Image: Stefan Heineman via Unsplash/Photomosh

China-linked hackers target European healthcare orgs in suspected espionage campaign

A previously unknown hacking group has been spotted targeting European healthcare organizations using backdoor malware linked to Chinese state-backed hackers and a new ransomware strain, researchers said.

The campaign, which took place in the second half of 2024, likely exploited a vulnerability in security products from an Israel-based cybersecurity firm, according to researchers at Orange Cyberdefense. 

The flaw, tracked as CVE-2024-24919, allows attackers to access sensitive data on Check Point’s Security Gateway. The vulnerability likely enabled the hackers to steal user credentials and access virtual private networks (VPNs) using legitimate accounts, the researchers said.

Check Point patched the flaw last May, but researchers said the devices targeted by hackers were likely still vulnerable at the time of their compromise.
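The credential-theft angle has a practical consequence for defenders: patching the gateway closes the disclosure flaw, but it does not invalidate credentials an attacker already pulled from it, so accounts should be reset and VPN logins from the exposure window reviewed. The following is an added illustrative Python example, not code from Orange Cyberdefense or Check Point; it runs a simple hunt over constructed VPN authentication records (the log format, field names and the cutoff date are assumptions for this example, not Check Point's log schema) to flag successful logins from source addresses an account had never used before the exposure window, and source addresses that touched several accounts.

```python
"""Hunt for stolen-credential VPN logins after a gateway exposure window.

Illustrative example added to the article; it is not code from the Orange
Cyberdefense report or from Check Point. Log format and dates are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed records: ISO-8601 UTC timestamp, username, source IP, result.
# This is NOT Check Point's log format; adapt parse_line() to your exports.
SAMPLE_LOGS = [
    "2024-05-20T08:02:11Z alice 203.0.113.10 success",
    "2024-05-21T09:15:40Z alice 203.0.113.10 success",
    "2024-05-22T07:58:03Z bob 198.51.100.7 success",
    "2024-05-30T02:14:55Z alice 192.0.2.44 success",   # new IP, off-hours
    "2024-05-30T02:20:01Z bob 192.0.2.44 success",     # same IP, second account
    "2024-05-30T02:21:30Z carol 192.0.2.44 failure",   # same IP, third account
    "2024-06-01T10:00:00Z bob 198.51.100.7 success",   # known IP, benign
]

# Assumed start of the window in which the device may have been exposed;
# set this to the earliest date you consider the gateway unpatched and reachable.
CUTOFF = datetime(2024, 5, 28, tzinfo=timezone.utc)


def parse_line(line):
    """Turn one constructed log line into a record dict."""
    ts, user, ip, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "ip": ip,
        "ok": result == "success",
    }


def build_baseline(records, cutoff):
    """Map each user to the source IPs they successfully used before the cutoff."""
    seen = defaultdict(set)
    for r in records:
        if r["ok"] and r["ts"] < cutoff:
            seen[r["user"]].add(r["ip"])
    return seen


def new_source_logins(records, cutoff):
    """Successful logins after the cutoff from an IP the account never used before.

    Returns (user, ip, iso_timestamp) tuples. A stolen credential replayed by
    an attacker shows up here; so does a travelling user, so corroborate with
    MFA state, client fingerprint and session behaviour before acting.
    """
    baseline = build_baseline(records, cutoff)
    hits = []
    for r in records:
        if r["ok"] and r["ts"] >= cutoff and r["ip"] not in baseline.get(r["user"], set()):
            hits.append((r["user"], r["ip"], r["ts"].isoformat()))
    return hits


def shared_sources(records, cutoff, min_accounts=2):
    """Source IPs that tried min_accounts or more distinct accounts after the cutoff.

    One operator working through a batch of stolen credentials tends to reuse
    the same egress address across accounts; failures count too.
    """
    by_ip = defaultdict(set)
    for r in records:
        if r["ts"] >= cutoff:
            by_ip[r["ip"]].add(r["user"])
    return {ip: users for ip, users in by_ip.items() if len(users) >= min_accounts}


def run(lines, cutoff=CUTOFF):
    """Parse raw lines and return (new-source logins, shared-source IPs)."""
    records = [parse_line(line) for line in lines]
    return new_source_logins(records, cutoff), shared_sources(records, cutoff)


if __name__ == "__main__":
    hits, shared = run(SAMPLE_LOGS)
    for user, ip, when in hits:
        print(f"NEW SOURCE  {user:<6} {ip:<14} {when}")
    for ip, users in shared.items():
        print(f"SHARED IP   {ip:<14} accounts: {', '.join(sorted(users))}")
```

On the constructed data the hunt flags the two successful logins from 192.0.2.44 and reports that address as having touched three accounts, while bob's later login from his usual address is left alone. The heuristic is deliberately simple; in practice the baseline window should be long enough to cover normal roaming, and any hit on an account without MFA deserves a credential reset regardless of how the rest of the triage turns out.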

Orange Cyberdefense said it could not attribute the campaign to a specific actor, but said the hackers were likely linked to China.

Connection to Chinese cyber groups

The hackers, dubbed Green Nailao, deployed ShadowPad and PlugX malware, both commonly associated with Chinese cyberespionage groups, as well as a previously undocumented ransomware strain called NailaoLocker.

Both ShadowPad and PlugX are widely used by China-aligned hacking groups. ShadowPad, a backdoor suspected to be privately shared or sold among Chinese cyber operators since at least 2015, has been deployed in cyberespionage campaigns against governments, energy firms, think tanks and technology companies.

Researchers identified a new version of ShadowPad in the latest campaign, which they said uses enhanced techniques to evade detection and analysis.

PlugX, another malware frequently used by Chinese state-backed hackers, was first observed in attacks on Japan in 2008 and has since been deployed against targets across Asia. In January, U.S. officials said they had removed PlugX from more than 4,200 American computers.

Ransomware for profit or espionage

NailaoLocker, the new ransomware strain discovered in the campaign, was described by researchers as “relatively unsophisticated and poorly designed.” It encrypts files and leaves a ransom note demanding payment in Bitcoin via a ProtonMail address.

Researchers said it was unusual for ShadowPad to be linked to ransomware deployment, raising questions about the hackers’ motives. While state-sponsored cyber groups typically focus on espionage, some could be using ransomware as a source of additional revenue, they said.

Alternatively, the ransomware may have been a false-flag operation intended to divert attention from the real objective — stealing sensitive data.

State-backed hackers, including those linked to China, have previously targeted healthcare organizations, researchers said.

“While such campaigns can sometimes be conducted opportunistically, they often allow threat groups to gain access to information systems that can be used later to conduct other offensive operations,” Orange Cyberdefense said.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.