How CSA dissect cyberattacks using sophisticated gadgets
On July 20, 2018, the government held a news conference to reveal that Singapore had been the victim of its worst cyberattack. Hackers had hacked the servers of SingHealth, Singapore’s largest healthcare institution group, and acquired the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.
“CSA’s (Cyber Security Agency of Singapore) forensics investigation indicates that this is a deliberate, targeted and well-planned cyberattack, and not the work of casual hackers or criminal gangs,” then-Health Minister Gan Kim Yong said.
But what many people didn’t realize at the time was how hard the CSA had worked to provide this material in just 10 days from the time it was initially notified of the incident.
A portion of the inquiry had taken place at the CSA’s forensics lab, a sparsely furnished room no larger than a two-room HDB flat in the Ministry of National Development building on Maxwell Road. In December, CNA was given a tour of the lab.
“The timeline was very tight, and we were racing against time; everyone was looking for answers quickly to address the issue,” said Mr. Ryan Chen, CSA senior consultant.
“We also had to provide information in a timely manner to the media and members of the public. The investigation team had to provide the daily update to the stakeholders, even leading up to the Committee of Inquiry. They also needed to ensure that the full report was very detailed and accurate because it was a very serious issue. It was quite a stressful period for our guys.”
CSA officers, like police officers, must attend the “crime” scene, gather and process evidence, and then establish the underlying cause of the incident, the attacker’s intent, and whether any data was stolen. CSA officials also employ specialized equipment to extract and copy data from storage devices, which allows them to analyze the threat, check for system weaknesses, and offer preventive measures.
If an attack is underway, as was the case with the SingHealth breach, the goal is to prevent the attacker from gaining access to the system and closing any potential backdoors that could be exploited.
Mr. Chen stated that the CSA’s major mission over those ten days was to assist in the containment of the cyberattack, recreate the attack timeline, and analyze the impact of the attack, including what data was stolen and whether records were modified or destroyed.
There was also “pressure” on the authorities to notify impacted persons whose data may have been taken as soon as possible, he said.
The SingHealth attack was most likely carried out by a type of advanced persistent threat group that is normally state-linked, according to then-Minister for Communications and Information S Iswaran, though he declined to identify the country for national security considerations.
Mr. Chen stated that the incident taxed the CSA’s resources as officers worked long hours for several days, often under pressure from stakeholders such as high officials from several ministries and the press.
Other circumstances, such as ransomware assaults, necessitate a quick response because victims have lost their data due to encryption and must pay hackers to recover it, according to CSA senior consultant Adam Ho.
Before choosing what to do next, CSA officials will try to identify the ransomware version in order to understand its behavior, such as if it encrypts specific file types or disk devices. They will also search the internet for potential decryption keys.
“We do not recommend paying the ransom. Doing so does not guarantee that the data will be decrypted or that the data will not be published by threat actors.”
“It also encourages the threat actors to continue their criminal activities and target more victims. Threat actors may also see organizations who pay the ransom as a soft target and may strike again in the future,” said Mr. Ho.
According to Mr. Ho, organizations should take preemptive efforts to secure their computer infrastructure and systems and develop a backup and recovery strategy for mission-critical data. Critical Information Infrastructure (CII) sectors, such as healthcare, government, banking, and finance, are required by law to report cybersecurity incidents to CSA.
The information will be forwarded to a CSA manning team, which also monitors global and local cybersecurity incident reports. The crew works in a big operations center next to the forensics lab, which has multiple workstations and TV screens.
Any incident response will be coordinated by CSA in collaboration with CII sector leads and owners. The Ministry of Health was the sector in charge of the SingHealth breach. The manning officer and an incident response team leader will conduct an initial triage and deploy officers based on the scope and severity of the situation.
Officers on the scene will request important information, such as when employees discovered harmful or suspicious behavior on their devices and the number and type of devices affected. They will also collect digital evidence using specialized technologies such as storage devices, network logs, and other material pertinent to the case.
This evidence, known as “artifacts,” will be returned to the forensics lab and cloned. The original evidence is known as the “golden image,” and it will be preserved while officers work on the cloned duplicate.
“Making a copy of a hard disk is an essential step to making sure that we retain the integrity of the evidence,” Mr. Ho explained.
“There are chances the data stored in the hard disk may be affected during our processing. Thus, it is essential to make a clone copy of the original in the event we need to retrace our investigation process.”
While the CSA forensics lab appears to be a typical computer lab at first glance, a closer study uncovers fancy-looking gear, some packed in enormous hard case field kits and sitting on rows of tables. These industry-standard devices can rapidly extract data from storage systems such as hard disks and mobile phone chips.
One of the devices appears to be a large handheld gaming device, but it is actually a forensic cloner. It is directly attached to a hard disk to copy enormous volumes of data quickly. A larger cloner, which resembles a tablet strapped to a piece of luggage, comes with dedicated hard disk slots.
The cloners provide basic built-in forensic examination software to determine whether or not the storage device is tainted.
Officers can also retrieve data from mobile phones by disassembling the phone and placing the phone’s storage chip into a slot on another device. Authorities can use a soldering station to remove the chip if the phone is broken. There is more commonplace equipment, such as cable adaptors for earlier phone models and a tent that prevents a phone’s data from being remotely deleted.
Mr. Ho stated that knowing which tool to use and how to use it during investigations takes practice, especially since technology is constantly improving.
“That’s why we need to pass down our knowledge. We also need to build upon new technologies to ensure our officers’ skillsets are up-to-date,” he added.
Also Read: January 2022 PDPC Incidents and Undertaking