
HHS Warns Healthcare Industry of Russian Threat Groups

by Chris Brook on Wednesday June 1, 2022


A new alert, via the HHS Cybersecurity Program, is reminding healthcare organizations about four Russian threat groups.

As the war continues in Ukraine, U.S. government departments continue to provide guidance to organizations on how to stay ahead of threats connected to Russia.

The United States Department of Health and Human Services (HHS) late last week issued an alert to U.S. healthcare organizations to familiarize themselves with four different threat groups that are posing a risk to healthcare systems.

What's interesting is that none of the groups are new; they've all been around since the mid-to-late 2000s but the fact that they’re continuing to pose a problem for defenders demonstrates both their persistence and effectiveness.

The groups covered in the alert are Turla, substantively linked to Russia's FSB security service; APT29, aka Cozy Bear, widely believed to be connected to Russia's SVR; APT28, aka Fancy Bear, attributed by the private sector to Russia's military intelligence service, the GRU; and Sandworm, also connected to the GRU.

While the groups have largely targeted higher-stakes entities across the government and energy sectors (Turla hit U.S. Central Command in 2008, APT29 was ultimately linked to the 2020 SolarWinds hack, and APT28 was behind the 2016 hack of the Democratic National Committee), they do have a few attacks involving the healthcare industry under their belts.

The NotPetya ransomware, created and propagated by Sandworm, took medical record systems at dozens of U.S. hospitals offline in 2017.

As with most supply chain attacks, it's still difficult, a year and a half removed from the incident, to gauge the full scope of 2020's SolarWinds hack, but it's known that at least one hospital was among the victims. The news forced the industry, the American Hospital Industry and the Health Information Sharing and Analysis Center (Health-ISAC) in particular, to reevaluate how to respond to cyber risk in their networks.

HHS doesn't give any recent examples of any of the groups' attacks against healthcare entities, meaning there may not be an imminent risk to organizations.

The alert, which was published by the Office of Information Security and the Health Sector Cybersecurity Coordination Center, might be better viewed as a primer around the structure of Russia's intelligence services and the various threat groups for the uninformed and a guide to best practices for administrators looking to ensure they’re mitigating Russia-based threats.

HHS’ mitigations mirror a lot of tips and techniques circulated by CISA of late, including:

The HHS warning follows warnings issued last month by the United States, Australia, Canada, New Zealand, and the United Kingdom about Russian threat actors amid what many have called high cyber tensions stemming from Russia's invasion of Ukraine.

While most of the attacks referenced in the government-issued warnings were against Ukraine itself, namely distributed denial of service (DDoS) attacks against government websites and website defacements, the alerts encourage network defenders to prepare for potential attacks regardless.

Tags: Healthcare, Government


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.