A report from a private cybersecurity vendor has identified the hackers who compromised the data of 1.5 million SingHealth patients in Singapore as the same group that has attacked several businesses in the country, including multinational corporations headquartered in Singapore.
The group of hackers is called Whitefly. It has previously infiltrated the data systems of organizations in healthcare, media, telecommunications, and engineering, and is most likely part of a more extensive operation targeting other countries in the region.
The report was published by the cybersecurity vendor Symantec, which said it had started its investigation of the SingHealth attack as early as July 2018. According to Symantec, the previously unknown group has been operating since at least 2017 and has been involved in multiple cyber attacks aimed at stealing large volumes of sensitive data.
When asked why the group had set its sights on Singapore and not on other countries, Dick O’Brien, a researcher at Symantec’s Security Response division, postulated that the group’s sponsors likely have other teams in other countries to carry out attacks on a massive scale. He said the SingHealth attack is part of broader intelligence operations around the world, and noted that their study drew links to attacks in other regions that used similar attack tools.
O’Brien did not reveal the number of organizations affected by the series of cyber attacks, citing the company’s ongoing investigation. However, he said that attack tools similar to those used against SingHealth had been tapped to launch cyber attacks against telecommunications, defense, and energy organizations in Southeast Asia and Russia. O’Brien confirmed no Whitefly involvement in these attacks.
In January, the Singapore government announced that it had identified the SingHealth attackers and had already taken appropriate action against the perpetrators. When asked to name the attacker, officials dismissed the question, citing ‘national security reasons’ and saying that it is ‘not in our interest to make public attribution.’
The Cyber Security Agency (CSA), the government’s official cyber security department, was asked to confirm whether Whitefly is indeed the group it had previously announced it had identified, and whether the agency had worked with other organizations on the identification.
However, CSA sidestepped the question and responded that it could not comment on the matter, since a private organization had conducted the investigation into Whitefly.
“Cybersecurity companies regularly produce such reports based on their intel and research for their various stakeholders. As this is an independent investigation report by a commercial entity, we have no comment on its contents.”
When asked, Symantec confirmed it had shared its findings with CSA.
In a report published on Wednesday, Symantec said that Whitefly used custom malware and open source hacking tools, as well as living-off-the-land tactics such as malicious PowerShell scripts, to infiltrate SingHealth’s systems.
Specifically, the group attempts to infect its targets using a dropper in the form of a malicious “.exe” or “.dll” file, which is disguised as a document or image and likely sent through spear-phishing email. If opened, the dropper runs a loader known as Trojan.
O’Brien noted: “Vcrodat uses a technique known as search order hijacking. In short, this technique uses the fact that, if no path is provided, Windows searches for DLLs in specific locations on the computer in a pre-defined order. Attackers can, therefore, give a malicious DLL the same name as a legitimate DLL, but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it.”
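The hijacking technique O’Brien describes can be audited from the defender’s side by replaying the default search order against an inventory of DLLs actually present on a host and flagging any name that resolves outside System32 even though a System32 copy exists. The following is an added example, not code from Symantec’s report; the directory names, the file inventory and the DLL names are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Hypothetical directories for a constructed host. The order below mirrors the
# default Windows search order with SafeDllSearchMode enabled:
# application directory, System32, System, Windows, current directory, PATH.
APP_DIR = r"C:\Program Files\ExampleApp"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Tools"]


def search_order(app_dir=APP_DIR, cwd=CWD, path_dirs=PATH_DIRS):
    """Directories Windows consults, in order, for a DLL requested by bare name."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]


def resolve_dll(name, present_files, order=None):
    """Return the path Windows would load for `name`, or None if it is absent.

    `present_files` is a set of lower-cased full paths that exist on the host."""
    for directory in order or search_order():
        candidate = str(PureWindowsPath(directory, name))
        if candidate.lower() in present_files:
            return candidate
    return None


def find_hijack_candidates(dll_names, present_files, order=None):
    """Map each DLL name to the path that shadows its System32 copy.

    A name is reported only when a System32 copy exists AND the search order
    would load a different file first; an application's own private DLL with
    no system counterpart is not a finding."""
    findings = {}
    for name in dll_names:
        loaded = resolve_dll(name, present_files, order)
        system_copy = str(PureWindowsPath(SYSTEM32, name))
        if loaded and system_copy.lower() in present_files and loaded.lower() != system_copy.lower():
            findings[name] = loaded
    return findings


# Constructed inventory: version.dll has been planted beside the application
# and therefore shadows the legitimate System32 copy; dwmapi.dll is only in
# System32; appcore.dll is a private DLL shipped by the application itself.
SAMPLE_FILES = {
    r"c:\program files\exampleapp\version.dll",
    r"c:\program files\exampleapp\appcore.dll",
    r"c:\windows\system32\version.dll",
    r"c:\windows\system32\dwmapi.dll",
}
```

Running `find_hijack_candidates(["version.dll", "dwmapi.dll", "appcore.dll"], SAMPLE_FILES)` on the constructed inventory reports only `version.dll`, resolved to the application directory.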
According to Symantec, the SingHealth breach was unlikely to be a one-off attack and, instead, was part of a series of attacks against organizations in the region.
“Whitefly is a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organizations and maintaining a long-term presence on their networks,” it said.
Just recently, another data breach affected Singapore’s healthcare sector, after a deported American leaked the data of thousands of HIV-positive patients.
According to Singapore’s Ministry of Health, Farrera-Brochez, angered by his deportation, had disclosed on his Facebook account the personal information, from names and identity numbers to addresses, of 5,400 citizens diagnosed with HIV up to January 2013 and of 8,800 foreigners diagnosed up to December 2011.