As the war continues in Ukraine, U.S. government departments continue to provide guidance to organizations on how to stay ahead of threats connected to Russia.

The United States Department of Health and Human Services (HHS) late last week issued an alert to U.S. healthcare organizations to familiarize themselves with four different threat groups that are posing a risk to healthcare systems.

What's interesting is that none of the groups are new; they've all been around since the mid-to-late 2000s but the fact that they’re continuing to pose a problem for defenders demonstrates both their persistence and effectiveness.

The groups covered in the alert include Turla, substantively linked to Russia's FSB security service, APT29, aka Cozy Bear, widely believed to be connected to Russia's SVR, APT28, aka Fancy Bear, attributed by the private sector by Russia’s military intelligence service, the GRU, and Sandworm, also connected to the GRU.

While the groups have largely targeted higher stakes entities across the government and energy industries - Turla hit U.S. Central Command in 2008, APT29 was ultimately linked to the 2020 SolarWinds hack, and APT28 was behind the 2016 hack of the Democratic National Committee – they do have a few attacks that implicated the healthcare industry under their belts.

The NotPetya ransomware, created and propagated by Sandworm, took medical record systems at dozens of U.S. hospitals offline in 2017.

Like most supply chain attacks, a year and a half removed from the incident, it's still difficult to gauge the scope of 2020's SolarWinds hack but it's known that at least one hospital was among the victims. The news forced the industry, the American Hospital Industry and the Health Information Sharing and Analysis Center (Health-ISAC) in particular, to reevaluate how to respond to cyber risk in their networks.

HHS doesn't give any recent examples of any of the groups' attacks against healthcare entities, meaning there may not be an imminent risk to organizations.

The alert, which was published by the Office of Information Security and the Health Sector Cybersecurity Coordination Center, might be better viewed as a primer around the structure of Russia's intelligence services and the various threat groups for the uninformed and a guide to best practices for administrators looking to ensure they’re mitigating Russia-based threats.

HHS’ mitigations mirror a lot of tips and techniques circulated by CISA of late, including:

• Updating software, operating systems, applications, and firmware
• Review CVEs for public facing systems, especially CISA’s Known Exploited Vulnerabilites catalog
• Enforce MFA and require strong passwords
• Secure and monitor RDP if used
• Educate users on social engineering and spear phishing attacks
• Implement network segmentation
• Referring to HHS 405(d) Aligning Health Care Industry Security Approaches and Health Industry Cybersecurity Practices (HICP)

The HHS warning follows up warnings last month from the United States, Australia, Canada, New Zealand, and the United Kingdom about Russian threat actors amid what many have called high cyber tensions stemming from Russia's invasion of Ukraine.

While most of the attacks referenced in the government-issued warnings were against Ukraine itself - distributed denial of service (DDoS) attacks against government websites and website defacements – the alerts are encouraging network defenders to prepare for potential attacks regardless.