SINGAPORE (Mar 6): The perpetrators of the cyber attack on SingHealth in July 2018, which saw 1.5 million patient records being stolen, have been identified in a new research report by cyber security company Symantec.

The attack group, identified as Whitefly, has been launching targeted attacks against many organisations in the healthcare, media, telecommunications and engineering sectors. Most of the organisations attacked were based in Singapore and some were multinational companies with a presence in Singapore.

The tools Whitefly uses have also been deployed in other targeted attacks outside of Singapore. For example, a multi-purpose command tool has been used in attacks against the defence, telecoms and energy industries in Southeast Asia and Russia. The tool appears to be custom-built, and those were the only other attacks in which Symantec had seen it used.

Symantec researchers have noted that the SingHealth breach was not a one-off but part of a wider pattern of attacks against organisations in the region.

“The wider pattern of attacks refers to the fact that we now know multiple organisations in Singapore were targeted by Whitefly. There is some evidence linking Whitefly to attacks in South East Asia, Russia, and the UK. It is possible that Whitefly could be one team in a broader organisation. In terms of damage, the group’s main purpose appears to be stealing data from targeted organisations,” said Dick O’Brien, principal editor, Symantec’s Security Response division.

Symantec uncovered the attack group while analysing data from its threat collection network. The group also appears to be a state-sponsored actor.

“Based on its tactics and targets, our best assessment is that Whitefly is a state-sponsored espionage group. Generally speaking, these kinds of groups mount attacks for the purposes of intelligence gathering and will focus on sensitive data that will be of interest to another nation state,” says O’Brien.

According to O’Brien, organisations need a multi-layered approach to cyber security so that there is no single point of failure: if one defence fails, the failure is mitigated by other defensive practices.

“That should include not only regularly patching vulnerabilities, but also employing multiple, overlapping, and mutually supportive defensive systems to guard against single point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls as well as gateway antivirus, intrusion detection or protection systems (IPS), website vulnerability with malware protection, and web security gateway solutions throughout the network,” says O’Brien.