APT heist of Singapore health data exploited Microsoft Outlook, inquiry finds

Hackers will always take the path of least resistance.

An advanced hacking operation that last year stole personal data on 1.5 million health care patients in Singapore, including the prime minister, targeted an unpatched version of Microsoft Outlook, an official inquiry has found.

The hackers exploited a known vulnerability in Outlook using “a publicly available hacking tool, which allowed the attacker to install malware on compromised workstations,” says a report of more than 400 pages published Thursday by a government-backed commission.

The investigation evoked advice that cybersecurity professionals often give clients: hackers will take the easiest way into a network – without using their top-shelf tools.

Although the software upgrade for Outlook was slated to be applied through a regular patching cycle, the workstation was still vulnerable when it was compromised in December 2017, investigators said.


The malicious cyber campaign, which lasted more than 10 months, compromised the personal data, including addresses and national identity numbers, of one in four people living in Singapore, a wealthy city-state in Southeast Asia where tech giants like Microsoft have opened cybersecurity centers. About 159,000 people had their outpatient medication records exfiltrated, according to the investigation.

The report also confirmed what a Singaporean official had said in August: that the hacking campaign bore the hallmarks of a nation-state-backed group.

“The attacker had a clear goal in mind, namely the personal and outpatient medication data” of Singapore Prime Minister Lee Hsien Loong and other patients, the report said.

While the hackers exploited known vulnerabilities, they also used customized malware, retained persistent access via multiple backdoors to the health database, and exhibited other traits of advanced persistent threat groups, which are often associated with nation-states, investigators said. They did not name the culprit.

“The attacker was a well-resourced group, having an extensive command and control network, the capability to develop numerous customized tools, and a wide range of technical expertise,” the report said.


The health of Lee, 66, who has battled prostate cancer, would be of interest to foreign spies. He is expected to step down as prime minister before he turns 70.

Experts have warned of the value of health data to espionage operations in the wake of other large-scale breaches. Chinese hackers, for example, are suspected to be behind the 2015 breach of U.S.-based insurer Anthem Inc., which involved data on nearly 79 million people.

“Health care organizations have always had a wealth of sensitive data on individuals that is important to protect,” Tony Cole, CTO of cybersecurity company Attivo Networks, told CyberScoop. “Organizations must understand the importance of the information with which they’re entrusted and act accordingly to protect it.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
