Singapore Medical Academy hit by Russian ransomware gang: Personal data of 50 doctors exposed

SINGAPORE: In a shocking cybersecurity breach, the personal information of doctors associated with the esteemed Academy of Medicine, Singapore (AMS), has been discovered on the Dark Web.

The personal information of some 50 doctors linked to the AMS, including senior figures in the medical fraternity, has been put up on the Dark Web by a Russian-based ransomware gang since Sunday (10 Sept), according to Singapore state media the Straits Times.

The compromised doctors encompass a diverse group, consisting of both local and foreign professionals.

Among the affected individuals are prominent figures in the medical fraternity, including directors of the academy, faculty members, and even students undergoing advanced specialist training within Singapore.

The leaked database, which amounts to a staggering 13.69 gigabytes of data, contains sensitive personal information such as National Registration Identity Card (NRIC) numbers and home addresses.

Additionally, the hackers gained access to AMS’ social media account login credentials and a comprehensive staff directory complete with mobile phone numbers.

Interestingly, the staff contact list was last updated in May, with an earlier 2019 version located in a folder marked for deletion.

Another folder within the exposed data includes a 2021 contract that reveals recipients’ home addresses.

Furthermore, it contains letters granting a lifetime fellowship to members above the age of 65 who have maintained a minimum of 10 years of membership.

These letters are dated 23 March 2022, with five out of nine containing recipients’ home addresses.

Among the revelations, another folder contains letters from Brunei’s Public Service Department, outlining the allowances granted to seven Bruneian doctors pursuing specialist training in Singapore.

AMS said they first detected the ransomware attack on 13 July

According to the ST, AMS acknowledged that it first detected the ransomware attack on July 13, which compromised its servers.

The Lockbit 3.0 gang subsequently made the stolen data available on the Dark Web for free, releasing it at 4:41 AM on Sunday.

Upon discovering the breach, AMS swiftly took its servers offline.

An AMS spokesperson stated, “The immediate measures included appointing cyber-security and legal experts who were tasked to work with us to review and strengthen the academy’s cyber-security infrastructure while investigations were ongoing.”

In response to the attack, AMS promptly filed reports with the local police, the Cyber Security Agency of Singapore, and the Personal Data Protection Commission (PDPC).

Additionally, they notified both their members and individuals who have engaged with the academy, urging them to take necessary precautions. Subsequent investigations confirmed the data breach.

To enhance their cybersecurity posture, AMS has taken proactive measures, including the implementation of an enhanced firewall and multi-factor authentication.

These steps were recommended by cybersecurity experts to safeguard against future threats.

LockBit 3.0 ransomware emerges as a pervasive cyber threat

LockBit’s origin dates back to September 2019 when it initially surfaced as the ABCD ransomware. Over time, it evolved into one of the most prolific and formidable ransomware families known today.

LockBit operates on a ransomware-as-a-service (RaaS) model, consistently innovating to maintain a competitive edge in the cybercriminal landscape.

In late June 2022, the LockBit ransomware group introduced LockBit 3.0, marking the latest iteration in their ransomware lineage. This successor to LockBit 2.0 is recognized as one of the most formidable and dangerous ransomware strains in existence.

Being a modular ransomware, LockBit 3.0 comprises various customizable components, allowing its operators to continually enhance the malware with new functionalities and capabilities. This adaptability makes it exceptionally challenging to defend against.

LockBit 3.0 has been associated with a minimum of 1,653 ransomware attacks, as evident from the victims listed on its leak site. However, it is strongly suspected that the actual number of attacks is considerably higher, as many victims may choose not to report such incidents.

Prior to its notoriety in June, LockBit had already targeted and exposed sensitive data from luxury retailer Cortina Watch.

Additionally, it breached the security of Taiwan Semiconductor Manufacturing Company, the world’s largest chipmaker, during the same month, further highlighting its audacity and reach in the cybercrime landscape.

According to a report issued by The Cyber Security Agency of Singapore (CSA) in June this year,  the number of reported ransomware cases saw a slight decrease with 132 cases reported to CSA in 2022, compared to the 137 cases reported in 2021.

Ransomware remains a major issue both in Singapore and globally, with cybersecurity vendors reporting a 13 per cent increase in ransomware incidents worldwide in 2022.

Revisiting Singapore’s history of data leaks and Dark Web exposure

The recent data leak at AMS is far from an isolated incident in Singapore. The nation has witnessed a series of significant data breaches in recent history, with personal information from both government and private entities being leaked online or put on the Dark Web.

In 2018, Singapore witnessed the massive SingHealth data breach, one of the largest healthcare data breaches ever recorded, affecting the personal data of over 1.5 million patients.

The following year, in 2019, the Ministry of Health (MOH) confirmed a distressing breach involving confidential information related to 14,200 individuals diagnosed with HIV up to January 2013, along with 2,400 of their contacts. Then-Health Minister Gan Kim Yong publicly apologized for this grave breach of confidentiality.

The data breach was orchestrated by Mikhy Farrera-Brochez, a male US citizen who had been residing in Singapore since 2008. Farrera-Brochez was subsequently incarcerated in 2017 on multiple charges, including fraud, drug-related offences, and deception regarding his own HIV status.

In the same year, 2019, two additional data breach incidents affected the Ministry of Defence (Mindef) and the Singapore Armed Forces (SAF), compromising the personal data of numerous personnel.

March 2019 saw the revelation by Russian cybersecurity company Group-IB that email login credentials of government agency employees and educational institutions, along with details of over 19,000 compromised payment cards from local banks, were available for sale on the Dark Web for an extended period of more than two years.

The affected organizations included the Government Technology Agency (GovTech), the Ministry of Education, the Ministry of Health, the Singapore Police Force, and the National University of Singapore.

In 2022, there were over 182 data incidents reported in the public sector, a 2% increase from the previous year.