A joint advisory issued Oct. 16 by the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency and international agencies warns of a threat from Iranian cyber actors using brute force and other techniques to compromise organizations in healthcare and other critical infrastructure sectors. . The actors are likely trying to obtain credentials and network information from the victim that could be sold to cybercriminals, the advisory states. Since October 2023, these cyber actors have used forceful actions such as password spraying and multi-factor authentication push bombing to compromise user accounts to gain access to organizations. Additionally, they frequently modified MFA records, which allowed persistent access and performed discovery on compromised networks to obtain additional credentials and other information to potentially obtain additional access points.

“This alert highlights the ongoing threat posed by Iranian cyberthreat actors to the U.S. healthcare sector, including hospitals,” said Scott Gee, AHA deputy national advisor for cybersecurity and risks. “Once these bad actors gain initial access to a system, they sell that access to other bad actors who carry out much more sophisticated attacks, including ransomware attacks, often impacting healthcare delivery to patients and entire communities. Any ransomware attack that disrupts or delays patient care constitutes a life-threatening crime and the actors identified in this alert could be considered co-conspirators in these attacks. Hospitals should require the use of unique, complex passwords, which are changed regularly, and use phishing-resistant multi-factor authentication to defend against these attacks. The voluntary cybersecurity performance goals mentioned in the alert, which the AHA helped develop, are the best first line of defense against relatively unsophisticated initial access attacks like these. The AHA encourages hospitals to implement CPGs to improve their overall cybersecurity posture and help thwart adversaries like these.

For more information on this or other cybersecurity and risk issues, contact Gee at [email protected]. For the latest threat information and other cybersecurity and risk resources, visit www.aha.org/cybersecurity.