A group of hackers linked to China allegedly targeted the health sector in Europe

Cybersecurity researchers have identified a large-scale hacking operation targeting European medical institutions.

Between June and October 2024, several healthcare institutions in Europe were the target of a sophisticated attack campaign. According to Orange Cyberdefense, a hacker group dubbed "Green Nailao" allegedly exploited security flaws to infiltrate these critical infrastructures. Their arsenal? Two well-known Chinese cyberespionage malware families, ShadowPad and PlugX, and a new ransomware strain, NailaoLocker.

Well-honed cyberespionage tools

ShadowPad and PlugX are no strangers to the cyberespionage landscape. ShadowPad, which emerged in 2015, has already been implicated in attacks targeting governments, technology companies, and the energy sector. The latest version, detected in this campaign, has been modified to enhance its stealth and evade analysis by security researchers.

For its part, PlugX, active since 2008, initially targeted entities in Japan before spreading across Asia. Its presence in this European attack marks a notable evolution in its scope of action.

The hackers' modus operandi is based on the exploitation of vulnerabilities present in security software developed by an Israeli firm. Once infiltrated, they deploy this malware to take control of systems and access sensitive databases.

NailaoLocker: an unexpected and clumsy ransomware

The surprising element of this campaign remains the introduction of a new ransomware, called NailaoLocker. Unlike attacks generally attributed to Chinese cyberespionage groups, where the priority is often the discreet gathering of information, this malware has a more direct objective: extorting money.

Its modus operandi is relatively simple: it encrypts victims' files and demands payment in Bitcoin via a ProtonMail address. Although it works, experts point to technical inconsistencies in its design, suggesting rushed development or the involvement of less experienced hackers.

Why such ransomware in such a sophisticated attack? Some analysts suggest a dual purpose: espionage and financing. State-sponsored hacker groups are increasingly using ransomware to diversify their revenues and mask certain operations.

A meticulous intrusion and well-oiled execution

The hackers' modus operandi follows a remarkably effective sequence. They begin by exploiting weak passwords and bypassing multi-factor authentication to break into target systems. Once in place, they map the network before moving laterally via Remote Desktop Protocol (RDP) to escalate their privileges.

The final step relies on a well-known technique: DLL sideloading. Through an executable signed by Beijing Huorong Network Technology Co., Ltd, they install a loader called NailaoLoader, which in turn executes NailaoLocker. To ensure its deployment, they use Windows Management Instrumentation (WMI), a legitimate Windows component repurposed for malicious ends.
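The two host-level signals described above (a signed executable loading an unsigned DLL from its own directory, and a process launched through WMI) are both visible in ordinary endpoint telemetry. The following detection sketch is an added example, not code from the article or from Orange Cyberdefense; it runs over constructed Sysmon-style records (event 7 = image loaded, event 1 = process created), and the host names, file paths and executable names are invented placeholders.

```python
"""Correlate sideloading and WMI-spawn signals per host (added example)."""
from collections import defaultdict
import ntpath  # handles Windows paths regardless of the OS this runs on

# Constructed sample events, not real telemetry. Field names loosely follow
# Sysmon: id 7 = image loaded, id 1 = process created. WmiPrvSE.exe is the
# real WMI provider host; every path and binary name here is a placeholder.
EVENTS = [
    {"host": "ws01", "id": 7, "image": r"C:\Tools\hr_tool.exe",
     "image_signed": True, "loaded": r"C:\Tools\helper.dll", "loaded_signed": False},
    {"host": "ws01", "id": 1, "image": r"C:\Tools\hr_tool.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws02", "id": 7, "image": r"C:\Program Files\App\app.exe",
     "image_signed": True, "loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": True},
    {"host": "ws02", "id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def is_sideload(ev):
    """Signed EXE loading an unsigned DLL that sits beside it: the sideloading shape."""
    if ev["id"] != 7 or not ev["image_signed"] or ev["loaded_signed"]:
        return False
    return ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(ev["image"]).lower()


def is_wmi_spawn(ev):
    """Process whose parent is the WMI provider host, i.e. started via WMI."""
    return ev["id"] == 1 and ntpath.basename(ev["parent"]).lower() == "wmiprvse.exe"


def correlate(events):
    """Return hosts where the same executable both sideloaded a DLL and was spawned by WMI."""
    sideloaded = defaultdict(set)
    wmi_spawned = defaultdict(set)
    for ev in events:
        if is_sideload(ev):
            sideloaded[ev["host"]].add(ev["image"].lower())
        elif is_wmi_spawn(ev):
            wmi_spawned[ev["host"]].add(ev["image"].lower())
    return sorted(h for h in sideloaded if sideloaded[h] & wmi_spawned[h])


if __name__ == "__main__":
    print("hosts with both signals:", correlate(EVENTS))
```

Either signal alone is noisy (legitimate software sideloads its own DLLs, and administrators use WMI every day); it is the combination on one host that is worth an alert.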

The healthcare sector, a prime target

This type of attack against the medical sector is not anecdotal. Hospitals and laboratories handle highly sensitive data, making them ideal targets for cybercriminals. The theft of medical information or the paralysis of systems can lead to serious consequences, far beyond financial losses.

Previous cyber espionage campaigns attributed to China, notably those of the APT41 group, had already shown a marked interest in the pharmaceutical sector. In 2020, similar attacks targeted companies working on Covid-19 vaccines.

Cybersecurity experts fear that these offensives will intensify. While the addition of ransomware may seem like a new tactic, the growing use of advanced techniques to bypass protections suggests attacks will become increasingly difficult to counter. In their view, this trend is expected to accelerate further in the coming months.