Iranian Cyber Actors May Target Vulnerable US Networks
As the U.S. prepares for Independence Day celebrations, health care organizations are advised to brace for potential cyberattacks from Iranian state-sponsored or affiliated actors. A joint statement issued June 30 by CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), and the NSA emphasizes ongoing threats targeting U.S. networks, particularly those connected to critical infrastructure, including health care.
The American Hospital Association (AHA) is urging hospitals and health systems to remain alert over the holiday weekend. “They have targeted the healthcare sector in the past, so hospitals are encouraged to maintain a heightened level of vigilance,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “This is especially important with the Fourth of July holiday approaching, since we often see heightened adversary activity around holidays.”
In an interview with Becker’s Health, AHA National Advisor John Riggi said that cybercriminals see this time as a prime opportunity for attacks, given the reduced staffing levels and increased distractions. Threat actors might also exploit these weaknesses through holiday-themed phishing emails and spoofed IT support calls.
Past Campaigns and Ongoing Threats
On June 20, the U.S. Department of Justice announced a sweeping nationwide crackdown on schemes by North Korea to generate revenue through illegal remote IT work for U.S. companies.
Between November 2023 and January 2024, Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated actors launched a global campaign targeting Israeli-made PLCs and HMIs—components often used in critical infrastructure. Victims included U.S.-based organizations in health care, water systems, energy, and food production.
As the Independence Day holiday weekend began on Friday, July 2, 2021, U.S.-based software provider Kaseya’s Incident Response team discovered a potential security incident involving its VSA software. The attack was carried out by the Russia-linked ransomware group REvil and disrupted up to 2,000 organizations globally.
Recommended Actions to Mitigate Attacks
The joint advisory, together with its full fact sheet, includes a series of urgent recommendations to harden systems and improve resilience, including:
- Update and patch all internet-facing systems, especially those used for remote access.
- Enforce strong, unique passwords for all accounts, and enable multi-factor authentication (MFA) wherever possible.
- Review and monitor user access logs, especially for unusual remote access or configuration changes.
- Test and update business continuity and incident response plans on a regular basis.
- Rehearse system recovery procedures to ensure preparedness in case of a disruption.
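The log-review recommendation above is easier to act on with a concrete rule. The following is an added example, not code from the advisory or from any vendor: it scans constructed remote-access log lines and flags events that fall inside a declared holiday window, outside business hours, or that change configuration over a remote session. The log format, the holiday window and the business hours are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, date
import re

# Constructed sample remote-access/VPN log lines (not from any real system).
# Assumed format: "<ISO timestamp> user=<name> event=<type> src=<ip>"
SAMPLE_LOG = """\
2025-07-03T09:12:44 user=jsmith event=vpn_login src=203.0.113.10
2025-07-04T02:47:03 user=svc_backup event=vpn_login src=198.51.100.23
2025-07-04T02:51:19 user=svc_backup event=config_change src=198.51.100.23
2025-07-05T14:05:00 user=oncall_nurse event=vpn_login src=203.0.113.44
2025-07-07T08:30:12 user=jsmith event=vpn_login src=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Assumed policy: reduced-staffing window over the Independence Day weekend
HOLIDAY_WINDOW = (date(2025, 7, 4), date(2025, 7, 6))  # inclusive
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time, assumed
ALWAYS_REVIEW = {"config_change"}  # changes over a remote session always get a look

@dataclass
class Alert:
    user: str
    event: str
    ts: str
    reasons: list[str]

def review_log(text: str) -> list[Alert]:
    """Return one Alert per log event that warrants analyst review, with every
    reason it was flagged. Malformed lines are skipped rather than aborting."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        reasons = []
        if HOLIDAY_WINDOW[0] <= ts.date() <= HOLIDAY_WINDOW[1]:
            reasons.append("remote access during holiday window")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if m["event"] in ALWAYS_REVIEW:
            reasons.append("configuration change over remote session")
        if reasons:
            alerts.append(Alert(m["user"], m["event"], m["ts"], reasons))
    return alerts
```

In practice the window and hours come from the organization's own holiday calendar and staffing schedule, and the flagged events feed a ticket queue that the on-call team actually reads over the weekend.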
“Since many attacks occur at the worst possible times, such as during payroll weeks or when key staff are out of the office or on holidays, this is a good criterion to use during tabletop disaster exercises,” said Ron Bebus, PrivaPlan CIO. “Make the drills as realistic as possible.”
Health care entities should assume adversaries are actively scanning for vulnerabilities. By preparing now, health systems can better defend against attacks and recover more quickly if targeted, especially during the holidays.
Disaster Recovery Planning is Critical
Do you have a Disaster and Recovery plan? We can review it and recommend improvements. This includes analyzing test results and implementing them, assessing team performance, evaluating recovery patterns and capabilities, and determining overall improvements.