Security Experts:

Chinese Cyberspies Continue Targeting Medical Research Organizations

Chinese cyberspies continue targeting medical research organizations in the U.S. and elsewhere, and cancer-related research appears to be of particular interest, FireEye said in a report published on Wednesday.

According to FireEye, multiple China-linked advanced persistent threat (APT) groups have targeted entities involved in healthcare research and the focus on cancer-related research is likely a result of “China’s growing concern over increasing cancer and mortality rates, and the accompanying national health care costs.” Some reports say cancer is the leading cause of death in China.

These threat actors are likely also financially motivated considering that China has one of the world’s fastest-growing pharmaceutical industries. “Targeting medical research and data from studies may enable Chinese corporations to bring new drugs to market faster than Western competitors,” FireEye said in its report.

The cybersecurity firm has provided several examples of Chinese cyberspy groups targeting healthcare organizations.

One of the most recent attacks was observed in April 2019, when a threat actor delivered a piece of malware tracked as EVILNUGGET to a U.S.-based health center that conducts cancer research. The organization was also targeted by other Chinese groups in the past, including by APT41, whose attack on a U.S. research university was described by FireEye in a blog post published this week.

APT41 also targeted, between 2014 and 2016, a medical devices subsidiary of a large corporation. While the parent company was targeted initially, some evidence suggests that the hackers were more interested in the subsidiary.

In 2015, APT41 was spotted targeting a biotech company that was in the process of being acquired. The attackers were after HR data, tax information and documents related to the acquisition.

In addition to APT41, the APT10 group was spotted targeting the healthcare sector. The threat actor launched spear-phishing campaigns in 2017 that were aimed at entities in Japan. Two of the three documents delivered in the spear-phishing attacks referenced cancer research conferences, FireEye said.

APT18, also known as Wekby, has also been seen targeting biotech, pharmaceutical and cancer research organizations.

“One theme FireEye has observed among Chinese cyber espionage actors targeting the healthcare sector is the theft of large sets of PII and PHI, most notably with several high-profile breaches of U.S. organizations in 2015,” FireEye wrote in its report. “We assess that the theft of bulk data appears to remain a tactic employed by Chinese cyber espionage actors in targeting certain groups of individuals, as evidence by the breach of SingHealth in 2018.”

FireEye says the healthcare industry has been targeted by state-sponsored and cyber espionage groups from countries other than China, including Russia (APT28, APT29 and CyberBerkut) and Vietnam (APT32).

APT attacks on healthcare industry

The FireEye report covers healthcare threats in general. In addition to the Chinese APT attacks, the report also looks at financially-motivated cybercrime and the potential impact of malware and vulnerabilities on medical facilities and systems.

Related: Feeling the Pulse of Cyber Security in Healthcare

Related: AMCA Breach: Many More Impacted Healthcare Firms Come Forward

Related: Healthcare Firm EmCare Says 60,000 Employees and Patients Exposed in Breach

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.