H-ISAC Threat Intelligence Committee Warns Membership to Increase Cybersecurity Awareness

H‐ISAC TIC Threat Bulletin

Date: June 24, 2019
TLP – WHITE

The H-ISAC Threat Intelligence Committee (TIC) is warning the H-ISAC members to expect increased cyber offensive activity targeting US critical infrastructure, including healthcare, as a direct result of increased tensions between the US and Iran.

Note: This is a TLP WHITE intelligence update from the H-ISAC Threat Intelligence Committee (TIC), comprised of high end analysts from member organizations who meet together during times of crisis and share standard operating procedures (SOP) on how to respond. More detailed TLP AMBER information is available for members on the secure Member Portal.

Event:

Increased Potential Iranian Cyber Threat

Summary:

The Department of Homeland Security issued a warning on Saturday around potential
targeting of US government and critical infrastructure by Iran. The statement from the Department’s
Cybersecurity and Infrastructure Security Agency (CISA) resulted from the recent increase in Iranian
hostilities as well as possible retaliation for a US cyber‐attack that occurred against Iran on June 20. The
attack was meant to disable the Iranian computer systems used to control rocket and missile launches
as well as computers systems used by the Iranian intelligence group that helped plan oil tanker attacks
and the downing of an unmanned US surveillance drone.

The increase in Iranian cyber activity is based on intelligence reports from two major cyber security
intelligence firms (CrowdStrike and FireEye) and private sector firms, who have confirmed recent spear‐
phishing campaigns originating from Iranian actors that targeted multiple sectors including healthcare.
In the statement, DHS highlighted Iran’s prior use of destructive malware to impact government
agencies and private sector companies by leveraging distributed denial‐of‐service, spear‐phishing,
password spraying and credential stuffing attacks.

Assessment:

The recent increase in Iranian activity, more restrictive economic sanctions, increased
tensions between the US and Iran, and confirmation that the US conducted a cyber based attack
increases the likelihood that Iran could launch retaliatory attacks. The CISA statement seems to be more
of a warning of potential attacks to come and the need for increased awareness.

We recommend security teams begin increased awareness and closely monitor external proprietary and
open intelligence sources for any reports that could represent a risk to the Healthcare vertical.

Potential Actions:

 Maintain vigilance on operational security posture, including a potential increase in phishing
attempts.
 Ensure available patches are being applied in a timely manner across your infrastructure.
 Enable multi‐factor authentication, where possible.

References:

1. hxxps://www.washingtonpost[.]com/world/national‐security/with‐trumps‐approval‐pentagon‐
launched‐cyber‐strikes‐against‐iran/2019/06/22/250d3740‐950d‐11e9‐b570‐
6416efdc0803_story.html
2. hxxps://www.cnet[.]com/news/us‐hits‐iran‐with‐crippling‐cyberattack‐says‐a‐report/
3. hxxps://www.bleepingcomputer[.]com/news/security/us‐government‐warns‐of‐data‐wipers‐
used‐in‐iranian‐cyberattacks/
4. hxxps://thehill[.]com/policy/cybersecurity/449837‐iran‐steps‐up‐cyberattacks‐on‐us‐amid‐
tensions‐analysts
5. hxxps://www.bloomberg[.]com/news/articles/2019‐06‐22/iran‐increases‐cyberattacks‐on‐the‐
u‐s‐amid‐tensions‐dhs‐says
6. hxxps://apnews[.]com/f01492c3dbd14856bce41d776248921f