Nation-state attackers from Russia, Vietnam, and China are increasingly targeting hospitals, pharmaceutical companies, and research universities in search of healthcare data, intellectual property, and medical research, FireEye said.
While the bulk of attacks continue to be financially motivated and opportunistic, a growing number of intelligence operations are stealing medical research and medical data belonging to specific individuals, FireEye said in its Beyond Compliance: Cyber Threats and Healthcare report. Many of the attacks have a physical impact, such as ransomware that attempts to halt hospital operations or attacks that disrupt medical devices to harm patients. Healthcare data continues to be valuable: between the last quarter of 2018 and the first quarter of 2019, FireEye analysts found multiple stolen healthcare databases being sold on online criminal marketplaces.
"Actors buying and selling PII and PHI from healthcare institutions and providers in underground marketplaces is very common, and will almost certainly remain so due to this data's utility in a wide variety of malicious activity ranging from identity theft and financial fraud to crafting of bespoke phishing lures," the report said.
A 4.3 GB file of healthcare records stolen from a U.S. entity, which included patient data, driver’s license information, and insurance details, was available for $2,000. This kind of file would be valuable for criminals interested in conducting insurance fraud or for those crafting targeted attacks.
Cure for Cancer
Espionage groups frequently focus on intellectual property and cutting-edge research, and Chinese espionage groups may be boosting China's companies. China has one of the world's fastest-growing pharmaceutical industries.
“Targeting medical research and data from studies may enable Chinese corporations to bring new drugs to market faster than Western competitors,” FireEye said.
FireEye analysts found that groups linked to China also seem particularly interested in stealing cancer research. A Chinese espionage group targeted researchers at a US-based cancer research center in April with emails loaded with malware referencing a research conference the organization had hosted. APT41 sent spear-phishing emails to that same center a year earlier. APT22 is believed to have targeted a single institution over many years. APT10 launched spear-phishing campaigns in 2017 against Japanese entities, and some of the documents used in those campaigns referenced cancer research conferences.
The focus on cancer-related research may be tied to “China’s growing concern over increasing cancer and mortality rates, and the accompanying national health care costs,” FireEye said.
Intelligence operations collect medical data to find information about specific people of interest. The U.S. Department of Justice unsealed an indictment of a Chinese national for the 2015 attack on health insurance company Anthem, in which information for nearly 79 million people was stolen.
“One theme FireEye has observed among Chinese cyber espionage actors targeting the healthcare sector is the theft of large sets of PII and PHI, most notably with several high-profile breaches of U.S. organizations in 2015,” FireEye said. “We assess that the theft of bulk data appears to remain a tactic employed by Chinese cyber espionage actors in targeting certain groups of individuals, as evidenced by the breach of SingHealth in 2018.”
China isn’t the only country interested in medical data. At least two Russian APT groups and a Vietnam-based group have also targeted healthcare organizations or stolen related data. APT28 (called “Fancy Bear” by CrowdStrike) attacked the World Anti-Doping Association (WADA), the global organization that handles testing Olympic athletes for use of banned drugs and supplements. Vietnam’s APT32 targeted a British health care organization, FireEye said in its report.