SINGAPORE: A distributed denial-of-service (DDoS) attack on Wednesday (Nov 1) took out the websites of Singapore’s public healthcare institutions, causing an hours-long outage.
While critical healthcare services were unaffected, services that required internet connectivity, including websites, emails and productivity tools for staff, were inaccessible during the disruption.
Singapore health tech agency Synapxe, which supports the operations of 46 public healthcare institutions, said in a statement on Friday that there was no evidence to show that healthcare data and internal networks had been compromised.
The DDoS attacks are continuing, and occasional disruptions to internet services may still occur, it added.
Experts told CNA that given the critical nature of public healthcare systems, it is important to have essential services uninterrupted even in the face of cyberattacks.
They also stressed the importance of having internal healthcare systems segregated from the internet and web-facing services.
WHAT IS A DDOS ATTACK?
One of the most common cyberattacks, a distributed denial of service (DDoS) attack is a malicious attempt to disrupt an online service or site by flooding it with unusually high volumes of traffic sent from many sources at once, so that the flood cannot be stopped simply by blocking a single address.
“Cyber criminals flood a network with so much traffic that it cannot operate (communicate) as it usually would,” National University of Singapore’s Atreyi Kankanhalli said.
The Provost’s Chair Professor in NUS’ Department of Information Systems and Analytics at the School of Computing said this would disrupt traffic, or requests, from legitimate users. Users would then be unable to load content.
Prof Kankanhalli gave the example of a group of people crowding the entry door of a shop, so that legitimate customers find it difficult to enter.
With a DDoS attack, the attacker coordinates multiple attack streams such that numerous devices are attacking the target system concurrently, said the Singapore University of Social Sciences’ (SUSS) Ng Boon Yuen.
The senior lecturer in the business programme at SUSS’ School of Business said these devices are often those that have been compromised by malware and are “remotely controlled” by the attacker.
A DDoS attack is typically orchestrated in three steps, said cybersecurity company Palo Alto Networks.
Its Field Chief Security Officer for Japan and Asia Pacific, Ian Lim, said that the first step is typically reconnaissance to locate a specific target.
“Weaponisation is the second step where the attacker will either build or rent a bot network to launch the attack. The third step is to launch the attack and potentially adapt to the defenses to sustain the attack,” said Mr Lim.
Further steps will depend on the motive or intent of the attack, he added.
According to the Cybersecurity Agency of Singapore (CSA), possible signs of a DDoS attack include sluggish application performance, prolonged inability to access websites or system files, high processor and memory usage, frequent disconnection from wireless or wired internet connection and an increased volume of spam emails.
HOW CAN CYBER CRIMINALS FLOOD WEBSITES WITH TRAFFIC EVEN WITH FIREWALLS IN PLACE?
Synapxe said it subscribed to services which block abnormal surges in internet traffic before they enter the public healthcare network.
Even when traffic is cleared by the blocking service, firewalls are in place to allow only legitimate traffic into the network, Synapxe added in its statement.
However, on Nov 1, an abnormal surge in network traffic, detected at about 9.15am, managed to circumvent the blocking service and overwhelm the firewalls.
Prof Kankanhalli pointed out that DDoS blocking services have capacity limits.
“Attacks larger than 2 terabits per second (Tbps) have occurred, and attack sizes keep increasing. Huge attacks can overwhelm blocking services and firewalls.”
Mr Lim noted that the threat landscape for DDoS has evolved and attackers are now able to perform attacks with greater volume and faster speeds.
“In a network-based DDoS, any internet-facing device, be it a firewall or a router, has bandwidth limitations that can be overwhelmed. In an application-based attack … the application is overwhelmed and can no longer respond to legitimate requests,” said Mr Lim.
WHY WOULD CYBER CRIMINALS TARGET WEBSITES OF PUBLIC HEALTHCARE SYSTEMS?
Healthcare is one of the 11 sectors identified to have critical information infrastructure, according to CSA.
“It is an essential service and hence an attractive target for cyber criminals, who want to create disruption,” said Prof Kankanhalli.
“The attackers may have activist motives where they want to cause disruption and also financial motives. For example, steal data to sell or ask ransom from the organisation.”
Mr Lim said that large institutions are usually the target of such attacks due to the profile of the organisation and the media attention it will generate. “Hacktivism” or “hacking for a cause” is a common motive behind DDoS attacks that have no financial gain, he said.
“Another potential motive could be to use DDoS as a diversion technique to mask another attack in a different part of the organisation,” Mr Lim added.
HOW DO PUBLIC HEALTHCARE INSTITUTIONS ENSURE THAT KEY OPERATIONS AND SERVICES ARE NOT AFFECTED?
Experts agreed that key operational systems in a hospital would be susceptible to DDoS attacks if they are accessible from the internet.
Nanyang Business School’s (NBS) Goh Kim Huat said that most hospitals have separate systems when it comes to hosting online web pages and running their internal healthcare systems.
Internal healthcare systems have files such as electronic medical records, which are “mission critical, confidential, time-sensitive and need to be continuously available for patient safety”, said Prof Goh, who is from NBS’ Division of Information Technology and Operations Management.
“Presently, such segregation is being adhered to in our healthcare system. Typically, mission-critical healthcare systems are compartmentalised and have redundancy (backup) built into them.”
Concurring, Prof Kankanhalli said: “Services connecting to the internet have many advantages, but also increase risks straight away. Yet it is not possible to prohibit all such services – instead need to put in as much protective measures as you can.”
HOW CRITICAL ARE THE WEBSITES OF PUBLIC HEALTHCARE INSTITUTIONS?
Even if there was no data breach and operations were largely unaffected, the issue is whether it is critical to maintain the availability of healthcare institution websites, said Dr Ng. She said the availability of websites that provide e-services to the public would be considered critical.
“Even if the purpose of healthcare institution websites is mainly to provide information to the public, a disruption can cause other problems,” Dr Ng said.
For example, a user who is unable to find the contact number of a specialist clinic or ward on the hospital’s website would turn to the hospital’s phone number for general enquiries. A large volume of calls might overwhelm the contact centre, said Dr Ng.
“In the recent disruption, a spokesperson from NUHS (National University Health System) also added that their contact centre and emails were temporarily unavailable.
“When different (or all) channels of information and communication are affected, this may cause concern or even anxiety for those who are urgently seeking help,” the senior lecturer said.
HOW SHOULD COMPANIES PROTECT THEMSELVES FROM DDOS ATTACKS?
Companies can utilise specially designed network equipment or a cloud-based protection service to mitigate the threat, according to internet protection company Cloudflare.
The process of successfully protecting a targeted server or network from a DDoS attack is known as DDoS mitigation. With a cloud-based provider, it takes place across several stages rather than as a single filter.
The service must first be able to distinguish an attack from a legitimate high volume of normal traffic, then respond by intelligently dropping the malicious bot traffic while absorbing the rest so that real users are still served.
A good network should also route traffic intelligently and analyse it for patterns, such as particular attacks coming from certain countries or particular protocols being used improperly, and adjust its filtering as those patterns change.
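The detection step described above (and the CSA warning signs listed earlier, such as sluggish performance under an unusual request volume) can be illustrated with a small rate-based indicator over web server access logs. This is an added example, not code from the article, Cloudflare, Synapxe or CSA. It assumes Common Log Format lines with a fixed-offset timestamp, buckets requests into fixed windows, and raises an alert when a window's request rate far exceeds an assumed baseline. It also reports whether one source dominates the window, which separates a single-source flood from a distributed one where no address stands out. The thresholds and the sample log are constructed for the demonstration.

```python
"""Rate-based DDoS indicator over web server access logs.

Added example, not from the article or any named vendor. Assumes Common Log
Format lines with a "+0800"-style timestamp offset. Thresholds are
illustrative, not a vendor recommendation.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, epoch_seconds, request_line), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def detect_surges(lines, window=10, baseline_rps=2.0, surge_factor=5.0, top_share=0.5):
    """Bucket requests into fixed windows and return a list of alerts.

    An alert is raised for a window whose request rate exceeds
    surge_factor * baseline_rps. Each alert lists sources that sent more than
    top_share of that window's requests; an empty list means the surge was
    spread across many addresses, i.e. a distributed flood.
    """
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than trusted
        ip, epoch, _ = parsed
        per_window[epoch - epoch % window][ip] += 1

    alerts = []
    for start in sorted(per_window):
        counts = per_window[start]
        total = sum(counts.values())
        rps = total / window
        if rps <= surge_factor * baseline_rps:
            continue
        dominant = [ip for ip, n in counts.items() if n / total > top_share]
        alerts.append({
            "window_start": start,
            "rps": rps,
            "sources": len(counts),
            "dominant": dominant,
            "kind": "single-source flood" if dominant else "distributed flood",
        })
    return alerts


def build_sample_log():
    """Constructed sample, not captured traffic: a quiet window, then a
    distributed flood from 30 addresses, then a flood from a single address."""
    base = datetime(2023, 11, 1, 9, 15, 0, tzinfo=timezone(timedelta(hours=8)))

    def line(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET /contact HTTP/1.1" 200 512'

    lines = []
    # seconds 0-9: 12 requests from three addresses (1.2 requests/s)
    for i in range(12):
        lines.append(line(f"10.0.0.{i % 3 + 1}", i % 10))
    # seconds 10-19: 300 requests spread evenly over 30 addresses (30 requests/s)
    for i in range(300):
        lines.append(line(f"203.0.113.{i % 30 + 1}", 10 + i % 10))
    # seconds 20-29: 250 requests from one address plus 10 normal ones (26 requests/s)
    for i in range(250):
        lines.append(line("198.51.100.7", 20 + i % 10))
    for i in range(10):
        lines.append(line(f"10.0.0.{i % 3 + 1}", 20 + i))
    return lines


if __name__ == "__main__":
    for alert in detect_surges(build_sample_log()):
        print(alert)
```

The distinction the alert draws matters for the response: a dominant source can be dropped at the firewall or blocking service, while a distributed flood with no dominant source is exactly the case the article describes, where per-address blocking does not help and the traffic must be absorbed or filtered upstream by a service with more capacity than the target.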
Mr Lim said early detection of the DDoS attack would allow the organisation to pull experts in early to drop or divert these attacks.
“Proper analysis of the attack will also allow for the right course of mitigation to be prepped and deployed. Keep in mind that the attacker may be anticipating your defences and adjusting their attack vectors.
“This is a dynamic situation, so continuous vigilance is needed to fully address the ongoing attack. It is necessary to have a team (internal or partners) that is ready to respond to DDoS incidents and exercise drills to improve response time.”
CSA recommends using strong passwords and enabling two-factor authentication (2FA) as an additional layer of security to prevent unauthorised access and takeover of your network devices and routers, which also keeps those devices from being hijacked into a botnet and turned against someone else.
It also advises implementing protections at the network perimeter, such as firewalls between internal networks and external connectivity points.
HOW COMMON ARE THESE ATTACKS?
DDoS attacks are one of the most common forms of cyberattacks.
In 2016, DDoS attacks crippled StarHub’s broadband network twice in three days, in what the CSA and the Infocomm Media Development Authority (IMDA) said were unprecedented DDoS attacks on telco infrastructure.
Infected internet-connected devices in subscribers’ homes were hijacked for use in the attacks; the hackers controlling those devices directed their traffic at the target.