
CISA Alerts Healthcare Groups about Iran Sponsored Hacker Group

This week, the United States Cybersecurity and Infrastructure Security Agency (CISA) published an alert detailing malicious activity by an advanced persistent threat (APT) group linked to Iran’s government. According to the joint advisory, the actors exploit Microsoft Exchange and Fortinet vulnerabilities to target a wide variety of victims across numerous critical infrastructure sectors, including healthcare.

Since at least March 2021, the FBI and CISA have observed an Iranian government-sponsored APT group exploit Fortinet vulnerabilities and a Microsoft Exchange ProxyShell vulnerability to gain initial access to systems in preparation for follow-on operations.

Although hacking groups tied to Russia frequently make the news, groups linked to other countries have grown in notoriety. These threat actors are focused on exploiting known vulnerabilities, according to the CISA advisory, which was based on analyses by the FBI, the Australian Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre. The Iranian government-sponsored APT attackers can use this access to carry out additional operations, including data exfiltration or encryption, ransomware, and extortion.

For example, in June 2021, the attackers used a FortiGate appliance to access environmental control networks affiliated with a US children’s hospital. According to the government, organizations that use Microsoft Exchange servers and Fortinet products should investigate any suspicious behavior in their networks. This is yet another sobering example of the threat posed by nation-state actors and why standard cybersecurity approaches need to be reconsidered. No single entity, be it a corporation or a country, can handle challenges of this magnitude on its own.
