered a series of SQL queries, targeting SingHealth medical data, uploaded to Pastebin on June 15. These queries suggest that whoever executed them was looking for sensitive information.

While it’s possible that the files were uploaded to Pastebin by developers working on the SingHealth database, they may have also been posted by the attacker, possibly to share code with collaborators for troubleshooting purposes, Trustwave explained.

“While we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window are highly suspicious,” researchers said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
