The U.S. Department of Homeland Security issued a bulletin of the National Terrorism Advisory System on Sunday, as a result of the ongoing conflict with Iran.
The alert – aimed at critical sectors, including healthcare – details how pro-Iranian hacktivists and state-sponsored threat actors use malware to obtain access to networks and devices, including firewalls, internet of things (IoT) devices and operational platforms.
WHY IT MATTERS
After the Iranian government publicly condemned direct U.S. involvement in the conflict and vowed retaliation for American airstrikes over the weekend, DHS said in the new threat advisory that anti-Israel sentiment and the ongoing Israel-Iran conflict could contribute to U.S. attacks by hacktivists and Iranian government-affiliated actors.
These threat actors “routinely target poorly secured U.S. networks and internet-connected devices for disruptive cyberattacks,” according to the new DHS summary of the threat.
“Low-level cyberattacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks,” DHS said.
As of publication, the bulletin is in effect until Sept. 22.
Jen Easterly, former Cybersecurity and Infrastructure Security Agency director, advised organizations to “patch every internet-facing asset,” in a list of actions in a social media post on Sunday.
THE LARGER TREND
In October, the American Hospital Association warned of Iranian cyber actors compromising healthcare infrastructure.
After gaining initial access to a system, they sell access to other threat actors, who wage more sophisticated attacks, including ransomware, Scott Gee, AHA deputy national advisor for cybersecurity and risk, said in the organization’s announcement.
“Hospitals should require the use of unique, complex passwords, which are changed regularly, and employ phishing-resistant multi-factor authentication to help defend against these attacks,” Gee said.
He stressed that organizations should implement the Department of Health and Human Services’ voluntary Cybersecurity Performance Goals as “the best first line of defense” against threat actors gaining initial access.
Then in December, CISA updated its advisory to all critical sectors urging action to address all operational technologies connected insecurely to the internet after observing the tactics of Iran’s Islamic Revolutionary Guard-affiliated group CyberAv3ngers.
CISA, the FBI, National Security Agency, Environmental Protection Agency, Israel National Cyber Directorate, Canadian Centre for Cyber Security and the United Kingdom’s National Cyber Security Centre updated their 2023 advisory about the threat.
The authoring agencies observed the threat actors supplanting existing ladder logic files with their own, renaming devices, resetting software versions to older versions, disabling upload and download functions, and changing default port numbers.
“With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber-physical effects on processes and equipment,” they said in the alert.
CyberAv3ngers have been active since 2020, according to MITRE, a not-for-profit organization that operates federally funded research and development centers.
In 2023, CyberAv3ngers were believed to be responsible for a series of attacks on U.S. water and wastewater facilities that targeted programmable logic controllers with malware called IOCONTROL, as part of a wider cyber campaign against Israel and Israeli-made technology, the organization said in its assessment of the group’s tactics, techniques and procedures.
After compromising Israeli-made Unitronics Vision Series PLCs and human machine interfaces, CISA said the threat actors left a message:
“You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers’ legal target.”
Through its Rewards for Justice program, the U.S. government is offering a bounty of up to $10 million for information leading to the identification or location of CyberAv3ngers threat actors.
Of note is that Teltonika, a vendor of telemedicine and remote patient monitoring devices for detecting cardiovascular disease, is named in the reward announcement.
ON THE RECORD
“The conflict could also motivate violent extremists and hate crime perpetrators seeking to attack targets perceived to be Jewish, pro-Israel or linked to the U.S. government or military in the homeland,” DHS said in the bulletin.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.