HC3 Details North Korean, Chinese Cyber Threats to Healthcare Sector

September 25, 2023 - The US healthcare sector has long faced cyber threats from all directions, from insider threats to foreign state-sponsored adversaries. In its latest threat brief, the HHS Health Sector Cybersecurity Coordination Center (HC3) narrowed its focus to North Korean and Chinese cyber threats, exploring the ways in which cyber criminals from these countries target healthcare.

“Chinese and North Korean ‘cybercriminal groups’ act as unique threats to the U.S. health sector,” the threat brief stated.

“China and North Korea are both significant cyber powers – China in absolute terms and North Korea in relative terms. Domestic politics in both nations has created a unique cybercriminal ecosystem, where the only significant cybercriminals that exist as a threat to the U.S. health sector are state-sponsored.”

HC3 described China as “the most powerful cyber power in the region.” These threat actors often focus on data exfiltration, espionage, and intellectual property theft. One Chinese advanced persistent threat (APT) actor, known as APT41, has been known to target the healthcare sector and the US in particular.

Also known as Double Dragon and Wicked Panda, APT41 has been active since 2012 and frequently leverages supply chain compromises and bootkit operations. Since 2014, APT41 has been observed targeting healthcare.

“It is expected to continue for the foreseeable future, and this includes the potential for both state-ordered attacks for political purposes, as well as those for financial gain,” the threat brief noted.

Specifically, from July 2014 to May 2016, APT41 targeted sustained cyberattacks against a medical devices subsidiary of a large corporation, going after human resources information, clinical trial data, and academic research.

While Chinese threat actors are formidable, North Korea as a cyber threat cannot be ignored either. North Korea’s Communist government has prompted notable sanctions from the US, Australia, Japan, and other countries.

North Korean cyberattacks are known to fund cyberwarfare capabilities and bolster funding for other parts of the national government. APT43, also known as Kimsuky, Velvet Chollima, and Emerald Sleet, is a significant threat from North Korea.

APT43 is known to leverage social engineering and credential harvesting to launch attacks and frequently collaborates with other North Korean state actors. Meanwhile, Lazarus Group remains another notorious threat stemming from North Korea. HC3 recently issued a sector alert about Lazarus Group’s exploitation of a critical vulnerability in ManageEngine products.

Lazarus has been active since 2009 and has used a host of malware variants to target victims for years. Both Chinese and North Korean cyber threat actors pose significant threats to the healthcare sector, largely due to their vast array of resources.

“The most significant point is that groups originating in North Korea and China that act as cyber criminal gangs (i.e. are financially motivated) have all the sophistication of many other cybercriminal gangs, but also have the resources (technological, financial and diplomatic) of a state behind them,” HC3 noted.

“They are state-backed criminals and they target a number of industries, including the U.S. health sector.”

As always, healthcare organizations should take steps to mitigate risk. Leveraging free government resources and implementing key technical safeguards such as network segmentation and multifactor authentication can help reduce risk.