Chinese state-backed hackers accidentally infected a European hospital with malware

A cybersecurity incident at a European hospital highlights the uncontrolled spread of malware by hackers connected to the Chinese military, researchers have found.

Experts from the cybersecurity company Check Point responded to an incident earlier this year involving a hospital that was inadvertently affected by a self-propagating malware infection introduced to the healthcare institution’s network.

Check Point researchers traced an infected USB drive back to Camaro Dragon — a China-based espionage threat actor whose operations focus on Southeast Asian governments and institutions.

"This stood out to us because we observed an uncontrolled propagation of a known Chinese espionage threat actor via USB devices,” Sergey Shykevich, threat intelligence group manager at Check Point Research, told Recorded Future News.

“Our research disclosed that although it originated in Southeast Asia, infections have already been detected in various regions worldwide. This was concerning as one of the primary objectives of this actor is likely to infiltrate segmented or limited connectivity networks using this method."

Incident responders discovered that an employee of the hospital attended a conference in Asia and conducted a presentation with another attendee. That person’s laptop was infected with WispRider — a powerful malware that can not only bypass antivirus solutions and establish backdoors into a system but also spread itself to newly connected removable drives.

When the hospital employee shared their USB with the person they were presenting with, it became infected. The employee returned to their hospital in Europe, plugged in the USB, and spread the infection to the hospital’s computer system.

Researchers were alarmed by the malware’s ability to propagate autonomously and uncontrollably across multiple devices.

“This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted,” they said.

“The Camaro Dragon APT group continues to employ USB devices as a method for infecting targeted systems, effectively combining this technique with other established tactics.”

The group, also known by researchers as Mustang Panda and LuminousMoth, has long been accused of using infected USB drives as a way to launch attacks — particularly against governments in Southeast Asia and Africa.

Gabor Szappanos, threat research director at Sophos, said researchers found that last November government organizations across Southeast Asia were being targeted with USB drives that had the PlugX malware — a malicious tool developed in 2008 by Mustang Panda.

That campaign targeted government organizations in Mongolia, Papua New Guinea, Ghana, Zimbabwe, and Nigeria.

Another Chinese USB campaign in Southeast Asia potentially began as far back as September 2021, according to a Mandiant blog from November.

Check Point said the version of the WispRider malware they saw in this attack had been refined, with improved backdoor functionalities and better propagation tactics.

The incident “underscores the urgent need for organizations to be vigilant and take steps to protect their assets.”

The researchers suggested organizations discourage the use of unfamiliar drives on corporate devices, including outright bans on their use except when obtained from trusted sources and scanned for malware or alternative solutions like cloud storages or encrypted filesharing platforms.

Mustang Panda has previously been accused of targeting prime ministers and leaders across Southeast Asia – including Myanmar – as well as Indonesia’s intelligence agency, and even the Russian government. It has also targeted telecoms worldwide.

The group has used lures tied to COVID-19 and Russia’s invasion of Ukraine to spread malware like PlugX over several years.

A report from Reuters found that Mustang Panda was accused of breaching the IT systems of the African Union – going so far as to monitor the security camera feeds.