CyberSecurity SEE

Suspected espionage campaign by China-linked hackers targets European healthcare organizations

A recent cyber attack on European healthcare organizations has been linked to a previously unknown hacking group using spyware associated with Chinese state-backed hackers. The campaign, which occurred in the second half of 2024, targeted vulnerabilities in security products from an Israel-based cybersecurity firm, according to researchers at Orange Cyberdefense.

The hackers exploited a flaw, tracked as CVE-2024-24919, that allowed them to read sensitive data from Check Point’s Security Gateway. This vulnerability enabled the attackers to steal user credentials and then log in to virtual private networks (VPNs) with legitimate accounts. Although Check Point patched the flaw in May, the devices targeted by the hackers had likely not yet been patched at the time of the compromise.
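The chain described above (credentials read from an exposed edge device, then reused for ordinary VPN logins) leaves little for exploit-based detection once the device is patched, because the follow-on logins look legitimate. The following is an added example, not code from the article or from Orange Cyberdefense, of the kind of log triage a defender can run after such an exposure: it flags successful VPN logins from source addresses an account never used before the exposure window, groups new sources shared across several accounts, and lists accounts that authenticated during the window without having rotated their password since. The log format, account names, IP addresses, dates and the `EXPOSURE_START` cut-off are all constructed for the example.

```python
"""Post-exposure VPN login triage (added example, constructed data).

Assumes a simple per-line log of `timestamp account source_ip result`;
real gateways use their own formats, so parse_log() is the part to adapt.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log: ISO-8601 UTC timestamp, account, source IP, result.
SAMPLE_LOG = """\
2024-05-10T08:02:11Z alice 203.0.113.10 success
2024-05-11T09:14:02Z alice 203.0.113.10 success
2024-05-12T07:55:40Z bob 198.51.100.7 success
2024-06-02T03:21:09Z alice 192.0.2.44 success
2024-06-02T03:25:51Z alice 192.0.2.44 success
2024-06-03T12:00:00Z bob 198.51.100.7 success
2024-06-04T02:10:33Z carol 192.0.2.44 failure
2024-06-04T02:11:05Z carol 192.0.2.44 success
"""

# Constructed: when each account last changed its password.
PASSWORD_CHANGED = {
    "alice": date(2024, 3, 1),
    "bob": date(2024, 6, 5),
    "carol": date(2024, 1, 15),
}

# Constructed: the date from which the gateway is assumed to have been exposed.
EXPOSURE_START = datetime(2024, 6, 1)


def parse_log(text):
    """Parse the constructed log format into (datetime, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def new_source_logins(events, exposure_start):
    """Successful logins at or after exposure_start from a source IP the
    account never used before it. One entry per (user, ip), first seen."""
    baseline = defaultdict(set)
    for ts, user, ip, result in events:
        if result == "success" and ts < exposure_start:
            baseline[user].add(ip)
    first_seen = {}
    for ts, user, ip, result in events:
        if result == "success" and ts >= exposure_start and ip not in baseline[user]:
            first_seen.setdefault((user, ip), ts.isoformat())
    return [(user, ip, ts) for (user, ip), ts in first_seen.items()]


def shared_new_sources(flagged):
    """New source IPs that authenticated as more than one account: a single
    operator working through a batch of stolen credentials looks like this."""
    by_ip = defaultdict(list)
    for user, ip, _ in flagged:
        by_ip[ip].append(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


def unrotated_accounts(events, exposure_start, password_changed):
    """Accounts that logged in during the window and whose password predates
    it: patching the device does not invalidate credentials already read
    from it, so these are the accounts to force-rotate first."""
    seen = {u for ts, u, _, r in events if ts >= exposure_start and r == "success"}
    return sorted(u for u in seen
                  if password_changed.get(u, date.min) < exposure_start.date())


def triage(text=SAMPLE_LOG, exposure_start=EXPOSURE_START,
           password_changed=PASSWORD_CHANGED):
    """Run all three checks over one log and return the findings."""
    events = parse_log(text)
    flagged = new_source_logins(events, exposure_start)
    return {
        "new_source_logins": flagged,
        "shared_new_sources": shared_new_sources(flagged),
        "unrotated_accounts": unrotated_accounts(events, exposure_start, password_changed),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the constructed log, `alice` and `carol` both appear from `192.0.2.44`, an address neither used before the window, and both still carry pre-exposure passwords; `bob` keeps his usual source and rotated after the window, so he is not flagged. The baseline-before/compare-after split is the point: it needs only the gateway's own authentication records, not knowledge of the specific exploit.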

Orange Cyberdefense stated that it was unable to attribute the campaign to a specific actor, but assessed that the hackers were likely connected to China. The group, dubbed Green Nailao, deployed ShadowPad and PlugX malware, both commonly used by Chinese cyber espionage groups, along with a new ransomware strain named NailaoLocker.

ShadowPad and PlugX have been associated with Chinese state-backed hackers for years, with ShadowPad being deployed in cyber espionage campaigns against various sectors. Researchers identified a new version of ShadowPad in the recent campaign, utilizing enhanced techniques to avoid detection. PlugX, first observed in attacks on Japan in 2008, has since been used across Asia and even targeted American computers.

NailaoLocker, the newly discovered ransomware strain, was described by researchers as unsophisticated and poorly designed. It encrypts files and demands payment in Bitcoin via a ProtonMail address. The pairing of ShadowPad with ransomware deployment raised questions about the hackers’ motives. While state-sponsored groups typically focus on espionage, some may be using ransomware for additional revenue, or as a diversion so that the theft of sensitive data goes unnoticed.

Healthcare organizations have been a target for state-backed hackers, including those linked to China, in the past. These campaigns not only provide access to valuable information but also set the stage for future offensive operations. Orange Cyberdefense emphasized that while these attacks may appear opportunistic, they often serve a larger strategic purpose for threat groups.

As cyber attacks become increasingly sophisticated and frequent, it is crucial for organizations to remain vigilant and update their security measures to defend against evolving threats. The interconnected nature of the digital world necessitates a proactive approach to cybersecurity to protect sensitive data and infrastructure from malicious actors.
