Security experts at Symantec linked the massive Singapore Healthcare breach suffered by SingHealth to the ‘Whitefly’ cyberespionage group.
In 2018, the largest healthcare group in Singapore, SingHealth, has suffered a massive data breach that exposed personal information of 1.5 million patients who visited the clinics of the company between May 2015 and July 2018. Stolen records included patient’s name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.
SingHealth has 42 clinical specialties, a network of 2 Hospitals, 5 National Specialty Centres, 9 Polyclinics, and Bright Vision Community Hospital.
Now security experts from Symantec linked the SingHealth massive data breach to the cyberespionage group Whitefly that has been targeting organizations in Singapore since at least 2017.
Singapore official Personal Data Protection Commission, the local privacy watchdog, imposed fines of Sg$1 million ($740,000) on a healthcare provider and an IT agency over the massive security breach.
According to a data breach notification released by Singapore’s Ministry of Health (MOH), hackers stole personal information along with ‘information on the outpatient dispensed medicines’ of about 160,000 patients. Data belonging to Singapore’s Prime Minister Lee Hsien Loong and of other ministers have been exposed in the security breach.
According to Singapore’s authorities, the hackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s data.
MOH explained that the data breach is the result of a targeted attack, local media speculate the involvement of a nation-state actor in the cyber attack.
Symantec believes the attack was carried out by the Whitefly espionage group that targeted in previous attacks organizations in healthcare, media, telecommunications and engineering organizations in Singapore. The group also targeted foreign companies operating in the country.
The Whitefly group used both custom malware and open source hacking tools, and legitimate applications.
“Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.” reads the analysis published by Symantec.
“Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics, such as malicious PowerShell scripts.”
The hackers target the victims with spear-phishing messages using
When attackers deliver a DLL file, the malware leverages a technique known as DLL hijacking to get executed.
“This technique takes advantage of the fact that Windows does not require an application to provide a specific path for a DLL that it wishes to load. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order.” continues the analysis.
The attackers also used tools like the Mimikatz post exploitation tool and an open source tool designed to exploit the CVE-2016-0051Windows vulnerability.
The list of tools used by Whitefly includes a simple remote shell tool, an open-source hacking tool called Termite (Hacktool.Rootkit), and the
Nibatad info stealer.
Some of the tools used by Whitefly were also used in operations targeting organizations outside of Singapore, for example, in attacks aimed at defense, energy and telecoms organizations in Southeast Asia and Russia.
Experts discovered the
“It now appears that the SingHealth breach was not a one-off attack and was instead part of a wider pattern of attacks against organizations in the region.” concludes the experts. “