China-linked hackers target European healthcare orgs in suspected espionage campaign


A previously unknown hacking group has been spotted targeting European healthcare organizations using spyware linked to Chinese state-backed hackers and a new ransomware strain, researchers said.

The campaign, which took place in the second half of 2024, likely exploited a vulnerability in security products from an Israel-based cybersecurity firm, according to researchers at Orange Cyberdefense. 

The flaw, tracked as CVE-2024-24919, allows attackers to access sensitive data on Check Point’s Security Gateway. The vulnerability likely enabled the hackers to steal user credentials and access virtual private networks (VPNs) using legitimate accounts, the researchers said.

Check Point patched the flaw last May, but researchers said the devices targeted by hackers were likely still vulnerable at the time of their compromise.

Orange Cyberdefense said it could not attribute the campaign to a specific actor, but said the hackers were likely linked to China.

Connection to Chinese cyber groups

The hackers, dubbed Green Nailao, deployed ShadowPad and PlugX malware, both commonly associated with Chinese cyberespionage groups, as well as a previously undocumented ransomware strain called NailaoLocker.

Both ShadowPad and PlugX are widely used by China-aligned hacking groups. ShadowPad, a backdoor suspected to be privately shared or sold among Chinese cyber operators since at least 2015, has been deployed in cyberespionage campaigns against governments, energy firms, think tanks and technology companies.

Researchers identified a new version of ShadowPad in the latest campaign, which they said uses enhanced techniques to evade detection and analysis.

PlugX, another malware frequently used by Chinese state-backed hackers, was first observed in attacks on Japan in 2008 and has since been deployed against targets across Asia. In January, U.S. officials said they had removed PlugX from more than 4,200 American computers.

Ransomware for profit or espionage

NailaoLocker, the new ransomware strain discovered in the campaign, was described by researchers as “relatively unsophisticated and poorly designed.” It encrypts files and leaves a ransom note demanding payment in Bitcoin via a ProtonMail address.

Researchers said it was unusual for ShadowPad to be linked to ransomware deployment, raising questions about the hackers’ motives. While state-sponsored cyber groups typically focus on espionage, some could be using ransomware as a source of additional revenue, they said.

Alternatively, the ransomware may have been a false-flag operation intended to divert attention from the real objective — stealing sensitive data.

State-backed hackers, including those linked to China, have previously targeted healthcare organizations, researchers said.

“While such campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to information systems that can be used later to conduct other offensive operations,” Orange Cyberdefense said.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
