HC3 Threat Brief: Chinese State-Sponsored Threat Actor

Sept. 28, 2022
The Health Sector Cybersecurity Coordination Center recently published a threat brief on the Chinese state-sponsored threat actor dubbed APT41, which has a history of attacking the healthcare industry.

On Sept. 22, the Health Sector Cybersecurity Coordination Center (HC3) published a threat brief on the Chinese state-sponsored threat actor APT41. Members of APT41 have been actively tracked since 2012, and the group has been tracked as two separate groups, depending on the operation. APT41 has a malicious history of targeting healthcare, as well as several other industries including high-tech and telecommunications, and uses methods such as spear phishing, watering holes, supply chain attacks, and backdoors.

According to the brief, APT41 has been active in one or more of 14 countries, including the U.S. Within healthcare specifically, the brief traces the group's targeting of the industry back to 2014. In 2014 and 2016, APT41 pursued IT and medical device software through supply chain attacks and targeted medical device information. In 2016, a biotech company was targeted for HR data, tax information, acquisition information, and clinical trial data. In 2018, the goals of the campaign were unknown. In 2019, APT41 targeted a U.S. cancer research facility with malware dubbed “EVILNUGGET” and exploited CVE-2019-3396.

From January through March 2020, APT41 was identified attempting to exploit Citrix, Cisco, and Zoho endpoints as part of a campaign that attempted to exploit more than 75 customers, several of them in targeted sectors in the U.S.

The brief adds that “Attempted exploitation of:

  • CVE-2019-19781: Citrix vulnerability which allows directory traversal. Gives the attacker access to areas of a system they would not normally have.
  • CVE-2020-10189: Zoho vulnerability which allows for remote code execution that can allow an attacker to deliver malware and advance malicious efforts.”
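Directory traversal, the weakness class the brief cites for the Citrix flaw, is one of the easier things to spot in web server access logs after the fact. The following is an added example, not code from the HC3 brief or from the vendor: it percent-decodes each request target (bounded, so double-encoded sequences are caught) and flags any request whose path or query contains a `..` segment. The Common Log Format lines, client addresses and paths are constructed samples, not captured traffic.

```python
# Added example, not part of the HC3 brief: a defender-side check that flags
# directory traversal attempts in web server access logs, the class of weakness
# the brief cites for CVE-2019-19781. Log lines below are constructed samples.
import re
from urllib.parse import unquote

# Common Log Format: client, identd, user, [time], "METHOD target PROTO", status, bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def decode_target(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as
    %252e%252e%252f end up as '../' instead of slipping past a naive check.
    Backslashes are folded to '/' because some servers treat them as separators."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")

def is_traversal(raw_target: str) -> bool:
    """True when any path or query token of the decoded request target is '..'
    or the target carries a NUL byte (used to truncate paths in older servers)."""
    decoded = decode_target(raw_target)
    if "\x00" in decoded:
        return True
    tokens = re.split(r"[/?&=]", decoded)
    return ".." in tokens

def scan_access_log(lines):
    """Return (client_ip, method, decoded_target) for each flagged request."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, method, target, _status = m.groups()
        if is_traversal(target):
            hits.append((ip, method, decode_target(target)))
    return hits

# Constructed sample log (not captured traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2020:12:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 4120',
    '203.0.113.5 - - [10/Jan/2020:12:00:02 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 404 231',
    '198.51.100.7 - - [10/Jan/2020:12:00:03 +0000] "GET /files?name=..%252F..%252Fconfig HTTP/1.1" 403 198',
    '192.0.2.10 - - [10/Jan/2020:12:00:04 +0000] "POST /api/login HTTP/1.1" 200 57',
]

if __name__ == "__main__":
    for ip, method, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {method} {target}")
```

Run against the sample log, the scan reports the second and third lines; the double-encoded request in the third line is only caught because decoding is repeated rather than done once. Treating `..` as a token after splitting on `/`, `?`, `&` and `=` avoids false positives on names that merely contain two dots.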

Regarding the healthcare sector more recently, two zero-day attacks were used to exploit the web-based Animal Health Reporting Diagnostic System (USAHERDS) application between May 2021 and February 2022. At least six U.S. state governments were compromised, and there are potentially more unknown victims. APT41 was detected relatively quickly and removed in this circumstance, but the system was compromised via zero-day CVE-2021-44207 and Log4j attacks. An investigation is still ongoing.

The release adds that “Popular TTPs and Tools [include]:

  • Initial Access: Frequent use of spear phishing with malicious attachments, watering holes, and supply chain attacks
  • Establish Foothold: The group utilizes a variety of public and private malware
  • Escalate Privileges: Usually leverages custom tools to obtain credentials
  • Internal Reconnaissance: Performs internal reconnaissance using compromised credentials
  • Lateral Movement: Remote Desktop Protocol (RDP), stolen credentials, adding admin groups, and brute forcing utilities
  • Maintain Presence: APT41 relies on the use of backdoors
  • Mission Complete: Creation of a RAR archive for exfiltration and removal of evidence”
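Several of the TTPs in that list leave traces in ordinary Windows Security event logs: an RDP session shows up as a logon event with type 10, a new member of a local admin group as event 4732, repeated failed logons as event 4625, and the archive staged for exfiltration as a process-creation event (4688) for the archiver. The following is an added example, not code from the HC3 brief, that walks a list of such events and maps each match onto the phase named above. The event records are constructed samples with simplified field names, the host names and addresses are invented, and the brute-force threshold of five failures is an assumption.

```python
# Added example, not part of the HC3 brief: detection logic that maps Windows
# Security events onto the TTP phases listed above. Events are constructed
# samples (simplified field names) and the thresholds are assumptions.
from collections import Counter

PRIVILEGED_GROUPS = {"administrators", "domain admins", "remote desktop users"}
ARCHIVERS = {"rar.exe", "winrar.exe"}
BRUTE_FORCE_THRESHOLD = 5  # assumed: failed logons from one source before alerting

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_ttps(events):
    """Return findings (phase, rule, host, detail) in the order they trigger."""
    findings = []
    failed = Counter()
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 4624 and ev.get("LogonType") == 10:
            # 4624 with LogonType 10 (RemoteInteractive) = RDP session established
            findings.append(("Lateral Movement", "rdp_logon", host,
                             f"{ev.get('TargetUserName')} from {ev.get('IpAddress')}"))
        elif eid == 4625:
            # 4625 = failed logon; alert once when a source crosses the threshold
            src = ev.get("IpAddress", "?")
            failed[src] += 1
            if failed[src] == BRUTE_FORCE_THRESHOLD:
                findings.append(("Lateral Movement", "brute_force", host,
                                 f"{BRUTE_FORCE_THRESHOLD} failed logons from {src}"))
        elif eid == 4732 and ev.get("TargetUserName", "").lower() in PRIVILEGED_GROUPS:
            # 4732 = member added to a security-enabled local group
            findings.append(("Lateral Movement", "admin_group_add", host,
                             f"{ev.get('MemberName')} -> {ev.get('TargetUserName')}"))
        elif eid == 4688 and _basename(ev.get("NewProcessName", "")) in ARCHIVERS:
            # 4688 = process creation; rar's 'a' command adds files to an archive
            args = ev.get("CommandLine", "").split()
            if len(args) > 1 and args[1].lower() == "a":
                findings.append(("Mission Complete", "archive_creation", host,
                                 ev.get("CommandLine")))
    return findings

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.23", "Computer": "HOSP-FS01"},
] + [
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.23",
     "Computer": "HOSP-FS01"} for _ in range(6)
] + [
    {"EventID": 4732, "MemberName": "CN=svc_backup", "TargetUserName": "Administrators",
     "Computer": "HOSP-FS01"},
    {"EventID": 4688, "NewProcessName": "C:\\Temp\\rar.exe",
     "CommandLine": "rar.exe a -r C:\\Temp\\out.rar D:\\Records\\", "Computer": "HOSP-FS01"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe", "Computer": "HOSP-WS07"},
]

if __name__ == "__main__":
    for phase, rule, host, detail in detect_ttps(SAMPLE_EVENTS):
        print(f"[{phase}] {rule} on {host}: {detail}")
```

On the sample data this yields four findings on the same host in sequence: an RDP logon, a burst of failed logons from the same address, the logged-on account being added to Administrators, and an archive being built from a records share. None of these is conclusive alone (RDP logons and archive creation are routine), which is why the rules return the phase and host together: the value is in correlating several phases on one host within a short window, not in any single hit.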
