CISA issues alert for Iran-sponsored hacker group targeting healthcare

The bad actors are exploiting known vulnerabilities in Microsoft Exchange and Fortinet, the agency said.
By Kat Jercich
12:27 PM

The U.S. Cybersecurity and Infrastructure Agency issued an alert this week highlighting malicious activity from an advanced persistent threat group associated with the government of Iran.

The bad actors are targeting a broad range of victims across multiple critical infrastructure sectors – including healthcare – by taking advantage of Microsoft Exchange and Fortinet vulnerabilities, according to the joint advisory.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," said CISA officials in the alert.  

WHY IT MATTERS

Although Russia-linked hacking organizations often make headlines, groups from other nation-states have been gaining in prominence and infamy. 

According to the CISA alert, which resulted from analyses among the FBI, the Australian Cyber Security Centre and the United Kingdom’s National Cyber Security Centre, these particular threat actors are focused on exploiting known vulnerabilities.  

"These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware and extortion," observed the agency.

In June 2021, for example, the actors exploited a Fortigate appliance to access environmental control networks associated with a children's hospital in the United States.  

The agency advised that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks, along with:  

  • Patching and updating systems – especially software affected by vulnerabilities CVE-2021-34473, 2018-13379, 2020-12812 and 2019-5591.
  • Evaluating and updating block lists and allow lists.
  • Implementing and enforcing backup and restoration policies and procedures.
  • Implementing network segmentation.
  • Securing user accounts.
  • Implementing multi-factor authentication.
  • Using strong passwords.
  • Securing and mentoring potentially risky services.
  • Using antivirus programs.
  • Securing remote access.
  • Reducing phishing risks. 

"This is another sobering example of the threat from nation-state actors and why traditional approaches to cybersecurity must be re-examined," said Mike Wiacek, CEO and cofounder of Stairwell, in a statement to Healthcare IT News.  

"No single party, whether it is a company or a country, can solve problems of this magnitude on their own," Wiacek added. "Fragmented viewpoints only benefit bad actors, so working together and sharing information and intelligence is absolutely critical."  

THE LARGER TREND

Just this week, cyber expert Errol Weiss spoke with Healthcare IT News about the threat posed to critical infrastructure by nation-state actors, including those affiliated with Iran.

"Right or wrong: We've been spying on each other for years, we're going to continue to do it. The internet's an enabling way to do that," Weiss said.

Meanwhile, the U.S. federal government has continued to raise the alarm about threat actors, including Conti, Hive and Blackmatter.

ON THE RECORD  

"Cyber warfare continues to make the headlines as nations seek strategic advantage in cyberspace," observed Rick McElroy, principal cybersecurity strategist at VMWare, in a statement. "The vulnerabilities in use have actually been known for a while and the reconnaissance phase of this attack seems to go back to March.  

"To better ensure these types of attacks fail, organizations must make certain that they can patch both network devices and systems," he added. "Ensuring you have visibility into both network and endpoint traffic is critical to detecting these threats in real time."

 

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.