Credential Harvesting Mitigations and Warning Against Volt Typhoon Threat

Credential Harvesting Mitigations Shared by HHS

The Health Sector Cybersecurity Coordination Center (HC3) has published a healthcare and public health (HPH) sector advisory concerning credential harvesting, a common tactic employed in cyberattacks on the HPH sector by hackers.

Although different secure ways of validating individuals and managing access to accounts and data resources are available, credentials like usernames, passwords, and personal information are frequently used. Credentials give access to web-based accounts, email systems, patient data, and network resources. When credentials are obtained, hackers will get access to the user’s privileges and control the network.

Credential harvesting or stealing credentials can cause data breaches. But it’s often just the first move in a much larger attack. When a hacker gains access to someone’s credentials, he can use them to access other accounts, change their privileges, exploit vulnerabilities in the company’s systems, deploy malware, move around within the network, interrupt important functions, and cause system downtime. This disruption in healthcare services can affect patient care.

Credential harvesting is normally connected with phishing, though credentials can be acquired utilizing the following various methods :

  • Phishing: The use of misleading messages to trick users into sharing their login credentials, usually on attacker-managed websites
  • Keylogging: Malware that records keystrokes as they are entered by users, including usernames and passwords.
  • Brute Force Attacks: Automatic attempts employing many combos of usernames and frequently used passwords until the right combination is determined.
  • Person-in-the-Middle (PITM) Attacks: The interception of two parties’ conversations, recording sign-in information shared during the validation process.
  • Credential Stuffing: Using credentials gathered in one data breach to access accounts on other platforms/systems where similar username/password information has been utilized.

Because there are many ways that credentials may be harvested, there is no single mitigation that can safeguard against this strategy. Healthcare organizations must be proactive and carry out various mitigations to minimize risk and stay compliant with HIPAA law. Multi-factor authentication (MFA) is one important safety measure as it provides an additional layer of authentication. In case credentials are breached, without the extra authentication, account access will not be allowed. Phishing-resistant MFA offers the highest level of security.

Many credential harvesting attacks utilize email for initial contact with end users. Email filtering applications such as spam filters will block most of these messages and stop them from reaching end users; nevertheless, even the most innovative email security program won’t prevent all malicious messages. Employee security training and awareness are consequently essential. Members of the workforce (including the CEO) must be taught regarding phishing and other means of credential harvesting and be taught cybersecurity guidelines.

Monitoring and detection programs ought to be utilized to discover suspicious access attempts and suspicious user activities. Endpoint security applications can secure against malware including keyloggers. Systems need to be kept up to date to stop the exploitation of vulnerabilities. Organizations must make sure they have incident response plans to reduce the damage created should an attack be successful.

This is HC3’s second sector warning issued this March on strategies employed by malicious actors in cyberattacks on the HPH sector. The previous alert addresses email bombing, which is utilized for denial of service attacks.

Five Eyes Agencies Warns Critical Infrastructure Against Volt Typhoon Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and other U.S. and global partners have published a joint alert warning critical infrastructure entities against the peril of attacks conducted by Chinese state-sponsored actors. The warning comes after a February 2024 cybersecurity notification concerning an innovative persistent threat group called Volt Typhoon. It was found that it installed itself in the networks of many critical infrastructure entities, such as energy, transportation, communications, and water and wastewater systems. The intrusions are considered to be strategic, with the threat actors keeping persistent access to possibly disturb or destroy critical services with greater geopolitical tension or military clashes.

Volt Typhoon utilizes living-of-the-land strategies rather than malware to maintain access to breached networks and perform its activities to elude detection. The magnitude of the compromises has yet to be determined but they may be extensive. Many critical infrastructure entities have experienced breached systems and are working on getting rid of threat actors from those systems.

The fact sheet gives guidance to leaders of critical infrastructure entities to help them prioritize the safety of critical infrastructure and capabilities. The issuing organizations want leaders to realize cyber risk as a primary business threat, which is important for good governance and national protection. Leaders need to enable cybersecurity teams to make decisions to better find and protect against Volt Typhoon attacks and malicious cyber activities, for example carrying out cybersecurity performance objectives. Cybersecurity teams must also be strengthened to efficiently apply detection and hardening recommendations, the personnel ought to receive constant cybersecurity training and skill improvement, and companies need to create and test extensive information security programs and drive a cybersecurity culture in their organization.

Leaders have also been informed to protect their supply chains by creating strong vendor risk management procedures, performing required research, choosing vendors that stick to secure-by-design principles, making sure vendors have patching plans, and restricting usage of any product that breaks the principle of least privilege.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at