Fighting a zero-day attack
The evening of 2 September 2019 had been peaceful and uneventful at the Hospital Authority (HA) Information Technology Operation Centre in Kowloon Bay when an alert on the computer-monitoring dashboard suddenly lit up and jolted employees into urgent action. A network server was running at abnormally high utilisation, which had risen from 10% to 70% for unknown reasons. What followed was a fortnight-long battle to defend the authority’s systems against hackers who tried to break into the HA network with terrifying stealth in an apparent attempt to steal the data of millions of patients.
Malicious attack detected
Server utilisation is the system loading rate, a measure of the amount of computational work being performed. When an incident of any kind is detected, IT team experts handle the glitch and restart the server promptly so that the server returns to normal. In this case, the IT team discovered hackers had tried to penetrate the HA network in a sophisticated ‘zero-day attack’ that accessed systems without leaving a trace, indicating a particularly ominous threat to patient data. The incident was reported to the Office of the Government Chief Information Officer and the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force.
“The zero-day attack deployed new malware tailored to HA’s IT system,” explains Chief Information Security Officer Fuller Yu, whose team quickly concluded the attack was the work of an advanced hacking team, making it challenging for the IT team to clean up malware that had not yet been publicly disclosed and patched. “We were at a disadvantage – it was like trying to trace a criminal at a Lunar New Year fair with only the sketchiest details about the criminal’s characteristics,” says Fuller. “The hackers’ activities suggested they were conducting reconnaissance to gather information about the HA network, just like a criminal collecting information on the geographical environment, security measures and operations, planning access routes in and out of the premises, and finding ways to bypass controls and open the safe as a final target.”
Attack and counterstrike
The good news was that no patient information had so far been accessed. What lay ahead was a race against time. How long would it take to break into the treasure trove of patient data? How many access and escape routes were being built? Did the hackers have the capacity to bring down the entire HA network? These were the uncertainties and threats swirling around as the battle against the hackers began in earnest. Every second would count.
System Analyst Yiu Wai-keung says the hackers attacked the HA network by using compromised computers in Russia, the United States, Singapore and other locations, with stolen remote login accounts. The IT team quickly enhanced security measures and blocked the hackers’ access routes that had been detected. Advanced security monitoring sensors were set up to trace the hackers’ activities, and the team monitored data traffic within the network day and night to ensure no patient information was breached. Within a few days, however, the hackers fought back and attempted to remove the sensors.
Shutting out the hackers
As the battle of wits between the hackers and the IT team continued, system weaknesses were identified and security measures meticulously stepped up. Two-factor authentication was introduced for remote access to the HA system. Cyber security advice was issued to remind HA employees to stay alert, including reminders not to open any suspicious emails, attachments or links. To make sure the hackers were not hiding in the HA network, the IT team immediately re-examined and cleaned up essential servers over three months to upgrade the IT security system. On 16 September, the cyber war which had lasted for two weeks came to an end.