Medical Industry Under Attack By Chinese Hackers

Sykipot, VOHO targeted attack campaigns hit medical industry, and cyberspies also after business-process intel

Multiple gangs of Chinese cyberespionage hackers are now targeting the healthcare and medical/life sciences industries.

Most every industry is fair game for cyberespionage these days -- so it's no surprise that the healthcare and medical industry would come up on the list -- but, to date, it has been a field more abused by cybercriminals motivated by medical identity theft and other financial fraud.

Rich Barger, chief intelligence officer with CyberSquared, says his firm can confirm at least three advanced persistent threat (APT) groups out of China who have targeted organizations in the medical field, including one group that posed as a life sciences and drug discovery company out of Beijing to lure and drop drive-by malware on related companies from that industry. The second was the group behind the well-known malware Sykipot used in various APT-type attacks; the third, the gang behind the VOHO targeted attack campaign -- which CyberSquared found targeting the National Institute of Health.

"Many of these victims have technology or drugs that are a monopoly. If you are the first to market with some great new technology breakthrough or drug, and you get a profit from that research ... it would definitely be an issue for the Chinese to target some of these" firms to gain a competitive advantage, Barger says.

Cyberspying against medical firms, while not as prevalent as attacks on industries like the defense contractor industry or information technology firms, isn't new, but it appears to be growing, security experts say.

Richard Bejtlich, CSO for Mandiant, says his firm has had "double-digit" numbers of forensic engagements with healthcare organization cyberespionage victims, mainly in the insurance, provider, and infrastructure sectors. Mandiant has identified at least five active Chinese hacker groups targeting this industry, he says. "There's one unknown group that could be Russian or Chinese," but Mandiant has been unable to confirm its origins, he says.

Interestingly, the attackers Mandiant are witnessing are not just stealing the traditional intellectual property so coveted by Chinese hackers, but, instead, they are after information on how these organizations do business. "They are taking proprietary data to increase operational efficiency, data to replicate processes, and insider knowledge for how organizations are operating inside China or with the Chinese healthcare industry," Bejtlich says.

Why the interest in business process? Mandiant believes the interest has to do with the fact that healthcare is listed as one of China's priorities in its 15-year science and technology development strategy for 2006 to 2020.

"This reminds us of what we see in aerospace: [The Chinese] are very interested in learning how to provide a quality service and how to save money -- very standard business-type stuff," Bejtlich says.

[Mandiant calls out People's Liberation Army Unit 61398 as the APT1 group responsible for cyberspying against multiple industries; Dell SecureWorks discovers new victims of APT1/a.k.a. the "Comment Crew," "Comment Group." See Chinese Military Tied To Major Cyberespionage Operation.]

Neither CyberSquared's Barger nor Mandiant's Bejtlich have seen a Chinese hacker group focused solely on the healthcare/medical arena; most of the hacker groups they've seen hitting these firms are working alone, and not collaborating with one another.

CyberSquared today published a white paper (PDF) that includes case studies of the three APT attack campaigns on the medical industry it studied.

The first occurred in October 2012, when the attackers set up phony websites with domain names similar to real firms in the medical field:,, and They were meant to fool users into visiting what they thought were the sites of the legitimate GenOptix, BioDuro, and Accenture life sciences firms.

The attackers planted an Internet Explorer zero-day exploit (CVE-2012-4969) in this waterhole campaign, hoping to lure unsuspecting users with ties to firms in that industry, or via spearphishing attacks, according to CyberSquared.

In the case of BioDuro, CyberSquared confirmed that the attackers used a malicious iFrame that redirected users to the IE exploit and then downloaded a variant of the Destroy Remote Access Trojan (RAT) that gave them a foothold into the user's network.

CyberSquared says it discovered that the gang behind the Sykipot (a.k.a. GetKys) malware used in targeted attack campaigns also went after the healthcare industry. In one case, it used a phony domain called purposely mimicking the National Health Information Network domain name; in another, the Sykipot command-and-control (C&C) domain resolved to an IP address registered by the Asian Pacific AIDS Intervention Team (APAIT), a real organization. "It is likely that APAIT networks were a previous target of threat actors, and are being repurposed in subsequent attacks," CyberSquared's report says.

The researchers also tied the Chinese hackers behind the VOHO cyberespionage campaign to an attack that targeted the National Institute of Health. VOHO over several months last year victimized around 900 organizations across a wide base of industries, including international financial services firms, tech firms, utilities, government, education, corporate, and the defense industrial base. It also targeted users in Boston and the Washington, D.C. area and suburbs, including those associated with the defense industrial base, education, and political activism.

Cyber Squared found the malicious domain,, using the same C&C infrastructure as the initial VOHO campaign. "This likely indicates an infrastructure management technique on the part of the VOHO actors in targeting the National Institute of Health (NIH) as part of the VOHO campaign," according to the report.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights