[BreachExchange] Hacker group behind SingHealth data breach identified, targeted mainly Singapore firms

Destry Winant destry at riskbasedsecurity.com
Thu Mar 7 10:38:06 EST 2019


Hackers that compromised the data of 1.5 million healthcare patients
has been identified as a group that launched attacks against several
organisations based in Singapore, including multinational firms with
operations in the country, and is likely part of a larger operation
targeting other countries and regions.

Hackers that compromised the data of 1.5 million SingHealth patients
has been identified as a group that launched attacks against several
businesses based in Singapore, including multinational companies with
operations in the city-state. Dubbed Whitefly, the group has attacked
organisations in healthcare, media, telecommunications, and
engineering, and is likely part of a larger operation targeting other
nations, according to a report by Symantec.

The cybersecurity vendor said it had begun investigating the
SingHealth attack since July 2018 and determined, over the course of
the investigation, that a previously unknown group was responsible and
also had launched other attacks. Operating since at least 2017, the
group had targeted mainly organisations in Singapore across various
sectors and was primarily focused on stealing large volumes of
sensitive data.

Asked why the group had its eye on Singapore, Dick O'Brien, a
researcher at Symantec's Security Response division told ZDNet that
its sponsor likely had other teams targeting other countries and
regions and it was possible Whitefly was part of a broader
intelligence gathering operation in the region. Links with attacks in
other regions with the use of similar attack tools posed the
possibility that this was the case.

O'Brien was not able to reveal the number of organisations affected by
the group's attacks, adding that the vendor's research was ongoing.

He did say, though, that the attack tool used by Whitefly also was
tapped to launch attacks against companies in the defense,
telecommunications, and energy sectors operating in Southeast Asia and
Russia. However, Whitefly's involvement currently could only be
confirmed in attacks that occurred in Singapore.

The Singapore government had revealed in January that it was able to
identify the hackers responsible for the SingHealth attack, and had
taken appropriate action, but would not reveal the identity of these
perpetrators for "nation security reasons" and that it was "not in our
interest to make a public attribution".

ZDNet sent several questions to Cyber Security Agency (CSA), the
government agency tasked with overseeing Singapore's cybersecurity
operations, including whether Whitefly was the hacker group it had
referred to in January and if the government had worked with any
organisation to identify the SingHealth hackers.

A CSA spokesperson did not respond directly to these questions, but
replied with this statement: "Cybersecurity companies regularly
produce such reports based on their own intel and research for their
various stakeholders. As this is an independent investigation report
by a commercial entity, we have no comment on its contents."

When asked, Symantec confirmed it had shared its findings with CSA.


The Symantec report, released late-Wednesday, revealed that Whitefly
compromised its targets using custom malware and open source hacking
tools as well as land tactics, such as malicious PowerShell scripts.

Specifically, the group attempts to infect its targets using a dropper
in the form of a malicious ".exe" or ".dll" file, which is disguised
as a document or image, and likely sent through spear-phishing email.
If opened, the dropper runs a loader known as Trojan.Vcrodat on the

O'Brien noted: "Vcrodat uses a technique known as search order
hijacking. In short, this technique uses the fact that, if no path is
provided, Windows searches for DLLs in specific locations on the
computer in a pre-defined order. Attackers can, therefore, give a
malicious DLL the same name as a legitimate DLL, but place it ahead of
the legitimate version in the search order so that it will be loaded
when Windows searches for it."

Asked why Windows was unable to differentiate between malicious and
legitimate DLLs, he explained that Windows only performed a search if
no path was provided. So the issue was whether software developers had
specified the DLL path. "Vendors will usually patch their software if
they find paths that aren't specified, but that may not prevent the
attacker from using the technique since they can drop an unpatched
version and use that to load the malicious DLL," he said.

Symantec also noted that Whitefly usually aimed to remain undetected,
often for months, within a targeted network with the purpose of
stealing large volumes of data. It would do so by deploying several
tools, such as open source hacking tool Termite, that facilitated
communication between its hackers and the infected computers.

O'Brien added: "For example, if they're using previously unseen tools,
any incursions may not be detected until those tools are identified
and flagged. We also observed that Whitefly went to great lengths to
steal credentials, such as usernames and passwords from targeted
organisations, making it easier for them to maintain a long-term
presence on the network."

According to Symantec, the SingHealth breach was unlikely to be a
one-off attack and, instead, was part of a series of attacks against
organisations in the region.

"Whitefly is a highly adept group with a large arsenal of tools at its
disposal, capable of penetrating targeted organisations and
maintaining a long-term presence on their networks," it said.

SingHealth and Singapore's public healthcare sector IT agency IHIS
have been slapped with S$250,000 and S$750,000 financial penalties,
respectively, for the July 2018 cybersecurity attack that breached the
country's personal data protection act. The fines are the highest
dished out to date.

The review committee also finds IT staff to be lacking in
cybersecurity awareness and resources and SingHealth's network
misconfigured with security vulnerabilities, which helped hackers
succeed in breaching its systems.

Investigation into the July 2018 incident reveals tardiness in raising
the alarm, use of weak administrative passwords, and an unpatched
workstation that enabled hackers to breach the system as early as
August last year.

Businesses that handle customer data should be expected to do so with
all the appropriate cybersecurity systems and polices in place, rather
than provide these as a "value-add service", and it's time the
Singapore government holds those that fail to do so accountable.

Personal information belonging to 14,200 individuals diagnosed with
HIV has been leaked online by an American living in Singapore and who
had illegally accessed the data, reveals the country's health

More information about the BreachExchange mailing list