Chinese Cyberspies Continue Targeting Medical Research Organizations

Chinese cyberspies continue targeting medical research organizations in the U.S. and elsewhere, and cancer-related research appears to be of particular interest, FireEye said in a report published on Wednesday.

According to FireEye, multiple China-linked advanced persistent threat (APT) groups have targeted entities involved in healthcare research and the focus on cancer-related research is likely a result of “China’s growing concern over increasing cancer and mortality rates, and the accompanying national health care costs.” Some reports say cancer is the leading cause of death in China.

These threat actors are likely also financially motivated considering that China has one of the world’s fastest-growing pharmaceutical industries. “Targeting medical research and data from studies may enable Chinese corporations to bring new drugs to market faster than Western competitors,” FireEye said in its report.

The cybersecurity firm has provided several examples of Chinese cyberspy groups targeting healthcare organizations.

One of the most recent attacks was observed in April 2019, when a threat actor delivered a piece of malware tracked as EVILNUGGET to a U.S.-based health center that conducts cancer research. The organization was also targeted by other Chinese groups in the past, including by APT41, whose attack on a U.S. research university was described by FireEye in a blog post published this week.

APT41 also targeted, between 2014 and 2016, a medical devices subsidiary of a large corporation. While the parent company was targeted initially, some evidence suggests that the hackers were more interested in the subsidiary.

In 2015, APT41 was spotted targeting a biotech company that was in the process of being acquired. The attackers were after HR data, tax information and documents related to the acquisition.

In addition to APT41, the APT10 group was spotted targeting the healthcare sector. The threat actor launched spear-phishing campaigns in 2017 that were aimed at entities in Japan. Two of the three documents delivered in the spear-phishing attacks referenced cancer research conferences, FireEye said.

APT18, also known as Wekby, has also been seen targeting biotech, pharmaceutical and cancer research organizations.

“One theme FireEye has observed among Chinese cyber espionage actors targeting the healthcare sector is the theft of large sets of PII and PHI, most notably with several high-profile breaches of U.S. organizations in 2015,” FireEye wrote in its report. “We assess that the theft of bulk data appears to remain a tactic employed by Chinese cyber espionage actors in targeting certain groups of individuals, as evidenced by the breach of SingHealth in 2018.”

FireEye says the healthcare industry has been targeted by state-sponsored and cyber espionage groups from countries other than China, including Russia (APT28, APT29 and CyberBerkut) and Vietnam (APT32).

The FireEye report covers healthcare threats in general. In addition to the Chinese APT attacks, the report also looks at financially-motivated cybercrime and the potential impact of malware and vulnerabilities on medical facilities and systems.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
