Nation State Cyber Thieves Target Healthcare and Patient Data

By Richard Staynings, Chief Security Strategist and Cybersecurity Evangelist

State sponsored cyber attacks against healthcare and the widescale theft of PHI, PII, and IP are escalating, putting the whole sector at increased risk. 

The Not Petya (Nyetya), WannaCry, Stuxnet, Sony Pictures, Yahoo, US Office of Personnel Management (OPM), SingHealth, and Anthem breaches are all recent examples of nation state attacks. They all have one thing in common: a well-funded and well-trained team of cyber warriors with the patience of saints and the tenacity to get the job done. These are the advanced persistent threats (APTs) that mark a nation state adversary. They are usually stealthy and stay hidden until the last moment, or go unnoticed entirely, as Yahoo eventually discovered after a subsequent attack.

Some of these attacks are indiscriminate in their targeting, while others attack specific nation states. The attacks can be geared towards intelligence gathering on the population at large or on targeted individuals. Many are thinly disguised attempts at theft of intellectual property and trade secrets, or at monetary theft and extortion to supplement what hackers get paid by their government puppet-masters for 'official business'.

Although WannaCry took out a large number of healthcare systems around the world, including a significant number of UK NHS hospitals and healthcare trusts, it was by and large a broadcast extortion attack to generate foreign exchange for the heavily sanctioned government of North Korea (DPRK) to pay for its missile program and nuclear weapons development. The SingHealth and Anthem breaches were, however, highly targeted at healthcare institutions, and these are just the tip of the iceberg. Like the OPM breach, these attacks are thought to have originated from the People's Republic of China (PRC).


Nation State Attacks

These nation state sponsored cyberattacks have been on a sharp rise over recent years as exemplified with North Korean attacks against Sony Pictures in 2014 in retribution for its movie “The Interview,” followed by the ‘WannaCry’ ransomware attacks of 2017, designed to generate foreign currency for the hermit kingdom.

Also of grave public concern were Iran's DDoS attacks against the US banking sector between 2011 and 2013, and an attempted hijacking of the Bowman Ave. Dam in New York, thought to be in retaliation for the US Stuxnet attack against Iranian uranium enrichment centrifuges.

Russian-based Nation State Attacks

Russia too has been a major perpetrator of direct cyber-warfare attacks, going back as far as the first Chechnya War in 1996. It has mounted literally hundreds of attacks against its neighbors, from the cyber attack against the Turkish-Georgian-Kazakh BTC oil pipeline in 2008 to a recent attack against the Ukrainian power grid.

However, it is the 'Not Petya' wiperware attacks of 2017, attributed to the Russian GRU, that currently take the prize as the most destructive and most expensive cyberattack in history. Not Petya targeted companies doing business with Ukraine and is thought to have resulted in between $8 billion and $12 billion in damages to multi-national corporations alone. Not Petya destroyed tens of thousands of computer systems across the globe and shut down hundreds of companies, including some in Russia itself. Not only did the GRU open Pandora's box, but the GRU accidentally let Pandora out to run amok!

A succession of breaches at Yahoo, totaling 3 billion accounts compromised between 2014 and 2016 in overlapping attacks, is also at least partly attributed to Russian state actors. This represents the largest data breach in history.

Finally, Russia is known to work via a network of criminal proxies that are periodically hired to do dirty work the Russian state wants to distance itself from, so as to claim plausible deniability. These organized crime groups, while working for the state, will usually continue to ply their craft in retail and financial services attacks, credit card theft, extortion and ransomware.

China-based Nation State Attacks

Over the past decade and a half, the People's Republic of China has demonstrated an insatiable appetite for commercial intellectual property and trade secrets, as well as state, defense and military supply chain espionage. This has included the wholesale theft of research, designs, formulations, test results, and a heap of other information needed to copy western goods and services. This has been obtained via a combination of cyber attack by Chinese People's Liberation Army groups operating from their bases in China, and from the inside by visiting Chinese professors and graduate students, or screened Chinese Americans working for defense contractors. The Chinese J-20 stealth fighter is an almost exact copy of the American F-35, whose plans were obtained in this way. The same is true for pharmaceuticals and thousands of other commercial products.

China has also targeted the theft of massive volumes of PII on Americans and other nationals. The OPM breach of 21.5 million federal employee records between 2013 and 2014, and the 2015 Anthem Health breach that resulted in the theft of PII of 79 million US, UK, and Canadian citizens (healthcare's largest) are indicative of PRC attacks. While cyber espionage against military-defense secrets appears to be common across all states today, what differentiates China is its cyberespionage activity that plainly targets non-military commercial organizations, research universities and their trade secrets.

In China everything of significance is owned by or beholden to the state, and after 70 years of communist isolation, the PRC has had a long way to go to catch up with and surpass the rest of the world. In China, that ambition is abbreviated as 赶超, or "ganchao". What's more, China intends to overtake the west within the next five years under the central government's 'Made in China 2025' initiative. Unfortunately, given the tight schedule, that may involve the theft of ideas and trade secrets from nearly every major company on the planet in short order.

Chinese fingerprints are all over many recent healthcare attacks

Healthcare Specific Attacks

A recent report by FireEye has indicated that state-sponsored attackers from the PRC have for some time been targeting medical data from the healthcare industry. This includes not only PII, PHI and in some cases even the prescription information of patients, but also a broader focus upon the theft of academic and clinical research, drug and clinical trial data, research studies, formulary and procedural data, as well as plans for medical devices.

Pharmaceutical companies, universities, hospitals and biotech / biomedical engineering companies have all been targeted, according to FireEye's "Beyond Compliance: Cyber Threats and Healthcare" report. In particular, the report adds, there has been a strong focus on the theft of research data into cancer treatments and artificial intelligence, both of which are top priorities for Chinese manufacturers.

FireEye has seen a "prevalence of multiple Chinese groups over the last several years, and continuing in what we see today, targeting medical researchers in particular," says Luke McNamara, a principal analyst at FireEye who worked on the research.

The company says the Chinese-linked APT41, APT22, APT10 and APT18 have all been seen trying to obtain medical data in recent years. Additionally, a group linked to Vietnam (APT32) and a group linked to Russia (APT28) also dabble in healthcare, the latter of which has so far targeted sports medicine providers responsible for anti-doping tests of Russian athletes.

"Targeting medical research and data from studies may enable Chinese corporations to [patent and] bring new drugs to market faster than Western competitors," FireEye said.

The country’s ‘Made in China 2025’ campaign intends to replace all imports from multi-nationals with locally produced products. In particular, the report added, China has exhibited:

“a growing concern over increasing cancer and mortality rates, and the accompanying national health care costs.”

With massive levels of ground and water pollution in China poisoning the food supply with dangerous levels of cancer-causing heavy metals, and air pollution which in some cities is hundreds or thousands of times WHO safety limits, it's no wonder that the cost of treating cancer is such a growing concern for a country which plans to have universal healthcare coverage for all of its 1.5 billion citizens by 2025.

As if things weren't bad enough already for hospitals and health systems outside of China, they just got a whole lot worse. 
