Iranian actors targeting healthcare via spear-phishing, vulnerability exploit

The headquarters building of the U.S. Department of Health and Human Services is the Hubert H. Humphrey Building, located at the foot of Capitol Hill. (Photo credit: Library of Congress Prints and Photographs Division Washington, D.C.)

The Department of Health and Human Services Cybersecurity Coordination Center (HC3) released an alert detailing the threat of Iranian nation state actors against the healthcare sector. The FBI thwarted an Iranian-backed cyberattack against Boston Children’s Hospital in June 2021.

The white paper details the groups with a primary focus on the healthcare sector, as well as crucial mitigation factors and common exploits. Provider entities should review the insights to ensure they’re employing the necessary security measures.

And China and Russia aren’t the only nation states exhibiting malicious behavior on the international stage. Iran and North Korea also continue to carry out sophisticated intrusions targeting U.S. victims.

Last year, FBI Director Christopher Wray detailed the agency’s efforts against what he called “one of the most despicable cyberattacks I’ve seen.” Actors sponsored by the Iranian government attempted to attack Boston Children’s Hospital. The attack was blocked after an intelligence partner alerted the FBI to the impending attack, prompting the deployment of its cyber squad.

It was those quick actions that enabled the hospital to identify and mitigate the threat, spotlighting the importance of threat sharing and collaboration in the health sector.

Drawing on past activity, the HC3 report notes Iranian threat actors are historically risk-averse and “infamous for wiper malware as well as retaliatory attack strategies.” These actors commonly engage in spear phishing, DDoS attacks, theft of sensitive data, website defacement, and social media-driven operations.

What’s more, these groups have signed agreements with both Russia and China on cybersecurity and information tech, furthering their cyber capabilities and possible impacts.

Four groups are known to heavily target the healthcare sector and medical researchers, with spear phishing as the most common initial intrusion vector. One group frequently leverages lures tied to the healthcare sector, as well as job postings, password policies, or resumes. 

HC3 is most concerned by the ability of these groups to use fake personas that realistically mimic legitimate entities, including believable CC’d email addresses, which makes them difficult for users to detect. The use of email as a pivot point is a common tactic against healthcare, but also one of the sector's biggest challenges in terms of defense. Providers should use the HC3 white paper to review their current processes and gauge the posture of their email program.

The insights detail the three phases of an attack, as well as the aftermath for providers to review. The report also contains a list of commonly exploited vulnerabilities that should be immediately patched or segmented from the network.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
