Feds Warn of AI Attacks Targeting Health IT

The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) released an alert to warn that threat actors have begun targeting the health sector’s IT help desks to gain access to the organizations’ networks.

HC3 said that adversaries have begun using advanced social engineering tactics. Specifically, the sector alert warns of AI voice impersonation techniques.

“Social engineering is being used across the Healthcare and Public Health (HPH) sector to gain unauthorized access to systems,” the April 3 alert warns. “Threat actors are employing sophisticated social engineering techniques to target an organization’s IT help desk with phone calls from an area code local to the target organization, claiming to be an employee in a financial role.”

The alert notes that in September 2023, a threat actor leveraged spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals.

The threat actor was able to provide the required sensitive information for identity verification, including the last four digits of the target employee’s Social Security number and corporate ID number, along with other demographic details, HC3 said.

“These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches,” the alert says. The threat actor claimed that their phone was broken, and therefore the actor could not log in or receive multi-factor authentication (MFA) tokens.

The threat actor then successfully convinced the IT help desk to enroll a new device in MFA to gain access to corporate resources. After gaining access, the threat actor specifically targeted login information related to payer websites, where the actor then submitted a form to make changes for payer accounts.

“While these recent campaigns in the health sector did not involve ransomware, both of these incidents did leverage spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals,” HC3 said.

The cyber center offered various mitigations for healthcare organizations, including removing SMS as an MFA verification option.

Other mitigations include:

  • Requiring callbacks to the phone number on record for the employee requesting a password reset and enrollment of a new device;
  • Monitoring for any suspicious payroll changes and revalidating all users with access to payer websites;
  • Implementing procedures that require employees to appear in person at the IT help desk for such requests;
  • Implementing policies that require the supervisor of the employee to be contacted to verify these requests; and
  • Training users to identify and report social engineering techniques and spearphishing attempts.
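The incident pattern described above (a phone-based help-desk request verified only with knowledge-based details, a new MFA device enrolled, then a change to payer or payroll information shortly afterwards) is well suited to a simple correlation check on help-desk and finance-system logs. The following is an added example written for this article; it is not code from HC3 or from any product. The log format, field names (`channel`, `verified_by`, `callback`) and the 72-hour window are assumptions, and the sample log lines are constructed.

```python
"""
Added example (not from the HC3 alert): flag help-desk MFA device enrollments
that were verified remotely with knowledge-based answers only (no callback to
the number on record) and were followed within a short window by a payroll or
payer-portal change for the same user.

Log format, field names and the sample lines below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from a help desk, a payer portal and a payroll
# system. Schema is an assumption, not a real product's format.
SAMPLE_LOG = """\
2024-03-04T09:12:00Z helpdesk mfa_enroll user=jdoe channel=phone verified_by=kba callback=no
2024-03-04T09:40:00Z payer_portal profile_change user=jdoe field=remit_bank_account
2024-03-04T11:05:00Z helpdesk mfa_enroll user=asmith channel=in_person verified_by=badge callback=n/a
2024-03-05T08:30:00Z payroll direct_deposit_change user=asmith
2024-03-06T14:00:00Z helpdesk mfa_enroll user=bkim channel=phone verified_by=kba callback=yes
2024-03-20T10:00:00Z payroll direct_deposit_change user=bkim
"""


@dataclass
class Event:
    ts: datetime
    source: str
    action: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one 'timestamp source action key=value ...' line."""
    ts_str, source, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), source, action, fields)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


# Changes that an attacker with fresh MFA access would be expected to target.
SENSITIVE_CHANGES = {
    ("payroll", "direct_deposit_change"),
    ("payer_portal", "profile_change"),
}


def weak_verification(ev: Event) -> bool:
    """True when an MFA enrollment was requested by phone and verified only with
    knowledge-based answers (last-4 SSN, employee ID, etc.) without a callback
    to the phone number on record, i.e. the path used in the alert's incidents."""
    return (
        ev.action == "mfa_enroll"
        and ev.fields.get("channel") == "phone"
        and ev.fields.get("verified_by") == "kba"
        and ev.fields.get("callback") != "yes"
    )


def find_suspicious_sequences(events: list, window: timedelta = timedelta(hours=72)) -> list:
    """Return (user, enroll_ts, change_ts, change) tuples where a weakly verified
    MFA enrollment is followed within `window` by a sensitive change for the
    same user. These are review candidates, not proof of compromise."""
    hits = []
    for enroll in (e for e in events if weak_verification(e)):
        user = enroll.fields.get("user")
        for ev in events:
            if (
                (ev.source, ev.action) in SENSITIVE_CHANGES
                and ev.fields.get("user") == user
                and enroll.ts <= ev.ts <= enroll.ts + window
            ):
                hits.append((user, enroll.ts, ev.ts, f"{ev.source}:{ev.action}"))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_sequences(parse_log(SAMPLE_LOG)):
        print("REVIEW:", *hit)
```

On the constructed sample only `jdoe` is flagged: the enrollment was by phone, verified with knowledge-based answers, had no callback, and was followed 28 minutes later by a payer-portal remittance change. The in-person enrollment and the phone enrollment that was confirmed by callback are not flagged, which is the point of the callback and in-person mitigations in the list above.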