Whitefly identified as hacker group behind Singapore breach


According to a blog post by Symantec on Wednesday (March 6th), the cybersecurity company’s researchers have linked last year’s major cyberattack on Singapore healthcare provider SingHealth to the ‘Whitefly’ hacking group.

The post said that the SingHealth attack, the worst cyber case in the country’s history, resulted in the theft of the personal data of 1.5m people, including the records of Prime Minister Lee Hsien Loong and Emeritus Senior Minister Goh Chok Tong.

Weeks after the attack, the Singapore government attributed the data breach to the Chinese state-linked group Advanced Persistent Threat 10 (APT10).

“This (APT) refers to a class of sophisticated cyber attackers, typically state-linked, who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations,” Singapore’s minister for communications and information said last year.

At the time of the attack, the minister said the attacks fit the profile of APT10, but added that, for national security reasons, the government would not disclose the attackers’ identity.

Whitefly hackers

But now, according to researchers at Symantec, the group behind the attack was a cyber group called Whitefly.

In addition, it appears that the breach was not a one-off attack and was instead part of a wider pattern of attacks by Whitefly against organisations in Asia.

Symantec said the group has attacked organisations in the healthcare, media, telecoms, and engineering sectors.

Whitefly compromises its victims using custom malware alongside open-source hacking tools and living-off-the-land (LotL) tactics, such as malicious PowerShell scripts, Symantec said.

According to Symantec, Whitefly first infects its victims using a dropper in the form of a malicious .exe or .dll file that is disguised as a document or image, such as a job opening. Symantec said that, given the nature of the disguise, it is highly likely that the files are sent to the victim using spear-phishing emails.
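A defender reading the paragraph above will want a concrete check for the initial-access step it describes: an executable dressed up as a document or image. The following Python is an added example, not Symantec’s code or anything from its report; it inspects an attachment’s bytes for a Windows PE header and compares that with the extension the file name claims, flagging both a plain mismatch (PE content behind a `.pdf` name) and the classic double extension (`Job_Opening.pdf.exe`). The file names and the minimal PE-like byte blob are constructed for the demonstration.

```python
"""Flag attachments whose bytes are a Windows executable (PE) while the
file name presents them as a document or image. Added example; the
samples below are constructed, not real malware."""
import struct

# Extensions an attacker would borrow to look harmless, and the real ones.
DOC_OR_IMAGE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                           ".jpg", ".jpeg", ".png", ".gif", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def is_pe_file(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew field points at a
    'PE\\0\\0' signature; this is content-based, independent of the name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def suspicious_reasons(name: str, data: bytes) -> list:
    """Return the list of reasons this attachment looks like a disguised
    dropper; an empty list means nothing in name/content disagrees."""
    reasons = []
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    final_ext = exts[-1] if exts else ""
    if is_pe_file(data) and final_ext not in EXECUTABLE_EXTENSIONS:
        # Content says executable, name says document/image (or nothing).
        reasons.append("pe-content-non-executable-extension")
    if (len(exts) >= 2 and exts[-2] in DOC_OR_IMAGE_EXTENSIONS
            and final_ext in EXECUTABLE_EXTENSIONS):
        # 'report.pdf.exe': shows as 'report.pdf' when extensions are hidden.
        reasons.append("double-extension")
    return reasons


def scan(samples: dict) -> dict:
    """Run suspicious_reasons over {name: bytes}; return only flagged names."""
    flagged = {}
    for name, data in samples.items():
        reasons = suspicious_reasons(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: just the MZ header, an e_lfanew
    of 0x40 and the PE signature. It is not a runnable program."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample mailbox attachments (name -> content).
SAMPLES = {
    "Job_Opening.pdf": build_fake_pe(),        # PE bytes behind a document name
    "Job_Opening.pdf.exe": build_fake_pe(),    # double extension
    "Job_Opening.exe": build_fake_pe(),        # honest executable name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # genuine JPEG magic
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name}: {', '.join(reasons)}")
```

The content check matters more than the name check: extension hiding and Unicode tricks change what a user sees, but a dropper still has to start with a valid PE header to execute, so any mail gateway or EDR triage script should key on the bytes first and treat the name only as corroborating evidence.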

The report noted that Whitefly usually tries to remain within a targeted organisation for a long period of time, often months, in order to steal large volumes of information.

“In July 2018, an attack on Singapore’s largest public health organisation, SingHealth, resulted in a reported 1.5 million patient records being stolen,” wrote Symantec in its blog. “Until now, nothing was known about who was responsible for this attack.”

“Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, and has targeted organisations, based mostly in Singapore, across a wide variety of sectors and is primarily interested in stealing large amounts of sensitive information,” said Symantec.

Nation-state actor

Researchers agreed with the Singapore government that the attack was carried out by a nation-state actor.

“Whitefly is a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organisations and maintaining a long-term presence on their networks,” said Symantec.

“Links with attacks in other regions also present the possibility that it may be part of a broader intelligence-gathering operation,” it added.
