Ransomware, Threat Intelligence

Change Healthcare hacker may be linked to China espionage gangs

Hacking technology. Network ransomware and cyber crimes concept - 3d illustration.

An ALPHV/BlackCat ransomware gang affiliate that claimed responsibility for last month’s Change Healthcare attack may be linked to state-backed cyberespionage groups in China.

The hacker, who calls themselves “Notchy,” vented on a dark web forum that BlackCat did not pass on their cut of an apparent $22 million extortion payment following the highly disruptive attack.

BlackCat, meanwhile, has gone to ground in what appears to be an exit scam.

In a March 6 post, Menlo Security researchers said they had obtained evidence to back up industry speculation that Chinese state-sponsored entities were involved in the Change Healthcare attack.

“Some of our HUMINT (human intelligence) sources with direct contact to Notchy says it’s high probability that Notchy is associated with China Nation-State groups,” the researchers said.

“However, these allegations of Chinese state-sponsored associations lack validation, and we are closely monitoring developments,” they added.

“While it's plausible that the purported BlackCat affiliate is associated with a Chinese nation-state operation, arriving at a definitive conclusion necessitates substantial evidence from credible sources.”

Change Healthcare has said it's working with cybersecurity firms Palo Alto Networks and Mandiant to investigate the incident. Mandiant did not comment on BlackCat's or Notchy's involvement in the matter when SC Media contacted the firm.

A (Black)Catfight via message board

Menlo Security’s post chronicled dark web forum messages believed to be posted by a member of the BlackCat gang and the disgruntled Notchy.

On March 3, Notchy posted on the Ramp hacker forum that they were a “long time” BlackCat affiliate.

“But after receiving the [Change Healthcare ransom] payment ALPHV team decide to suspend our account and kee[p] lying and delaying when we contacted ALPHV admin on TOX [messaging platform].”

Two days later, a user with the handle “ransom” — believed to be linked to BlackCat — responded in Russian, saying the gang had “decided to completely close the project, we can officially declare that the feds screwed us over. The source code will be sold, negotiations are already underway on this matter.”

Elsewhere on the dark web, the gang posted its malware for sale with an asking price of $5 million.

Clearly not happy with the continued refusal to pay him, Notchy replied on Ramp: “@ransom stop blaming the feds. No one is idiot here to believe what you have said. return what you have stole and be a man with dignity.”

Fears over disgruntled affiliate’s next move

The Menlo Security researchers said Notchy’s next move “is something we all will be watching.”

“There is a risk that the ex-affiliate of ALPHV/BlackCat, who had his portion of the ransom money taken, may attempt to sell the stolen data privately on the darkweb to recoup what he lost.”

That prospect was concerning, with Notchy reportedly having stolen about 4TB of data from an organization whose operations “could affect the healthcare data of nearly every American.”

“The compromised information encompasses a wide array of personal and medical details, notably including data from critical national healthcare programs such as Medicare and TRICARE,” the researchers said.

TRICARE is the healthcare program for members of the U.S. armed forces and their dependents, while Medicare is a government health insurance program for people over the of 65 and people with disabilities.

“The leakage of such sensitive data not only poses a direct threat to the privacy and security of millions of beneficiaries, but also has broader implications for national security.”

The lack of a way to verify anonymous claims made on the dark web was also a concern for cybersecurity researchers.

"This situation highlights the uncertainty surrounding information obtained from such online forums and the need for caution when interpreting them," said Sarah Jones, a cyber threat research analyst at Critical Start.

The prospect of a vengeful Notchy could also be ominous for members of the BlackCat gang, which is likely planning to resurface at the helm of a new cybercriminal operation in due course.

If Notchy was in possession of BlackCat data and intelligence, they could turn the tables on the gang, threatening to release the information if BlackCat did not pay the commission that was being demanded.

“Given the extensive and detailed nature of the information potentially accessed, this incident underscores the vital importance of enhancing cybersecurity measures around critical healthcare infrastructure and data systems,” Menlo Security’s researchers said.

SC Media's Steve Zurier contributed to this report.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.