HHS Report Lists APT41, APT43 and Lazarus Among Top Threat Groups
Chinese and North Korean cybercriminal groups continue to pose significant “unique threats” to the U.S. healthcare and public health sector, including data exfiltration attacks involving espionage and intellectual property theft, federal authorities warn.
Among the top threat actors are the China state-sponsored group APT41, also known as Double Dragon and Wicked Panda, and the North Korea-sponsored Lazarus Group and APT43, also known as or affiliated with Kimsuky, Velvet Chollima, Emerald Sleet and Thallium, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center said in a threat brief issued Thursday.
“China and North Korea are both significant cyber powers – China in absolute terms and North Korea in relative terms,” HHS HC3 said. “Domestic politics in both nations has created a unique cybercriminal ecosystem, where the only significant cybercriminals that exist as a threat to the U.S. health sector are state-sponsored.”
Most significantly, financially motivated groups originating in North Korea and China “have all the sophistication of many other cybercriminal gangs but also have the resources – technological, financial and diplomatic – of a state behind them,” HHS HC3 warned.
Some industry experts agree with HHS HC3’s assessment of the threats. “APT41, APT43 and the Lazarus Group represent some of the top cyberthreats from China and North Korea for the healthcare sector,” Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, told Information Security Media Group.
“These cyber gangs are motivated by their own national interests to bolster and enhance the delivery of healthcare to their own populations and actively use offensive cyber operations to achieve those goals by stealing biotech and healthcare R&D,” he said.
Threats From China
HHS said China “is the most powerful cyber power” in Asia, and its cybercrime groups often focus on data exfiltration – including espionage and intellectual property theft – to support economic development across sectors.
At an industry conference on Monday, FBI Director Christopher Wray said that China has a bigger hacking program than every other major nation combined, HHS HC3 wrote.
“If each one of the FBI’s cyber agents and intelligence analysts focused on China exclusively, Chinese hackers would still outnumber our cyber personnel by at least 50 to 1,” Wray said.
Chinese cyberattacks are often aligned with a five-year plan, and the current plan runs from 2021 to 2025. In the healthcare sectors, these attacks are targeting clinical medicine, genetics, biotechnology, neuroscience and research and development, HHS HC3 wrote.
In particular, the China state-sponsored APT41 “is highly sophisticated and innovative” at targeting the U.S. health sector specifically to augment China’s own R&D efforts, HHS HC3 said.
The group’s activity often centers on supply chain compromises aimed at specific individuals, frequent use of compromised digital certificates, and bootkit operations.
In an earlier APT41 campaign, the group conducted sustained and targeted cyberattacks from July 2014 through May 2016 on the medical devices subsidiary of a large corporation, HHS HC3 said.
“Their target was the parent company, however many of the compromised systems were associated with the medical device subsidiary. It is believed that APT41 was interested in information technology and software used by the medical device subsidiary,” HHS HC3 said.
Gearshift, a keylogger, was deployed in the medical device company’s environment, and digital certificates were stolen and later used to target a biotech company.
“Sensitive information about the biotech company’s operations was targeted. This included human resources information, tax data, data related to developed drugs clinical trials, academic research, and R&D funding-related information,” HHS HC3 said.
North Korean Threats
Meanwhile, threats stemming from North Korean state-sponsored cybercrime groups, including APT43 and Lazarus Group, also pose considerable concerns for the U.S. healthcare and public health sector, HHS HC3 wrote.
APT43 is considered moderately sophisticated in its capabilities for social engineering, spear-phishing, credential harvesting and spoofed personae, HHS HC3 said.
The group is heavily active in cryptocurrency laundering to fund hacking operations under an apparent mandate from Pyongyang. APT43 also has focused on cyberespionage, including attacks on the health-related sectors in support of North Korea’s pandemic response efforts (see: North Korean Threat Groups Steal Crypto to Pay for Hacking).
Lazarus Group has been one of the most active North Korean cyberthreat groups for over a decade, HHS HC3 said.
The group focuses on espionage, intellectual property theft, financial fraud and geopolitical issues. Lazarus Group has been at the center of major cyber operations in a number of industries, including healthcare and intellectual property theft attacks involving COVID-19 vaccine data.
HHS HC3 has a long list of recommendations for how the healthcare sector can better defend against and mitigate the threats posed by Chinese, North Korean and other bad actors.
It includes reviewing domain controllers, servers, workstations and Active Directory for new or unrecognized user accounts; regularly backing up data; and ensuring copies of critical data cannot be modified or deleted from the system where the data resides.
Other recommendations include implementing network segmentation and having a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location.
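The first recommendation above, reviewing domain controllers and Active Directory for new or unrecognized accounts, is easiest to operationalize as a recurring check over the account-lifecycle events Windows already audits. The script below is an added example, not code from HHS HC3 or H-ISAC: it reads a batch of Security audit events (4720 user account created, 4728 and 4732 member added to a group) exported as one JSON object per line, compares created accounts against an allowlist of accounts change management expects to exist, and flags any addition to a privileged group, noting when the member was itself created earlier in the same batch. The event records, the allowlist, the computer names and the simplified JSON export format are all constructed for the example.

```python
"""Flag new or unrecognized accounts in Windows Security audit events.

Added example. The events, allowlist and export format below are constructed
sample data, not real logs. Event IDs are from the Windows Security auditing
catalog: 4720 = user account created, 4728 = member added to a security-enabled
global group, 4732 = member added to a security-enabled local group.
"""
import json
from dataclasses import dataclass

EVENT_USER_CREATED = 4720
EVENT_MEMBER_ADDED_GLOBAL = 4728
EVENT_MEMBER_ADDED_LOCAL = 4732
GROUP_ADD_EVENTS = {EVENT_MEMBER_ADDED_GLOBAL, EVENT_MEMBER_ADDED_LOCAL}

# Groups whose membership changes always warrant review (hypothetical list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators"}

# Constructed allowlist: accounts that change management expects to exist.
EXPECTED_ACCOUNTS = {"jdoe", "asmith", "svc_backup"}

# Constructed sample events, one JSON object per line, carrying the fields an
# exported 4720/4728/4732 record provides. Domain "corp.example" is fictional.
SAMPLE_EVENTS = """\
{"EventID": 4720, "TimeCreated": "2024-03-04T02:13:55Z", "SubjectUserName": "adm_ops", "TargetUserName": "jdoe", "Computer": "DC01"}
{"EventID": 4720, "TimeCreated": "2024-03-04T02:15:10Z", "SubjectUserName": "adm_ops", "TargetUserName": "svc_update$", "Computer": "DC01"}
{"EventID": 4728, "TimeCreated": "2024-03-04T02:16:02Z", "SubjectUserName": "adm_ops", "MemberName": "CN=svc_update$,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins", "Computer": "DC01"}
{"EventID": 4720, "TimeCreated": "2024-03-04T09:30:00Z", "SubjectUserName": "helpdesk1", "TargetUserName": "asmith", "Computer": "DC02"}
{"EventID": 4732, "TimeCreated": "2024-03-04T09:31:00Z", "SubjectUserName": "helpdesk1", "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users", "Computer": "DC02"}
"""


@dataclass
class Finding:
    reason: str            # "unrecognized_account_created" or "privileged_group_added"
    account: str           # account the finding is about
    actor: str             # SubjectUserName that made the change
    time: str
    computer: str
    group: str = ""        # populated for group additions
    newly_created: bool = False  # account was created earlier in this batch


def member_cn(member_name: str) -> str:
    """Return the leaf CN of a distinguished name such as
    'CN=svc_update$,CN=Users,DC=corp,DC=example'. Assumes the CN contains no
    escaped commas, which holds for the sample data."""
    first_rdn = member_name.split(",")[0]
    return first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn


def review_events(lines, expected_accounts, privileged_groups):
    """Scan event lines in order and return a list of Findings.

    Account names are compared case-insensitively, as Windows does. Accounts
    created within the batch are remembered so that a later privileged-group
    addition of the same account is marked newly_created."""
    expected = {a.lower() for a in expected_accounts}
    created_in_batch = set()
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        eid = int(ev["EventID"])
        if eid == EVENT_USER_CREATED:
            target = ev["TargetUserName"]
            created_in_batch.add(target.lower())
            if target.lower() not in expected:
                findings.append(Finding("unrecognized_account_created", target,
                                        ev["SubjectUserName"], ev["TimeCreated"],
                                        ev["Computer"]))
        elif eid in GROUP_ADD_EVENTS:
            group = ev["TargetUserName"]
            if group in privileged_groups:
                member = member_cn(ev["MemberName"])
                findings.append(Finding("privileged_group_added", member,
                                        ev["SubjectUserName"], ev["TimeCreated"],
                                        ev["Computer"], group=group,
                                        newly_created=member.lower() in created_in_batch))
    return findings


if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS.splitlines(), EXPECTED_ACCOUNTS, PRIVILEGED_GROUPS):
        print(f"{f.time} {f.computer} {f.reason}: account={f.account} actor={f.actor}"
              f"{' group=' + f.group if f.group else ''}"
              f"{' (created in this batch)' if f.newly_created else ''}")
```

Run against the constructed batch, the script reports two findings: the creation of svc_update$, which is absent from the allowlist, and its addition to Domain Admins a minute later by the same actor, marked as newly created; the expected accounts and the Remote Desktop Users addition produce nothing. In a real deployment the allowlist would be driven from the change-management system and the events pulled from a SIEM or `Get-WinEvent` export rather than embedded in the script.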
H-ISAC’s Weiss said that active participation in an information-sharing community is a valuable way to stay ahead of cyberthreats. “I’d also suggest reviewing the controls outlined in the Health Industry Cybersecurity Practices – HICP 2023 edition. That paper is great because it’s tailored to meet the needs of large-, medium- and small-sized businesses.”
In addition to the threats spotlighted by HHS HC3’s report, Weiss advised healthcare and public sector entities to keep a close eye on disinformation campaigns coming from Russia and China.
“Chinese influencers launched social media campaigns that blamed the devastating fires in Maui on a secret U.S. government weapon. ‘Mis-‘ and ‘dis-‘ information can negatively impact the ability to provide safe and effective healthcare when the public accepts unreliable information about vaccines and medical procedures as fact,” he said.