HAP's Latest News

Another Cybersecurity Threat Poses Risk to Health Care

September 06, 2024

The federal government is warning health care and other sectors about an emerging, Iran-based ransomware threat.

Last month, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) released a joint advisory about a group of cyber actors known in the private sector as Pioneer Kitten, UNC757, Parisite, Rubidium, and Lemon Sandstorm.

“The FBI assesses a significant percentage of these threat actors’ operations against U.S. organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware,” the advisory notes.

Here’s what you need to know:

  • About the threat:  The groups appear to be targeting and exploiting U.S. and foreign organizations across multiple sectors. They seek to collaborate with ransomware affiliate actors to deploy ransomware.
  • Collaboration concerns:  The joint advisory notes these groups appear to be working with known ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.
    • The ransomware affiliates include NoEscape, Ransomhouse, and ALPHV (BlackCat).
    • The advisory has similarities to a previous alert from 2020 that focused on Iran-based threat actors.
  • What they do:  The actors use remote external services on Internet-facing assets to gain initial access to victim networks and exploit vulnerabilities.
  • What you can do:  The advisory notes that organizations should review available logs for IP addresses; patch and update networks; and check systems for unique identifiers and outbound web requests.
    • Validate your security controls by exercising and testing your organization's security program against these threat behaviors.
  • Action steps:  If you have been targeted or compromised by the Iranian cyber actors, contact your local FBI field office and report the incident.

The full advisory is available online. The federal government also released another advisory this week about Russian military cyber actors that are targeting U.S. and global critical infrastructure.

For additional information about health care cybersecurity, contact Jason Tomashunas, MS, CHEP, HAP manager, emergency management. 

