Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. threat analysis, news and alerts.

How Advanced Persistent Threat (APT) Attacks Work

1/10/2019

0 Comments

 
Advanced Persistent Threat cyber-attack

How Advanced Persistent Threat (APT) Attacks Work

The final report of the Committee of Inquiry (COI), the body tasked to investigate Singapore's worst cyber-attack in its history, concluded that an unnamed Advanced Persistent Threat (APT) group was behind the country’s worst-ever cyber-attack.

“The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group,” COI said in its final report.

COI was tasked with looking into Singapore’s worst-ever cyber-attack: the data breach on Singapore Health Services Private Limited (SingHealth). The COI report(PDF) released to the public last January 10th is a redacted version of the final report, barring sensitive information that could further harm SingHealth.

The unnamed Advanced Persistent Threat group, the COI said, illegally accessed SingHealth’s database and illegally removed personally identifiable information of 1.5 million patients, including their names, addresses, genders, races, and dates of birth between the period of June 27, 2018 to July 4, 2018. Out of the 1.5 million affected patients, nearly 159,000 of these patients also had their outpatient dispensed medication records exfiltrated. The personal and outpatient medication data of Singapore’s Prime Minister were part of the illegally accessed and removed data.

What Is an Advanced Persistent Threat (APT) Attack?

An Advanced Persistent Threat (APT), as the name suggests, is a threat that’s “advanced”, which means that sophisticated hacking techniques are used to gain access to a system, and this threat is “persistent”, which means that the attacker or attackers remain inside the compromised system for a prolonged period of time, resulting in destructive consequences.

APT attacks on nation states, such as the attack on SingHealth, and large corporations are often highlighted. APT attackers are, however, increasingly launching APT attacks on smaller organizations that make up the supply chain in order to gain access to large organizations. APT attackers gain ongoing access to a system through the following series of events:

1. Initial Access

Attackers could gain initial access to a system through various means. It could be through a known software vulnerability that’s left unpatched. In unpatched security vulnerability, a software security update is available but for whatever reasons this update hasn’t been installed.

Attackers could also gain access to a system through phishing attacks – cyber-attacks that use an email as a weapon. In a phishing attack, the victim is tricked into clicking a link or downloading an attachment inside an email masquerading as coming from a legitimate entity.

In the case of the SingHealth cyber-attack, the COI said, “The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks.”

2. Establishing Footholds

Once the attackers gain initial access to the system, they then attempt to establish a foothold or footholds in the system. In establishing a foothold in the system, attackers typically implant a malicious software (malware) into the system to scan and move around the system undetected.

In the case of the SingHealth cyber-attack, the COI said the attacker used a “suite of advanced, customized, and stealthy malware” to stealthy move within the system and to find and exploit various vulnerabilities in SingHealth’s system. According to COI, a number of security vulnerabilities in the SingHealth network were identified in a penetration test in early 2017, which may have been exploited by the attacker. At the time of the cyber-attack, COI said a number of these vulnerabilities remained.

3. Intensifying Access

Attackers intensify their access within a system by gaining administrator rights – the highest level of permission that’s granted to a computer user.

In the case of the SingHealth cyber-attack, the COI said the group responsible for the SingHealth data breach gained administrative access to SingHealth’s servers as the said servers weren’t protected with 2-factor authentication (2FA), enabling the attacker to access the servers through other means that didn’t require 2FA.

4. Stop, Look and Remain

APT attackers are a patient bunch. These attackers are willing to wait for days, months and even years to achieve their goal, for instance, to remove critical data, only at the right moment.

In the case of the SingHealth cyber-attack, the COI said that while the group responsible for the SingHealth data breach was able to infiltrate SingHealth’s servers for months, it was only on June 26, 2018 that the group obtained credentials to the SingHealth’s database containing trove of patients’ data, and then started to remove the trove of data from June 27, 2018 until July 4, 2018.

On July 4, 2018, an administrator at Integrated Health Information Systems Private Limited (IHiS) noticed the suspicious activities and then worked with other IT administrators to terminate the exfiltration of data. IHiS was responsible for implementing cyber security measures and also responsible for security incident response and reporting at SingHealth.

Prior to the July 4, 2018 discovery, COI said, IHiS’ IT administrators first noticed the unauthorized logins into SingHealth’s servers and failed attempts at accessing the patients’ database on June 11, 12, 13, and 26, last year.

Prevention

Two major findings by the COI in the SingHealth cyber-attack stand out:

First, remediating the security vulnerabilities identified in early 2017 penetration test would have made it more difficult for the attacker to achieve its objectives.

Second, while the attacker operated in a stealthy manner, it wasn’t silent as the IHiS’ staff, in fact, noticed unauthorized activities prior to the actual data exfiltration. Recognizing these unauthorized activities as signs that a cyber-attack was going on and taking appropriate action could have prevented the actual data exfiltration.

Contact ustoday if you need assistance in protecting your organization from Advanced Persistent Threat (APT) attacks.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    Social Engineering
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security

    RSS Feed

1.888.900.DRIZ (3749)

Managed Services
Web Application Security
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
About us
Testimonials
​Meet the Team
​Subsidiaries
​
Contact us
​
Blog
Resources & Tools
​Incident Management Playbook
Privacy Policy | CASL
Copyright © 2021 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit