The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Sector Warned About Cyberattacks by Iranian State-Sponsored Threat Actors

The federal government has issued a warning to the healthcare sector about the threat of cyberattacks by Iranian threat actors. Iranian state-sponsored actors lack the sophisticated technical capabilities of Russian and Chinese threat actors, but still pose a significant threat to the sector. The threat actors mostly use social engineering in their attacks to gain access to healthcare networks and are known to conduct sophisticated spear-phishing campaigns.

Spear-phishing campaigns often involve healthcare-related lures, with the threat actors using fake personas and social media platforms to interact with their targets, often impersonating doctors, researchers, and think tanks to trick targets into disclosing their credentials or downloading and installing malware. The Tortoiseshell Facebook campaign saw threat actors claim to be recruiters in hospitality, medicine, journalism, NGOs, and aviation. Fake accounts were used to trick targets into opening malware-infected files or to lure them onto phishing URLs to steal credentials. The threat actors often use LinkedIn to contact targets, sending fake job offers to headhunt individuals of interest. Popular online platforms such as Google, Microsoft, and Yahoo are also impersonated to steal credentials.

One notable campaign involved the impersonation of the Director of Research at the Foreign Policy Research Institute (FPRI), with the email appearing to CC the Director of Global Attitudes Research at the Pew Research Center. The emails sought input for an article about Iraq’s position in the world. Spear-phishing emails can be realistic and convincing and may involve multiple messages that engage targets in conversation to build trust before tricking them into installing malware or disclosing their credentials. Considerable time and effort are put into creating convincing social media profiles and Internet footprints to make the scams seem more credible and to survive attempts to verify the authenticity of the profile and the request.

While spear phishing is the most common initial access vector, the Iranian state-sponsored hacking group known as Pioneer Kitten (aka UNC757, Parisite, and Fox Kitten) is known to exploit vulnerabilities in VPNs and other network appliances, such as CVE-2020-5902 (BIG-IP), CVE-2019-19781 (Citrix), and CVE-2019-11510 (Pulse Connect Secure). Other vulnerabilities exploited for initial access include the Log4j vulnerabilities, the Microsoft Exchange ProxyShell and other Exchange vulnerabilities, and Fortinet FortiOS vulnerabilities. One attack that was thwarted involved exploiting a vulnerability in a FortiGate appliance to gain access to the environmental control networks of a U.S. children’s hospital.


Iranian threat actors are known to conduct attacks to gain access to sensitive personally identifiable information; however, their attacks tend to be more destructive than those of other state-sponsored hacking groups. Cyberattacks are often used to retaliate against Iran’s adversaries for sanctions while minimizing the risk of retaliation in kind. Attacks have been conducted in which websites were defaced and DDoS attacks were used to damage reputations, and the country is infamous for its use of wiper malware. Once access to a network is gained, the threat actors move laterally and are known to install a PowerShell backdoor called POWERSTATS for persistence.

Improving resilience to attacks requires a focus on anti-phishing strategies such as implementing a robust email security solution, multi-factor authentication, and end-user training. Employees should receive regular training and be taught how to recognize and report phishing and social engineering attacks. Reviews should be conducted of all internet-accessible systems, vulnerabilities should be patched promptly, networks should be segmented to limit the ability of the threat actors to move laterally, user accounts should be regularly audited, especially those with administrative privileges, and strong passwords should be set to improve resilience to brute force attacks. Further mitigations have been suggested by the Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center in its threat brief.
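As an added illustration of the account-audit recommendation above (example code written for this page, not from HHS HC3, the HIPAA Journal, or any vendor), the following Python script runs over a constructed account inventory and flags enabled accounts in privileged groups that either lack multi-factor authentication or have not logged on within the review window. The group names, record fields, sample accounts, and the 90-day window are assumptions chosen for the example; in practice the inventory would be exported from the directory service.

```python
"""Flag risky privileged accounts in an account inventory (example only)."""
from dataclasses import dataclass
from datetime import date

# Assumed names of groups that confer administrative privileges.
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Administrators"})

# Date the audit is run against; fixed here so the example is reproducible.
AUDIT_DATE = date(2022, 9, 10)


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset
    mfa_enabled: bool
    last_logon: date
    enabled: bool


# Constructed sample inventory; none of these accounts are real.
INVENTORY = [
    Account("jdoe", frozenset({"Domain Users"}), True, date(2022, 9, 1), True),
    Account("svc-backup", frozenset({"Domain Admins"}), False, date(2022, 3, 15), True),
    Account("it-admin", frozenset({"Domain Admins", "Domain Users"}), True, date(2022, 9, 5), True),
    Account("old-contractor", frozenset({"Administrators"}), False, date(2021, 12, 1), False),
]


def audit_privileged_accounts(accounts, today, stale_after_days=90):
    """Return (account, finding) pairs for enabled privileged accounts that
    lack MFA or have been unused for longer than stale_after_days."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are out of scope for this check
        if not (acct.groups & PRIVILEGED_GROUPS):
            continue  # only accounts holding administrative privileges
        if not acct.mfa_enabled:
            findings.append((acct.name, "privileged account without MFA"))
        idle_days = (today - acct.last_logon).days
        if idle_days > stale_after_days:
            findings.append((acct.name, f"privileged account unused for {idle_days} days"))
    return findings


def run_sample_audit():
    """Run the audit over the constructed inventory at the fixed audit date."""
    return audit_privileged_accounts(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for name, finding in run_sample_audit():
        print(f"{name}: {finding}")
```

Only the enabled service account in Domain Admins is reported here, once for missing MFA and once for 179 days of inactivity; the disabled contractor account is skipped because the point of the check is live privileged access, and disabled accounts would be handled by a separate clean-up review.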

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
