The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Know Your Adversary: HC3 Shares Details of Chinese APT Groups Targeting the Healthcare Sector

The healthcare industry is actively targeted by financially motivated cybercriminal gangs; however, state-sponsored hacking groups also seek access to healthcare networks and are actively targeting healthcare providers and other entities in the healthcare and public health sector.

In a recently published security advisory, the Health Sector Cybersecurity Coordination Center (HC3) provides a threat profile of some of the most capable Chinese hacking groups that are known to target U.S. healthcare organizations. While at least one Chinese state-sponsored hacking group is known to conduct cyberattacks for financial gain, most groups conduct attacks for espionage purposes and to obtain intellectual property (IP) of interest to the government of the People’s Republic of China, such as IP related to medical technology and medicine. For instance, Chinese hackers targeted pharmaceutical firms during the pandemic seeking COVID-19 vaccine research data.

One of the most active threat groups is known as APT41 (also BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, and Double Dragon). The group has been active since at least 2007 and is known to target U.S. healthcare organizations, most commonly with the goal of obtaining intellectual property to pass to the Chinese government, which operationalizes the technology to bring it to market. The group also engages in espionage and digital extortion and is known to conduct financially motivated cyberattacks, although those operations may be for personal gain rather than at the request of the Chinese government. APT41 aggressively exploits known vulnerabilities, often within hours of public disclosure, as was the case with the ProxyLogon and Log4j vulnerabilities. Once initial access has been gained, the group moves laterally within networks and establishes persistent access, often remaining undetected for long periods while data of interest is exfiltrated. The group has an extensive arsenal of malware and uses well-known security tools in its attacks, such as a customized version of Cobalt Strike, Acunetix, Nmap, JexBoss, and Sqlmap.

APT10 (also known as Menupass Team, Stone Panda, Red Apollo, Cicada, CVNX, HOGFISH, and Cloud Hopper) engages in cyberespionage and cyberwarfare activities and has a focus on military and intelligence data. The group is known to leverage zero-day vulnerabilities to gain access to the networks of targets of interest and uses a variety of custom and public tools to achieve its aims. APT10 conducts highly targeted attacks, with initial access often achieved through spear phishing. The group is also known to target managed service providers (MSPs) in order to attack their downstream clients. The group often engages in living-off-the-land tactics, using tools already installed in victims’ environments.


APT18 (also known as Wekby, TA-428, TG-0416, Scandium, and Dynamite Panda) is a little-known APT group that is believed to work closely with the Chinese military and often targets human rights groups, governments, and a range of sectors, including pharmaceutical and biotechnology firms. The group is known to develop its own zero-day exploits, as well as adapt the exploits of others to meet its operational needs, and uses sophisticated malware such as Gh0st RAT, HTTPBrowser, pisloader, and PoisonIvy. APT18 is believed to be behind a 2014 attack on a healthcare provider in which the data of 4.5 million patients was stolen. The group is thought to have exploited the OpenSSL Heartbleed vulnerability to gain access to the network.

APT22 (also known as Barista, Group 46, and Suckfly) appears to be focused on targeting political entities and the healthcare sector, especially biomedical and pharmaceutical firms. The group is known to identify vulnerable public-facing web servers on victim networks and upload web shells, and uses complex malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM.

In addition to outlining some of the tactics, techniques, and procedures used by each group, HC3 has shared mitigations to improve security against the most commonly used infection vectors.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
