Federal government warns of Iranian threats to health sector
Tehran hackers are using social engineering to bridge the sophistication gap
Marianne Kolbasuk McGee (HealthInfoSec)
November 8, 2022
Be on the lookout for Iranian threat actors disguised as doctors, think tank researchers or journalists, the federal government warns the health sector.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) said in a threat briefing on Thursday that Tehran-backed hackers often rely on social engineering to penetrate targets such as hospitals.
A recent incident involved a campaign by a threat group dubbed Tortoiseshell that used Facebook accounts posing as recruiters in medicine, journalism and other industries. US and European targets received malware-infected files or were tricked into entering sensitive credentials on phishing sites (see: Facebook disrupts Iran’s APT campaign).
“Iranian state-sponsored actors often invest heavily in the social engineering layers of their attacks,” says Paul Prudhomme, former threat analyst at the Department of Defense and head of threat intelligence consulting at Rapid7.
“Iranian actors may have less sophisticated technical capabilities than their counterparts in other countries, but compensate for them with more elaborate and potentially more persuasive social engineering schemes.”
Prudhomme says Iranian actors sometimes go to extra lengths to make their social engineering personas more believable, such as creating additional social media accounts or other pieces of an internet footprint for them beyond the one used in the attack, hoping the persona will withstand scrutiny. “A common form of Iranian social engineering is to use a fake LinkedIn account to target social engineers with the lure of job opportunities in their respective fields,” he says.
In one example highlighted by HC3, an Iranian hacker impersonated the director of research at the Foreign Policy Research Institute. The attacker lent the phishing email credibility by copying in another director at the Pew Research Center – using an email address that actually forwarded to the attacker.
The emphasis on social engineering does not rule out direct attacks. An infamous example is a foiled attack on Boston Children’s Hospital last year – foiled only because US authorities received intelligence of the impending assault and alerted the hospital, as FBI Director Christopher Wray reported in June (see: FBI: Hospital avoided ‘despicable’ Iranian cyberattack).
The hackers exploited a Fortigate device to gain access to the hospital’s environmental control networks. They accessed accounts of known users at the hospital from an IP address that the FBI associates with the Iranian government.
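The Boston Children’s Hospital case above turns on a single detection signal: a successful login by a known user from an IP address that an outside source (here, the FBI) attributes to a hostile government. The following script is an added illustration of that check, not code from the article or from any of the organizations it quotes. It matches authentication events against an indicator list and raises an alert only for successful logins, since a success from an attributed address means a valid credential is already in the adversary’s hands. The log format, the indicator addresses (taken from RFC 5737 documentation ranges) and the usernames are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list using documentation-only address space.
# These are placeholders, NOT real indicators from the article or any advisory.
INDICATORS = [
    "192.0.2.0/24",      # stands in for an attributed network block
    "198.51.100.77",     # stands in for a single attributed host
]

# Constructed authentication log lines in a hypothetical VPN/firewall format
# (not an actual vendor log schema).
SAMPLE_LOG = """\
2022-11-03T02:14:07Z vpn auth-success user=jsmith src=192.0.2.45 method=password
2022-11-03T02:14:31Z vpn auth-success user=jsmith src=10.20.30.40 method=password
2022-11-03T02:15:02Z vpn auth-failure user=admin src=198.51.100.77 method=password
2022-11-03T02:15:09Z vpn auth-success user=bchen src=198.51.100.77 method=password
2022-11-03T02:16:44Z vpn auth-success user=kpatel src=203.0.113.9 method=password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn (?P<event>auth-success|auth-failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    indicator: str


def compile_indicators(entries):
    """Turn a mixed list of single IPs and CIDR blocks into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_indicator(src, networks):
    """Return the first indicator network containing src as a string, or None."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None  # malformed source field: never treat garbage as a match
    for net in networks:
        if addr in net:
            return str(net)
    return None


def find_indicator_logins(log_text, indicators=INDICATORS):
    """Return an Alert for every successful login whose source IP hits an indicator.

    Failed attempts are deliberately skipped: they belong in a separate,
    lower-priority brute-force view, whereas a success from an attributed
    address is an active intrusion and should page someone.
    """
    networks = compile_indicators(indicators)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "auth-success":
            continue
        hit = match_indicator(m["src"], networks)
        if hit:
            alerts.append(Alert(m["ts"], m["user"], m["src"], hit))
    return alerts


if __name__ == "__main__":
    for a in find_indicator_logins(SAMPLE_LOG):
        print(f"{a.ts} user={a.user} src={a.src} matched={a.indicator}")
```

Run against the sample, the script flags two events: jsmith’s login from inside the attributed block and bchen’s login from the attributed host; jsmith’s later login from the internal range and the failed admin attempt are not alerted. In practice the indicator list would be loaded from a threat-intelligence feed and the match would be joined with the user’s normal login geography before paging.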
Adam Meyers, vice president of intelligence at security firm CrowdStrike, told Information Security Media Group that attacks by Iranian threat actors targeting organizations in the health sector tend to be “more disruptive operations” than attacks by some other nation-state-backed hackers, such as those from China.
Often, Iran-related attacks involve “lock-and-leaks,” in which threat actors deploy ransomware and then leak data primarily to discredit the organization, he says. These attacks are sometimes supported by the Iranian government or carried out by Iranian cybercriminal gangs, he says. China’s nation-state attacks on the health sector have often been less disruptive, focusing on intellectual property theft involving medical devices, pharmaceuticals and other innovations.
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center (Health-ISAC), says Iran has an offensive cyber capability and its threat actors have demonstrated effective DDoS, destructive wiper and other cyberattacks.
“This is a group of threat actors that Health-ISAC pays attention to, and we are working with multiple partners to stay abreast of threats, motivations, and methods of attack so that we are better prepared and more resilient as a sector in case healthcare is targeted.”
In September, the US government sanctioned Iran’s Ministry of Intelligence and Security and its minister for a cyberattack in July that temporarily crippled Albania’s online services portal for citizens (see: US sanctions Iranian ghosts for cyberattack in Albania).
Meyers says he suspects the HHS HC3 advisory is intended to draw the health sector’s attention to Iranian threats in part because of this attack on Albania.