Chinese APT Takes Aim at Pharma

A Chinese advanced persistent threat (APT) actor has been spotted using the infamous PlugX malware to target pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.

Kaspersky Lab uncovered the campaign, noting that PlugX, a remote access Traojan (RAT), allows attackers to perform various malicious operations on a system without the user’s permission or authorization, including copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity.

RAT usage in attacks against pharmaceutical organizations indicates that sophisticated APT actors are showing an increased interest in capitalizing on the healthcare sector, Kaspersky Lab said.

“Private and confidential healthcare data is steadily migrating from paper to digital form within medical organizations,” said Yury Namestnikov, security researcher, Kaspersky Lab. “While the security of the network infrastructure of this sector is sometimes neglected, the hunt by APTs for information on advancements in drug and equipment innovation is truly worrying. Detections of PlugX malware in pharmaceutical organizations demonstrate yet another battle that we need to fight – and win – against cybercriminals.”

PlugX malware is usually spread via spear phishing and has previously been detected in targeted attacks against the military, government and political organizations. The RAT has been used by a number of Chinese-speaking cyber-threat actors, including Deep Panda, NetTraveler and Winnti.

In 2013, it was discovered that the last one, which is responsible for attacking companies in the online gaming industry, had been using PlugX since May 2012. Interestingly, Winnti has also been present in attacks against pharmaceutical companies, where the aim has been to steal digital certificates from medical equipment and software manufacturers.

The news comes on the heels of a Kaspersky Lab report that found that more than 60% of medical organizations have had malware on their servers or computers. Philippines, Venezuela and Thailand topped the list of countries with attacked devices in medical organizations. A separate report also found that a full 62% of 627 healthcare executives surveyed in a recent poll admitted to experiencing an attack in the past 12 months – with more than half losing patient data as a result.

What’s Hot on Infosecurity Magazine?