Cyber espionage group Whitefly behind SingHealth hack: Symantec
Between mid-2017 and mid-2018, Whitefly launched targeted attacks against multiple organisations. Many of these were either based in or had a presence in Singapore, says the IT security vendor.
SINGAPORE: For the first time since last July, when the Government made public the cyberattack on SingHealth, a little-known hacking group has been publicly identified as being behind what is considered the most serious breach of personal data in Singapore’s history.
IT security vendor Symantec released a new study on Wednesday (Mar 6) identifying this attack group, which it dubbed Whitefly.
The group has targeted mostly Singapore organisations or multinational companies with a presence in Singapore since at least 2017, and is primarily interested in “stealing large amounts of sensitive information”, the report added.
Mr Brian Fletcher, director of Government Affairs for Australia-Pacific, Singapore, Japan and Korea, told Channel NewsAsia in a phone interview ahead of the report’s release that the group probably comprises “five to 20-odd people”, is “extremely well resourced” and, as such, is likely to be a “state-sponsored espionage group”.
He, however, declined to name the nation state behind Whitefly.
“Identifying who or what organisation is directing or funding that activity is not in the scope or focus of what we do,” Mr Fletcher said. “This level of attribution requires the substantial resources, time and access to information that is generally available only to law enforcement or government intelligence agencies.”
The report noted that Whitefly usually attempts to remain within a targeted organisation for long periods of time, often months, in order to steal large volumes of information.
It also uses publicly available tools like Mimikatz - something Mr Fletcher said is a common tool for penetration testers to suss out an organisation’s loopholes - to obtain authentication credentials. These credentials allow Whitefly to compromise more machines, and the tactic is repeated again and again until it gains access to the desired data, it added.
“THESE GUYS ARE REALLY GOOD”
“It is our assessment that it is a state-sponsored espionage group. It means that they are trying to stealthily create a presence on the network and over a long period of time, get access to sensitive information,” Mr Fletcher said of Symantec’s ongoing research.
“Exactly what they are using (the data) for really depends on who their sponsor is and how they are planning to operate.”
The way Whitefly operates on the network, the things it is after and the amounts of data point to an espionage group rather than a criminal group trying to steal data for profit, he added.
“They’re not your everyday smash-and-grab group; these guys are really good. They’re using custom tools, a combination of custom tools, commercial hacking tools … it’s not something you’d see in your everyday criminal group,” said the Symantec executive.
These findings appear to corroborate what Minister for Communications and Information S Iswaran said last August in his ministerial statement, when he called the attack the work of an advanced persistent threat (APT) group that is usually state-linked.
He also said the SingHealth cyber attacker had used advanced and sophisticated tools, including customised malware that was able to evade the healthcare provider’s antivirus software and security tools. Once they got into the system, they took steps to remain in the system undetected before stealing patients’ information, including that of Prime Minister Lee Hsien Loong.
WHITEFLY PART OF A BIGGER GROUP?
The report also said SingHealth was not the only Singapore-based entity Whitefly attacked.
Symantec said the suspected espionage group has attacked organisations in the healthcare, media, telecommunications and engineering sectors here, and Mr Fletcher said the victims numbered “less than 10”.
The report said Whitefly launched targeted attacks against these organisations from mid-2017 to mid-2018. Mr Fletcher declined to share how many of these attacks were successful, other than to say it was a mixed bag with one obvious success in SingHealth.
He also had “no knowledge” as to whether the sensitive information stolen, and specifically information from the SingHealth breach, has been published online or not.
The executive cautioned against thinking Whitefly has stopped its espionage activities since 2018. Rather, they are likely to have “changed their tooling” in terms of how they attack companies, especially after a high-profile incident like that of SingHealth threw a spotlight on its methods, Mr Fletcher said.
The report also said some of the tools that Whitefly used in its attacks have been deployed in other targeted attacks outside Singapore. For example, between May 2017 and December 2018, a multi-purpose command tool was used by the group in attacks against “defence, telecoms and energy targets in Southeast Asia and Russia”.
“The tool appears to be custom-built and, aside from its use by Whitefly, these were the only other attacks where Symantec has observed its use.”
The cybersecurity company said it is possible Whitefly performed these attacks, but it’s more likely that they were carried out by one or more other groups with access to the same tools. This means Whitefly could be just one group in a wider group tasked with carrying out an intelligence-gathering operation, it added.
Asked for comment on the report by Channel NewsAsia, the Cyber Security Agency of Singapore said it had no comment on the report and its contents “given that this was an independent investigation report by a commercial entity”.