HC3 Threat Brief: Iranian Threat Actors Targeting Healthcare

According to a Nov. 3 threat brief from the Health Sector Cybersecurity Coordination Center, the healthcare industry should be aware of Iranian hackers who use realistic phishing attacks to infiltrate networks.
Nov. 9, 2022

On Nov. 3, the Health Sector Cybersecurity Coordination Center (HC3) issued a threat brief on Iranian threat actors and the healthcare industry. Historically, Iranian threat actors have been risk-averse, and cyberattacks give them a means of exploiting an enemy's vulnerabilities while minimizing the risk of escalation or retaliation.

These threat actors are known for wiper malware, website defacement, spear phishing, distributed denial-of-service (DDoS) attacks, theft of personally identifiable information (PII), and social media-focused operations. Iranian threat actors known to target healthcare, according to the brief, include the groups dubbed Pioneer Kitten, Magic Kitten, Infy and UNC3890.

In June, we reported that FBI Director Christopher Wray said that a hacker group sponsored by the Iranian government had attempted, in the summer of 2021, to carry out a cyberattack on the computer systems at Boston Children’s Hospital. The brief says that “Iranian hackers exploited a Fortigate appliance to access the environmental control networks of a U.S.-based children’s hospital. [The threat actors] accessed known user accounts at the hospital from an IP address that the FBI associates with the Iranian government.”

The brief explains that Iranian hackers use fake personas to make their phishing attacks more convincing. In September 2022, the U.S. imposed an additional round of sanctions on Iran for its recent APT activity.

The brief suggests mitigations such as:

  • Training users on identifying phishing and how to report it
  • Training users on social engineering
  • Reviewing systems for exposure to Log4j vulnerabilities
  • Implementing network segmentation
  • Maintaining offline backups of data
  • Ensuring backup data is encrypted
  • Reviewing antivirus logs
  • Auditing user accounts with administrative privileges
  • Having a strong incident response plan
  • Implementing the use of strong passwords and multifactor authentication
  • Requiring administrative privileges to install software
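The mitigations above are preventive controls, but the incident the brief cites (known user accounts used from an IP address the FBI associates with the Iranian government) and the item on auditing privileged accounts point to a check a SOC can run over its own authentication logs. The following Python is an added example for this article, not code from HC3, the FBI or Healthcare Innovation; the log format, the addresses, the watchlist, the internal ranges and the account names are all constructed for illustration and stand in for whatever an organization's VPN or SSO logs and threat-intelligence feeds actually provide.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample authentication events in an assumed key=value format; none of
# these lines, accounts or addresses come from the HC3 brief or the FBI notice.
SAMPLE_LOG = """\
2021-06-14T02:11:07Z auth status=success user=jsmith src=203.0.113.45 service=vpn
2021-06-14T02:11:44Z auth status=success user=jsmith src=198.51.100.9 service=vpn
2021-06-14T03:02:10Z auth status=failure user=bms.admin src=198.51.100.9 service=bms-portal
2021-06-14T03:02:31Z auth status=success user=bms.admin src=198.51.100.9 service=bms-portal
2021-06-14T08:15:00Z auth status=success user=mlee src=10.20.30.40 service=vpn
"""

# Constructed watchlist: ranges the SOC has been told (for example by a law-enforcement
# notice) to treat as hostile. Documentation-range addresses are used here.
WATCHLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed: the organization's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed: accounts holding administrative rights on environmental-control systems.
PRIVILEGED_ACCOUNTS = {"bms.admin"}
# A success that follows a failure for the same (user, source) inside this window is suspicious.
FAILURE_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth status=(?P<status>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) service=(?P<service>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in networks)


def analyze(log_text):
    """Return one alert dict per (successful login, matching rule) pair, in log order."""
    alerts = []
    last_failure = {}  # (user, src) -> timestamp of the most recent failed attempt
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["status"] != "success":
            last_failure[key] = ev["ts"]
            continue

        base = {"user": ev["user"], "src": str(ev["src"]),
                "service": ev["service"], "ts": ev["ts"].isoformat()}

        # Rule 1: a successful login from an address on the watchlist.
        if in_any(ev["src"], WATCHLIST):
            alerts.append({"rule": "login_from_watchlisted_ip", **base})
        # Rule 2: a privileged account used from outside the internal ranges.
        if ev["user"] in PRIVILEGED_ACCOUNTS and not in_any(ev["src"], INTERNAL_NETS):
            alerts.append({"rule": "privileged_login_from_external", **base})
        # Rule 3: success shortly after a failure from the same source (guessing that worked).
        prev = last_failure.pop(key, None)
        if prev is not None and ev["ts"] - prev <= FAILURE_WINDOW:
            alerts.append({"rule": "success_after_failure", **base})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'{a["ts"]} {a["rule"]:32} user={a["user"]} src={a["src"]} service={a["service"]}')
```

On the constructed sample, the first `jsmith` login from 203.0.113.45 raises nothing (external but not watchlisted, and not a privileged account), while the `bms.admin` login from 198.51.100.9 trips all three rules: a watchlisted source, a privileged account reached from outside the internal ranges, and a success 21 seconds after a failure. In practice the watchlist would be fed from a threat-intelligence source and the privileged-account set from the same audit of administrative accounts the brief recommends.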

About the Author

Janette Wider

Managing Editor

Janette Wider is Managing Editor of Healthcare Innovation, covering health IT and strategy. She has been covering health IT developments for the publication’s CIO- and CIMO-based audience and has taken a particular interest in cybersecurity, ransomware, telehealth, and policy and payment. 