Iranian Cyber Actors Facilitate Ransomware Attacks on US Organizations

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center today issued a joint advisory warning that Iran-based cyber actors are exploiting unauthorized network access to U.S. organizations, including healthcare organizations, to facilitate, execute, and profit from subsequent ransomware attacks by apparently Russian-affiliated ransomware gangs. The Iranian group, which is associated with the Iranian government, has conducted numerous cyberattack attempts against U.S. organizations since 2017 and as recently as August 2024. Based on an FBI assessment, the actors first gain network access for espionage purposes and then collaborate with ransomware groups, including the notorious Russian-linked groups RansomHub and ALPHV, also known as BlackCat, to launch ransomware attacks against the espionage target. BlackCat was responsible for the 2024 Change Healthcare ransomware attack, the largest and most consequential cyberattack in U.S. history. The advisory does not indicate whether Iranian actors played a role in the Change Healthcare attack, but it does state that the Iranian group’s ransomware activities are likely not sanctioned by the Iranian government.

The joint advisory provides tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) derived from FBI investigations and third-party reporting. The federal agencies urge organizations to implement the recommendations in the mitigations section of the advisory to reduce the likelihood of compromise by these Iran-based cyber actors and by other ransomware operators.

“This alert demonstrates the close ‘international collaboration’ among hackers to exploit cyberespionage campaigns for criminal gain,” said John Riggi, AHA national advisor for cybersecurity and risk. “This alert also demonstrates the national-level sophistication and expertise of the ransomware groups targeting the U.S. healthcare system. No healthcare organization, regardless of their cybersecurity preparedness, can be expected to fully defend against a group of nation-state-trained hackers working in concert with sophisticated ransomware gangs. It is clear that the initial access leading to a subsequent ransomware attack, sanctioned or not, is state-sponsored. We strongly encourage the U.S. government to treat these attacks as national security threats, through policy and action, and impose significant risks and consequences on our cyber adversaries. Offense is the best defense.”

While there is no specific threat information at this time, the field is reminded to remain extra vigilant over the long weekend, as we have seen healthcare services come under increased attack during the holidays in the past.


WHAT YOU CAN DO

  • Share this advisory with your IT and cyber infrastructure teams.
  • Implement the voluntary, consensus-based cybersecurity performance goals for the healthcare sector.
  • Review Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
  • Regularly update software and operating systems to patch known vulnerabilities.
  • Implement strong email security measures to prevent phishing attacks.
  • Limit access rights for accounts within the organization to what each role requires (least privilege).
  • Protect against threats with a combination of antivirus, anti-malware and firewall solutions.
  • Back up data regularly and ensure backups are isolated from the production network and immutable.
  • Conduct cybersecurity awareness training for employees so they can recognize and report suspicious activity, such as phishing attempts.
  • Monitor networks for suspicious activity and maintain a tested incident response plan.
  • Develop and implement a business continuity plan to ensure minimal operational disruption in the event of a ransomware incident.

More information about these mitigation strategies can be found on the Cybersecurity and Infrastructure Security Agency’s #StopRansomware page.

FURTHER QUESTIONS

If you have any questions, please contact John Riggi, AHA’s national advisor for cybersecurity and risk, at [email protected]. For the latest cyber threat intelligence and resources, visit www.aha.org/cybersecurity.
