Iranian hackers emerge as cyberthreat to health care computer networks

‘Charming Kitten’ believed to be a front for Islamic Revolutionary Guard Corps, according to HHS’ cybersecurity agency.

Hackers from Iran could pose the next threat to physician and hospital computer networks.

“Iranian Threat Actors & Healthcare” is the latest threat brief by the Health Sector Cybersecurity Coordination Center (HC3) within the U.S. Department of Health and Human Services. HC3 periodically publishes the briefs and other information about relevant cybersecurity topics to raise awareness of current threats, threat actors, best practices, and tactics to avoid cyberattacks.

Iran is historically a “risk-averse actor,” but online attacks provide “a means to exploit enemy vulnerabilities while minimizing the risk of escalation/retaliation,” according to HC3. Iranian hackers have engaged in website defacement, spear phishing, distributed denial-of-service attacks, theft of personally identifiable information, installation of malware, and social media-driven operations.

In 2021, Iran also signed cooperation agreements with Russia that focus on cybersecurity and information and communication technology, and established a 25-year economic and defense collaboration with China, according to HC3. The countries share some common goals, including greater censorship.

Strategies for security

To avoid cyberattacks, HC3 recommended measures such as:

  • Train users to spot and report phishing attacks and the social-engineering tricks that make phony emails appear credible.
  • Review computer network vulnerabilities and install security patches.
  • Segment networks to restrict lateral movements by threat actors.
  • Maintain offline backups of data and regularly test backup and restoration.
  • Ensure backup data is encrypted, unchangeable, and covers the organization’s entire data infrastructure.
  • Use strong passwords and multifactor authentication.
  • Require administrator credentials to install software.

Not-so-Charming Kitten

The threat actor “Charming Kitten” is associated with the Islamic Revolutionary Guard Corps (IRGC), according to HC3. That group formed “as an ideological custodian of Iran’s 1979 revolution.” In April 2019, President Donald J. Trump designated it a foreign terrorist organization, the first state security agency to receive that designation, according to the Council on Foreign Relations.

Charming Kitten, also known as TA453, Cobalt Illusion, Magic Hound, ITG18, Phosphorus, Newscaster, or APT35, has targeted medical researchers, dissidents, diplomats, human rights activists, media, government, military, energy, and telecommunications operations.

The group has used spear phishing, or targeted phony emails that attempt to fool recipients into revealing confidential information. Other tactics include leveraging fake personas and social media platforms to interact with targets and impersonating popular online sites to harvest user credentials, according to HC3, which listed at least eight other hacking handles, including six that use “kitten” in the name.

The IRGC also was the subject of a multinational cybersecurity advisory published in September by the National Security Agency and American allies.

Hack attacks

In the United States, Iranian hackers are associated with a thwarted cyberattack on a children’s hospital and a Facebook campaign targeting Americans and Europeans. In that campaign, hackers pretended to work in hospitality, medicine, journalism, nongovernmental organizations, and at airlines, according to HC3.

Things were worse for the government of Albania. That country hosts the headquarters of the Iranian opposition group PMOI/MEK, which opposes the ruling regime in Iran, and was the location of the World Summit of Free Iran conference on July 23-24, 2022.

The Albanian government faced a two-phase cyberattack. The intrusion began about 14 months before July 18, 2022, when the “government published a statement announcing that it had to ‘temporarily close access to online public services and other government websites’ due to disruptive cyber activity,” according to HC3.