HC3 Warns Health Sector Of Threat Actor Group APT41

The United States Health Sector Cybersecurity Coordination Center (HC3) has warned the health sector of a Chinese state-sponsored threat actor named APT41. The U.S. government has been tracking the group since 2012 and has been known to target various organizations in healthcare, high-tech, telecommunications, higher education, video gaming, travel, media, virtual currencies, retail, and pharmaceuticals in multiple countries such as the U.S. Myanmar, the UK, Netherlands, Singapore, South Korea, France, Switzerland, India, Italy, Turkey, and Japan. 

APT41, which has several aliases such as Double Dragon, Barium, Winnti, Wicked Panda, has conducted 6 campaigns against the United States healthcare industry. Initially, APT41 first targeted IT and medical device software firms, but it has since turned its attention to biotech companies and US cancer research centers. The gang used the Atlassian Confluence Server vulnerability to gain access to networks during the attacks on cancer research centers and then released the EVILNUGGET malware. Between 2021 and 2022, the organization successfully hacked at least six US state governments in two zero-day assaults on the Animal Health Reporting Diagnostic System (USAHERDS) web-based application. The gang was able to circumvent authentication by exploiting the zero-day hard-coded credentials vulnerability and the remote code execution vulnerability in Log4j. 

APT41 typically uses backdoors to grant continuous access to victims’ networks and is known to perform spear phishing, watering hole, and supply chain attacks. To gain initial access, the threat group has recently been shown to employ SQL injections and Cobalt strike beacons. Once access is gained, APT41 collects information which can be exploited for use in further attacks. The gang increases privileges, uses stolen credentials to conduct internal reconnaissance, travels laterally across networks using Remote Desktop Protocol (RDP), creates admin groups, and employs brute force tools. The gang employs both public and private malware and utilizes backdoors to maintain access. The gang is known to employ the ShadowPad backdoor, the BLACK COFFEE reverse shell, the China Chopper web shell, the Cobalt Strike, Gh0st Rat, and PlugX remote access tools, as well as Mimikatz for credential theft. For the purpose of exfiltration, relevant data is put to a RAR file, and the group remains anonymous by erasing traces of their access to the sensitive information.  

Although members of the group have been named in two indictments in 2019 and 2020 by the Federal Bureau of Investigations, the group’s operations have not been impeded. The group is part of China’s 14th 5-year Plan which was employed to encourage significant technological advancements in AI, quantum information, clinical medicine, and much more.