Agencies warn health sector of Iranian and Russian cyber threats

The FBI, Cybersecurity and Infrastructure Agency, and the Department of Defense Cyber Crime Center issued a joint advisory on August 29 warning of Iran-based cyber actors abusing unauthorized network access to U.S. organizations, including healthcare organizations, to facilitate, execute, and profit from future ransomware attacks by apparently Russian-affiliated ransomware gangs. The Iranian group, which is associated with the Iranian government, has conducted numerous cyberattack attempts against U.S. organizations since 2017 and as recently as August 2024. Based on an FBI assessment, the cyber actors gain network access for espionage purposes and then work with ransomware groups, including the notorious Russian-linked ransomware groups RansomHub and ALPHV, also known as BlackCat, to launch ransomware attacks against the espionage target. BlackCat was responsible for the 2024 Change Healthcare ransomware attack, the largest and most consequential cyberattack in U.S. history. The advisory does not indicate whether Iranian actors played a role in the Change Healthcare attack. However, it does state that the Iranian group’s ransomware activities are unlikely to be sanctioned by the Iranian government.

The joint advisory provides tactics, techniques, procedures, and indicators of compromise derived from FBI investigations and third-party reporting. The federal agencies urge organizations to implement the recommendations in the mitigation section of the advisory to reduce the likelihood of compromise by these Iran-based cyber actors and other ransomware attacks.

“This alert demonstrates the close ‘international collaboration’ among hackers to exploit cyberespionage campaigns for criminal gain,” said John Riggi, AHA national advisor for cybersecurity and risk. “This alert also demonstrates the national-level sophistication and expertise of the ransomware groups targeting the U.S. healthcare system. No healthcare organization, regardless of their cybersecurity preparedness, can be expected to fully defend against a group of nation-state-trained hackers working in concert with sophisticated ransomware gangs. It is clear that the initial access leading to a subsequent ransomware attack, sanctioned or not, is state-sponsored. We strongly encourage the U.S. government to treat these attacks as national security threats, through policy and action, and impose significant risks and consequences on our cyber adversaries. Offense is the best defense.”

While there is no specific threat information at this time, the field is reminded to remain extra vigilant over the long weekend, as we have seen healthcare services come under increased attack during the holidays in the past.

For more information on these or other cyber and risk issues, contact Riggi at [email protected]. For the latest cyber threat intelligence and resources, visit aha.org/cybersecurity.
