SingHealth database hackers have targeted other systems here since at least 2017: Symantec

Singapore was hit by its worst cyber attack in June last year when hackers went into the database of public healthcare cluster SingHealth and stole the personal data of 1.5 million patients. PHOTO: ST FILE

SINGAPORE - The hackers who breached the SingHealth database are from a group which has also targeted other organisations in Singapore for at least the past two years, cyber security company Symantec said.

But while the United States-based company mentioned that the group is state-sponsored, it did not identify the country.

In a statement on Wednesday (March 6), Symantec said: "Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017. It has targeted organisations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information."

The research was carried out independently by Symantec and was not commissioned by the authorities.

Singapore was hit by its worst cyber attack in June last year when hackers went into the database of public healthcare cluster SingHealth and stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.

A Committee of Inquiry (COI) set up to look into the attack recommended a raft of measures to beef up cyber security, such as improving incident response processes.

Responding to queries from The Straits Times about who Whitefly is and where its members are from, Symantec said: "Identifying who or what organisation is directing or funding that activity is not in the scope or focus of what we do.

"This level of attribution requires the substantial resources, time and access to information that is generally available only to law enforcement or government intelligence agencies."

In response to the information from Symantec, the Cyber Security Agency of Singapore said: "Cyber security companies regularly produce such reports based on their own intel and research for their various stakeholders. As this is an independent investigation report by a commercial entity, we have no comment on its contents."

In the statement, Symantec said the group attacks its victims using custom malware and misleading files in phishing e-mails.

These files, which run malicious programs in the victim's computers, are usually disguised as documents offering information on job openings or sent from another organisation in the same industry as the victim's.

The COI heard last year that hackers used a phishing ploy to enter SingHealth's network and mount their attack.

"Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics, such as malicious PowerShell scripts," said Symantec.

PowerShell scripts are tools in computer systems that run commands to change its settings and automate tasks.

"Living off the land tactics" refers to stealthy cyber attack methods that use tools already installed in the system, which minimises the risk of an attack being blocked or discovered.

According to Symantec, the group launched targeted attacks against multiple organisations, most of which are based here. These include companies in the healthcare, media, telecommunications and engineering sectors. But it stopped short of naming these organisations.

Responding to ST's request for more details, Symantec said that it does not disclose the identity of cyber attack victims and that in most cases, victims are identified due to the evidence of the attacker's activity in their networks.

The company added that the group's tight focus on a limited number of targets here means that it is "likely a small to medium-sized team", although Symantec did not give any specifics.

While the focus of the group seems to be on Singapore, Symantec warned that the group's sponsors, whom it did not name, are likely targeting other countries as well.

"It is possible that the group is part of a broader intelligence-gathering operation in the region," it said.

Join ST's Telegram channel and get the latest breaking news delivered to you.