Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Healthcare

Chinese APT Groups Target Cancer Research Facilities: Report

FireEye Describes How Groups Are Gathering Data
Chinese APT Groups Target Cancer Research Facilities: Report

Chinese advanced persistent threat groups are targeting cancer research organizations across the globe with the goal of stealing their work and using it to help the country address growing cancer rates among its population, according to researchers at cybersecurity company FireEye

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

In a wide-ranging report issued this week about cybersecurity threats in the healthcare industry, FireEye researchers note that as the cancer rate in China rises along with the cost of healthcare, the country may be looking for a fast way to gain access to research that will help it address those concerns.

China also has a fast-growing pharmaceutical market that also may be interested in obtaining information on cancer research in hopes of getting medications to market more quickly, the researchers say.

"It is likely that an area of unique interest is cancer-related research, reflective of China's growing concern over increasing cancer and mortality rates, and the accompanying national healthcare costs," the FireEye researchers write. "Open source reports indicate that cancer mortality rates have increased dramatically in recent decades, making cancer the nation's leading cause of death. As the [People's Republic of China] continues to pursue universal healthcare by 2020, controlling costs and domestic industry will surely affect the PRC’s strategy to maintain political stability."

Meanwhile, the growth in the country's pharmaceutical market creates "lucrative opportunities for domestic firms, especially those that provide oncology treatments or services. Targeting medical research and data from studies may enable Chinese corporations to bring new drugs to market faster than Western competitors," the report states.

Targeting Researchers

The researchers outline several instances over six years when Chinese advanced persistent threat groups have targeted cancer research institutions, at times sending out spear-phishing emails that referred to upcoming conferences in the subject line as a way to entice recipients to click on an attachment or a link to malicious sites through which malware was downloaded.

A Chinese group called APT18 - also known as "Wekby" - has been targeting biotech and pharmaceutical organizations as well as those conducting cancer research, the report notes.

The FireEye researchers say APT18 had been in one medical device manufacturing company’s network for at least 60 days before being detected, accessing about 14 users' accounts and using or installing backdoors on more than 450 systems. The group collected and exfiltrated several gigabytes of medical imaging equipment files.

"Dating back to 2014, we've seen these groups ... active in targeting pharmaceutical companies, academic healthcare, various [organizations] that are all in the research side of healthcare and pharma," Luke McNamara, principal analyst at FireEye, tells Information Security Media Group. "A subset [of Chinese groups] that are targeting researchers seems to be organizations that have a specific focus in cancer research or, in some cases, cancer-related conferences."

Targeted More Than Once

One U.S.-based healthcare center that conducts cancer research - not named in the report - has been the target of multiple Chinese threat groups over the past few years. A Chinese group in April targeted the organization with malware dubbed Evilnugget, the researchers say. One of the documents used by the group to lure unsuspecting victims at the center focused on a conference being hosted by the organization.

In 2018, a threat group dubbed APT41, which researchers believe is backed by China's government, used spear-phishing malware called Crosswalk against staff at the center. Another group, APT22, which has focused on biomedical, pharmaceutical and healthcare organization, also targeted the same organization, the researchers note.

At the Black Hat conference earlier this month, FireEye researchers said they had detected Apt41, noting that the group has had an interest in healthcare-related organizations since 2014. Between 2014 and 2016, the group targeted a medical device subsidiary of a larger company, using password strings, spoofed domains and a keylogger dubbed Gearshift. That operation focused on IT employees and software used by the subsidiary, researchers note.

In addition, a digital certificate from the subsidiary was compromised and used to sign malware that was later used in other attacks in the healthcare sector. Those included an attack on a biotech company in 2015 that was being acquired. Sensitive information about corporate operations - such as HR data and tax information - as well as data from clinical trials for developing drugs and documents related to R&D funding was exfiltrated.

In 2017, Chinese group APT 10 distributed three healthcare-themed documents as part of a spear-phishing campaign against organizations in Japan, the researchers say. Two of the documents were related to cancer research conferences.

The FireEye researchers note that several medical researchers at the MD Anderson Cancer Research Center in Texas were fired in April due to concerns that medical research information was being stolen on behalf of the Chinese government.

About the Author

Jeffrey Burt

Jeffrey Burt

Contributing Editor

Burt is a freelance writer based in Massachusetts. He has been covering the IT industry for almost two decades, including a long stint as a writer and editor for eWEEK. Over the past several years, he also has written and edited for The Next Platform, Channel Partners, Channel Futures, Security Now, Data Center Knowledge, ITPro Today and Channelnomics.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.