HC3 threat brief highlights North Korean, Chinese cyber threats targeting healthcare and public health sector


The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) published Thursday a threat brief outlining North Korean and Chinese cybercrime threats to the healthcare and public health (HPH) sector. The document identifies China as the ‘most powerful cyber power in the region,’ and provides an overview of common cybercriminal features and characteristics. 

The HC3 said that modern and sophisticated cybercriminal groups are run like companies, with most cybercrime originating from small teams bringing in moderate revenues. They advertise and recruit, track revenues, form partnerships, and track and mimic competition. Larger cybercriminal groups can be organized and operate like a corporation with various departments, staffing challenges, overhead, quality control, etc.

The document detailed that many groups have political connections and are generally aware of their public relations. “They grow capabilities organically/internally and also leverage the black market to bring in new capabilities,” it added.

On Chinese hackers, the HC3 threat brief said that they focus on data exfiltration (espionage and intellectual property theft) to support economic development across sectors. Cyber targeting frequently intersects with the objectives outlined in the Fourteenth Five-Year Plan (2021-2025). This plan encompasses various areas such as clinical medicine, genetics, biotechnology, neuroscience, and general healthcare research and development. The threat brief also pointed out that Chinese cybercrime is growing but still negligible. 

In its analysis of the APT41 group, also known as Double Dragon and Wicked Panda, the HC3 threat brief said that these hackers have been active since 2012. They have been identified as being highly sophisticated and innovative through their supply-chain compromises targeting individuals, frequent use of compromised digital certificates, and Bootkit operations. They are known to target the health sector and U.S. organizations.

The APT41 hackers have engaged in financially-motivated activities in ‘off hours.’ “It is believed that financially-motivated targeting of the video game industry has ultimately supported the group’s state-sponsored activity. Tradecraft developed and practiced in operations driven by personal gain have become pivotal in executing state-sponsored attacks. Accessing and conducting reconnaissance on video game environments has enabled APT41 to develop TTPs leveraged against software companies to inject malicious code into software updates,” the brief added.

The HC3 outlines that healthcare targeting by APT41 began in 2014 and continues to the present day. It is expected to continue for the foreseeable future, and this includes the potential for both state-ordered attacks for political purposes, as well as those for financial gain. 

The document noted that North Korea uses cyberattacks to self-fund its cyberwarfare capabilities and to provide funding to other parts of the national government, through operations against the SWIFT banking network and cryptocurrency exchanges and through ransomware attacks. “Cyberattacks have also been used to retaliate against insults against the regime and the Supreme Leader. The Sony Pictures cyberattack of 2014 was in retaliation for the unflattering portrayal of Kim Jong-un in the movie ‘The Interview.’”

On the leadership structure of North Korea, the HC3 threat brief said that the Reconnaissance General Bureau is a higher-level organization within the North Korean government that likely includes many of the country’s major cyber capabilities. “It is worth noting for this presentation that APT43 aligns with the mission of the Reconnaissance General Bureau. Also, the Lazarus Group likely falls under Lab 110, formerly known as Bureau 121 prior to reorganization. The People’s Liberation Army also includes cyberwarfare capabilities,” it added. 

Detailing the APT43 group, also known as Kimsuky, Velvet Chollima, and Emerald Sleet (THALLIUM), the HC3 considers it moderately sophisticated, with capabilities covering social engineering through spoofed personas, spoofed domains (spear phishing), credential harvesting, and cover identities for purchasing tools and infrastructure. So far, the group has not been observed using zero-days, though it remains highly collaborative with other North Korean state actors and maintains high-tempo operations. The group also uses cybercrime to fund strategic intelligence.

The HC3 threat brief identified that APT43 develops and releases highly customized spear phishing emails as an infection vector. It also develops highly detailed and realistic spoofed web pages. “APT43’s cryptocurrency laundering techniques – purchasing mining power – makes on-chain transaction tracing impossible,” it added.

Strangely, there is no significant code sharing between APT43 and other North Korean groups. 

The HC3 threat brief also provided an overview of the Lazarus Group. Its attributed names/affiliated groups were identified as APT38, Guardians of Peace, WhoisTeam, Labyrinth Chollima, Hidden Cobra, NICKEL ACADEMY, Diamond Sleet (ZINC). Active since at least 2009, the purpose of the Lazarus Group was identified as espionage, intellectual property theft, financial fraud, and geopolitical goals, and it aligned under Lab 110 (formerly Bureau 121).

Major cyber operations include Operation Troy, Sony Pictures/Operation Blockbuster, GHOSTRAT, Bangladesh Bank, WannaCry, various cryptocurrency exchanges/companies, and COVID-19 vaccine data. The major tools and TTPs identified include VSingle, MagicRAT, WannaCry, and other ransomware.

The HC3 brief detailed ThreatNeedle, a backdoor operated by Lazarus since 2019 and believed to be derived from Manuscrypt. It runs on Windows and exhibits persistence, file manipulation, and registry modification capabilities, in addition to reconnaissance and phishing.

Some of the sample malware variants leveraged by the Lazarus Group include Bistromath, a multi-functional remote access trojan and part of the HotCroissant malware family; Slickshoes, a dropper with beaconing, reconnaissance, file transfer and other capabilities; and Crowdedflounder, a remote access trojan capable of receiving and initiating connections.

Also listed were Hotcroissant, a remote access trojan that can collect usernames, administrative and system data, transfer files, execute commands, and capture screens; Artfulpie, an implant that can transfer files and load and execute files into memory; and Buffetline, an implant that can conduct beaconing, file transfers, and execution, as well as Windows command line access, process creation/termination, and system enumeration.

Addressing ransomware mitigations and defense, the HC3 brief called for a review of domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts. It also recommends regularly backing up data, air-gapping and password-protecting backup copies offline, and ensuring that copies of critical data cannot be modified or deleted from the system where the data resides.

The document also urged healthcare organizations to review Task Scheduler for unrecognized scheduled tasks and to manually review operating system-defined or -recognized scheduled tasks for unrecognized ‘actions.’ It further suggests reviewing anti-virus logs for indications that protection was unexpectedly turned off; implementing network segmentation; requiring administrator credentials to install software; and implementing a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
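The three host-review checks above (new accounts, unbaselined scheduled tasks and their actions, anti-virus unexpectedly disabled) as one PowerShell review script; this is an added example, not code from the HC3 brief. It assumes the RSAT ActiveDirectory and ScheduledTasks modules are available, that `C:\Baseline\scheduled-tasks.txt` is a placeholder path to a locally maintained known-good task inventory, and that Microsoft Defender is the anti-virus product (event ID 5001 in its Operational log records real-time protection being disabled).

```powershell
# Added example (not from the HC3 brief): review a Windows domain member or DC
# for the indicators the brief asks defenders to look for.
# Assumptions: ActiveDirectory (RSAT) and ScheduledTasks modules are present;
# $BaselinePath is a placeholder for a known-good task list, one
# "TaskPath\TaskName" per line, generated earlier on a clean host.
param(
    [datetime]$Since = (Get-Date).AddDays(-30),
    [string]$BaselinePath = 'C:\Baseline\scheduled-tasks.txt'   # placeholder path
)

# 1. AD user accounts created inside the review window (new/unrecognized accounts).
Write-Host "== AD user accounts created since $Since =="
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, Enabled |
    Sort-Object whenCreated |
    Format-Table SamAccountName, whenCreated, Enabled -AutoSize

# 2. Scheduled tasks absent from the known-good baseline, with their actions
#    (the executable and arguments each task runs) for manual review.
$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $baseline[$_.Trim()] = $true }
}
Write-Host "== Scheduled tasks not present in baseline =="
Get-ScheduledTask |
    Where-Object { -not $baseline.ContainsKey("$($_.TaskPath)$($_.TaskName)") } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{
            Task    = "$($_.TaskPath)$($_.TaskName)"
            Author  = $_.Author
            State   = $_.State
            Actions = $actions
        }
    } | Format-Table -AutoSize -Wrap

# 3. Defender real-time protection disabled (event ID 5001) during the window.
Write-Host "== Microsoft Defender real-time protection disabled since $Since =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated session on each host in scope; anything it prints is a lead to triage against change records, not a verdict on its own.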

Last week, the HC3 issued a cautionary alert to the healthcare industry regarding the emergence of Akira, a Ransomware-as-a-Service (RaaS) group that commenced its activities in March. Since its discovery, the group has claimed over 60 victims, which have typically ranged in the small- to medium-size business scale.
