Tehran hackers close the sophistication gap with social engineering

The federal government cautions the healthcare industry to be on the lookout for Iranian threat actors disguising themselves as doctors, think tank researchers, or journalists.

Tehran-backed hackers frequently use social engineering to infiltrate targets such as hospitals, according to a threat briefing issued on Thursday by the Department of Health and Human Services Health Sector Cybersecurity Coordinating Center (HC3).

One recent example was a Tortoiseshell threat group operation that used Facebook accounts posing as recruiters for the media, medical, and other fields. Targets in the United States and Europe were sent malicious files or were tricked into entering personal information on phishing websites (see: Facebook Disrupts Iranian APT Campaign).


Paul Prudhomme, a former threat analyst for the Department of Defense and now head of threat intelligence advice at Rapid7, says that Iranian state-sponsored attackers frequently invest heavily in the social engineering layers of their attacks.

Iranian actors may not possess the same level of technological sophistication as their colleagues in other nations, but they make up for it with more complex and potentially more convincing social engineering methods.

According to Prudhomme, Iranian actors sometimes go to greater lengths to make their social engineering personas credible, for example by setting up additional social media accounts or other online presences beyond the one used in the attack, so that the persona withstands scrutiny. Using a phony LinkedIn account to socially engineer individuals with the promise of job opportunities in their specific industries is a typical practice among Iranian social engineers, he says.

The Issues

In one instance cited by HC3, an Iranian hacker pretended to be the Foreign Policy Research Institute’s director of research. The phishing email gained extra credibility because the attacker copied another director at the Pew Research Center and used an email address that actually resolved back to the Pew Research Center.

The focus on social engineering does not rule out direct attacks. One notorious instance is the thwarted attack on Boston Children’s Hospital last year. According to the FBI director, the hospital was only informed of the impending attack after U.S. officials obtained intelligence about it.

To gain access to the hospital’s environmental control networks, the hackers exploited a Fortigate device. They used an IP address that the FBI links to the Iranian government to access known user accounts at the hospital.

According to Adam Meyers, senior vice president of intelligence at the security company CrowdStrike, attacks by Iranian threat actors on organizations serving the healthcare sector tend to be more disruptive than those carried out by some other nation-state-backed hackers, such as those from China.

He says that “lock and leak” attacks, in which threat actors deploy ransomware and then leak stolen data to embarrass the organization, are common in Iran-linked attacks. These attacks may at times be backed by Iranian cybercrime gangs or by the Iranian government, he says. China’s nation-state attacks on the healthcare industry, by contrast, have frequently been less destructive and have concentrated on the theft of intellectual property for drugs, medical devices, and other advances.

Iran has offensive cyber capabilities, according to Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (Health-ISAC), and its threat actors have demonstrated successful DDoS attacks, destructive wipers, and other cyberattacks.

The Recommendations

To be better prepared and more resilient as a sector in the event that healthcare is targeted, Health-ISAC monitors this threat actor group and collaborates with a number of partners to stay current on threats, motivations, and attack tactics.

The Iranian Ministry of Intelligence and Security and its minister were sanctioned by the U.S. government in September as a result of a cyberattack that temporarily crippled Albania’s citizen online service site in July (see: U.S. Sanctions Iranian Spooks for Albania Cyberattack).