Kaspersky Lab Finds Chinese-speaking APT Actor Spying on Pharmaceutical Organizations

WOBURN, Mass.–(BUSINESS WIRE)–Kaspersky Lab researchers have discovered
evidence of an emerging and alarming trend: an increasing number of
advanced cyberthreat actors are turning their attention to attacks
against the healthcare sector. The infamous PlugX has been detected in
pharmaceutical organizations in Vietnam, aimed at stealing drug formulas
and business information.

PlugX malware is a well-known remote access tool (RAT). It is usually
spread via spear phishing and has previously been detected in targeted
attacks against the military, government and political organizations.
The RAT has been used by a number of Chinese-speaking cyberthreat
actors, including Deep Panda, NetTraveler or Winnti. In 2013, it was
discovered that the latter – responsible for attacking companies in the
online gaming industry – had been using PlugX since May 2012.
Interestingly, Winnti has also been present in attacks against
pharmaceutical companies, where the aim has been to steal digital
certificates from medical equipment and software.

PlugX RAT allows attackers to perform various malicious operations on a
system without the user’s permission or authorization, including (but
not limited to) copying and modifying files, logging keystrokes,
stealing passwords and capturing screenshots of user activity. PlugX, as
with other RATs, is used by cybercriminals to discreetly steal and
collect sensitive or profitable information for malicious purposes.

RAT usage in attacks against pharmaceutical organizations indicates that
sophisticated APT actors are showing an increased interest in
capitalizing on the healthcare sector.

Kaspersky Lab products successfully detect and block the PlugX malware.

“Private and confidential healthcare data is steadily migrating from
paper to digital form within medical organizations,” said Yury
Namestnikov, security researcher, Kaspersky Lab. “While the security of
the network infrastructure of this sector is sometimes neglected, the
hunt by APTs for information on advancements in drug and equipment
innovation is truly worrying. Detections of PlugX malware in
pharmaceutical organizations demonstrate yet another battle that we need
to fight – and win – against cybercriminals.”

Other key findings for 2017 in the research include:

  • More than 60 percent of medical organizations had malware on their
    servers or computers;
  • Philippines, Venezuela and Thailand topped the list of countries with
    attacked devices in medical organizations.

In order to stay protected, Kaspersky Lab experts advise businesses to
take the following measures:

  • Remove all nodes that process medical data from public and secure
    public web portals;
  • Automatically update installed software using patch management systems
    on all nodes, including servers;
  • Perform network segmentation: refrain from connecting expensive
    equipment to the main LAN of your organization;
  • Use a proven corporate grade security solution in combination with
    anti-targeted attack technologies and threat intelligence, such as
    Kaspersky Threat Management and Defense solution. These are capable
    of spotting and catching advanced targeted attacks by analyzing
    network anomalies and giving cybersecurity teams full visibility
    over the network and response automation.

To learn more about PlugX attacks and healthcare cybersecurity, read our
blogpost on Securelist.com.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company, which has been
operating in the market for over 20 years. Kaspersky Lab’s deep threat
intelligence and security expertise is constantly transforming into next
generation security solutions and services to protect businesses,
critical infrastructure, governments and consumers around the globe. The
company’s comprehensive security portfolio includes leading endpoint
protection and a number of specialized security solutions and services
to fight sophisticated and evolving digital threats. Over 400 million
users are protected by Kaspersky Lab technologies and we help 270,000
corporate clients protect what matters most to them. Learn more at www.kaspersky.com.


Kaspersky Lab
Jessica Bettencourt, 774-451-5142