1.888.900.DRIZ (3749)
Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

1/10/2019

0 Comments

How Advanced Persistent Threat (APT) Attacks Work

 
Advanced Persistent Threat cyber-attack

How Advanced Persistent Threat (APT) Attacks Work

The final report of the Committee of Inquiry (COI), the body tasked to investigate Singapore's worst cyber-attack in its history, concluded that an unnamed Advanced Persistent Threat (APT) group was behind the country’s worst-ever cyber-attack.

“The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group,” COI said in its final report.

COI was tasked with looking into Singapore’s worst-ever cyber-attack: the data breach on Singapore Health Services Private Limited (SingHealth). The COI report(PDF) released to the public last January 10th is a redacted version of the final report, barring sensitive information that could further harm SingHealth.

The unnamed Advanced Persistent Threat group, the COI said, illegally accessed SingHealth’s database and illegally removed personally identifiable information of 1.5 million patients, including their names, addresses, genders, races, and dates of birth between the period of June 27, 2018 to July 4, 2018. Out of the 1.5 million affected patients, nearly 159,000 of these patients also had their outpatient dispensed medication records exfiltrated. The personal and outpatient medication data of Singapore’s Prime Minister were part of the illegally accessed and removed data.

What Is an Advanced Persistent Threat (APT) Attack?

An Advanced Persistent Threat (APT), as the name suggests, is a threat that’s “advanced”, which means that sophisticated hacking techniques are used to gain access to a system, and this threat is “persistent”, which means that the attacker or attackers remain inside the compromised system for a prolonged period of time, resulting in destructive consequences.

APT attacks on nation states, such as the attack on SingHealth, and large corporations are often highlighted. APT attackers are, however, increasingly launching APT attacks on smaller organizations that make up the supply chain in order to gain access to large organizations. APT attackers gain ongoing access to a system through the following series of events:

1. Initial Access

Attackers could gain initial access to a system through various means. It could be through a known software vulnerability that’s left unpatched. In unpatched security vulnerability, a software security update is available but for whatever reasons this update hasn’t been installed.

Attackers could also gain access to a system through phishing attacks – cyber-attacks that use an email as a weapon. In a phishing attack, the victim is tricked into clicking a link or downloading an attachment inside an email masquerading as coming from a legitimate entity.

In the case of the SingHealth cyber-attack, the COI said, “The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks.”

2. Establishing Footholds

Once the attackers gain initial access to the system, they then attempt to establish a foothold or footholds in the system. In establishing a foothold in the system, attackers typically implant a malicious software (malware) into the system to scan and move around the system undetected.

In the case of the SingHealth cyber-attack, the COI said the attacker used a “suite of advanced, customized, and stealthy malware” to stealthy move within the system and to find and exploit various vulnerabilities in SingHealth’s system. According to COI, a number of security vulnerabilities in the SingHealth network were identified in a penetration test in early 2017, which may have been exploited by the attacker. At the time of the cyber-attack, COI said a number of these vulnerabilities remained.

3. Intensifying Access

Attackers intensify their access within a system by gaining administrator rights – the highest level of permission that’s granted to a computer user.

In the case of the SingHealth cyber-attack, the COI said the group responsible for the SingHealth data breach gained administrative access to SingHealth’s servers as the said servers weren’t protected with 2-factor authentication (2FA), enabling the attacker to access the servers through other means that didn’t require 2FA.

4. Stop, Look and Remain

APT attackers are a patient bunch. These attackers are willing to wait for days, months and even years to achieve their goal, for instance, to remove critical data, only at the right moment.

In the case of the SingHealth cyber-attack, the COI said that while the group responsible for the SingHealth data breach was able to infiltrate SingHealth’s servers for months, it was only on June 26, 2018 that the group obtained credentials to the SingHealth’s database containing trove of patients’ data, and then started to remove the trove of data from June 27, 2018 until July 4, 2018.

On July 4, 2018, an administrator at Integrated Health Information Systems Private Limited (IHiS) noticed the suspicious activities and then worked with other IT administrators to terminate the exfiltration of data. IHiS was responsible for implementing cyber security measures and also responsible for security incident response and reporting at SingHealth.

Prior to the July 4, 2018 discovery, COI said, IHiS’ IT administrators first noticed the unauthorized logins into SingHealth’s servers and failed attempts at accessing the patients’ database on June 11, 12, 13, and 26, last year.

Prevention

Two major findings by the COI in the SingHealth cyber-attack stand out:

First, remediating the security vulnerabilities identified in early 2017 penetration test would have made it more difficult for the attacker to achieve its objectives.

Second, while the attacker operated in a stealthy manner, it wasn’t silent as the IHiS’ staff, in fact, noticed unauthorized activities prior to the actual data exfiltration. Recognizing these unauthorized activities as signs that a cyber-attack was going on and taking appropriate action could have prevented the actual data exfiltration.

Contact ustoday if you need assistance in protecting your organization from Advanced Persistent Threat (APT) attacks.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
Copyright © 2022 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit