The U.S. Department of Health and Human Services (HHS) has issued a warning regarding a recent uptick in social engineering attacks targeting IT help desks within the Healthcare and Public Health (HPH) sector.
According to a sector alert from the Health Sector Cybersecurity Coordination Center (HC3), hackers have been employing these tactics to infiltrate the systems of targeted organizations by enrolling their own multi-factor authentication (MFA) devices.
In these incidents, threat actors utilize a local area code to place calls to organizations, masquerading as employees from the financial department. They then provide stolen ID verification details, including corporate ID and social security numbers, to gain the trust of IT helpdesk personnel.
Under the guise of a broken smartphone, they persuade helpdesk staff to enroll a new device in MFA, effectively granting them access to corporate resources. Subsequently, they exploit this access to redirect bank transactions in business email compromise attacks.
HC3 highlights one specific instance where the threat actor targeted login credentials associated with payer websites, subsequently manipulating ACH changes for payer accounts. This involved instructing payment processors to redirect legitimate payments to U.S. bank accounts controlled by the attackers, which were then funneled to overseas accounts. Additionally, during the campaign, the threat actor registered a domain resembling the target organization's and created an account posing as the Chief Financial Officer (CFO).
Such attacks may also incorporate AI voice cloning tools to further deceive targets, complicating identity verification processes. This tactic has gained popularity, with a recent global study indicating that 25% of individuals have encountered or are aware of AI voice impersonation scams.
The methods outlined in the HHS alert closely resemble those utilized by the Scattered Spider (aka UNC3944 and 0ktapus) threat group, which employs phishing, MFA bombing, and SIM swapping to initiate network breaches. This cybercriminal organization often impersonates IT personnel to obtain credentials or gain remote access to target networks.
While the FBI and CISA have issued advisories detailing Scattered Spider's tactics, the incidents reported within the health sector have yet to be definitively linked to a specific threat group.
To mitigate the risk of attacks on IT help desks, organizations in the health sector are advised to implement several measures, including requiring callbacks to verify requests, monitoring for suspicious ACH changes, and conducting in-person verifications for sensitive matters. Additionally, helpdesk staff should receive training to recognize social engineering techniques and verify callers' identities before providing access or sensitive information.
Cybersecurity in the healthcare sector of both Canada and the United States is a growing concern, as these institutions become increasingly reliant on digital technology for patient care, data storage, and operations. The healthcare industry is an attractive target for cybercriminals due to the sensitive nature of the data it handles, including personal health information (PHI), financial information, and other personal identifying information (PII). This data can be exploited for identity theft, financial gain, or even espionage and sabotage, making robust cybersecurity measures paramount.
In the United States, one of the most significant breaches occurred in 2015 when the health insurance company Anthem Inc. was targeted. Hackers gained unauthorized access to the company's IT system and compromised the data of nearly 79 million people, including names, dates of birth, medical IDs, social security numbers, addresses, email addresses, employment information, and income data. The breach was attributed to a sophisticated phishing attack that allowed hackers to gain credentials to access Anthem's systems.
Canada has also seen its share of healthcare security breaches. In 2020, Lifelabs, one of Canada's largest medical services companies, reported a data breach affecting up to 15 million customers. Most of the affected individuals were in British Columbia and Ontario. The hackers managed to extract customer information, including names, addresses, emails, customer logins and passwords, health card numbers, and in some cases, lab test results. The breach was the result of a ransomware attack, where the attackers demanded a ransom in exchange for the return of the stolen data.
These breaches were executed through sophisticated methods, including phishing and ransomware attacks, highlighting the importance of comprehensive cybersecurity measures. Phishing attacks deceive individuals into providing sensitive information or access credentials, while ransomware attacks involve encrypting an organization's files and demanding a ransom for their release. Both types of attacks exploit human and system vulnerabilities and underscore the need for ongoing cybersecurity training, robust data encryption, regular system updates, and backups.
In response to such incidents, healthcare organizations in both countries have been urged to enhance their cybersecurity frameworks. This includes adhering to standards and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Additionally, there is a push for more rigorous cybersecurity practices, including the implementation of advanced threat detection systems, regular security audits, and the fostering of a culture of security awareness among all staff members.
The growing sophistication of cyber threats, coupled with the high value of healthcare data, means that cybersecurity in healthcare will continue to be a pressing issue. Protecting against such threats requires a multifaceted approach, combining technological solutions with training and policy reforms to mitigate the risk of future breaches.
At BlueSky, we offer our clients unparalleled access to analyst-verified monitoring, actionable intelligence, and proactive insights into protests and potential disruptions in real-time. Our commitment is to deliver intelligence that is not only insightful but also deeply rooted in human expertise. We pride ourselves on delivering intelligence that is insightful and human-centric, because "Our best intelligence is not artificial."
If you have additional questions about this report or would like more information on BlueSky, reach out to our team directly: [email protected]