Chinese and North Korean State Hacking Groups Target Health Records

Hacking Groups

HHS Report Lists APT41, APT43, and Lazarus Among Top Threat Groups

According to federal officials, Chinese and North Korean cybercriminal groups persist in presenting noteworthy and distinctive risks to the healthcare and public health sector in the United States.  These risks encompass data exfiltration assaults that involve espionage and the theft of intellectual property.

According to a threat brief released on Thursday by the Health Sector Cybersecurity Coordination Center of the Department of Health and Human Services, some of the prominent threat actors include APT41, also referred to as Double Dragon, and Wicked Panda, which is a state-sponsored group associated with China.  Additionally, the Lazarus Group and APT43, known or affiliated with Kimsuky, Velvet Chollima, and Emerald Sleet, are sponsored by North Korea.

According to the statement made by HHS HC3, both China and North Korea hold considerable influence in the realm of cyber power.  China’s influence is notable in absolute terms, while North Korea’s influence is important when considered in relative terms.  The presence of a distinct cybercriminal ecosystem in both countries has been shaped by domestic political factors, resulting in a situation where the primary cybercriminals posing a threat to the health sector of the United States are exclusively supported by governmental entities.

According to a warning issued by HHS HC3, groups originating in North Korea and China possess a level of competence comparable to other cybercriminal organizations.  However, what sets them apart is their access to abundant resources, including technological capabilities, financial backing, and diplomatic support from their respective states.

Several industry experts concur with the assessment of dangers provided by the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HHS HC3).  According to Errol Weiss, the Chief Security Officer at the Health Information Sharing and Analysis Center, APT41, APT43, and the Lazarus Group are among the prominent cyber threats originating from China and North Korea that pose significant risks to the healthcare sector.  Weiss made this statement during an interview with the Information Security Media Group.

According to the speaker, these cyber gangs are driven by their respective national interests in order to strengthen and improve healthcare provision for their own populations.  To accomplish this objective, they employ offensive cyber activities, such as the theft of biotech and healthcare research and development.

Threats From China

According to the Department of Health and Human Services (HHS), China is regarded as the predominant cyber power in Asia.  The cybercrime groups originating from China mostly engage in data exfiltration activities, such as espionage and intellectual property theft.  These illicit activities are conducted with the aim of bolstering economic growth across many sectors.

During an industry conference, FBI Director Christopher Wray made a statement indicating that China possesses a hacking program of greater magnitude compared to the combined efforts of other prominent nations, as reported by HHS HC3.

According to Wray, even if every cyber agent and intelligence analyst at the FBI were to concentrate solely on China, the number of Chinese hackers would still surpass our cyber employees by a ratio of at least 50 to 1.

Chinese cyberattacks frequently coincide with a strategic five-year plan, with the ongoing plan spanning the period from 2021 to 2025.  Within the healthcare industry, there has been a notable focus on addressing several domains, such as clinical medicine, genetics, biotechnology, neurology, and research and development.  The Health and Human Services (HHS) department’s Health Care Continuity and Coordination Committee (HC3) authored a document.

According to the HHS HC3, the APT41 group, which is supported by the Chinese government, demonstrates a high level of sophistication and innovation in its approach to targeting the healthcare sector in the United States.  The primary objective of these activities is to enhance China’s own research and development endeavors.

The primary area of interest for the group frequently revolves around supply chain compromises that specifically target individuals, the frequent utilization of compromised digital certificates, and the execution of Bootkit activities.

According to HHS HC3, during a previous APT41 campaign, the organization engaged in persistent and focused cyber assaults on the medical devices division of a prominent firm from July 2014 to May 2016.

The primary focus of their attack was directed at the parent firm, yet a significant number of the compromised systems were found to be linked to the subsidiary specializing in medical devices.  According to HHS HC3, it is widely thought that APT41 has shown a keen interest in the field of information technology and the software employed by the medical device subsidiary.

The medical device firm’s environment was infiltrated by Gearshift, a malicious software known as a keylogger.  As a result of this breach, certificates were illicitly obtained and subsequently exploited in a targeted attack against a biotechnology company.

The biotech company’s operational data of a confidential nature was subjected to deliberate targeting.  According to the HHS HC3, the compromised data encompassed several types of information such as human resources data, tax data, data pertaining to clinical trials of produced pharmaceuticals, academic research, and information linked to funding for research and development activities.

North Korean Threats

The U.S. healthcare and public health sector faces significant concerns due to the threats originating from North Korean state-sponsored cybercrime groups, namely APT43 and Lazarus Group, as stated by HHS HC3.

According to HHS HC3, APT43 possesses a moderate level of sophistication in its skills to engage in social engineering, spear-phishing, credential harvesting, and the creation of faked personae.

The gang demonstrates significant involvement in the process of bitcoin laundering in order to finance cyber operations, seemingly acting upon a directive originating from Pyongyang.  APT43 has demonstrated a particular emphasis on engaging in cyberespionage activities, which encompass targeted assaults on the healthcare industry.  These actions are carried out with the intention of aiding North Korea’s endeavors in responding to the pandemic, as highlighted in the report titled “North Korean Threat Groups Steal Crypto to Pay for Hacking.”

According to HHS HC3, the Lazarus Group has maintained a prominent position as a highly active cyber threat group originating from North Korea for a period exceeding ten years.

The collective’s primary areas of interest encompass covert intelligence operations, illicit acquisition of proprietary knowledge, fraudulent financial activities, and matters pertaining to geopolitical dynamics.  The Lazarus Group has emerged as a prominent actor in significant cyber campaigns across various sectors, notably in healthcare and instances of intellectual property theft, including targeting COVID vaccine-related information.

Taking Action

The Department of Health and Human Services Health Care Cybersecurity Coordination Center (HHS HC3) has compiled an extensive array of suggestions aimed at enhancing the healthcare sector’s ability to protect against and mitigate the many dangers presented by actors such as China, North Korea, and other malicious entities.

The process encompasses the examination of domain controllers, servers, workstations, and active directories to identify any newly added or unfamiliar user accounts.  Additionally, it involves the frequent implementation of data backup procedures and the establishment of safeguards to prevent unauthorized change or deletion of essential data within the system where it is stored.

Additional suggestions encompass the adoption of network segmentation as well as the establishment of a recovery strategy that ensures the preservation and duplication of sensitive or proprietary data and servers in a physically distinct, segregated, and safeguarded facility.

According to Weiss, active engagement in an information-sharing community is a valuable approach to proactively mitigate cyber threats.  I would also recommend a thorough examination of the controls described in the Health Industry Cybersecurity Practices – HICP 2023 version.  The aforementioned document is commendable due to its ability to cater to the specific requirements of enterprises of varying sizes, encompassing both large-scale corporations, medium-sized establishments, as well as tiny organizations.

Other Considerations

In conjunction with the dangers emphasized in the study by HHS HC3, Weiss recommended that healthcare and public sector organizations remain vigilant regarding disinformation tactics originating from Russia and China.

Chinese influencers initiated social media campaigns attributing the destructive fires in Maui to a clandestine weapon possessed by the United States government.  The individual stated that the presence of misinformation and disinformation can have adverse effects on the capacity to deliver healthcare that is both safe and effective.  This occurs when the general public accepts incorrect information on vaccines and medical procedures as truth.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM.  Naager entered the field of content in an unusual way.  He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts.  He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field.  In the bottom line, he frequently writes for Craw Security.

Cyber Security Course

Read More Article Here:

A Man got deceived in a “WhatsApp Task Fraud,” causing a loss of 43 Lakh, Navi Mumbai

3 Nigerian Suspects Detained by the Police for Online Fraud Incident in UP.


About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?