StartMag

All Russian cyber threats to US health

Article by Giuseppe Gagliano

The U.S. Department of Health and Human Services' Cybersecurity Coordination Center (HC3) has issued a threat brief on the Russian intelligence cyber organizations that pose a threat to organizations in the United States, including the healthcare and public health (HPH) sector.

The threat brief covers four major advanced persistent threat (APT) actors within the Russian intelligence services that conduct offensive cyber operations and espionage. These actors are linked to the Federal Security Service (FSB), the Foreign Intelligence Service (SVR) and the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU).

Turla, aka Venomous Bear / Iron Hunter / KRYPTON / Waterbug, operates under the direction of the FSB and has been active since at least 2004. It primarily targets academia, energy, government, military, telecommunications, research, pharmaceutical companies and foreign embassies. The group is known for sophisticated malware and backdoors and focuses mainly on diplomatic espionage in former Eastern Bloc countries, although it was also responsible for the 2008 attack on US Central Command, the 2017 attack on G20 participants, and the 2018 attack on the German government computer network.

APT29, aka Cozy Bear, YTTRIUM, Iron Hemlock and The Dukes, operates under the direction of the SVR and primarily targets the academic, energy, financial, government, healthcare, media, pharmaceutical and technology sectors, as well as think tanks. The group has been active since at least 2008 and uses a range of malware and backdoor variants. It mainly targets European and NATO countries and is known for spear-phishing campaigns aimed at gaining long-term stealthy access to target networks; it is particularly persistent and focused on specific targets. The group steals information but does not leak it. APT29 is known to be behind the 2015 attack on the Pentagon, the 2020 SolarWinds Orion attack, and the targeting of COVID-19 vaccine developers during the pandemic.

APT28, aka Fancy Bear, STRONTIUM, Sofacy and Iron Twilight, operates under the direction of the GRU and has been active since 2004. APT28 targets dissidents and the aerospace, defense, energy, government, healthcare, military and media sectors. The group uses a variety of malware, including a downloader that stages follow-on infections and collects system information and metadata to distinguish real environments from sandboxes.

APT28 primarily targets NATO countries, is known for using malware, phishing and credential harvesting, and tends to conduct loud rather than stealthy attacks. The group steals and leaks information to further Russia's political interests. It was behind the 2016 attack on the World Anti-Doping Agency, the 2016 intrusion and data leak at the US Democratic National Committee and the Clinton campaign, and the attacks on the German and French elections in 2016 and 2017.

Sandworm, aka Voodoo Bear, ELECTRUM, IRIDIUM, Telebots and Iron Viking, operates under the direction of the GRU and has been active since at least 2007. Sandworm primarily targets the energy and government sectors and is the most destructive of the four groups: it attacks computer systems for destructive purposes, such as wiper malware campaigns, especially in Ukraine. The group uses malware such as BadRabbit, BlackEnergy, GCat, GreyEnergy, KillDisk, NotPetya and Industroyer. Sandworm was behind the multiple attacks on the Ukrainian government and critical infrastructure in 2015-2016 and 2022, the attacks on Georgian websites prior to the Russian invasion in 2008, and the NotPetya attacks in 2017.

The tactics, techniques, procedures and malware differ from group to group, but some mitigations can be implemented to improve resilience and block the main attack vectors.


This is a machine translation from Italian of a post published on Start Magazine at the URL https://www.startmag.it/sanita/tutte-le-minacce-informatiche-russe-alla-sanita-usa/ on Thu, 26 May 2022 05:50:16 +0000.