“The timeline was very tight and we were racing against time; everyone was looking for answers quickly to address the issue,” said Mr. Ryan Chen, 36, a CSA senior consultant who coordinated operations between various teams during the investigation.
“We also had to provide information promptly to the media and members of the public. The investigation team had to provide the daily update to the stakeholders, even leading up to the Committee of Inquiry.
“They also needed to ensure that the full report was very detailed and accurate because it was a very serious issue. It was quite a stressful period for our guys.”
Not unlike police officers, CSA officers have to visit the “crime” scene, collect evidence and process it, then determine the root cause of the incident, the attacker’s intent, and whether any data was stolen.
CSA officers also use specialized equipment to extract and copy data from storage devices, allowing them to analyze the threat, check for system vulnerabilities and recommend preventive actions.
If an attack is ongoing, as was the case during the SingHealth breach, the priority is to block the attacker from accessing the system and close other potential backdoors that could be exploited.
Mr. Chen said CSA’s primary role in those 10 days was to help contain the cyberattack, reconstruct the attack timeline and assess its impact, including what data was stolen and whether records were modified or deleted.
There was also “pressure” on the authorities to promptly inform affected individuals whose data may have been stolen, he said.
“We were dealing with a skilled and sophisticated threat actor who was also very persistent and well-resourced,” he added.