APT heist of Singapore health data exploited Microsoft Outlook
Attivo Networks Blogs

APT heist of Singapore health data exploited Microsoft Outlook, inquiry finds


An advanced hacking operation that last year stole personal data on 1.5 million health care patients in Singapore, including the prime minister, targeted an unpatched version of Microsoft Outlook, an official inquiry has found.

The hackers exploited a known vulnerability in Outlook using “a publicly available hacking tool, which allowed the attacker to install malware on compromised workstations,” says a more than 400 page report published Thursday by a government-backed commission.

The investigation evoked advice that cybersecurity professionals often give clients: hackers will take the easiest way into a network – without using their top-shelf tools.

Although the software upgrade for Outlook was slated to be applied through a regular patching cycle, the workstation was still vulnerable when it was compromised in December 2017, investigators said.

The malicious cyber campaign, which lasted more than 10 months, compromised the personal data, including addresses and national identity numbers, of one of four people living in Singapore, a wealthy city-state in Southeast Asia where tech giants like Microsoft have opened cybersecurity centers. About 159,000 people had their outpatient medication records exfiltrated, according to the investigation.

The report also confirmed what a Singaporean official had said in August: that the hacking campaign bore the hallmarks of a nation-state-backed group.

“The attacker had a clear goal in mind, namely the personal and outpatient medication data” of Singapore Prime Minister Lee Hsien Loong and other patients, the report said.

While the hackers exploited known vulnerabilities, they also used customized malware, retained persistent access via multiple backdoors to the health database, and exhibited other traits of advanced persistent threat groups, which are often associated with nation-states, investigators said. They did not name the culprit.

“The attacker was a well-resourced group, having an extensive command and control network, the capability to develop numerous customized tools, and a wide range of technical expertise,” the report said.

The health of Lee, 66, who has battled prostate cancer, would be of interest to foreign spies. He is expected to step down as prime minister before he turns 70.

Experts have warned of the value of health data to espionage operations in the wake of other large-scale breaches. Chinese hackers, for example, are suspected to be behind the 2015 breach of U.S.-based insurer Anthem Inc., which involved data on nearly 79 million people.

“Health care organizations have always had a wealth of sensitive data on individuals that is important to protect,” Tony Cole, CTO of cybersecurity company Attivo Networks, told CyberScoop. “Organizations must understand the importance of the information with which they’re entrusted and act accordingly to protect it.”


Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published. Required fields are marked *

4 + nineteen =

Ready to find out what’s lurking in your network?

Scroll to Top