HHS Cyber Threat Intelligence announces major threat actors in 2024
Caitlin Anthoney Oct 31, 2024 6:45:00 AM
On October 23, 2024, the HHS Cyber Security Operations Cyber Threat Intelligence Branch released a list of notable cyber threat actors, including Advanced Persistent Threat (APT) groups and ransomware organizations that continue to target essential sectors.
What happened
During the recent Safeguarding Health Information: Building Assurance through HIPAA Security conference held by the HHS Office for Civil Rights and the NIST Information Technology Laboratory, the HHS Cyber Security Operations identified several prominent threat actors.
Their list includes Advanced Persistent Threat (APT) groups like APT28, also known as Fancy Bear, a Russian group known for its espionage efforts targeting military, government, and election systems. Their involvement in the 2016 U.S. election compromised SolarWinds’ software update system, where “they gained unprecedented access to U.S. government agencies and corporations.”
Ransomware groups such as LockBit 3.0 and BlackCat have also been flagged for their evolving tactics, with LockBit’s 2021 attack on Accenture “[showcasing] their audacity in targeting high-profile corporations.”
The Lazarus Group from North Korea has gained notoriety for targeting financial institutions, as evidenced by their nearly $1 billion heist attempt on Bangladesh's central bank in 2018. Meanwhile, the Chinese group APT41 combines espionage with cybercrime, “targeting sectors like healthcare and telecommunications.”
Going deeper
- APT28 (Fancy Bear): Known for targeting military and government systems, they were responsible for the SolarWinds attack, which compromised U.S. government agencies.
- Lazarus Group: North Korean actor focused on financial institutions that attempted to steal nearly $1 billion from Bangladesh’s central bank.
- APT41 (Double Dragon): Chinese group that combines espionage and cybercrime, targeting the healthcare and telecommunications sectors with backdoor malware in trusted software updates.
- Hafnium: Chinese group that gained notoriety for exploiting Microsoft Exchange vulnerabilities, compromising over 250,000 servers globally.
- LockBit 3.0: A Ransomware-as-a-Service (RaaS) platform with advanced extortion techniques, as seen during the 2021 attack on Accenture, where they demanded a $50 million ransom.
- BlackCat (ALPHV): Targets high-value enterprises, with a notable attack on Schneider Electric in 2022 that disrupted integral infrastructure.
- Clop Ransomware: Known for exploiting third-party vulnerabilities, their 2023 MOVEit exploit affected numerous organizations globally.
- FIN7 (Carbanak): Specializes in point-of-sale attacks, including the 2017 breach of Chipotle, in which millions of consumers’ payment card records were stolen.
- Evil Corp (Dridex): Targets European banks with sophisticated banking Trojans and changes its tactics over time, for example using Dridex malware to attack financial institutions in 2019.
- Conti Group Legacy: Despite disbanding, its splinter groups continue to pose a threat, as in the 2022 attack on the Costa Rican government, which disrupted national services for weeks.
What was said
During the conference, HHS Cyber Security Operations Cyber Threat Intelligence Branch Chief Rahul Gaitonde stated, “Global attacks have become more targeted, with a significant rise in zero-day vulnerability exploitation.”
Gaitonde also noted the impact of geopolitical tensions where “State-sponsored cyberattacks are increasingly targeting critical infrastructure and supply chains.”
In the know
Advanced Persistent Threats (APT) often involve state-sponsored actors motivated by espionage, while ransomware groups operate for financial gain. Recognizing these differences can help organizations develop targeted defense strategies.
Go deeper: How to manage persistent threats and zero-day vulnerabilities
Why it matters
With the continued rise in cyberattacks, understanding the motivations and methods of these actors can inform strategic decisions and improve organizations’ security posture. Moreover, this announcement urges organizations to strengthen their cybersecurity measures and remain vigilant against emerging threats.
Related: How the NIST Cybersecurity Framework relates to HIPAA compliance
FAQs
What is a zero-day vulnerability?
A zero-day vulnerability is a security flaw unknown to the software or system vendor, leaving them with ‘zero days’ to prepare a response. These vulnerabilities can exist in any application, operating system, or connected device.
Can state-sponsored cyberattacks affect healthcare systems?
Yes, state-sponsored cyberattacks can cause serious disruptions to health systems, compromising patient privacy and security.
How can healthcare organizations prepare for cyber threats?
Healthcare organizations should conduct regular risk assessments, invest in advanced security measures, and use a HIPAA compliant communication platform like Paubox to secure protected health information (PHI).
Additionally, they should train staff on cybersecurity awareness and develop an incident response plan to counter potential cyberattacks.
Learn more: HIPAA Compliant Email: The Definitive Guide