The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has published a threat brief on the cyber organizations of the Russian intelligence services that pose a threat to organizations in the United States, including the healthcare and public health (HPH) sector. The brief profiles four major advanced persistent threat (APT) actors conducting offensive cyber operations and espionage on behalf of Russian intelligence. These actors have been linked to the Federal Security Service (FSB), the Foreign Intelligence Service (SVR) and the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU).

Turla, aka Venomous Bear/Iron Hunter/KRYPTON/Waterbug, operates under the direction of the FSB and has been active since at least 2004. It primarily targets academia, energy, government, military, telecommunications, research, pharmaceutical companies and foreign embassies. The group is known for sophisticated malware and backdoors and focuses mainly on diplomatic espionage in former Eastern Bloc countries, although it was responsible for the attack on US Central Command in 2008, on G20 participants in 2017 and on the German government's computer network in 2018.

APT29, aka Cozy Bear, YTTRIUM, Iron Hemlock and The Dukes, operates under the direction of the SVR and primarily targets the academic, energy, financial, government, healthcare, media, pharmaceutical and technology industries as well as think tanks. The actor has been active since at least 2008 and uses a range of malware and backdoor variants. It primarily targets European and NATO countries and is known to conduct spear-phishing campaigns to gain long-term, stealthy access to its targets' networks; it is particularly persistent and focused on specific targets. APT29 steals information but does not leak it. The group is known to be behind the attack on the Pentagon in 2015, the SolarWinds Orion attack in 2020, and the targeting of COVID-19 vaccine developers during the pandemic.

APT28, aka Fancy Bear, STRONTIUM, Sofacy and Iron Twilight, operates under the direction of the GRU and has been active since 2004. APT28 targets dissidents and the aerospace, defense, energy, government, healthcare, military and media industries. The group uses a variety of malware, including a downloader for follow-on infections, and collects system information and metadata to distinguish real environments from sandboxes. APT28 primarily targets NATO countries, is known for malware, phishing and credential harvesting, and tends to conduct noisy rather than stealthy attacks. The group steals and leaks information to promote Russia's political interests. It was behind the attack on the World Anti-Doping Agency in 2016, the cyberattack on and data leak from the US Democratic National Committee and the Clinton campaign in 2016, and the attacks on the German and French elections in 2016 and 2017.

Sandworm, aka Voodoo Bear, ELECTRUM, IRIDIUM, Telebots and Iron Viking, also operates under the direction of the GRU and has been active since at least 2007. Sandworm primarily targets the energy and government sectors and is the most destructive of the four. It targets computer systems for destructive purposes, such as wiper malware attacks, especially in Ukraine. The group uses malware such as BadRabbit, BlackEnergy, GCat, GreyEnergy, KillDisk, NotPetya and Industroyer. Sandworm was behind multiple attacks on the Ukrainian government and critical infrastructure in 2015-2016 and 2022, the attacks on Georgian websites before the Russian invasion in 2008, and the NotPetya attacks in 2017.

The tactics, techniques, procedures and malware used by each of these groups differ, but organizations can implement common mitigations to improve resilience and block the major attack vectors.
All Russian cyber threats to US healthcare
by Giuseppe Gagliano