
HHS Warns Healthcare Industry of Russian Threat Groups

by Chris Brook on Wednesday June 1, 2022


A new alert, via the HHS Cybersecurity Program, is reminding healthcare organizations about four Russian threat groups.

As the war continues in Ukraine, U.S. government departments continue to provide guidance to organizations on how to stay ahead of threats connected to Russia.

The United States Department of Health and Human Services (HHS) late last week issued an alert to U.S. healthcare organizations to familiarize themselves with four different threat groups that are posing a risk to healthcare systems.

What's interesting is that none of the groups are new; they've all been around since the mid-to-late 2000s, but the fact that they're continuing to pose a problem for defenders demonstrates both their persistence and their effectiveness.

The groups covered in the alert are Turla, substantively linked to Russia's FSB security service; APT29, aka Cozy Bear, widely believed to be connected to Russia's SVR; APT28, aka Fancy Bear, attributed by the private sector to Russia's military intelligence service, the GRU; and Sandworm, also connected to the GRU.

While the groups have largely targeted higher-stakes entities across the government and energy industries (Turla hit U.S. Central Command in 2008, APT29 was ultimately linked to the 2020 SolarWinds hack, and APT28 was behind the 2016 hack of the Democratic National Committee), they do have a few attacks implicating the healthcare industry under their belts.

The NotPetya ransomware, created and propagated by Sandworm, took medical record systems at dozens of U.S. hospitals offline in 2017.

As with most supply chain attacks, it's still difficult, a year and a half removed from the incident, to gauge the scope of 2020's SolarWinds hack, but it's known that at least one hospital was among the victims. The news forced the industry, the American Hospital Industry and the Health Information Sharing and Analysis Center (Health-ISAC) in particular, to reevaluate how to respond to cyber risk in their networks.

HHS doesn't give any recent examples of any of the groups' attacks against healthcare entities, meaning there may not be an imminent risk to organizations.

The alert, which was published by the Office of Information Security and the Health Sector Cybersecurity Coordination Center, might be better viewed as a primer around the structure of Russia's intelligence services and the various threat groups for the uninformed and a guide to best practices for administrators looking to ensure they’re mitigating Russia-based threats.

HHS’ mitigations mirror a lot of tips and techniques circulated by CISA of late, including:

The HHS warning follows up warnings last month from the United States, Australia, Canada, New Zealand, and the United Kingdom about Russian threat actors amid what many have called high cyber tensions stemming from Russia's invasion of Ukraine.

While most of the attacks referenced in the government-issued warnings were against Ukraine itself, namely distributed denial of service (DDoS) attacks against government websites and website defacements, the alerts encourage network defenders to prepare for potential attacks regardless.

Tags: Healthcare, Government
