Healthcare Sector Warned About Cyberattacks by Iranian State-Sponsored Threat Actors

The federal government has issued an alert to the healthcare industry about the threat of cyberattacks by Iranian state-sponsored threat actors. These actors lack the advanced technical capabilities of Chinese or Russian groups, yet they still pose a considerable threat to the sector. They rely primarily on social engineering to gain access to healthcare systems and are known to run sophisticated spear-phishing campaigns.

In these spear-phishing campaigns the threat actors use healthcare-themed lures together with fake personas and social media accounts to engage their targets. They typically impersonate doctors, think tanks, and researchers to trick targets into revealing their credentials or installing malware. In the Tortoiseshell campaign on Facebook, the threat actors posed as recruiters in medicine, hospitality, journalism, aviation, and NGOs, and used fake accounts to lure targets into opening malware-laced files or visiting phishing URLs that harvested information. The threat actors also make heavy use of LinkedIn to contact targets and send bogus job offers to persons of interest. Well-known services such as Google, Yahoo, and Microsoft are likewise impersonated to steal data.

One well-known campaign impersonated the Director of Research at the Foreign Policy Research Institute (FPRI), with the Pew Research Center's Director of Global Attitudes Research CC'd on the email. The emails asked for feedback on an article about Iraq's position in the world. Spear-phishing emails of this kind are realistic and persuasive, and may run to several messages that keep the target in conversation and build trust before the target is tricked into downloading malware or revealing credentials. The threat actors invest substantial time and effort in realistic social media profiles and web footprints so that the campaign appears legitimate and withstands attempts to verify the credibility of the account and the request.
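The impersonation patterns described above (a display name borrowing a trusted institution's name, replies steered to an unrelated mailbox, and links to lookalike Google/Yahoo/Microsoft hosts) can be checked mechanically at the mail gateway. The following is an added example for this article, not code from the advisory or from any vendor; the organisation-to-domain map, the sample messages and their domains are constructed placeholders, and a real deployment would maintain that map from verified sources.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed allow-list (hypothetical values): organisation names a display name
# might borrow, mapped to the domains that organisation really sends from.
KNOWN_ORGS = {
    "example research institute": {"example-institute.org"},
    "example hospital": {"example-hospital.org"},
}

# Brands the advisory says are impersonated. A link host that contains the brand
# word but is not under the brand's own domain is treated as a lookalike.
BRAND_DOMAINS = {
    "google": "google.com",
    "yahoo": "yahoo.com",
    "microsoft": "microsoft.com",
}

URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = host.lower().split(":")[0]
    return host == domain or host.endswith("." + domain)


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself for single-part mail
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)

    # 1. Display name claims an organisation the sender domain does not belong to.
    for org, domains in KNOWN_ORGS.items():
        if org in name.lower() and not any(_under(from_dom, d) for d in domains):
            findings.append(f"display name claims '{org}' but sender domain is {from_dom}")

    # 2. Reply-To steers the conversation to a different domain than From.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if _domain(reply) and _domain(reply) != from_dom:
            findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    # 3. Links whose host name-drops a brand but sits outside the brand's domain.
    for host in URL_RE.findall(_body_text(msg)):
        for brand, real in BRAND_DOMAINS.items():
            if brand in host.lower() and not _under(host, real):
                findings.append(f"lookalike link host {host} (impersonates {real})")

    return findings


# Constructed sample messages (hypothetical senders and hosts, not real indicators).
PHISH_SAMPLE = """From: "Example Research Institute - Director of Research" <director@example-institute-mail.net>
Reply-To: research.feedback@webmail.example
To: clinician@example-hospital.org
Subject: Feedback requested on draft article
Content-Type: text/plain; charset=utf-8

Dear colleague,
Could you review the draft at http://microsoft-docs-share.example/draft.docx and reply with comments?
"""

BENIGN_SAMPLE = """From: "Example Research Institute" <editor@example-institute.org>
To: clinician@example-hospital.org
Subject: Newsletter
Content-Type: text/plain; charset=utf-8

Read this month's update at https://www.example-institute.org/news
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze_message(raw))
```

The three checks are deliberately independent so a message that trips only one of them is still surfaced for review; in practice each finding would feed a score alongside SPF/DKIM/DMARC results rather than block mail on its own.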

The Iranian state-sponsored hacking group Pioneer Kitten (also known as UNC757, Fox Kitten, and Parisite) is known to exploit vulnerabilities in VPNs and other network appliances, for example CVE-2020-5902 (BIG-IP), CVE-2019-11510 (Pulse Connect Secure), and CVE-2019-19781 (Citrix). Other vulnerabilities exploited for initial access include Microsoft Exchange ProxyShell and other Exchange vulnerabilities, the Log4j vulnerabilities, and Fortinet FortiOS vulnerabilities. In one thwarted attack, a vulnerability in a FortiGate appliance was exploited in an attempt to gain access to the environmental control systems of a children's hospital in the U.S.

Iranian threat actors conduct attacks to obtain sensitive personally identifiable information (PII), but their attacks tend to be more destructive than those of other state-sponsored hacking groups. Iran frequently uses cyberattacks to strike its adversaries in retaliation for sanctions while reducing the risk of retaliation against itself. Past attacks have included website defacements, DDoS attacks intended to damage reputations, and the country is well known for deploying wiper malware. Once inside a network, the threat actors move laterally and install a PowerShell backdoor known as POWERSTATS for persistence.

Building resilience against these attacks requires an emphasis on the following anti-phishing and hardening measures:

  • Deploy a strong email security solution, multi-factor authentication, and engaging end-user training.
  • Give employees regular training on how to identify and report social engineering and phishing attacks.
  • Review all internet-facing systems.
  • Patch vulnerabilities immediately.
  • Segment systems to limit the threat actors' ability to move laterally.
  • Regularly audit user accounts, particularly those with administrative privileges.
  • Enforce strong passwords to improve defense against brute-force attacks.
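Two of the items above (review and patch internet-facing systems; audit accounts with administrative privileges) lend themselves to a recurring automated check. The following is an added example written for this article, not code from the advisory or from HHS; the asset and account inventories are constructed samples with hypothetical hostnames and usernames, the 90-day staleness threshold and fixed reference date are assumptions, and the CVE watchlist is the set of identifiers named in the text.

```python
from datetime import date

# CVEs the advisory names as used for initial access against VPN and other appliances.
ADVISORY_CVES = {"CVE-2020-5902", "CVE-2019-11510", "CVE-2019-19781"}

STALE_DAYS = 90              # assumption: accounts idle this long are flagged
TODAY = date(2022, 11, 1)    # fixed reference date so the example is deterministic

# Constructed sample inventory (hypothetical hosts, not real data).
ASSETS = [
    {"host": "vpn1.example-hospital.org", "internet_facing": True,
     "product": "Pulse Connect Secure", "open_cves": {"CVE-2019-11510"}},
    {"host": "lb1.example-hospital.org", "internet_facing": True,
     "product": "BIG-IP", "open_cves": set()},
    {"host": "citrix-gw.example-hospital.org", "internet_facing": False,
     "product": "Citrix", "open_cves": {"CVE-2019-19781"}},
]

# Constructed sample accounts (hypothetical users, not real data).
ACCOUNTS = [
    {"user": "j.roe", "admin": True, "mfa": True, "last_login": date(2022, 10, 28)},
    {"user": "svc-backup", "admin": True, "mfa": False, "last_login": date(2022, 10, 30)},
    {"user": "old-contractor", "admin": False, "mfa": False, "last_login": date(2022, 5, 1)},
    {"user": "nurse.kim", "admin": False, "mfa": True, "last_login": date(2022, 10, 31)},
]

SEVERITY_ORDER = {"critical": 0, "high": 1}


def audit_assets(assets, watchlist=ADVISORY_CVES):
    """Flag assets with an outstanding CVE from the watchlist.

    Internet-facing assets are rated critical because the advisory describes these
    CVEs being exploited for initial access; internal ones are rated high.
    """
    findings = []
    for asset in assets:
        hits = asset["open_cves"] & watchlist
        if hits:
            severity = "critical" if asset["internet_facing"] else "high"
            findings.append((severity, asset["host"], "unpatched " + ", ".join(sorted(hits))))
    return findings


def audit_accounts(accounts, today=TODAY, stale_days=STALE_DAYS):
    """Flag privileged accounts without MFA and accounts that have gone stale."""
    findings = []
    for acct in accounts:
        if acct["admin"] and not acct["mfa"]:
            findings.append(("critical", acct["user"], "admin account without MFA"))
        idle = (today - acct["last_login"]).days
        if idle > stale_days:
            findings.append(("high", acct["user"], f"no login in {idle} days"))
    return findings


def run_audit(assets=ASSETS, accounts=ACCOUNTS):
    """Combine both audits, most severe findings first."""
    findings = audit_assets(assets) + audit_accounts(accounts)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, subject, detail in run_audit():
        print(f"{severity:8} {subject:32} {detail}")
```

In production the two inventories would come from the vulnerability scanner and the directory service respectively; keeping the checks as pure functions over plain records makes the same logic easy to run against either source and to unit-test.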

The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center recommends additional mitigations in its threat brief.