This week, Health-ISAC®'s Hacking Healthcare® examines a new joint U.S. government agency alert warning that Iranian cyber actors may target vulnerable U.S. networks and entities of interest. Join us as we break down the contents of the report, assess some of the takeaways, and highlight what Health-ISAC members can do to help mitigate cyber risks stemming from geopolitical conflict.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
PDF Version: TLP WHITE Hacking Heathcare 7.3.2025
Text Version:
Welcome back to Hacking Healthcare®.
Health-ISAC will continue to monitor the conflict and has recently released ongoing updates, such as Potential Cascading Cybersecurity Impacts of Israeli Strikes on Strategic Iranian Military Targets and an additional attached geopolitical deep dive into the Cybersecurity Risks of the Israel-Iran War.
U.S. Joint Cyber Alert Reiterates Cyber Threats Stemming from Geopolitical Conflict
A recent joint cyber alert from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) “strongly urge[s] organizations to remain vigilant for potential targeted cyber activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber actors.”[i] Let’s break down what the alert says while also generally reviewing some geopolitical issues that may be worth paying attention to.
Why the Alert?
The joint alert’s scope does not include an assessment of why Iranian-affiliated cyber threat actors may target U.S.-based entities. However, Israel’s recent escalation of hostilities towards Iran, including the U.S. bombing of Iranian nuclear facilities, is likely to be the primary catalyst. Given the current ceasefire and Iran’s limited military, diplomatic, and economic tools to impose costs on the U.S., malicious cyber activity stands out as a logical strategic response.
What Does the Alert Say?
The alert highlights that “Iranian-affiliated cyber actors and aligned hacktivist groups often exploit targets of opportunity.”[ii] Examples include “unpatched or outdated software with known Common Vulnerabilities and Exposures (CVEs) or the use of default or common passwords.”[iii] In addition, the authoring agencies note an increase in Iranian-aligned hacktivists perpetrating “website defacements and leaks of sensitive information exfiltrated from victims.”[iv] Ransomware operations are also mentioned as something Iranian-affiliated actors may conduct, and additional information is provided through a link to a CISA advisory from last year.[v]
The authoring agencies specifically cite the risk to Defense Industrial Base (DIB) companies, “particularly those possessing holdings or relationships with Israeli research and defense firms.” However, the alert also notes that a prior cyber campaign from late 2023 to early 2024 did victimize entities from the healthcare and public health sector. The authoring agencies highlight that they are continuing to monitor the situation.
The four-page alert concludes with general mitigation measures, resources from the authoring agencies that provide background on Iranian-affiliated cyber actors, and contact information for all four agencies. The lack of specific mitigations suggests that, at least publicly, the authoring agencies are only aware of a general heightened risk of an Iranian-linked cyber threat rather than the imminent actions of a specific group.
Action & Analysis
**Available with Health-ISAC Membership**
Threat Intel and Information Sharing
While alerts like this are absolutely helpful in raising awareness of geopolitical threats, it is important to remember that the private sector collectively has an enormous amount of visibility into the global cyber threat environment as well. In addition, cyber threat intel can often flow faster through the private sector than it does through official government channels.
As such, we highly encourage you to keep an eye out for official Health-ISAC advisories or warnings when geopolitical conflicts kick off. The growing relationships Health-ISAC has with governments all over the world and the existing global Health-ISAC member network are invaluable resources for keeping abreast of cyber threats emanating from geopolitical conflict.
[i] https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
[ii] https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
[iii] https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
[iv] https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
[v] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
[vi] https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
[vii] https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf
[viii] As an example, while not publicly confirmed to be the result of a hacktivist attack, an incident at a water utility in Arkansas City, Kansas (population ~12,000) was immediately followed with a CISA alert of pro-Russian cyber actors targeting water sector entities.
