Threat Management, Risk Assessments/Management

APT41 spear-phishing, supply chain campaigns target pharma, healthcare

A person holds a small Chinese flag.
An alert from the Department of Health and Human Services is warning the healthcare sector of the continuing threat by APT41, a Chinese state-sponsored threat group that has been active since 2012. (Photo by Ryan Pierse/Getty Images)

A new Department of Health and Human Services Cybersecurity Coordination Center alert warns the healthcare sector is continuing to be targeted by APT41, a Chinese state-sponsored threat actor group actively tracked by researchers since 2012.

APT41 has a history of targeting the healthcare sector, as well as the pharmaceuticals and high-tech industries, among others.

The group makes frequent use of spear-phishing, water holes, supply chain attacks, and backdoors to gain access to the network for learning insights into the specific industry and gathering data to inform future attacks. There’s evidence to believe the group has also been using keylogging screenshots, connecting to and querying SQL databases, code injection, downloading files, and stealing clipboard data.

To establish a foothold, APT41 uses various public and private malware and escalates privileges through custom tools to steal credentials. Once obtained, the actors use the credentials to perform internal reconnaissance then move laterally through stolen credentials, weak RDP, adding admin groups, and brute-forcing utilities.

By relying on backdoors, the group is able to maintain its presence on the victim’s network and is known to create a RAR archive for exfiltration and removal of evidence.

Chinese-backed threat group's activity increased over recent years

Despite indictments of multiple group members in 2019 and 2020, the group’s activities don’t appear to have been slowed down by the actions as APT41 was highly active last year.

Notably, in 2020 amid the height of the pandemic, the healthcare sector faced unprecedented sophisticated campaigns from both domestic and foreign threat actors. At the time, Congress asked the Cybersecurity and Infrastructure Security Agency to develop guidance to support HHS with guidance, naming APT41 as the actors behind the largest campaigns.

The campaign was targeting vulnerabilities in popular networking equipment, cloud software, and IT management tools, given the over-reliance on the tech for telehealth and telework during the COVID-19 response. The “Chinese espionage campaign” targeted nonprofit healthcare and pharmaceutical companies, as well as other organizations responding to the pandemic.

At the time, the letter to CISA warned the APT41 campaign also appeared to reflect a broader escalation from Chinese groups.

By 2021, APT41 added new tactics to its arsenal that were conducted in four different campaigns against private sector and government entities. Specifically, the group began using SQL injections for the initial attack vector, in addition to uploading Cobalt Strike beacons in smaller portions. A total of 13 organizations were confirmed victims of APT41 last year.

Previous campaigns launched against healthcare between 2014 to 2019 included IT and medical device software, medical device information, a biotech company, and a cancer research facility. In 2020, the campaigns worked to exploit Citrix, Cisco, and Zoho endpoints. More than 75 customers were targeted through these methods.

The most recent campaigns leverage the Unified Extensible Firmware Interface (UEFI) firmware implant, or the “most advanced implant found ‘in the wild.’” It’s implanted on the SPI flash motherboard memory to deploy additional malware with highly sophisticated methods.

APT41 also successfully exploited the web-based Animal Health Reporting Diagnostic System (USAHERDS) application via a zero-day vulnerability found in the app and via Log4j attacks. The app is designed to solicit and manage animal health and disease data to influence the health status of animal populations.

Two zero-day attacks were used to exploit the USAHERDS app between May 2021 and February 2022. The alert notes that “one CVE was accessed by using a MachineKey and the other was from Log4Shell.” The investigation is ongoing, but at least six U.S. state governments were compromised. It’s believed there are more unknown victims.

The HC3 white paper contains detailed tactics and popular tools used by APT41, which includes the Mitre ID for security leaders to review. Given the high success rate and longevity of the group, the insights can support effective mitigation strategies.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.