Symantec blames espionage group for SingHealth breach

Whitefly is believed to have targeted mostly Singapore-based organisations since at least 2017

Symantec researchers have discovered a new cyber espionage group dubbed Whitefly, which the vendor believes is responsible for a string of cyber attacks targeting Singapore-based organisations, including the highly publicised SingHealth data breach.

Whitefly is believed to have been active in the region since at least 2017, and to have also targeted multinational organisations with a presence in the city-state.

When the attack on SingHealth was made public in July 2018, little was known about who was responsible for the largest data breach in Singapore’s history, which saw 1.5 million patient records compromised.

It appears this new group is mostly interested in stealing large amounts of sensitive information, with Singapore as its main target.

Whitefly does this by employing custom malware alongside open-source hacking tools and living-off-the-land tactics, such as malicious PowerShell scripts.

The main targets for the attacks appear to be organisations in the healthcare, media, telecommunications, and engineering sectors.

An IT system is first infected using a “dropper” in the form of a malicious .exe or .dll file that is disguised as a document or image. These files frequently purport to offer information on job openings or appear to be documents sent from another organisation operating in the same industry as the victim.

Given the nature of the disguise, it is highly likely that they are sent to the victim using spear-phishing emails.

If the file is opened, the system is infected using malware known as Trojan.Vcrodat. This malware is designed to go undetected for long periods of time for the purpose of stealing large volumes of information.

According to Symantec, it does this by deploying a number of tools that facilitate communication between the attackers and infected computers.

Such tools include a simple remote shell tool that will call back to the C&C server and wait for commands, and an open-source hacking tool called Termite, which allows Whitefly to perform more complex actions such as controlling multiple compromised machines at a time.

However, it appears that in some attacks the group used a second piece of custom malware, known as Trojan.Nibatad.

Like Vcrodat, Nibatad is also a loader that leverages search order hijacking, and downloads an encrypted payload to the infected computer. And similar to Vcrodat, the Nibatad payload is designed to facilitate information theft from an infected computer.

However, while Vcrodat is delivered via the malicious dropper, the security vendor has yet to discover how Nibatad is delivered to the infected computer. Why Whitefly uses these two different loaders in some of its attacks remains unknown.

There is no evidence, however, that both Vcrodat and Nibatad have been used simultaneously on a single computer.

Outside Singapore

Symantec found some evidence that the tools Whitefly has employed have also been used outside Singapore against defence, telecoms, and energy targets in Southeast Asia and Russia.

The tool appears to be custom-built and, aside from Whitefly's own use of it, these were the only other attacks in which Symantec has observed it.

In another case, Vcrodat was also used in an attack on a UK-based organisation in the hospitality sector.

While not certain, the security vendor believes it is possible Whitefly itself performed these attacks, but it is more likely that they were carried out by one or more other groups with access to the same tools.

Based on the evidence, it appears the SingHealth breach was not a one-off attack and was instead part of a wider pattern of attacks against organisations in the region, Symantec concluded.

Furthermore, links with attacks in other regions also present the possibility that it may be part of a broader intelligence gathering operation.