The healthcare sector has been a favorite target for cybercriminals, especially since the pandemic struck. The Department of Health and Human Services has been releasing alerts for healthcare entities to follow to stay safe from damaging cyberattacks. In one such latest alert, the department warns against attacks by a Chinese state-sponsored threat actor.

Diving into details

APT41 is the Chinese threat actor known for targeting pharmaceuticals and high-tech industries, alongside healthcare.
  • The group leverages spear-phishing, watering holes, backdoors, and supply chain attacks to gain network access.
  • The alert, furthermore, states that the group has been using keylogging screenshots, code injection, connecting to and querying SQL databases, stealing clipboard data, and downloading files. 
  • APT41 deploys multiple private and public malware to establish a foothold and custom tools to escalate privileges. 

TTPs

  • In 2020, a campaign by the group was found targeting popular networking equipment, IT management tools, and cloud software by abusing vulnerabilities in them. More than 75 customers were affected.
  • In 2021, APT41 added new TTPs to its arsenal and conducted four distinct campaigns against the private sector and government entities. It used SQL injections as the initial attack vector. It attacked at least 13 victims.
  • The latest campaigns leverage UEFI firmware implant. It is embedded in the SPI flash motherboard memory to deliver further malware.

The bottom line

The white paper released by the HC3 contains detailed techniques and tools used by APT41, including the Mitre ID for security analysts. This can provide them with the proper defense strategies to put against this group. APT41 is, moreover, known for cyberespionage operations, which calls for proactive cybersecurity defenses.
Cyware Publisher

Publisher

Cyware