HC3 Warns Health Sector Of Iranian Threat Campaigns

The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center (HC3) has released a threat brief to raise awareness about the threat of cyberattacks by Iranian threat actors. While Iranian state-sponsored cyber attackers are not equipped with the same advanced technical skills of Chinese and Russian threat actors, they still pose a substantial danger to health organizations using sophisticated spear-phishing and social engineering campaigns to breach healthcare networks. 

Healthcare-related baits are frequently used in spear phishing attacks, and threat actors frequently pose as physicians, researchers, or think tanks to communicate with their targets on social media and deceive them into exposing their credentials or downloading and installing malware. For example, during the Tortoiseshell Facebook campaign, Iranian cyberattackers posed as recruiters for various industries including hospitality, medicine, and journalism. Targets were drawn to phishing URLs or malware-infected files by using fake accounts to deceive them into giving up their credentials. The threat actors frequently utilize LinkedIn to get in touch with targets and make fraudulent job offers to those they’re interested in headhunting. Although spear phishing is the most frequent initial access method, the Iranian state-sponsored hacking group Pioneer Kitten is known to take advantage of security flaws in VPNs and other network devices, including BIG-IP, Citrix, and Pulse Connect Secure. Threat actors have also been found to exploit the Fortinet FortiOS vulnerabilities, the Log4j vulnerabilities, the Microsoft Exchange ProxyShell and other Exchange vulnerabilities to initially gain access. 

Iranian threat actors are known to launch threat campaigns to obtain sensitive information, however, these attacks are typically more damaging than those launched by other state-sponsored hacking organizations. In order to respond to sanctions on Iran while reducing the danger of retaliation, cyberattacks frequently take advantage of cyber vulnerabilities to target its rivals. The nation is well-known for utilizing wiper malware in campaigns and to employ DDoS attacks to damage its victims reputation. The threat actors migrate laterally after gaining access to networks and are reported to install a PowerShell backdoor named POWERSTATS for persistence.

The HC3 has recommended a number of mitigations health organizations can take to better defend against Iranian threat campaigns. These include developing a comprehensive email security solution, multi-factor authentication, and operating end-user training. Organizations have also been advised to regularly review all internet-accessible systems and to implement strong passwords to improve resilience against brute force attacks.