Be on the lookout for Iranian threat actors clothed as doctors, think tank researchers or reporters, the federal government warns the healthcare sector.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center in a Thursday threat briefing says Tehran-backed hackers often rely on social engineering to penetrate targets that include hospitals.
One recent incident involved a campaign by a threat group dubbed Tortoiseshell involving Facebook accounts posing as recruiters for medicine, journalism and other industries. American and European targets received malware-infected files or were enticed into entering sensitive credentials on phishing sites (see: Facebook Disrupts Iranian APT Campaign).
“Iranian state-sponsored actors often invest heavily in the social engineering layers of their attacks,” says Paul Prudhomme, a former Department of Defense threat analyst who is head of threat intelligence advisory at Rapid7.
“Iranian actors may have less sophisticated technical capabilities than their counterparts in other countries but compensate for it with more elaborate and potentially more persuasive social engineering schemes.”
Prudhomme says Iranian actors sometimes go to greater lengths to make their social engineering personae more credible, such as by creating additional social media accounts or other elements of an internet footprint for them beyond the one used in the attack, in the hopes of withstanding scrutiny. “A common form of Iranian social engineering is to use a fake LinkedIn account to social-engineer targets with the lure of job opportunities in their respective fields,” he says.
In one example highlighted by HC3, an Iranian hacker masqueraded as the director of research at the Foreign Policy Research Institute. Lending credibility to the phishing email was the attacker’s decision to copy another director at the Pew Research Center – an email address that actually led back to the attacker.
The emphasis on social engineering doesn’t rule out mounting direct attacks. One infamous example was a thwarted attack on Boston Children’s Hospital last year – thwarted only because U.S. authorities received intelligence about the pending assault and alerted the hospital, as FBI Director Christopher Wray said in June (see: FBI: Hospital Averted ‘Despicable’ Iranian Cyberattack) .
The hackers exploited a Fortigate appliance to access the hospital’s environmental control networks. They accessed known user accounts at the hospital from an IP address that the FBI associates with the Iranian government.
Adam Meyers, vice president of intelligence at security firm CrowdStrike, tells Information Security Media Group that attacks by Iranian threat actors targeting healthcare sector organizations tend to be “more disruptive operations” than attacks by some other nation-state-backed hackers, such as China.
Often attacks linked to Iran involve “lock and leak,” in which threat actors unleash ransomware and then leak data primarily to discredit the organization, he says. Those attacks are sometimes backed by the Iranian government or conducted by Iranian cybercrime gangs, he says. Nation-state attacks by China on the healthcare sector have often been less disruptive, focusing on intellectual property theft for medical devices, pharmaceuticals and other innovations.
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, says Iran has offensive cyber capability, and threat actors are demonstrating effective DDoS and destructive wiper and other cyberattacks.
“They are a threat actor group that Health-ISAC pays attention to, and we work with several partners to stay current on threats, motivations and attack methods so we’re better prepared and more resilient as a sector in case healthcare is targeted.”
In September, the U.S. government sanctioned Iran’s Ministry of Intelligence and Security and its minister for a July cyberattack that temporarily paralyzed Albania’s online service portal for citizens (see: U.S. Sanctions Iranian Spooks For Albania Cyberattack).
Meyers says he suspects the HHS HC3 advisory aims to heighten the healthcare sector’s attention on Iranian threats in part due to that attack on Albania.