Throwback Attack: Dynamite Panda breaches Community Health Systems

Equipment at a health care facility
Courtesy: CFE Media and Technology

What makes a successful cyberattack? According to a BeyondTrust post, there are seven steps to a successful cyberattack: reconnaissance, scanning, access and escalation, exfiltration, sustainment, assault (this assault step isn’t always taken during an attack) and obfuscation. However, if the attackers are after specific private product information and end up with other private data, can it still be considered a successful attack? In 2014, ATP group Dynamite Panda successfully breached Community Health Systems. And the answer was yes. While this group may have been after medical device information, their cyberattack was still successful in stealing other private data.

Who is the Dynamite Panda group?

The first time Dynamite Panda was seen was in 2009. Since then, they have targeted a range of industries. The group has been referred to as APT 18 by Mandiant, Dynamite Panda by CrowdStrike, TG-0416 by SecureWorks, Wekby by Palo Alto and Scandium by Microsoft. The group’s main motivation is information theft and espionage.

According to a BrandDefense post, Dynamite Panda is a Chinese state-sponsored group, which means their operations were supported by the People’s Liberation Army Navy (PLA Navy). Their focus has mainly been on the United States’ critical infrastructure in areas such as health, telecommunications, defense, high technology and human rights. According to the same BrandDefense post, this group may be related to other ATP groups, such as Night Dragon, Nitro or Covert Grove.

Dynamite Panda exploits

Dynamite Panda has performed several campaigns against the U.S. The first notable attack that resulted in a data breach occurred in August of 2014. Dynamite Panda ended up stealing 4.5 million patient records from Community Health Systems, one of the largest hospital operators in the U.S., with 206 facilities across 29 states.

According to cybersecurity experts, the original breach happened in April 2014, but Community Health Systems was hit again in June of that same year. Charles Carmakal, managing director with FireEye Inc.’s Mandiant forensics unit, which led the investigation into the attacks on Community Health, said, “They have fairly advanced techniques for breaking into organizations as well as maintaining access for fairly long periods of time without getting detected.”

Dynamite Panda successfully breached Community Health Systems by exploiting the OpenSSL “Heartbleed” vulnerability. This vulnerability affected more than 60% of the Internet at one time. According to a Kaspersky daily article, “[Heartbleed] could be the first real-world, widely publicized instance of criminals or state actors exploiting the nearly Internet-wide vulnerability for personal gain.”

While the hackers ended up stealing patient data, cybersecurity experts believe they meant to target intelligence on medical device development. According to an article in The World, “It’s also conceivable the hackers sought to steal all the data they could from Community Health Systems’ databases, and simply ended up with the personal data.”

In the following year, the Dynamite Panda group performed a phishing campaign on organizations in the United States. In these attacks, they used the Flash zero-day exploit and HTTPBrowser malware, which was developed by the HackingTeam technology company. Users who clicked on the link from a fake Adobe email were taken to a malicious website. Once on the website, the chosen malware, Gh0st, which is a remote access trojan (RAT), was sent to the user’s computer.

Because of cyber campaigns that took place after the attack on Community Health Systems, it makes sense that cybersecurity experts believe Dynamite Panda’s goal for their attack on Community Health Systems would have been more focused on the intellectual property of medical devices rather than private patient information.

Where does that leave us?

Critical infrastructure has been at the forefront of U.S. security interests for years now, especially because of the COVID-19 pandemic. Health care, for example, is an industry that has been a constant target for cyberattacks, such as the more recent attack on the Parkview Medical Center in 2020, but there are hundreds of other health care facilities that have been impacted, as well.

Critical infrastructure, by definition, is comprised of assets that are essential for a society to function, so they are a perfect target for hackers to lock on. How organizations respond and prepare are the most important defense mechanisms to keep in mind. The size of a company, big or small, doesn’t shield against cyberattacks when hackers are constantly pushing the envelope on health care attacks.

YOU MAY ALSO LIKE

GET ON THE BEAT

 

Keep your finger on the pulse of top industry news

RECENT NEWS
HACKS & ATTACKS
RESOURCES