Menu
Browse

Cyber Threat Actor: Twister Canyon

Actor Type Location Known Incidents
 Icon
Criminal
China
1 incident
Profile

Twister Canyon is an alias usedby a threat actor that has been linked to a data breach affecting MCG Health and several of its healthcare provider clients. The actor’s location is noted as China, although this information is presented as known if available. Public references to Twister Canyon emerged in connection with claims that the actor possessed stolen patient data and attempted to extort money from the victim organization. The alias appears in breach notification updates where the actor is described as an unknown third party that contacted MCG Health in late 2021 and early 2022. No other aliases or alternative names for this actor are provided in the source material.

The actor’s observed activity focuses on the healthcare sector, specifically targeting organizations that rely on MCG Health for services such as patient data management. The strategic objective demonstrated in the incident is financial gain, as the actor demanded payment in exchange for the return of the compromised data. Technical details about the intrusion are limited, but the actor is described as having gained unauthorized access to MCG Health systems and exfiltrated sensitive patient information including names, Social Security numbers, medical codes, addresses, phone numbers, email addresses, dates of birth and gender. The actor subsequently offered the stolen records for sale on the dark web and used this possession as leverage in extortion negotiations. No specific malware families, exploit tools, or initial access vectors are mentioned in the available reports. The most significant publicly reported operation attributed to Twister Canyon is the MCG Health breach that was first disclosed in February 2020 and later revealed to have involved unauthorized access dating back to at least December 2021 according to the actor’s own claims. This incident impacted over 1.1 million individuals across multiple healthcare entities including Avera Health, Catholic Health Initiatives, Copley Hospital, Indiana University Health Affiliated Covered Entity, Newman Regional Health, Phelps Care Regional Medical Center, Jefferson County Health Center, UNC Lenoir Health Care, Henry County Medical Center, Saint Mary’s Health Network and Lafayette Surgical Specialty Hospital. While the actor’s location is cited as China, no definitive link to a state sponsor or criminal consortium has been established in the source material. The breach prompted FBI involvement, forensic investigation, and notification to affected patients and regulators. The case remains an example of a financially motivated data theft operation targeting the healthcare industry.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source