Cybersecurity News

HC3 Details APT41 Cyberattack Tactics, Risks to Healthcare Cybersecurity

APT41 poses a threat to healthcare cybersecurity and has been observed targeting the healthcare and pharmaceutical sectors in the past.

HC3 Details APT41 Cyberattack Tactics, Risks to Healthcare Cybersecurity

Source: Getty Images

By Jill McKeon

- Long-running Chinese state-sponsored threat group APT41 continues to pose a danger to healthcare cybersecurity, the HHS Health Sector Cybersecurity Coordination Center (HC3) suggested in a recent brief.

The group has been active since at least 2012. In the past decade, APT41 has repeatedly gone after healthcare and pharmaceutical organizations, along with a variety of other sectors across 14 countries.

In 2014 and 2016, HC3 explained, APT41 took interest in IT and medical device software, executing supply chain attacks to target medical device information. In 2016, the group went after a biotech company’s HR data, tax information, and clinical trial data.

Even after two high-profile indictments against members of the group in 2019 and 2020, the group “did not appear to slow down any operations,” HC3 noted.

In 2019, the group was observed targeting a US cancer research facility. APT41 has attempted to exploit Citrix, Zoho, and Cisco endpoints, leveraging remote code execution and directory traversal in the past.

In 2020, HC3 issued a white paper with information about a campaign of cyberattacks carried out by APT41 in which the group leveraged two critical vulnerabilities (CVE-2019-19781 and CVE2020-10189) in Citrix and Zoho.

“APT41 is known to conduct ‘off-duty’ cyber operations, likely for the direct personal benefit of its individual members, motivated by financial gain, rather than for the sake of the Chinese Government,” HC3 stated at the time.  

“Given its criticality to our communities, perceived availability of financial resources and highly valuable quantities of protected health information (PHI), and relatively unprepared IT infrastructures, the healthcare industry is historically susceptible to ransomware attacks; an appealing target to APT41.”

In 2021, the group used new techniques such as SQL injections and spear phishing to target malicious campaigns against political groups, airlines, and military organizations.

Additionally, the group used two zero-day attacks in 2021 and 2022 to exploit the web-based Animal Health Reporting Diagnostic System (USAHERDS) application, compromising at least six US state governments in the process.

Although the investigation is still ongoing, experts determined that the group compromised the system using Log4j attacks and zero-day CVE-2021-44207.

As the group continues to advance, experts have observed APT41 leveraging a host of tools to take advantage of victim organizations. APT41 frequently relies on the use of backdoors, stolen credentials, spear phishing, supply chain attacks, and internal reconnaissance.

Employing enterprise-wide mitigations and accounting for the latest vulnerabilities and threat groups is crucial to maintaining healthcare cybersecurity.