Menu
Browse

Cyber Threat Actor: Whitefly

Actor Type Location Known Incidents
 Icon
Nation State
Singapore
1 incident
Profile

Whitefly is thealias used for a threat actor that has been observed operating from at least 2017 and is known to be based in Singapore. The group is described by Symantec as a state‑sponsored espionage entity, although the specific state providing direction or funding has not been publicly identified. Analysts characterize Whitefly as a small‑ to medium‑sized team, indicating a limited number of operators rather than a large hierarchical organization. The actor’s primary motivation, as inferred from its targeting and methods, is the collection of sensitive information for intelligence purposes.

Whitefly’s activities have been concentrated on organizations located within Singapore, with a clear focus on four sectors: healthcare, media, telecommunications, and engineering. The most publicized incident involved the illegal access and copying of personal data from a national health database, affecting roughly 1.5 million individuals who had visited clinics between May 2015 and July 2018. Among the compromised records were those of prominent government figures, including the Prime Minister and an Emeritus Senior Minister. Symantec concluded that this breach was not an isolated event but part of a broader espionage campaign aimed at gathering large volumes of sensitive information from Singaporean targets.

Beyond the health database intrusion, Symantec reported that Whitefly has conducted a wider pattern of attacks against multiple organizations in the same sectors, suggesting a sustained effort to infiltrate and exfiltrate data over time. The group’s operational timeline, as noted in the Reuters piece, spans at least from 2017 through the period covered by the health database incident, indicating continuity of activity. No additional distinct campaigns have been detailed in the publicly available sources, so the health database breach serves as the representative example of Whitefly’s methodology. The actor’s consistent selection of Singapore‑based targets underscores a geographic focus that aligns with its state‑sponsored espionage objective.

The source material does not specify particular malware families, initial access vectors, or custom tooling employed by Whitefly; it only references the group’s tactics in general terms. Attribution to a state sponsor is asserted by Symantec, but the exact nation or agency behind the activity remains undisclosed in the public reporting. No connections to criminal consortia or financially motivated actors have been mentioned, reinforcing the characterization of Whitefly as an espionage‑focused actor. Consequently, the profile is limited to the confirmed facts of its alias, location, sectoral targeting, espionage motive, and the notable health database compromise.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source