Security experts at Symantec linked the massive Singapore Healthcare breach suffered by SingHealth to the ‘Whitefly’ cyberespionage group.

In 2018, the largest healthcare group in Singapore, SingHealth, has suffered a massive data breach that exposed personal information of 1.5 million patients who visited the clinics of the company between May 2015 and July 2018. Stolen records included patient’s name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.

SingHealth has 42 clinical specialties, a network of 2 Hospitals, 5 National Specialty Centres, 9 Polyclinics, and Bright Vision Community Hospital.

Now security experts from Symantec linked the SingHealth massive data breach to the cyberespionage group Whitefly that has been targeting organizations in Singapore since at least 2017.

Singapore official Personal Data Protection Commission, the local privacy watchdog, imposed fines of Sg$1 million ($740,000) on a healthcare provider and an IT agency over the massive security breach.

According to a data breach notification released by Singapore’s Ministry of Health (MOH), hackers stole personal information along with ‘information on the outpatient dispensed medicines’ of about 160,000 patients. Data belonging to Singapore’s Prime Minister Lee Hsien Loong and of other ministers have been exposed in the security breach.

According to Singapore’s authorities, the hackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s data.

MOH explained that the data breach is the result of a targeted attack, local media speculate the involvement of a nation-state actor in the cyber attack.

Symantec believes the attack was carried out by the Whitefly espionage group that targeted in previous attacks organizations in healthcare, media, telecommunications and engineering organizations in Singapore. The group also targeted foreign companies operating in the country.

The Whitefly group used both custom malware and open source hacking tools, and legitimate applications.

“Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.” reads the analysis published by Symantec.

“Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics, such as malicious PowerShell scripts.”

The hackers target the victims with spear-phishing messages using a .exe or .dll file disguised as documents or images. The files contain a dropper that downloads and execute a loader tracked as Trojan . Vcrodat .

When attackers deliver a DLL file, the malware leverages a technique known as DLL hijacking to get executed.

“This technique takes advantage of the fact that Windows does not require an application to provide a specific path for a DLL that it wishes to load. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order.” continues the analysis.

“Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it. Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors.”

Once loaded, Vcrodat loads an encrypted payload onto the victim’s computer. The payload connects the C2 domain and sends system information about the infected computer to the C&C server and downloads additional tools. Whitefly configures multiple C&C domains for each target.

The attackers also used tools like the Mimikatz post exploitation tool and an open source tool designed to exploit the CVE-2016-0051Windows vulnerability.

The list of tools used by Whitefly includes a simple remote shell tool, an open-source hacking tool called Termite (Hacktool.Rootkit), and the

Nibatad info stealer.

Some of the tools used by Whitefly were also used in operations targeting organizations outside of Singapore, for example, in attacks aimed at defense, energy and telecoms organizations in Southeast Asia and Russia.

Experts discovered the Vcrodat loader being used in an attack targeting a UK-based organization in the hospitality sector. Experts argue that some of these attacks abroad were carried out by other threat actors with access to the same tools.

“It now appears that the SingHealth breach was not a one-off attack and was instead part of a wider pattern of attacks against organizations in the region.” concludes the experts. “ Whitefly is a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organizations and maintaining a long-term presence on their networks. Links with attacks in other regions also present the possibility that it may be part of a broader intelligence gathering operation.”

Pierluigi Paganini