Everyone wants to be special. When I’m chatting with a company that doesn’t fit the typical profile for a state-sponsored attacker target, sometimes they seem disappointed. I certainly don’t mean to hurt their self-esteem, but the reality is that most businesses just don’t have anything of interest to a nation state.

For the most part, I would have included healthcare in that group. It’s hard to see how Beijing could use the flu diagnosis of John Doe. Although that’s a pretty myopic view – healthcare shops hold a lot of personal data. You know, Social Security numbers, addresses, birth dates, and other stuff useful for identity theft.

Reuters is reporting on the Community Health breach, which impacted 4.5 million patients. Both Mandiant and Crowdstrike traced the attack back to a specific nation-state affiliated hacker group. The sexily named “APT 18” has been in action for a while, usually targeting human rights groups and chemical companies.

On the surface an advanced attacker targeting a healthcare shop is counter-intuitive, but given the multi-phase and staged attacks used by nation-states it makes sense. The attackers can use this information to more effectively target employees with phishing messages to gain a foothold in their real target.

So the moral of the story is that you need to think three or four steps ahead to understand the real mission behind many of these attacks. Odds are Community Health was a means to an end, so they could target a big company or ten with information gleaned from the hospital. Though the only way you will be able to really connect the dots is through a forensic view of the eventual data breach.

Have we talked about incident response lately? Yeah, maybe it’s time to make sure your IR/M process is where it needs to be.

Photo credit: “Emergency room” originally uploaded by KOMUnews