
Health care systems vulnerable to cyberattacks supported by Russian intelligence agencies
HHS cybersecurity center issues threat brief.
Cyber organizations within Russian intelligence services remain a threat to the
The U.S. Department of Health and Human Services’ (HHS) Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3) published “Major Cyber Organizations of Russian Intelligence Services,” a
“As one of the five global superpowers, it comes as no surprise that Russia possesses one of the most skilled and dangerous cyber attack capabilities in the world,” HC3 analyst Ellie Wyatt said in a conference call. “While there are a number of associated organizations and threat actors, as you can see, all of them are ultimately controlled by Russia’s President Vladimir Putin.”
The brief did not issue a warning of a
Staying secure
HC3 recommends steps for mitigating risks:
- Update software, including operating systems, applications, and firmware, on IT network assets.
- Review the common vulnerabilities and exposures (CVEs) for all public-facing systems. The federal Cybersecurity & Infrastructure Security Agency (CISA) maintains an updated catalog of CVEs that are known to be exploited, the Known Exploited Vulnerabilities (KEV) catalog.
- Enforce multifactor authentication to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords.
- If you use remote desktop protocol (RDP) or other potentially risky services, secure and monitor them closely.
- Provide user awareness and training to help prevent successful targeted social engineering and spear phishing campaigns.
- As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality.
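The CVE review step above is easiest to operationalize as a recurring cross-check of the asset inventory against the KEV catalog. The script below is an added example, not code from the HC3 brief or from this article. It follows the field names of the JSON feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (a top-level `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `requiredAction`), but the catalog entries embedded here are constructed so it runs offline: the `CVE-0000-*` identifiers are placeholders, not real CVEs, the vendor and product names are fictitious, and the inventory export format is an assumption.

```python
"""Cross-check an asset inventory against a KEV-format catalog.

Added example; not code from the HC3 brief or this article. Field names
follow the CISA KEV JSON feed; the entries, CVE-0000-* IDs, vendors and
products below are CONSTRUCTED placeholders so the script runs offline.
The inventory record layout is an assumption.
"""
import json
from datetime import date

# Constructed KEV-style feed (placeholder CVE IDs, fictitious products).
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real KEV feed",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Example VPN Appliance", "dateAdded": "2024-01-16",
         "dueDate": "2024-02-15",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Example Remote Desktop Gateway", "dateAdded": "2024-02-27",
         "dueDate": "2024-03-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "Example Database Server", "dateAdded": "2023-12-11",
         "dueDate": "2024-01-01",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Assumed inventory export: one record per system, with a flag for whether
# the system is reachable from the internet.
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "ExampleVendor",
     "product": "Example VPN Appliance", "internet_facing": True},
    {"host": "rdp-jump-02", "vendor": "ExampleVendor",
     "product": "example remote desktop gateway", "internet_facing": True},
    {"host": "his-db-03", "vendor": "ExampleVendor",
     "product": "Example Database Server", "internet_facing": False},
    {"host": "web-portal-04", "vendor": "OtherVendor",
     "product": "Patient Portal", "internet_facing": True},
]


def _norm(text):
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(text.lower().split())


def load_kev(feed_text):
    """Parse a KEV-format JSON document into its list of entries."""
    return json.loads(feed_text)["vulnerabilities"]


def match_kev(inventory, kev_entries, today, public_only=True):
    """Return KEV hits for inventory assets, most urgent first.

    KEV carries no structured version field, so a vendor/product match
    means "confirm against the vendor advisory", not "confirmed vulnerable".
    `today` may be a date or an ISO date string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)

    by_product = {}
    for entry in kev_entries:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        by_product.setdefault(key, []).append(entry)

    findings = []
    for asset in inventory:
        if public_only and not asset.get("internet_facing", False):
            continue
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for entry in by_product.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "overdue": due < today,
                "action": entry["requiredAction"],
            })
    # Overdue items first, then by the catalog's due date.
    findings.sort(key=lambda f: (not f["overdue"], f["due"]))
    return findings


if __name__ == "__main__":
    hits = match_kev(INVENTORY, load_kev(SAMPLE_KEV_JSON), "2024-03-01")
    for f in hits:
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f"{f['host']:14} {f['cve']:14} {flag:16} {f['action']}")
```

Run with `public_only=False` to include internal systems as well; the default restricts output to internet-facing assets because that is the exposure the brief is concerned with. Each hit still needs a version check against the vendor advisory before it is treated as confirmed.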
Threat actors
Wyatt and the threat brief cited work of cybersecurity
- The Federal Security Service, known as FSB, the equivalent of the American FBI. FSB is associated with the threat actor known as Turla, which made cyber attacks on the U.S. Central Command in 2008 and Germany’s government computer network in 2018. Turla also is known as Venomous Bear and other names designated by security and software companies.
- The Foreign Intelligence Service, known as the SVR, the equivalent of the CIA. SVR is associated with threat actor APT29, which launched cyberattacks on the Pentagon in 2015 and COVID-19 vaccine developers in 2020. APT29 became known for the campaign against SolarWinds Orion IT software in businesses around the world.
A U.S. hospital was among about 18,000 SolarWinds customers who became victims in that attack, Wyatt said. APT29 also is known as Cozy Bear and other names.
- The Main Intelligence Directorate of the General Staff of the Armed Forces, known as GRU. Roughly equivalent to the U.S. Defense Intelligence Agency, GRU is the most reckless, brazen and disruptive of the three, Wyatt said, citing research of author and Wired magazine columnist Andy Greenberg.
GRU is associated with APT28, also known as Fancy Bear, the hacking group that attacked the World Anti-Doping Agency, the U.S. Democratic National Committee and Hillary Clinton’s presidential campaign, all in 2016, among others.
APT28 tends to leak stolen data for Russia’s political interests, Wyatt said.
GRU also is associated with threat actor Sandworm, also known as Voodoo Bear, which launched the NotPetya cyber attacks of 2017. The attack corresponded to Russian military action against Ukraine, but the malware spread, shutting down a U.S. pharmaceutical manufacturer and affecting medical records of dozens of U.S. hospitals.