Symantec researchers have identified a cyber espionage group as the perpetrators behind the unprecedented attack on Singapore public healthcare provider SingHealth in 2018 that led to the theft of more than 1.5 million patient records.

Dubbed Whitefly by Symantec, the group – believed to have been operating since at least 2017 – has targeted organisations based mostly in Singapore across industries including healthcare, media and telecoms, and is primarily interested in stealing large amounts of sensitive information.

According to Symantec, Whitefly’s modus operandi involved the use of malicious files disguised as documents or images, often offering information on job openings or appearing to be documents sent from another organisation operating in the same industry as the victim.

Given the nature of the disguise, it was highly likely that the files were sent to victims in spear-phishing emails, Symantec said.

The sophistication with which Whitefly carried out the attacks was demonstrated in their ability to spoof legitimate software components known as dynamic link libraries (DLLs).

When the malicious files contained in the phishing emails were opened by victims, a loader known as Vcrodat would run on the computer using a technique known as search order hijacking.

According to Symantec, this technique takes advantage of the fact that Windows does not require an application to provide a specific path for a DLL that it wishes to load. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order.

Attackers can therefore give a malicious DLL the same name as a legitimate DLL, but place it ahead of the legitimate version in the search order so that it is loaded when Windows searches for that name. Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs used by security applications.
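The check below is an added example, not code from Symantec or from the article: it simulates the documented default Windows DLL search order (application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then PATH; KnownDLLs and already-loaded modules are ignored for simplicity) over a constructed temporary directory tree, and flags any DLL name whose first hit in that order is not the copy in a trusted system directory. The directory layout and the DLL names (`constructed_sec.dll`, `constructed_clean.dll`) are constructed for the demonstration; on a real host the same logic would be pointed at the application directory and the real system directories.

```python
# Added example (not from the Symantec report or the article): simulate the
# Windows default DLL search order over a constructed directory tree and flag
# DLL names that resolve earlier in the order than their trusted system copy.
import tempfile
from pathlib import Path


def default_search_order(app_dir, system32, system_dir, windows_dir, cwd, path_dirs):
    """Simplified default order with SafeDllSearchMode enabled: application
    directory, System32, 16-bit System directory, Windows directory, current
    directory, then each PATH entry. KnownDLLs and already-loaded modules,
    which Windows checks first, are deliberately left out of this model."""
    return [app_dir, system32, system_dir, windows_dir, cwd, *path_dirs]


def resolve_dll(name, search_order):
    """Return the resolved path of the first file called `name` found while
    walking search_order, or None if no directory contains it."""
    for directory in search_order:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate.resolve()
    return None


def find_shadowed_dlls(dll_names, search_order, trusted_dirs):
    """Flag every DLL name whose first hit in the search order is not the copy
    living in a trusted (system) directory. Each finding is a tuple of
    (dll name, path that would be loaded, path of the trusted copy)."""
    findings = []
    for name in dll_names:
        resolved = resolve_dll(name, search_order)
        trusted = resolve_dll(name, trusted_dirs)
        if resolved is not None and trusted is not None and resolved != trusted:
            findings.append((name, str(resolved), str(trusted)))
    return findings


def run_demo():
    """Build a constructed tree with one clean DLL and one shadowed DLL and
    return the findings. All names here are constructed, not real DLLs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_dir = root / "app"
        windows_dir = root / "Windows"
        system32 = windows_dir / "System32"
        system_dir = windows_dir / "System"
        cwd = root / "cwd"
        path_dir = root / "path_entry"
        for d in (app_dir, system32, system_dir, windows_dir, cwd, path_dir):
            d.mkdir(parents=True, exist_ok=True)

        # Trusted copies live in System32.
        (system32 / "constructed_sec.dll").write_bytes(b"trusted copy")
        (system32 / "constructed_clean.dll").write_bytes(b"trusted copy")
        # A same-named file placed in the application directory sits ahead of
        # System32 in the search order and would be loaded instead.
        (app_dir / "constructed_sec.dll").write_bytes(b"unexpected copy")

        order = default_search_order(app_dir, system32, system_dir, windows_dir, cwd, [path_dir])
        return find_shadowed_dlls(
            ["constructed_sec.dll", "constructed_clean.dll"], order, [system32, system_dir]
        )


if __name__ == "__main__":
    for name, loaded_from, trusted in run_demo():
        print(f"{name}: would load from {loaded_from}, trusted copy is {trusted}")
```

The useful output is the list of shadowed names rather than a yes/no, because on a real system the application directory is exactly where a legitimately bundled DLL may also sit; each finding still needs a look at the file's signature and hash before it is treated as a hijack.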

Symantec said that by targeting security applications, the attackers could gain higher privileges for the malware, since the malicious DLLs could be run with the elevated privileges of those applications.

Once executed, Vcrodat loads an encrypted payload onto the victim’s computer. The payload contacts a command and control (C&C) server, sends system information about the infected machine to the server, and downloads additional tools.

Once the initial computer on the targeted organisation’s network is infected with Vcrodat, Whitefly begins mapping the network and infecting other machines.

Whitefly usually attempts to remain within a targeted organisation for long periods of time – often months – to steal large volumes of information. It keeps the compromise alive by deploying a number of tools that facilitate communication between the attackers and infected computers.

Symantec’s findings mirrored early descriptions of the attack, which Singapore’s health ministry said was deliberate, targeted and well-planned. Besides Singapore, Symantec said Whitefly has also deployed its tools against organisations in the defence, telecoms, and energy sectors in Southeast Asia and Russia.