Chinese cyberespionage hackers are now targeting the healthcare and medical/life sciences industries.
CyberSquared confirm at least three advanced persistent threat (APT) groups; one group from Beijing, Sykipot used in various APT-type attacks; and the third, the gang behind the VOHO targeted attack campaign which CyberSquared found targeting the National Institute of Health. There’s one unknown group that could be Russian or Chinese, but we are unable to confirm its origins. These attackers are not just stealing the traditional intellectual property, but instead, they are after information on how these organizations do business. They are taking proprietary data to increase operational efficiency, data to replicate processes, and insider knowledge for how organizations are operating inside China or with the Chinese healthcare industry. The interest in healthcare has to do with the fact that healthcare is listed as one of the China’s priorities in its 15-year science and technology development strategy for 2006-2020.
The gang behind the Sykipot (a k a GetKys) malware used in targeted attack campaigns also went after the healthcare industry. In one case, it used a phony domain called nihnrhealth.com purposely mimicking the National Health Information Network domain name, and in another, the Sykipot command and control domain resolved to an IP address registered by the Asian Pacific AIDS Intervention Team, a real organization. APAIT networks were a previous target of APT, and are being repurposed in subsequent attacks. The malicious domain, nih-gov.darktech.org, is using the same C&C infrastructure as the initial VOHO campaign.
APT1 is the most widespread group in terms of the [various] industries it targets. The APT1 group is also known for gaining a foothold into the victim organization’s network, and coming and going over months or years in order to grab technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact information from top-level officials at the victim organizations.