Top Cyber Threats to Healthcare Organizations


The healthcare industry is one of the world’s largest and fastest-growing critical industries. Amid the Coronavirus pandemic, the healthcare industry endured a rapid digital transformation. Sensitive information from healthcare companies, such as personally identifiable information (PII), personal health information (PHI), personal health record (PHR), lab results, test reports, and research data are extremely valuable to cybercriminals. Due to the value of such data, cyber threats to healthcare are now targeting scientists, researchers, business logistics firms, and distribution networks using a variety of threat tactics, like disrupting vaccine supplies, for economic gain or geopolitical advantage.

Top Cyber Threats to Healthcare Organizations

One of the top cyber threats to healthcare was in 2020 against the British drugmaker AstraZeneca. AstraZeneca was in the race to deploy a COVID-19 vaccine when threat actors targeted AstraZeneca employees working on COVID-19 research. The attackers used social engineering tactics to break into the drug manufacturer’s network: they impersonated recruiters and approached AstraZeneca employees with fake job offers via social networking platforms like LinkedIn and WhatsApp. Security researchers suspect the involvement of North Korean threat actors based on the tactics, techniques, and procedures (TTPs) used in the attack. According to reports, the attackers were not thought to have been successful.

In December 2020, cybersecurity researchers uncovered a spear-phishing campaign targeting executives at organizations that support the Cold Chain Equipment Optimization Platform (CCEOP) program started by Gavi, the Vaccine Alliance, which assists vaccine distribution around the globe. The attackers impersonated business executives from Haier Biomedical, a Chinese company serving as a qualified supplier for the CCEOP program in coordination with the World Health Organization (WHO), UNICEF, and other U.N. agencies. It remains unclear to the researchers whether the phishing campaign was successful.

In March 2021, a Chinese-state-sponsored actor group, APT10, also known as Stone Panda, targeted the IT systems of two Indian COVID-19 vaccine makers: Bharat Biotech and Serum Institute of India (SII). The attackers discovered security vulnerabilities in the IT infrastructure and supply chain software used by these vaccine makers. Security researchers revealed that the motivation was to steal the intellectual property, which could have helped the threat actors get a competitive advantage over Indian pharmaceutical companies.

Another attack was against the US pharmaceutical giant, ExecuPharm. The pharmaceutical firm suffered a data breach and ransomware attack after being targeted by phishing emails sent to employees. The attackers encrypted the ExecuPharm servers, stole corporate and employee data, and sought payment in return for a decryption key.

Top Vulnerabilities

Critical vulnerabilities in various technologies pose a severe threat to the healthcare industry. According to research conducted by the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), critical vulnerabilities in VPN products from Citrix, Pulse Secure, Fortinet, and Palo Alto are widely exploited by various APT groups against medical industries. The details are listed below:

Citrix:

  • CVE-2019-19781: Citrix Application Delivery Controller and Gateway Code Execution

Pulse Connect Secure:

  • CVE-2019-11510: Pulse Connect Secure Information Disclosure
  • CVE-2019-11539: Pulse Connect Secure And Pulse Policy Secure Command Execution

Fortinet:

  • CVE-2018-13379: FortiOS VPN Web Portal Directory Traversal
  • CVE-2018-13382: FortiOS Security Bypass
  • CVE-2018-13383: FortiOS Denial of Service

Palo Alto:

  • CVE-2019-1579: PAN-OS Code Execution

The Chinese-state-sponsored threat actor group APT10 was observed attempting to exploit the Windows Zerologon vulnerability in attacks. Tracked as CVE-2020-1472, Zerologon is a critical vulnerability that allows attackers to execute arbitrary code with escalated privileges on a vulnerable system.
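For defenders, the practical question raised by the paragraph above is how to tell whether Zerologon exploitation was attempted or succeeded against a domain controller. The following script is an added example written for this post; it is not ZeroFox code or tooling. It relies on two facts that are known from Microsoft's guidance: the August 2020 update that addressed CVE-2020-1472 added NETLOGON events 5827, 5828 and 5829 to the System log on domain controllers (5829 means a vulnerable connection was still allowed because the DC was not yet enforcing), and a successful exploit resets a DC's machine-account password without authenticating, which appears in the Security log as event 4742 with ANONYMOUS LOGON as the subject. The dict field names and the sample records at the bottom are assumptions constructed for the example, standing in for whatever a log pipeline exports.

```python
"""Detection logic for Zerologon (CVE-2020-1472) indicators in Windows events.

Added example for this post; it is not ZeroFox code or tooling. It assumes a
log pipeline has exported Windows events as dicts with the keys used below
(EventID, Channel, Provider and a few EventData fields); the key names and the
sample records at the bottom are constructed for the example.
"""

# Netlogon events Microsoft added to the System log (provider NETLOGON) on
# domain controllers with the August 2020 update that addressed CVE-2020-1472.
NETLOGON_EVENTS = {
    5827: ("medium", "denied vulnerable Netlogon secure channel from a machine account"),
    5828: ("medium", "denied vulnerable Netlogon secure channel from a trust account"),
    5829: ("high", "ALLOWED vulnerable Netlogon secure channel; DC is not in enforcement mode"),
}


def classify(event):
    """Return (severity, reason) for a single event, or None if it is not an indicator."""
    eid = event.get("EventID")
    channel = event.get("Channel")

    if channel == "System" and event.get("Provider") == "NETLOGON" and eid in NETLOGON_EVENTS:
        severity, reason = NETLOGON_EVENTS[eid]
        return severity, f"{reason} (account {event.get('SamAccountName', '?')})"

    # Security 4742 = "A computer account was changed". A successful Zerologon
    # exploit resets a domain controller's machine-account password without
    # ever authenticating, so the Subject of the change is ANONYMOUS LOGON.
    # Routine rotation is performed by the computer itself, so the subject
    # equals the target account and is not flagged here.
    if channel == "Security" and eid == 4742:
        subject = event.get("SubjectUserName", "")
        target = event.get("TargetUserName", "")
        if subject.upper() == "ANONYMOUS LOGON" and target.endswith("$") and event.get("PasswordLastSet"):
            return "critical", f"machine account {target} password reset by ANONYMOUS LOGON"

    return None


def triage(events):
    """Run classify() over an iterable of events; return findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for ev in events:
        result = classify(ev)
        if result:
            severity, reason = result
            findings.append({"event_id": ev["EventID"], "severity": severity, "reason": reason})
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed sample input (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing",
     "SubjectUserName": "alice"},
    {"EventID": 5827, "Channel": "System", "Provider": "NETLOGON", "SamAccountName": "OLDPRINTER$"},
    {"EventID": 5829, "Channel": "System", "Provider": "NETLOGON", "SamAccountName": "WS01$"},
    # Normal 30-day rotation: the computer resets its own password.
    {"EventID": 4742, "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing",
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$", "PasswordLastSet": "2021-03-01T02:00:00Z"},
    # Exploitation indicator: unauthenticated reset of a DC machine account.
    {"EventID": 4742, "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "2021-03-02T10:15:00Z"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']:8}] event {finding['event_id']}: {finding['reason']}")
```

The 5829 event is the one worth acting on before any attack: it means the domain controller is still accepting vulnerable secure-channel connections, so enforcement mode has not been enabled and the account named in the event needs to be fixed or isolated. A 4742 from ANONYMOUS LOGON against a DC account should be treated as an active incident rather than a vulnerability finding.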

Top Threat Actors and Groups

Several threat actor groups have targeted healthcare industries in the past. Some of the well-known groups are listed below along with their known or suspected country of origin and attack methods.

APT10 (Stone Panda):

  • Country: China (State-sponsored)
  • Attack Methods: Malware, Exploiting vulnerabilities in the web applications/systems.

APT1 (PLA Unit 61398):

  • Country: China
  • Attack Methods: Malware, Exploiting vulnerabilities in the web applications/systems.

APT41 (Double Dragon):

  • Country: China
  • Attack Methods: Malware, Passive backdoor, Exploiting vulnerabilities in the web applications/systems.

APT35 (Charming Kitten):

  • Country: Iran
  • Attack Methods: Malware, Exploiting vulnerabilities in the web applications/systems.

APT28 (Fancy Bear):

  • Country: Russian Federation
  • Attack Methods: Malware, Spear-phishing, Mimikatz, CORESHELL.

Other than APT groups, some data brokers have sold remote access exploits in various cybercriminal underground networks and forums, which can be utilized by threat actor groups or attackers to gain access to a network. ZeroFox Threat Intelligence observed one example of an actor on a Russian-speaking cybercriminal forum advertising the sale of remote access exploits targeting pharmaceutical companies, among other industries.

Figure 1: A data broker selling exploit kits of pharmaceutical companies on a Russian-speaking forum
Source: ZeroFox Threat Intelligence


Over the last year, due to the COVID-19 pandemic, a significant rise in cyberattacks has been observed against healthcare industries, specifically vaccine manufacturers and pharmaceutical companies. Vaccine manufacturers across the globe were in a race to develop a vaccine for the COVID-19 virus, giving threat actors opportunities to leverage cyber threats against targets. Threat actors quickly utilized the pandemic and related fears to lure victims into phishing and malware attacks. In the middle of July 2020, there were multiple reports of cyberattacks to steal COVID-19 vaccine data from the organizations that were involved in vaccine development. The motive behind most of the attacks was financial gain. However, some of the state-sponsored targeted attacks against vaccine manufacturers were intended to steal intellectual property and slow down vaccine distribution, indicating that financial gain was not the only motive behind the attacks.

Intended Effect of Cyber Threats to Healthcare

According to security researchers, the primary target of these attackers is the intellectual property of organizations. Its theft can harm the competitive advantage and the financial foundation of businesses. Apart from financial gain, some targeted attacks focus on slowing down or disrupting vaccine distribution.

Credential harvesting is also one of the goals of attackers. Stolen credentials allow threat actors to move laterally through a network, conducting surveillance and accumulating additional confidential information from the victim’s environment for future operations.


With the rapid pace of digital transformation and the effects of the Coronavirus pandemic still greatly felt, the healthcare industry is a prime target for threat actors today. Security teams must ensure that the health records, PII and research data collected and produced by their institutions are secure against data breaches, ransomware and other top cyber threats. Ensuring that security controls are in place and that teams have visibility into the networks where much of this threat activity takes place, such as the dark web, is critical. Learn more about how ZeroFox protects healthcare organizations here.
