
Know Your Adversary: HC3 Shares Details of Chinese APT Groups Targeting the Healthcare Sector

Jun 03, 2023

Posted By Steve Alder on Aug 24, 2023

The healthcare industry is actively targeted by financially motivated cybercriminal gangs; however, state-sponsored hacking groups also seek access to healthcare networks and are actively targeting healthcare providers and other entities in the healthcare and public health sector.

In a recently published security advisory, the Health Sector Cybersecurity Coordination Center (HC3) provides a threat profile of some of the most capable Chinese hacking groups that are known to target U.S. healthcare organizations. While at least one Chinese state-sponsored hacking group is known to conduct cyberattacks for financial gain, most groups conduct attacks for espionage purposes and to obtain intellectual property (IP) of interest to the government of the People’s Republic of China, such as IP related to medical technology and medicine. For instance, Chinese hackers targeted pharmaceutical firms during the pandemic seeking COVID-19 vaccine research data.

One of the most active threat groups is known as APT41 (also BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, and Double Dragon). The group has been active since at least 2007 and is known to target U.S. healthcare organizations, most commonly with the goal of obtaining intellectual property to pass to the Chinese government, which operationalizes the technology to bring it to market. The group also engages in espionage and digital extortion and is known to conduct financially motivated cyberattacks, although those operations may be for personal gain rather than at the request of the Chinese government. APT41 aggressively exploits known vulnerabilities, often within hours of public disclosure, as was the case with the ProxyLogon and Log4j vulnerabilities. Once initial access has been gained, the group moves laterally within networks and establishes persistent access, often remaining undetected for long periods while data of interest is exfiltrated. The group has an extensive arsenal of malware and uses well-known security tools in its attacks, such as a customized version of Cobalt Strike, Acunetix, Nmap, JexBoss, and Sqlmap.

APT10 (also known as Menupass Team, Stone Panda, Red Apollo, Cicada, CVNX, HOGFISH, and Cloud Hopper) engages in cyberespionage and cyberwarfare activities and has a focus on military and intelligence data. The group is known to leverage zero-day vulnerabilities to gain access to the networks of targets of interest and uses a variety of custom and public tools to achieve its aims. APT10 conducts highly targeted attacks, with initial access often achieved through spear phishing. The group is also known to target managed service providers (MSPs) in order to attack their downstream clients. The group often uses living-off-the-land tactics, relying on tools already installed in victims' environments.


APT18 (also known as Wekby, TA-428, TG-0416, Scandium, and Dynamite Panda) is a little-known APT group that is believed to work closely with the Chinese military and often targets human rights groups, governments, and a range of sectors, including pharmaceutical and biotechnology firms. The group is known to develop its own zero-day exploits, as well as adapt the exploits of others to meet its operational needs, and uses sophisticated malware such as Gh0st RAT, HTTPBrowser, pisloader, and PoisonIvy. APT18 is believed to be behind a 2014 attack on a healthcare provider in which the data of 4.5 million patients was stolen. The group is thought to have exploited the OpenSSL Heartbleed vulnerability to gain access to the network.

APT22 (also known as Barista, Group 46, and Suckfly) appears to be focused on targeting political entities and the healthcare sector, especially biomedical and pharmaceutical firms. The group is known to identify vulnerable public-facing web servers on victim networks and upload web shells, and uses complex malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM.
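The web shells APT22 is described as dropping on vulnerable public-facing web servers are usually small server-side scripts that pass request parameters into code or command execution, or hide their payload behind a base64 blob. The following is an added example, not code from HC3, HIPAA Journal, or any APT22 tooling, that hunts a webroot for those generic traits. The rule weights, the alert threshold, and the sample files it writes into a temporary directory are all constructed for this illustration.

```python
"""Heuristic web shell hunt over a webroot (added example, not HC3's code).

Flags server-side scripts that (a) feed request parameters into eval/exec or
dynamic calls, (b) call OS command execution, or (c) carry a long base64 blob.
Rule weights and the threshold are assumptions chosen for this example.
"""
import os
import re
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".ashx"}

# (rule name, compiled regex, weight). Weights are illustrative, not a standard.
RULES = [
    ("eval_of_request_or_b64",
     re.compile(r"eval\s*\(\s*(\$_(?:POST|GET|REQUEST|COOKIE)|base64_decode)", re.I), 5),
    ("cmd_exec_call",
     re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I), 2),
    ("request_to_cmd_exec",
     re.compile(r"\b(system|passthru|shell_exec|exec)\s*\(\s*\$_(?:POST|GET|REQUEST)", re.I), 5),
    ("jsp_runtime_exec",
     re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(", re.I), 5),
    ("aspx_process_start",
     re.compile(r"Process\.Start\s*\(|ProcessStartInfo", re.I), 3),
    ("long_base64_blob",
     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
    ("php_dynamic_call_of_request",
     re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$_(?:POST|GET|REQUEST)", re.I), 4),
]
ALERT_THRESHOLD = 4  # assumption: a lone exec() call (weight 2) is not enough


def score_source(text):
    """Return (total weight, list of rule names that matched) for one file."""
    hits = [(name, weight) for name, rx, weight in RULES if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def scan_webroot(root):
    """Walk root and return findings for script files at or above the threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCRIPT_EXTS:
                continue  # static assets are not server-side executable
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            score, rules = score_source(text)
            if score >= ALERT_THRESHOLD:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "score": score, "rules": rules})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample webroot: two benign scripts, one non-script, and four shells.
SAMPLES = {
    "index.php": "<?php\nrequire 'app/bootstrap.php';\necho render_home();\n",
    "admin/backup.php": "<?php exec('tar czf /tmp/backup.tgz /var/www/data');\n",
    "assets/app.js": "eval(localStorage.getItem('x'))",  # skipped: not a server-side extension
    "uploads/cache.php": "<?php @eval($_POST['c']); ?>",  # classic one-line PHP shell
    "uploads/thumbs.php": "<?php eval(base64_decode('" + "QUFB" * 60 + "'));",  # obfuscated
    "uploads/img.jsp": ('<%@ page import="java.io.*" %><% String c=request.getParameter("cmd"); '
                        'Process p=Runtime.getRuntime().exec(c); %>'),
    "admin/util.php": "<?php\n$f = $_GET['f'];\n$f($_POST['a']);\n",  # dynamic call of request
}


def write_constructed_samples(root):
    """Materialise SAMPLES under root (constructed test data, not real artifacts)."""
    for rel, body in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample webroot in a temp dir and return findings keyed by path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    write_constructed_samples(root)
    return {f["path"]: f for f in scan_webroot(root)}


if __name__ == "__main__":
    for path, f in demo().items():
        print(f"{f['score']:>2}  {path}  {','.join(f['rules'])}")
```

Run against a real webroot, point `scan_webroot` at the document root and pair the output with file modification times and web server access logs (a POST to a newly created script under an upload directory is the usual tell); the heuristics above will produce false positives on legitimate admin tooling, which is why a single `exec()` scores below the threshold.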

In addition to outlining some of the tactics, techniques, and procedures used by each group, HC3 has shared mitigations to improve security against the most commonly used infection vectors.