Hacker Group Behind SingHealth Data Breach Identified, Targeted Mainly Singapore Firms

Hackers that compromised the data of 1.5 million SingHealth patients has been identified as a group that launched attacks against several businesses based in Singapore, including multinational companies with operations in the city-state. Dubbed Whitefly, the group has attacked organisations in healthcare, media, telecommunications, and engineering, and is likely part of a larger operation targeting other nations, according to a report by Symantec. 

The cybersecurity vendor said it had begun investigating the SingHealth attack since July 2018 and determined, over the course of the investigation, that a previously unknown group was responsible and also had launched other attacks. Operating since at least 2017, the group had targeted mainly organisations in Singapore across various sectors and was primarily focused on stealing large volumes of sensitive data. 

Asked why the group had its eye on Singapore, Dick O'Brien, a researcher at Symantec's Security Response division told ZDNet that its sponsor likely had other teams targeting other countries and regions and it was possible Whitefly was part of a broader intelligence gathering operation in the region. Links with attacks in other regions with the use of similar attack tools posed the possibility that this was the case.

O'Brien was not able to reveal the number of organisations affected by the group's attacks, adding that the vendor's research was ongoing. 

He did say, though, that the attack tool used by Whitefly also was tapped to launch attacks against companies in the defense, telecommunications, and energy sectors operating in Southeast Asia and Russia. However, Whitefly's involvement currently could only be confirmed in attacks that occurred in Singapore. 

The Singapore government had revealed in January that it was able to identify the hackers responsible for the SingHealth attack, and had taken appropriate action, but would not reveal the identity of these perpetrators for "nation security reasons" and that it was "not in our interest to make a public attribution".

ZDNet sent several questions to Cyber Security Agency (CSA), the government agency tasked with overseeing Singapore's cybersecurity operations, including whether Whitefly was the hacker group it had referred to in January and if the government had worked with any organisation to identify the SingHealth hackers. 

A CSA spokesperson did not respond directly to these questions, but replied with this statement: "Cybersecurity companies regularly produce such reports based on their own intel and research for their various stakeholders. As this is an independent investigation report by a commercial entity, we have no comment on its contents."

When asked, Symantec confirmed it had shared its findings with CSA. 

Hacker group aims to stick around in stealth mode

The Symantec report, released late-Wednesday, revealed that Whitefly compromised its targets using custom malware and open source hacking tools as well as land tactics, such as malicious PowerShell scripts. 

Specifically, the group attempts to infect its targets using a dropper in the form of a malicious ".exe" or ".dll" file, which is disguised as a document or image, and likely sent through spear-phishing email. If opened, the dropper runs a loader known as Trojan.Vcrodat on the computer. 

O'Brien noted: "Vcrodat uses a technique known as search order hijacking. In short, this technique uses the fact that, if no path is provided, Windows searches for DLLs in specific locations on the computer in a pre-defined order. Attackers can, therefore, give a malicious DLL the same name as a legitimate DLL, but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it."

Asked why Windows was unable to differentiate between malicious and legitimate DLLs, he explained that Windows only performed a search if no path was provided. So the issue was whether software developers had specified the DLL path. "Vendors will usually patch their software if they find paths that aren't specified, but that may not prevent the attacker from using the technique since they can drop an unpatched version and use that to load the malicious DLL," he said. 

Symantec also noted that Whitefly usually aimed to remain undetected, often for months, within a targeted network with the purpose of stealing large volumes of data. It would do so by deploying several tools, such as open source hacking tool Termite, that facilitated communication between its hackers and the infected computers. 

O'Brien added: "For example, if they're using previously unseen tools, any incursions may not be detected until those tools are identified and flagged. We also observed that Whitefly went to great lengths to steal credentials, such as usernames and passwords from targeted organisations, making it easier for them to maintain a long-term presence on the network."

According to Symantec, the SingHealth breach was unlikely to be a one-off attack and, instead, was part of a series of attacks against organisations in the region. 

"Whitefly is a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organisations and maintaining a long-term presence on their networks," it said. 

RELATED COVERAGE

Firms fined $1M for SingHealth data security breach

SingHealth and Singapore's public healthcare sector IT agency IHIS have been slapped with S$250,000 and S$750,000 financial penalties, respectively, for the July 2018 cybersecurity attack that breached the country's personal data protection act. The fines are the highest dished out to date.

SingHealth breach review recommends remedies that should already be basic security policies

The review committee also finds IT staff to be lacking in cybersecurity awareness and resources and SingHealth's network misconfigured with security vulnerabilities, which helped hackers succeed in breaching its systems.

SingHealth data breach reveals several 'inadequate' security measures

Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.

Singapore must be tougher on firms that treat security as value-add service

Businesses that handle customer data should be expected to do so with all the appropriate cybersecurity systems and polices in place, rather than provide these as a "value-add service", and it's time the Singapore government holds those that fail to do so accountable.

Data of 14,200 diagnosed with HIV in Singapore leaked online

Personal information belonging to 14,200 individuals diagnosed with HIV has been leaked online by an American living in Singapore and who had illegally accessed the data, reveals the country's health ministry.