On Sept. 22, the Health Sector Cybersecurity Coordination Center (HC3) published a threat brief on the Chinese state-sponsored threat actor APT41. Members of APT have been actively tracked since 2012, and APT has been tracked as two separate groups, depending on operation. APT41 has a malicious history of targeting healthcare, as well as several other industries including high-tech and telecommunications, and uses methods like spear phishing, water holes, supply chain attacks, and backdoors.
According to the brief, APT 41 has been active in one or more of 14 countries that includes the U.S. Specifically regarding healthcare, the years the industry was targeted beginning in 2014. In 2014 and 2016 APT 41 was interested in IT and medical device software through supply chain attacks and targeting medical device information. In 2016, a biotech company was targeted for HR data, tax information, acquisition information, and clinical trial data. In 2018, the goals of the campaign were unknown. In 2019, APT 41 targeted a U.S. cancer research facility with malware dubbed “EVILNUGGET” and CVE-2019-3396 was exploited.
In January – March of 2020 APT 41 was identified attempting to exploit Citrix, Cisco, and Zoho endpoints as a part of their campaign and attempted to exploit more than 75 customers, several of which targeted sectors in the U.S.
The brief adds that “Attempted exploitation of:
- CVE-2019-19781: Citrix vulnerability which allows directory transversal. Gives the attacker access to areas of a system they would not normally have.
- CVE-2020-10189: Zoho vulnerability which allows for remote code execution that can allow an attacker to deliver malware and advance malicious efforts.
Regarding the healthcare sector more recently, two zero-day attacks were used to exploit the web-based Animal Health Reporting Diagnostic System (USAHERDS) application in May 2021 – February 2022. At least six U.S. state governments were compromised and there are potentially more unknown victims. APT41 was detected relatively quickly and removed in this circumstance but the system was compromised via zero-day CVE-2021-44207 and Log4j attacks. An investigation is still ongoing.
The release adds that “Popular TTPs and Tools [include]:
- Initial Access: Frequent use of spear phishing with malicious attachments, watering holes, and supply chain attacks
- Establish Foothold: The group utilizes a variety of public and private malware
- Escalate Privileges: Usually leverages custom tools to obtain credentials
- Internal Reconnaissance: Performs internal reconnaissance using compromised credentials
- Lateral Movement: Remote Desktop Protocol (RDP), stolen credentials, adding admin groups, and brute forcing utilities
- Maintain Presence: APT41 relies on the use of backdoors
- Mission Complete: Creation of a RAR archive for exfiltration and removal of evidence”
