Cyber Incident Victim: Huiying Medical Technology

Date: Apr 2020

Location: China

Summary

A threat actor known as 'THE0TIME' breached Huiying Medical Technology, stealing source code and experimental data for an AI-assisted COVID-19 detection system used to analyze chest CT scans. The stolen assets, including proprietary algorithms and pandemic-related research, were offered for sale at 4 Bitcoin. The compromised technology, developed to identify pneumonia patterns indicative of COVID-19, was commercially distributed through a partnership with Huawei at $50,000 monthly. Cybersecurity firm Cyble validated the attacker's claims, confirming unauthorized access to sensitive medical intellectual property and diagnostic data. The incident exposed critical healthcare infrastructure vulnerabilities during a global health crisis.

Description

On or around April 25, 2020, researchers from data breach notification firm Cyble identified a threat actor using the moniker 'THE0TIME' claiming unauthorized access to systems belonging to Huiying Medical Technology (Beijing) Co., Ltd. The actor advertised the sale of source code for Huiying's AI-assisted COVID-19 detection technology and related experimental data through underground channels, pricing the stolen materials at 4 Bitcoin (BTC). Cyble publicly disclosed this finding via a Medium post, noting the actor's specific claims of compromising both proprietary code and COVID-19 research datasets. Huiying Medical Technology specialized in developing medical imaging devices, including an AI system designed to analyze chest CT scans in DICOM format to identify pneumonia contours and potential COVID-19 infections. Huawei, a named partner of Huiying, commercially offered this detection system to customers at a rate of $50,000 per month.

The breach exposed critical intellectual property central to pandemic response efforts, with threat actors marketing the stolen assets as containing functional AI source code and experimental medical data. No information regarding Huiying's internal detection mechanisms, containment procedures, or remediation efforts was disclosed in available sources. The incident highlighted risks to healthcare technology providers during global health emergencies, given the system's operational role in diagnosing COVID-19 and its high commercial valuation. Cyble referenced its data breach monitoring platform, AmIBreached.com, though no additional details about victim notification or third-party impacts were provided. The attacker's post did not specify intrusion methods, data exfiltration timelines, or evidence validating the stolen materials' authenticity beyond the initial sales claim.
