For four years, a sophisticated group of Chinese cyberspies has cut a digital swath through the health-care industry, stealing everything from trade secrets to trial data, say security firms probing the campaign.
The group infiltrated one U.S. drugmaker by hacking into a company it was about to acquire, said a security consultant who asked not to be identified because of a confidentiality agreement. In other cases, the hackers accessed pharmaceutical labs through their connections with university researchers, scooping up trial data and other trade secrets, said Aaron Shelmire, a threat researcher for Dell SecureWorks.
A newly reported theft of personal data from 4.5 million patients served by Community Health Systems Inc., the second biggest U.S. for-profit hospital chain, may be the first time the Chinese group has targeted consumer data, terrain usually left to cybercriminals in Eastern Europe and elsewhere, say security experts after the break-in.
Usually, the group is “going after the medical engineering side of things,” Shelmire said. “Over the past year, they have hit at least 18 different companies, and have hammered the health-care sector really hard.”
The efforts of the Chinese group has forced medical technology and drug companies to make huge new investments in computer security, and left the $160 billion U.S. medical device market worrying about what may be done down the line with the pilfered data.
It coincides with a boom in China’s medical technology industry driven by a government push to invest in health care. China’s medical device industry is projected to grow 20 percent annually from 2013 through 2017, according to Jim Prutow, a principal in PwC’s health industries practice.
Nation-state actors typically target drug companies and medical device makers for their intellectual property, said JD Sherry, vice president for network security company Trend Micro Inc. They’re “looking for IP, trade secrets, to manufacture these things in China and get the market looking and smelling like the market in the U.S.,” he said.
The Chinese group goes by many names among U.S. security consultants, including Dynamite Panda, APT 18 and TG-0416. It’s most commonly known as Wekby, the group security companies say was responsible for one of the most famous hacks in recent history -- the 2011 breach of the security company RSA. In that incident, hackers stole authentication keys used to protect the secrets of banks and the U.S. government.
Amit Yoran, a senior vice president at RSA, the security division of EMC Corp. said they may not be the same hackers even if their tools are the same. “Different threat actors routinely launch attacks using similar methods and seemingly even the same infrastructure,” Yoran said.
The group has also targeted defense contractors and chemical companies, according to Crowdstrike Inc., an Irvine, California-based security firm, though he said the health sector has remained a key target.
They have also stolen medical records of ethnic Chinese being treated in the U.S., which investigators say might have been used for intelligence recruiting or blackmail, according to Dmitri Alperovitch, chief technology officer of Crowdstrike. Alperovitch declined to provide details on whether the group was a unit of the Chinese army or intelligence, or is a contractor or affiliated group.
“Once I came into the civilian market in 2012, one of the first observations I made was that Big Pharma and medical technology was a major target” and much of the activity was linked to this group, said Jeff Schilling, chief security officer for Firehost Inc., a security company based in Richardson, Texas. “It’s been a very deliberate and very sophisticated operation.”
Boston Scientific Corp. was hacked early in 2013, about the same time as Medtronic Inc. and St. Jude Medical Inc., according to a report in the San Francisco Chronicle, which didn’t identify the hackers. Denise Kaigler, a spokeswoman for Boston Scientific, said the company wasn’t hacked and the article “contained inaccuracies” but declined to specify them.
Medtronic didn’t return to calls requesting comment. Micki Sievwright, a St. Jude spokeswoman, said the company has been investing in security measures.
In another attack on a health company, the hackers weren’t successful in getting the data they were after by breaking in from outside. They implanted a malicious program on a computer inside a target company via a thumb drive, which means someone - - either a trusted insider or someone who broke in -- had to insert it manually, according to SecureWorks. That represented a significant escalation in tactics and highlighted the tools that advanced attackers have at their disposal, including in-person infiltration.
“The allegation is based on unprovable, fabricated evidence,” a spokesman for the Chinese embassy in Washington said in an e-mail. “Cyber-espionage and hacker attack is a global concern which could only be addressed by international cooperation based on mutual trust and mutual respect. We are calling for enhancement of cooperation by the international community, including the U.S., on the issue of cybersecurity.”
The theft of social security numbers and addresses from Community Health marked new terrain for the group because it’s the kind of data that is normally harvested only for identity fraud.
One theory investigators are considering is that a rogue member of the team stole the patient data to sell on the black market and that the operation wasn’t necessarily approved by superiors, according to a person involved in the probe.
That sort of information is among the most commonly disclosed by companies. When it comes to customers’ personal data, health-care companies, in fact, have become the most infiltrated, according to the Identity Theft Resource Center. Of 480 security breaches of consumers’ information recorded so far this year, 43 percent were in health care, surpassing retail as the most targeted industry, the nonprofit center said.
“That data is really a treasure trove for thieves,” Eva Velasquez, the center’s chief executive officer, said of medical records. Such data could be lucrative if used to order medical goods or pharmaceuticals for resale, for example.
Many breaches are disclosed by companies or hospitals only when patient information is taken, and companies don’t always have to say when other information may have been accessed.
As technical details of the Community Health hack spread rapidly among the small group of investigators that trace hackers for companies that market security tools, many said they instantly recognized the perpetrators. Often it was because they had raided their own customers, but the group is so potent that its activities are carefully charted by federal agents and at least a dozen major security companies.
The group is called APT 18 by Mandiant, the security firm Community Health hired to aid in its investigation. The term refers to “advanced persistent threat,” a designator Mandiant uses for hackers linked to state-sponsored espionage.
The breaches have forced companies to boost efforts to protect their computer banks. On average, health-care companies spent $2.2 million on information security in 2013, a more than 20 percent increase from the prior year, according to a PwC, CIO and CSO magazine survey.
“I recently met with three CEOs in health care and in most cases they had come to the conclusion that they definitely did under-invest,” said Mick Coady, a partner at PwC’s health information privacy & security group. “Health care is at least a decade, if not more, behind.”
To contact the reporters on this story: Michael Riley in Washington at email@example.com; Cynthia Koons in New York at firstname.lastname@example.org; Jordan Robertson in San Francisco at email@example.com