In the wake of the SingHealth hack, Symantec published a report titled "Whitefly: Espionage Group has Singapore in Its Sights". The report was carried by the Straits Times in an article titled "SingHealth hackers 'have targeted others here too'". On the surface, it seems perfectly normal. However, the Symantec report is a falsehood aimed at manipulating the public into believing that Singapore is under targeted attack and that Symantec can protect them from these attacks. The Straits Times is complicit in spreading the falsehood. Will the Straits Times be taken to task for violating POFMA?
Under S7 of the POFMA act, There are two main tests for POFMA.
a. it is a false statement of fact; and
b. the communication of the statement in Singapore is likely to
(i) be prejudicial to the security of Singapore or any part of Singapore;
(ii) be prejudicial to public health, public safety, public tranquillity or public finances;
According to Symantec, the group launched targeted attacks against multiple organisations, most of which are based here. These include firms in the healthcare, media, telecommunications, and engineering sectors. But it stopped short of naming them.
Let us satisfy the second condition first as it is much easier. Quoting directly from the Straits Times article, multiple organizations in the healthcare, media, telecommunications and engineering sector in Singapore are allegedly targeted by the attacker. Of course, the statement is prejudical to public safety and security. It has seeded fear, uncertainty and doubt into the minds of our citizens and business owners, casting doubts on public safety and security of the country as a whole.
The first condition is more difficult to satisfy, proving that the statement is false requires technical knowledge of cybersecurity.
1 2 3 4 5 6 7 8
a196dfe4ef7d422aadf1709b12511ae82cb96aad030422b00a9c91fb60a12f17 - Trojan.Vcrodat 6e874ac92c7061300b402dc616a1095fa7d13c8a18c8a3ea5b30ffa832a7372c - Trojan.Nibatad 9d9a6337c486738edf4e5d1790c023ba172ce9b039df1b7b9720ed4c4c9ade90 - DLL Shellcode Loader 93c9310f3984d96f53f226f5177918c4ca78b2070d5843f08d2cf351e8c239d5 - Mimikatz 263dc5a8121d20403beeeea452b6f33d51d41c6842d9d19919def1f1cb13226c - CVE-2016-0051 privilege escalation dda22de8ad7d807cdac8c269b7e3b35a3021dcbff722b3d333f2a12d45d9908d - Simple command line remote access tool f562e9270098851dc716e3f17dbacc7f9e2f98f03ec5f1242b341baf1f7d544c - Simple command line remote access tool 7de8b8b314f2d2fb54f8f8ad4bba435e8fc58b894b1680e5028c90c0a524ccd9 - Multi-purpose command tool
At the time of writing, the following hashes are among those listed as Indicators of Compromise in the report. However, all of these hashes have no hits on virustotal. If this is indeed malware used by an APT attacker, why are there no antivirus engines (including Symantec's own engine) detecting any of these binaries? Are these hashes of actual binaries or did the author of the report make them up?
I have read the entire COI report on the SingHealth hack. The COI report mentions the use of a VM deployed on a workstation to RDP into the Citrix server. A database client was used to connect to the SCM database to perform the dump. The description of the hack is completely different from what Symantec reported. The COI report contains zero mentions of the words "DLL Hijacking", "rootkit", "termite" or "mimikatz". It is as if the author of the Symantec report was describing a completely different hack, probably one that happened in his dreams.
"Cyber security companies regularly produce such reports based on their own intel and research for their various stakeholders. As this is an independent investigation report by a commercial entity, we have no comment on its contents."
Lastly, let us look at CSA's comments on the Symantec report. CSA, having investigated the attack, should know exactly what happened. If you read between the lines, CSA is trying to distance itself from the report, claiming that Symantec has the right to produce their own report, and declined to comment on the contents. CSA has to be diplomatic and cannot directly accuse Symantec of falsifying the report. Unfortunately, the Straits Times reporter did not pick up on the hint.
To sum up, we can ask the following questions with clear yes or no answers to determine if the report is a falsehood. I am pretty sure that the answer is no for all of them.
1. Was a binary with hash a196dfe4ef7d422aadf1709b12511ae82cb96aad030422b00a9c91fb60a12f17 used in the SingHealth attack? Yes/No
2. Was DLL Hijacking one of the techniques used in the SingHealth attack? Yes/No
3. Was the open-source hacking tool, termite used in the SingHealth attack? Yes/No
Since the report is evidentially false and is prejudicial to public safety and security, the Straits Times is indeed propagating online falsehoods.