The hackers who breached the SingHealth database are from a group which has also targeted other organisations in Singapore for at least the past two years, said cyber security company Symantec.
The US-based company said the group is state-sponsored, but it did not identify the country.
It said in a statement yesterday: "Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017. It has targeted organisations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information."
The research was carried out independently by Symantec.
Singapore was hit by its worst cyber attack in June last year, when hackers went into the database of public healthcare cluster Sing-Health and stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.
A Committee of Inquiry (COI) set up to look into the attack recommended a raft of measures to beef up cyber security.
Responding to queries from The Straits Times on Whitefly, Symantec said: "Identifying who or what organisation is directing or funding that activity is not in the scope or focus of what we do.
"This level of attribution requires the substantial resources, time and access to information that is generally available only to law enforcement or government intelligence agencies."
In response to the information from Symantec, the Cyber Security Agency of Singapore said: "Cyber security companies regularly produce such reports based on their own intel and research for their various stakeholders. As this is an independent investigation report by a commercial entity, we have no comment on its contents."
In the statement, Symantec said the group attacks its victims using custom malware and misleading files in phishing e-mails. These files, which run malicious programs in the victim's computers, are usually disguised as documents offering information on job openings or sent from another organisation in the same industry as the victim.
The COI heard last year that hackers used a phishing ploy to enter SingHealth's network and mount their attack.
Symantec said: "Whitefly compromises its victims using custom malware alongside open-source hacking tools and living off the land tactics, such as malicious PowerShell scripts." PowerShell scripts are tools in computer systems that run commands to change its settings and automate tasks.
"Living off the land tactics" refer to stealthy cyber attack methods that use tools already in the system, which minimises the risk of an attack being blocked or discovered.
According to Symantec, the group launched targeted attacks against multiple organisations, most of which are based here. These include firms in the healthcare, media, telecommunications, and engineering sectors. But it stopped short of naming them.
Responding to ST's request for more details, Symantec said it does not disclose the identity of cyber attack victims and that, in most cases, victims are identified due to the evidence of the attacker's activity in their networks.
It added that the group's tight focus on a limited number of targets here means that it is "likely a small to medium-sized team".