A previously unknown hacking group has been spotted targeting European healthcare organizations using spyware linked to Chinese state-backed hackers and a new ransomware strain, researchers said.
Analysis Summary
# Threat Actor: Green Nailao (Attribution Pending)
## Attribution & Identity
* **Identification:** A previously unknown hacking group.
* **Attribution:** Researchers suggest the group is likely linked to **Chinese state-backed hackers**.
* **Associated Groups/Tools:** Deployed malware (ShadowPad, PlugX) commonly associated with established Chinese cyberespionage groups.
## Activity Summary
* **Campaign Period:** Second half of 2024.
* **Operation:** Targeted **European healthcare organizations**.
* **Initial Access:** Likely exploited the vulnerability **CVE-2024-24919** in Check Point Security Gateway products, which exposed sensitive data (including credentials) that were then used to access VPNs as legitimate users.
* **Action on Objectives:** Deployed ShadowPad, PlugX, and a new ransomware strain, **NailaoLocker**. The combination of espionage tools and ransomware deployment suggests potential motives spanning espionage and financial gain, or a possible false-flag operation.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of vulnerability **CVE-2024-24919** (Check Point Security Gateway flaw).
* **Persistence/Command and Control:** Deployment of **ShadowPad** (new, enhanced version observed) and **PlugX** backdoors.
* **Impact:** Deployment of **NailaoLocker** ransomware, which encrypts files and leaves a ransom note demanding payment in Bitcoin, with a ProtonMail address as the contact channel.
* *MITRE ATT&CK IDs were not explicitly listed in the source text.*
## Targeting
* **Sectors:** Healthcare organizations.
* **Geography:** Europe (targeted).
* **Victims:** European healthcare organizations (specific organizations not named).
## Tools & Infrastructure
* **Malware families used:**
  * ShadowPad (backdoor, believed to have been privately shared among Chinese operators since 2015)
  * PlugX (backdoor, frequently used by state-backed Chinese hackers)
  * NailaoLocker (new, "relatively unsophisticated" ransomware strain)
* **Infrastructure:** The ransom note directed victims to a **ProtonMail address** for payment contact.
## Implications
The linkage of established Chinese state-sponsored espionage tooling (ShadowPad, PlugX) with a new ransomware strain suggests a potential evolution in Chinese group operations, possibly diversifying into financially motivated activity or using ransomware as a diversion for data theft. Targeting healthcare in Europe raises significant security concerns given the sensitivity of the data typically held by such organizations.
## Mitigations
* Patch systems promptly, especially for known vulnerabilities such as CVE-2024-24919; a patch applied after the initial window of exposure is still worthwhile.
* Enhance monitoring for the presence of long-standing C2 backdoors like ShadowPad and PlugX within the network perimeter.
* Review VPN and credential management processes, as exploitation led to the theft of user credentials and access to VPNs.