Whitefly identified as hacker group behind SingHealth cyberattack, says Symantec
According to a blog post by Symantec, the cybersecurity company’s researchers have identified Whitefly as the hacker group behind what is known as Singapore’s worst cyber breach, in which more than 1.5 million patient records were stolen over the period of June-July 2018.
The post said that Whitefly has been operating since at least 2017 and has targeted organisations primarily based in Singapore across a wide variety of sectors with the intention of stealing large amounts of sensitive information. To date, Whitefly has attacked organisations in the healthcare, media, telecommunications, and engineering sectors.
The hacker group compromises its victims using custom malware alongside open-source hacking tools and living-off-the-land tactics, such as malicious PowerShell scripts. The findings of the SingHealth COI report, published earlier in January this year, described the attacker as “a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group”, and this is corroborated by what the blog post wrote:
“Whitefly usually attempts to remain within a targeted organisation for long periods of time—often months—in order to steal large volumes of information. It keeps the compromise alive by deploying a number of tools that facilitate communication between the attackers and infected computers.”
In addition, it appears that the SingHealth breach was not a one-off attack and was instead part of a wider pattern of attacks against organisations in the region.
The blog post also revealed more technical details on the malware and methods used by Whitefly. These include Trojan.Vcrodat, Hacktool.Mimikatz and Trojan.Nibatad.
The Singapore government said in January that it was able to identify the hackers behind the SingHealth incident but declined to reveal the identity of the perpetrators in the interest of “national security”.