{
	"id": "facfafd0-e033-4ffd-bfa9-a5344eb97c2f",
	"created_at": "2026-04-06T01:30:49.171632Z",
	"updated_at": "2026-04-10T03:25:21.277662Z",
	"deleted_at": null,
	"sha1_hash": "5ec4826b8168e8dbbfe26a5e60123b3009770978",
	"title": "APT Gang Branches Out to Medical Espionage in Community Health Breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37766,
	"plain_text": "APT Gang Branches Out to Medical Espionage in Community\r\nHealth Breach\r\nBy Michael Mimoso\r\nPublished: 2014-08-19 · Archived: 2026-04-06 00:36:09 UTC\r\nThe Community Health Systems data breach has been tied to a Chinese APT gang that has branched out to\r\nmedical espionage, stealing patient data in an effort to target intelligence on medical device development.\r\nAt first blush, the Community Health Systems data breach by Chinese hackers seems to be an anomaly. State-sponsored attackers generally target intellectual property for the purposes of military or economic gain; stealing\r\nhealthcare credentials and personal patient records seems incongruous.\r\nBut experts say the breach is a perfect storm of poorly secured health systems, desperately trying to catch up to the\r\nsecurity standards imposed in other critical industries, and a bevy of exposed information that can be leveraged for\r\nChina’s gain.\r\n“This is done for the purposes of both economic espionage—stealing valuable intellectual property from\r\nhealthcare and pharmaceutical companies that is critical for enhancing healthcare services in China for their aging\r\npopulation—as well as national security,” said CrowdStrike cofounder Dmitri Alperovitch. “Collecting\r\nintelligence on key persons of interest, such as government officials and individuals that may be targeted for\r\nhuman recruitment, so PII data and medical records could be of great use there.”\r\nThe breach surfaced yesterday when Reuters reported that the attackers had made off with Social Security\r\nnumbers and personal data of 4.5 million patients. Community Health Systems said in an 8-K filing with the\r\nSecurities and Exchange Commission that its network was breached in April and again in June. The filing\r\npinned the hack on an APT group from China adept in using “highly sophisticated malware and technology” to\r\ntarget its network.\r\n“The attacker was able to bypass the company’s security measures and successfully copy and transfer certain data\r\noutside the company,” the 8-K filing said.\r\nMandiant, hired by Community Health Systems to investigate the breach and remediate the damage, told\r\nThreatpost via email that the group responsible is known to them as APT 18.\r\n“This group typically targets companies in the aerospace and defense, construction and engineering, technology,\r\nfinancial services, and healthcare industry verticals,” said Charles Carmakal, managing director at Mandiant,\r\nwhich was acquired by FireEye earlier this year. “The attacker has been known to steal intellectual property\r\nrelated to medical technology and pharmaceutical manufacturing processes.”\r\nCarmakal refused to answer questions about how the attackers breached the victim’s network, what type of\r\nmalware was used, or how Community Health Systems learned of the attack, citing its and law enforcement’s\r\nongoing investigation.\r\nCrowdStrike’s Alperovitch confirmed the APT 18 connection, though CrowdStrike calls the gang Dynamite\r\nPanda.\r\nCommunity Health Systems said the data lost in the breach included non-medical patient identification data\r\nrelated to its physician practice operations. The 4.5 million victims were patients who were referred to or received\r\nservices from physicians tied to Community Health Systems, the company said in its SEC filing. No credit card,\r\nmedical or clinical information was lost, the company said, adding that the data is considered protected under the\r\nHealth Insurance Portability and Accountability Act (HIPAA). HIPAA requires breach victims to notify affected\r\npatients; the company said it carries cyber and privacy liability insurance protecting it from losses.\r\nWhile the loss of patient data is significant, experts speculate the hackers may have been after intellectual property\r\ntied to medical device development. Hospital networks have also been under intense scrutiny from the security\r\nresearch community. Hackers have demonstrated serious vulnerabilities in medical devices, and network security\r\nat health care facilities has been exploited in other high profile attacks.\r\n“For cyber security professionals, healthcare environments are riddled with challenges and are perhaps one of the\r\nmost difficult industries to protect,” said Trey Ford, global security strategist at Rapid7. “For example, you have a\r\ngreat deal of personally identifiable information (PII) that achieves high values on the black market; healthcare\r\npractitioners often sharing workstations and passwords, coming and going on shifts or in emergencies; and\r\nmedical devices and systems that are highly regulated and certified for set configurations, so they cannot easily be\r\npatched. For these reasons, standard industry practices like network segmentation and scanning are often\r\nprohibited.”\r\nSource: https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828/"
	],
	"report_names": [
		"107828"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439049,
	"ts_updated_at": 1775791521,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ec4826b8168e8dbbfe26a5e60123b3009770978.pdf",
		"text": "https://archive.orkl.eu/5ec4826b8168e8dbbfe26a5e60123b3009770978.txt",
		"img": "https://archive.orkl.eu/5ec4826b8168e8dbbfe26a5e60123b3009770978.jpg"
	}
}