HC3 TLP Clear Threat Profile: China-Based Threat Actors - August 16, 2023

Executive Summary

This white paper outlines Chinese cyber threat actors who are known to target the U.S. public health and private health sector entities in cyberspace. The groups outlined within this document represent some of the most capable and deliberate threats to the U.S. healthcare sector, and should be treated with priority when designing and maintaining an appropriate risk posture for a health sector entity.

Overview

The U.S. Healthcare and Public Health (HPH) sector faces significant threats from both state and non-state threat actors in cyberspace. Cybercriminals have proven to be formidable adversaries to the health sector in recent years; digital extortion, most often in the form of ransomware, and data breaches are among the most common criminal tactics leveraged by these gangs. State-sponsored threat actors also pose a significant threat, with data exfiltration for the purposes of intellectual property theft and espionage being the primary motivations behind foreign governments targeting the U.S. health sector in cyberspace.

The threat actors in this document are groups that have previously targeted U.S. healthcare organizations aggressively and are highly likely to continue to do so. This very often involves stealing intellectual property related to medical technology and medicine in order to operationalize it and bring it to market. It also involves national security and public health-related cyberattacks, such as the attempts to steal COVID-19 vaccine research in recent years. In the case of at least one threat actor, it can involve attacks for financial gain.

A note about attribution in this report: For many of the cyber threat groups described within this document, we provide a number of aliases. It is common for cyber threat actors to have many labels, because these names are applied to individual intrusion sets as they are discovered, and those intrusion sets are subsequently linked to one another with varying levels of confidence. For this reason, attribution should not be considered certain for these threat actors: this applies both to any single name given to a group and to the links drawn between intrusion sets tracked and labeled by different entities. Additionally, there is no official naming scheme, so the same group may go by various names.

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272