Kaspersky Lab’s researchers have discovered evidence of a new trend whereby more advanced cyber threat actors are turning their attention to attacks against the healthcare sector.
As an indication of this, the infamous PlugX malware, which aims to steal drug formulas and business information, has been detected in pharmaceutical organisations in Vietnam.

PlugX malware is a well-known remote access tool (RAT). It is usually spread via spear phishing and has previously been detected in targeted attacks against the military, government and political organisations. The RAT has been used by a number of Chinese-speaking cyber threat actors, including Deep Panda, NetTraveler or Winnti. In 2013, it was discovered that the latter – responsible for attacking companies in the online gaming industry – had been using PlugX since May 2012.

Winnti has also been present in attacks against pharmaceutical companies, where the aim has been to steal digital certificates from medical equipment and software manufacturers.

PlugX RAT allows attackers to perform various malicious operations on a system without the user’s permission or authorisation, including – but not limited to – copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity. PlugX, as with other RATs, is used by cybercriminals to discreetly steal and collect sensitive or profitable information for malicious purposes.

RAT usage in attacks against pharmaceutical organisations indicates that sophisticated APT actors are showing an increased interest in capitalising on the healthcare sector.

“Private and confidential healthcare data is steadily migrating from paper to digital form within medical organisations,” says Yury Namestnikov Makrushin, security researcher at Kaspersky Lab. “While the security of the network infrastructure of this sector is sometimes neglected, the hunt by APTs for information on advancements in drug and equipment innovation is truly worrying.

“Detections of PlugX malware in pharmaceutical organisations demonstrate yet another battle that we need to fight – and win – with cyber criminals.”

The research also found that more than 60% of medical organisations had malware on their servers or computers.

Philippines, Venezuela and Thailand topped the list of countries with attacked devices in medical organisations.