Cyber Espionage Group behind SingHealth Breach Identified

Towards the end of July 2018, it was reported that SingHealth, a medical services provider in Singapore, suffered a major data breach where approximately 1.5 million patients had their records exposed. At the time AFP that the initial analysis was done by Singapore's Cyber Security Agency and that the attack indicated “a deliberate, targeted, and well-planned cyber-attack and not the work of casual hackers or criminal gangs,” No one was directly attributed to the attack and officials declined to comment on whom they believed to be responsible. However, one of the victims of the breach was Prime Minister Lee Hsien Loong illustrating that nobody is immune to being targeted by a sufficiently motivated hacker group.

At the time of the data breach, authorities and security firms were hesitant to attribute the attack to a particular group or individual, and perhaps rightly so as hasty conclusions regarding attributing the attack could lead numerous headaches. While no group was directly named it was believed state actors may have been responsible given the nature of the breach. That did not mean that authorities and security firms were resigned to not prove who was behind the attack. According to a report published by Symantec, the attack can be attributed to a group codenamed Whitefly. IN the past the group has attacked organizations in healthcare, media, telecommunications, and engineering, and is likely part of a larger operation targeting other nations. The report which was published on Wednesday, March 6, 2019, details how the previously unknown group was determined to be Whitefly. The group appears to have been operating since 2017 and primarily targeted organizations in Singapore. The group appears to be focussed on stealing massive amounts of data including large volumes of sensitive data.

Dick O'Brien, a researcher at Symantec's Security Response division, is of the belief that those operating under the Whitefly banner may be part of a broader intelligence-gathering operation in the region. Links with attacks in other regions with the use of similar attack tools posed the possibility that this was the case. The report does not reveal the number of organizations affected by the group's attacks, adding that the vendor's research was ongoing. However, in an interview with ZDNet, he did reveal that the attack tool used by Whitefly also was tapped to launch attacks against companies in the defense, telecommunications, and energy sectors operating in Southeast Asia and Russia. However, Whitefly's involvement currently could only be confirmed in attacks that occurred in Singapore.

singhealth breatch identified - whitefly hackers group

Symantec’s report follows from statements made by the Singaporean Government in January 2019 that it was able to identify the hackers responsible for the SingHealth attack, and had taken appropriate action. It was not willing to reveal those exact details to the public and listed “national security” as one of the reasons it did not want to make a public attribution as it was not deemed to be in the public’s interest. Symantec has confirmed that it has shared its findings with all the appropriate authorities including the Cyber Security Agency (CSA), the government agency tasked with overseeing Singapore's cybersecurity operations.

Insight into how Whitefly Operates

Upon reading Symantec’s report it wasn’t the attributing of the attack to Whitefly that some will find interesting. Rather it is how the group operates. Whitefly deploys custom malware to compromise targets. The custom malware is used in conjunction with other open source hacking tools and employing PowerShell scripts as well in campaigns. More specifically the group attempts to infect its targets using a dropper in the form of a malicious ".exe" or ".dll" file, which is disguised as a document or image and likely sent through spear-phishing email. If opened, the dropper runs a loader known as Trojan.Vcrodat on the computer. O’Brien further noted,

“Vcrodat uses a technique known as search order hijacking. In short, this technique uses the fact that, if no path is provided, Windows searches for DLLs in specific locations on the computer in a pre-defined order. Attackers can, therefore, give a malicious DLL the same name as a legitimate DLL, but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it.”

Such attacks can be very effective as Windows does not distinguish between legitimate and illegitimate DLLs. Windows will only scrutinize the DLL if no path is provided. Software providers will often patch software to prevent such attacks but it is no guarantee as O’Brien notes “…that may not prevent the attacker from using the technique since they can drop an unpatched version and use that to load the malicious DLL,” Whitefly’s main goal is often to remain undetected for extended periods of time. Malware can remain undetected for months all with the purpose of stealing large volumes of data. This is done by deploying several tools, such as the open source hacking tool called Termite that facilitated communication between its hackers and the infected computers.

Further, the group would go to great measures to secure credentials for targeted networks in order to maintain persistence on the networks. All this indicates that attack campaigns initiated by the group are in all likelihood not one-off attacks and part of a wider cyber espionage effort. This effort may extend beyond Singapore's borders as well as South East Asia as it appears certain previous targets were Russian companies. O’Brien concluded,

“Whitefly is a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organizations and maintaining a long-term presence on their networks,”