Whitefly Espionage Hackers Group Behind the SingHealth Attacks

• Symantec identifies Whitefly as the hacking group behind multiple attacks in Singapore.
• The group is using freely available remote administration tools to infiltrate deeper into organization networks.
• The group has customized the tools and used in more attacks outside Singapore as well.

As reported by Symantec, the hackers responsible for last summer’s attack against Singapore’s largest public health organization is the espionage group known as “Whitefly”. The breach resulted in the compromise of the personal patient profiles of 1.5 million citizens, and the organization responsible for the incident was fined with a $1 million penalty for their negligence and weak response this January. Whitefly has been active since 2017, targeting and infecting neuralgic organizations that are based mainly in Singapore. As their goal is to steal large volumes of information, they go for long-term infiltration instead of following “hit and run” methods.

Whitefly infects a single computer on the organization’s network and then maps that network to figure out how to proceed further (propagate the infection). Their payload galore includes the “Trojan.Vcrodat”, a fairly recent trojan that disguises itself as a Windows DLL file to connect with the msvcr110 runtime library and decrypt the encrypted malicious code. From then on, PowerShell and commonly available remote administration tools are deployed to enable them to tap to data in the compromised network. Alienvault has just published a detailed piece on how such tools like Termite work, shedding more light on Whitefly’s preferable remote connection tools.

REVEALED: Whitefly, the group behind the SingHealth breach, is also responsible for a string of other attacks in Singapore. https://t.co/dv3TBL4NSJ #whitefly pic.twitter.com/qIZWIrMhe0

— Threat Intelligence (@threatintel) March 6, 2019

Another custom trojan that Symantec researchers attribute to Whitefly is “Trojan.Nibatad”, although they point out that they are yet to discover exactly how Vcrodat and Nibatad are combined in the infected machine, from an operational perspective. What is evident from the above is that Whitefly utilized an extensive toolset and follows differentiated patterns of attack to penetrate corporate and public organization networks, as this provides them both versatility and protection. Still, Symantec was able to connect the pieces and ascribe more past attacks to the Whitefly group.

For example, Symantec observed the same custom tools to have been used in attacks against telecom and energy industry organizations in Southeast Asia and Russia between May 2017 and December 2018. Another example comes from a Vcrodat utilization in an attack conducted against an organization that is engaged in the hospitality sector, and based in the United Kingdom. Whether Whitefly hackers actually carried out these attacks or they just “lent” their toolset to others remains unknown at this time. What is also unknown is who Whitefly is working for, with Singapore’s foreign relations pointing to the possibility of Malaysia, but that’s just a hypothesis and nothing more. As Singapore’s influence in the Asia-Pacific region continues to grow, cyber-espionage groups will also have an increasing number of reasons to target the country’s most critical networks.

Care to share your thoughts on the above? Feel free to do so in the comments section beneath, and don’t forget that you can always get more news through our socials, on Facebook and Twitter.