Hospital helpdesks targeted by hackers — US Health Department warns health services are under threat

News
By published

Elaborate social engineering techniques used to trick IT helpdesks

American dollars with medical stethescope
(Image credit: Shutterstock)

The US Department of Health and Human Services (HHS) has issued a warning that hackers are attempting to target the helpdesks of hospitals in order to gain access to critical hospital systems.

The hackers have been observed contacting hospital IT help desks using local area code phone numbers and then pretending to be a hospital employee, providing the helpdesk with stolen identification.

The hackers then request that their device be set up to use the employee’s multi-factor authentication. Once they have access to the hospital's internal systems, they are free to steal data and re-route transactions into their own bank accounts.

Hospital data and finances a honeypot for hackers

The Health Sector Cybersecurity Coordination Center (HC3) issued a warning for hospitals to be vigilant in the face of hackers using elaborate social engineering campaigns to gain access to hospital systems. The HC3 stated that the hackers “specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts” in order to steal money.

“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts,” HC3 continued. "The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).

While no threat actor has been formally identified as responsible for these attacks, HC3 issued a number of guidance points to IT help desks in order to avoid succumbing to such an attack: (PDF)

  • Require callbacks for employees requesting new device MFA enrollment or password resets using the number on file for the employee
  • Monitor ACH changes for suspicious activity and frequently revalidate users who have access to payer websites
  • Employees requesting MFA device enrollment, password resets, or ACH changes should report in person to the IT helpdesk
  • Where this is not possible, contact the employee supervisor for verification
  • Train helpdesk employees to identify social engineering techniques and spearphishing attempts

Via BleepingComputer

More from TechRadar Pro

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.

Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.