Chinese Hacking Groups Are After Medical Data

A report entitled, Beyond Compliance: Cyber Threats and Healthcare, published by cybersecurity firm FireEye shows new evidence Chinese linked cyberespionage groups are targeting medical research data.

FireEye has identified multiple state-sponsored hacking groups from China launching attacks on medical systems and medical databases around the world. The attacks include incidents within 2019 and dating back as far as 2013.

FireEye claims Chinese hackers targeted a U.S. cancer research center in April 2019 using a malware called EVILNUGGET for the attack and that same research center was also the focus of APT41, a Chinese cyber threat group that carries out state-sponsored espionage, back in 2018. APT10 (another Chinese government hacking group) has also targeted people attending cancer-related conferences in Japan with documented attempts at spearphishing to access those attendee’s online accounts.

The report reads in part:

Within any industry, threat actors will often gravitate to the least secured points in the ecosystem to obtain the data or access they are seeking. Beyond insurers, cyber criminals will often gravitate to poorly secured healthcare providers to obtain PII and PHI. Cyber espionage actors can leverage this data for intelligence collection purposes, to further target high-profile individuals or those who may have access to valuable information. Additionally, organizations involved in research and development, whether for treatments, medical devices, biotechnology, or other subsets of the industry, have valuable intellectual property that is a driver for economic espionage. Notably, China’s strategic “Made in China 2025” plan includes a push for increased domestic development of medical technologies and devices, which may drive threat activity against IP holders and producers of these technologies.

It’s worth noting that FireEye isn’t pinning medical hacking solely on Chinese state-sponsored groups. They say APT32, linked to Vietnam, attempted to access an unnamed health organization in the UK and Russia’s APT28 has been linked with hacking global drug testing units for many years.

The report also highlights medical information being sold by hackers. A group called “thedarkoverlord” initially associated with targeting the healthcare sector was selling access to patient records. Although this group later diversified its hacking portfolio to include sectors behind healthcare, “thedarkoverlord” kept healthcare as a primary target through the arrest of several group members in 2017 and sold approximately 10 million health records for hundreds of Bitcoins before the 2016 Bitcoin price spike.

The Chinese state hacking attempts of medical data and cancer studies came at a time when the nation is placing an increased emphasis on creating its own products with the 2015 launch of a “Made in China 2025” campaign. If that sounds uncomfortably similar to “Make America Great Again” it may be because both campaigns share a similarly dim view of international trade. “Made in China 2025” has the goal of replacing most of the foreign technology imported to China with locally-made products, which cannot be accomplished without creating an exceedingly large number of new domestic technologies in a relatively short period of time.

The 2025 plan does stand in interesting contrast with Trump’s tariff war by one metric however, the administrations have vastly different media strategies. As Trump’s bombastic headbutting with a multitude of nations over import/export rates gained a significant level of public attention in the U.S. media, China ordered its state media to play down the “Made in China 2025” goals in their reporting.

Although new information comes to light in this report, theft and attempted theft of technological product plans by Chinese hackers is not a new issue and has been documented extensively in the past. The country illegally purchased plans for the F-35 fighter jet nearly a decade ago and earlier this year, the U.S. DoD published a report saying the Chinese “cyber theft” of documents for military equipment is continuing and ongoing.

“Chinese flags” by ChiralJon


  1. I’m guessing they are looking for some people specifically.

  2. Oh just wait till you find out what the US is doing to its own people.

Comments are closed, but trackbacks and pingbacks are open.