Protecting the Sick: Cyberattacks Targeting the Healthcare Industry
Medical records, Social Security numbers, credit card details and more: these valuable data points are catnip for online criminals, and healthcare organizations are bursting at the seams with them. Another reason the healthcare industry presents such an attractive target is that it is often poorly defended relative to other commercial sectors, which typically invest more heavily in cyber defense.
To help healthcare IT and cybersecurity teams take proactive steps toward protecting their patients’ information, BlackBerry shares insights from its Threat Research and Intelligence team covering highlights of the Jan. 2023 Threat Intelligence Report.
Qakbot: A Favored Trojan Against Healthcare
BlackBerry threat researchers believe that Qakbot, also known as Qbot or Pinkslipbot, continues to be the most active Trojan facilitating healthcare network access for RaaS (ransomware-as-a-service) affiliates and IABs (initial access brokers). Originally emerging as a banking Trojan, Qbot has since evolved its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. Qbot is modular in nature, enabling malicious cyber actors to configure it to their specific needs. In 2022, Qbot was mostly used by affiliates deploying Black Basta ransomware.
Qbot has been around for years, but it’s nothing to be complacent about. This malware is well-known for its ability to steal credentials and quickly spread through an enterprise over network shares. Given its age, it might seem logical that security controls would already have this threat on lockdown. However, the periodic functional enhancements made by its operators, combined with its multiple layers of obfuscation and server-side polymorphism, continually breathe new life into this seemingly immortal malware.
Additional Attacks of Note
Meterpreter and BloodHound
Meterpreter — a Metasploit payload that provides an interactive shell for the attacker — and BloodHound were also active during the timeframe we analyzed and have been used in attacks on the healthcare industry. BlackBerry threat researchers detected an attack that used Meterpreter alongside the execution of SharpHound, the data collector for BloodHound, which is commonly used to map paths for lateral movement inside a network after a successful intrusion takes place. CISA (Cybersecurity and Infrastructure Security Agency) has warned that these threats pose a significant risk to all sectors, including the healthcare industry. CISA also recommends that network and system administrators intentionally execute BloodHound, an open-source tool for enumerating and visualizing a domain’s devices and other resources, to understand possible attack paths in their environments.
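One practical way to hunt for SharpHound collection from the defender's side is to look for its network footprint: session and local-group collection touches many hosts over SMB (TCP 445) in a short burst. The following is an added example written for this article, not BlackBerry's code or part of the BloodHound project. It reads a constructed connection-log format (ISO timestamp, source IP, destination IP, destination port) and flags any source whose count of distinct port-445 peers inside a sliding window reaches a threshold; the threshold, window, addresses and log format are all assumptions.

```python
"""Hunting for SharpHound-style SMB session enumeration in connection logs.

Added example, not BlackBerry's code. SharpHound's session and local-group
collection contacts many hosts over SMB (TCP 445) in a short burst, so one
source reaching an unusual number of distinct hosts on 445 within a few
minutes is a useful hunting signal. The log format, addresses and threshold
below are constructed assumptions; tune the threshold to your environment,
because backup servers and vulnerability scanners legitimately fan out too.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 20          # distinct SMB peers in one window (assumed)
WINDOW = timedelta(minutes=5)  # sliding window length (assumed)


def parse_line(line):
    """Parse a constructed 'ISO-timestamp src_ip dst_ip dst_port' record."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_fanout(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak distinct SMB destinations} for every source whose
    count of distinct port-445 peers inside any sliding window reaches threshold."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 445:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> number of events currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that fell out of the window ending at ts
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_log():
    """Constructed sample: one normal workstation and one host enumerating sessions."""
    base = datetime(2023, 1, 15, 10, 0, 0)
    lines = []
    # Benign: 10.0.5.7 talks to the same two file servers for 40 minutes
    for i in range(40):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.5.7 10.0.1.{10 + i % 2} 445")
    # Suspicious: 10.0.5.21 reaches 30 distinct hosts on 445 within two minutes
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=4 * i)).isoformat()} 10.0.5.21 10.0.2.{100 + i} 445")
    # Traffic on other ports is ignored by the detector
    lines.append(f"{base.isoformat()} 10.0.5.21 10.0.9.9 443")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, peak in detect_smb_fanout(build_sample_log()).items():
        print(f"possible SMB session enumeration from {src}: {peak} distinct hosts within {WINDOW}")
```

The per-source sliding window keeps the check linear in the number of records, so it can run over a day of firewall or NetFlow exports. Hosts that legitimately fan out on 445 (backup infrastructure, patch management, authorized BloodHound runs by administrators as CISA suggests) should be allow-listed rather than raising the global threshold.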
We also observed TinyNuke, also known as Nuclear Bot, dropping the NetWire RAT (remote access Trojan) during attacks on the healthcare sector. Originally a banking Trojan with functions similar to ZeuS, TinyNuke is a full-featured Trojan that includes a VNC server for remote device control, as well as reverse SOCKS functionality. VNC (Virtual Network Computing) is a screen-sharing system for remotely controlling other computers; it consists of a server and a client. TinyNuke installs the VNC server on the target system, and the malicious user who wants to control that system remotely connects to it with a VNC client; the VNC server running on the target is what gives the client control of the system. Being able to remotely access and control other systems means TinyNuke can be used to search for and exfiltrate sensitive data, such as healthcare information from patient databases and similar portals.
TinyNuke has also been used by the Kimsuky Group, which has been publicly attributed to the DPRK (Democratic People’s Republic of Korea). While examining this attack, BlackBerry threat researchers found TinyNuke downloading and executing NetWire RATs and connecting to a domain hosted on Duck DNS, a dynamic DNS service often used by remote access Trojans.
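Because the page's only network indicator is the use of a Duck DNS hostname, the most portable detection is a review of DNS query logs for names registered under dynamic-DNS providers. The block below is an added example for this article, not BlackBerry's code and not tied to any real TinyNuke or NetWire infrastructure. The query-log format, client addresses and hostnames are constructed, and the provider list is an assumption that should be extended with the dynamic-DNS providers your organization tracks.

```python
"""Flag DNS lookups of dynamic-DNS hostnames such as those under duckdns.org.

Added example, not BlackBerry's code. RATs like NetWire favour dynamic DNS
because the operator can re-point a hostname without changing the malware,
so a client resolving a name under a dynamic-DNS provider is worth
reviewing. The query-log format and hostnames are constructed; the provider
list is an assumption to extend with the providers your organization tracks.
"""
from collections import Counter

# The article names Duck DNS; add other providers as your environment requires.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# Constructed sample records: "ISO-timestamp client_ip qtype qname"
SAMPLE_DNS_LOG = """\
2023-01-15T10:01:00 10.0.5.21 A updates.vendor.example
2023-01-15T10:01:03 10.0.5.21 A sync-status-7731.duckdns.org
2023-01-15T10:01:10 10.0.5.7 A intranet.corp.example
2023-01-15T10:02:30 10.0.5.21 A SYNC-STATUS-7731.duckdns.org.
2023-01-15T10:03:00 10.0.5.30 A duckdns.org
2023-01-15T10:03:05 10.0.5.30 A notduckdns.org
"""


def dynamic_dns_label(qname, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Return the normalised hostname if it is registered *under* a dynamic-DNS
    suffix. The provider's own apex (duckdns.org) and look-alike registrations
    (notduckdns.org) are deliberately not matches."""
    name = qname.lower().rstrip(".")  # case-fold and drop a trailing root dot
    for suffix in suffixes:
        if name.endswith("." + suffix) and len(name) > len(suffix) + 1:
            return name
    return None


def find_dynamic_dns_queries(log_text):
    """Count (client, hostname) pairs for queries to dynamic-DNS names."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than abort the whole run
        _ts, client, _qtype, qname = parts
        name = dynamic_dns_label(qname)
        if name:
            hits[(client, name)] += 1
    return hits


if __name__ == "__main__":
    for (client, name), n in find_dynamic_dns_queries(SAMPLE_DNS_LOG).items():
        print(f"{client} resolved dynamic-DNS name {name} {n} time(s)")
```

Normalising case and the trailing dot matters because resolver logs are not consistent about either, and the two upper-case and lower-case queries in the sample collapse to one hit. A match is a lead, not a verdict: confirm it against process and network telemetry on the client before treating it as a NetWire infection.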
Previously Unknown Threat Actor
BlackBerry researchers also found an instance in which a previously unknown threat actor deployed the PlugX RAT, which is commonly used by multiple nation-state threat actors, including Mustang Panda. By delving into the associated network infrastructure and pivoting off related network artifacts, the researchers uncovered additional files and infrastructure. These conformed to similar TTPs (tactics, techniques, and procedures) and appeared to be part of a larger campaign by this same threat actor targeting multiple entities, both government and private. These groups primarily target government and military organizations, as well as corporations in the technology, healthcare, and telecommunications sectors.
Mustang Panda has a history of targeting many different entities across the globe, but its targets tend to align with the interests of the Chinese government. This indicates that cyber actors may be interested in attacking the healthcare industry for reasons other than strictly financial benefit, such as undermining public trust in a country’s infrastructure.
Beyond learning to identify IoCs (indicators of compromise) and the various techniques used by threat actors, organizations in the industry sectors at risk from the above threat groups and associated malware are strongly advised by both CISA and the FBI to deploy mitigations that keep their networks secure and protect them from compromise.
In an advisory, the agencies recommend that critical infrastructure industries, including healthcare organizations, require MFA (multifactor authentication), set up and maintain a working recovery plan, and ensure that all operating systems, firmware, and software are kept up to date. The advisory notes that multifactor authentication alone blocks nearly all automated cyberattacks, and that most compromised accounts don’t use the technology.
These federal bodies additionally urged healthcare organizations to follow NIST (National Institute of Standards and Technology) guidance when putting password policies in place.
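The article does not say which NIST document is meant; the guidance that governs password policies is NIST SP 800-63B (memorized secrets), and the block below is an added example, written for this article rather than by BlackBerry or NIST, of what an acceptance check that follows it looks like in code. It assumes a breached- or common-password blocklist is available (a small constructed stand-in is embedded) and that the application can pass the username and organization name as context-specific words.

```python
"""Password acceptance check following NIST SP 800-63B memorized-secret guidance.

Added example; not BlackBerry's or NIST's code. SP 800-63B requires at least
8 characters, says verifiers should accept at least 64, should accept all
printing ASCII plus space and Unicode, must reject values found in a
blocklist of common, breached and context-specific words, and should not
impose composition rules or scheduled rotation. The blocklist below is a
constructed stand-in for a real breach-corpus feed.
"""
import unicodedata

MIN_LEN = 8   # SP 800-63B minimum for user-chosen secrets
MAX_LEN = 64  # verifiers should allow at least 64; a cap only bounds hashing cost

# Constructed stand-in for a breached/common-password blocklist (lower-case).
BLOCKLIST = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def normalize(secret):
    """NFKC-normalise so visually identical Unicode input compares consistently,
    as SP 800-63B recommends before checking or hashing a Unicode secret."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate, username="", org_name="", blocklist=BLOCKLIST):
    """Return (accepted, reason). Reasons are short codes suitable for logging.

    There is deliberately no composition rule: a long passphrase of lower-case
    words is accepted, and a short value mixing character classes is not
    treated as stronger than its length and blocklist status imply.
    """
    secret = normalize(candidate)
    if len(secret) < MIN_LEN:          # len() counts code points, as 800-63B requires
        return False, "too_short"
    if len(secret) > MAX_LEN:
        return False, "too_long"
    # Reject control characters; spaces and any printable Unicode remain allowed
    if any(unicodedata.category(ch).startswith("C") for ch in secret):
        return False, "control_chars"
    lowered = secret.lower()
    if lowered in blocklist:
        return False, "blocklisted"
    # Context-specific words (service name, username) belong on the blocklist too
    for ctx in (username, org_name):
        if ctx and ctx.lower() in lowered:
            return False, "contains_context"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "PASSWORD1", "jdoe-2023-secret"):
        print(repr(sample), "->", check_password(sample, username="jdoe", org_name="Example Clinic"))
```

Pairing this check with MFA, as the advisory recommends, is what actually blunts credential theft by Trojans like Qbot; a stronger password policy on its own does not help once the credential has already been harvested from an infected endpoint.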
The healthcare industry has long been an irresistible target for cybercrime — particularly for ransomware, as restoring access to data and systems can literally be a life-or-death situation. Compounding the threat is the fact that many such organizations are in the public sector or operate on a nonprofit basis, which can make investing in security challenging. However, healthcare plays a critical role in society — and even in national security — so defending it must remain a top priority.
Regardless of industry sector, defending your organization against malware and cyberattacks requires in-depth knowledge of how and why threat actors are targeting your environment. That knowledge depends on access to contextual, anticipative, and actionable cyber threat intelligence, which can reduce the impact of threats on your organization.