Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
| ATT&CK Technique | Opportunity Space | AD Technique | Use Case |
|---|---|---|---|
| T1003 - OS Credential Dumping | There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. | DTE0012 - Decoy Credentials | A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them. |
| T1027 - Obfuscated Files or Information | In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task. | DTE0017 - Decoy System | A defender could implement a decoy system to study how and when an adversary obfuscates files and hides information. |
| T1036 - Masquerading | There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors. | DTE0007 - Behavioral Analytics | A defender can look for known files in non-standard locations or files that are creating anomalous processes or connections. |
| T1059 - Command and Scripting Interpreter | | DTE0036 - Software Manipulation | A defender can manipulate the output of system commands issued to alter information the adversary might use during their activity. |
| T1059 - Command and Scripting Interpreter | | DTE0036 - Software Manipulation | A defender can modify the functionality of commands used to delete files so that the files are copied to a safe location before they are deleted. |
| T1059 - Command and Scripting Interpreter | | DTE0034 - System Activity Monitoring | A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system. |
| T1068 - Exploitation for Privilege Escalation | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. | DTE0001 - Admin Access | A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation. |
| T1105 - Ingress Tool Transfer | There is an opportunity to collect network data and analyze the adversary activity it contains. | DTE0028 - PCAP Collection | Collecting full packet capture of all network traffic allows you to review what happened over the connection and identify command and control traffic and/or exfiltration activity. |
| T1204 - User Execution | | DTE0018 - Detonate Malware | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
| T1574 - Hijack Execution Flow | There is an opportunity to use security controls to stop or allow an adversary's activity. | DTE0032 - Security Controls | A defender can block execution of untrusted software. |
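The behavioral-analytics use case for T1036 (known files in non-standard locations, or files spawning anomalous processes) can be turned into a concrete check over process-creation events. The example below is added here and is not MITRE Shield code; the expected-directory and expected-parent tables and the sample events are constructed for illustration and should be replaced with an inventory taken from your own golden images.

```python
import ntpath

# Where commonly masqueraded Windows binaries are expected to live, and
# which parent process normally launches them. Constructed example tables.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
}


def split_image(image_path):
    """Return (lowercase directory, lowercase filename) for a Windows path."""
    norm = image_path.replace("/", "\\").lower().rstrip("\\")
    return ntpath.split(norm)


def analyze(event):
    """Return the list of reasons a process-creation event looks masqueraded.

    `event` carries Sysmon-style Image / ParentImage fields. An empty list
    means the event matched no rule (or the binary is not one we track)."""
    directory, name = split_image(event["Image"])
    _, parent = split_image(event.get("ParentImage", ""))
    reasons = []
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        reasons.append(f"{name} running from non-standard path {directory}")
    if name in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[name]:
        reasons.append(f"{name} launched by unexpected parent {parent}")
    return reasons


def flag_events(events):
    """Return (event, reasons) pairs for every event that triggers a rule."""
    return [(e, analyze(e)) for e in events if analyze(e)]


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\svchost.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Temp\lsass.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for event, reasons in flag_events(SAMPLE_EVENTS):
        print(event["Image"], "->", "; ".join(reasons))
```

Untracked binaries such as `app.exe` are deliberately ignored so the rule stays low-noise; the path and parent checks fire independently, so a legitimately placed `svchost.exe` with an odd parent is still surfaced.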