HC3 alerts shed light on two popular healthcare cyberattack tactics

March 26, 2024 - The HHS Health Sector Cybersecurity Coordination Center (HC3) released two sector alerts recently, each highlighting a different cyber threat tactic that bad actors may use to facilitate healthcare cyberattacks.

Both tactics, email bombing and credential harvesting, are not new or emerging threat tactics. Rather, they are tried-and-true strategies that threat actors use to compromise the integrity of healthcare systems.

As such, HC3 stressed the importance of taking proactive steps to prevent future attacks and strengthen systems in each alert.

“The probability of cyber threat actors targeting the healthcare industry remains high,” HC3 stated. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”

Exploring the threat of email bombing

In an email bombing attack, threat actors flood an email address or server with thousands of email messages, essentially rendering the recipient’s mailbox useless. These attacks are a type of Denial of Service (DoS) attack. During these attacks, threat actors hope that their victims will miss important emails, such as sign-in and authentication attempts.

READ MORE: New cyber legislation would provide advance payments to providers facing hacks

HC3 highlighted several variations of email bombs, including registration bombs, link listing, and mass mailing. Registration bombs remain a top tactic in which a threat actor scrapes the web for newsletter sign-ups and signs a recipient up for numerous legitimate newsletters.

“Once the e-mail bomb order is placed, scheduled, and begins, the bots will sign an unlucky recipient up for all of these newsletters at once. This generates thousands of e-mails arriving to the victim immediately,” HC3 noted. “Beside the immediate impact, victims receive an annoying, steady flow of unwanted e-mails that will keep arriving years after the initial attack.”

Other common email bombing tactics include link listing, in which threat actors sign up targeted emails to multiple email subscription services, and mass mailing, in which threat actors send one email to hundreds or thousands of recipients.

HC3 recommended that victims avoid engaging with the attacker and refrain from clicking on suspicious links. In addition, victims should alert their IT team, review account information for suspicious activity, and consider changing passwords.

Defending against these attacks requires a focus on employee cyber hygiene, HC3 stressed. In addition, organizations may choose to implement reCAPTCHA and confirmed opt-in processes to reduce risk.

READ MORE: Change Healthcare cyberattack affecting hospital finances, care access

HC3 highlighted a 2016 cyberattack in which threat actors flooded thousands of “dot-gov” email inboxes with subscription requests. The large-scale attack rendered these inboxes unusable for days. In healthcare, a disruption like this could cause workflow issues and potentially impact patient care in the process.  

“E-mail bombing, while not a novel attack method, can still adversely impact many users, including those in the HPH sector. Organizations and individuals are encouraged to implement protections, security policies, and address user behavior in order to prevent future attacks,” the alert noted.

“Given the potential implications of such an attack on the HPH sector, especially concerning unresponsive e-mail addresses, downgraded network performance, and potential downtime for servers, this type of attack remains relevant to all users.”

Credential harvesting poses risks to healthcare

Another recent HC3 sector alert focused on credential harvesting, also known as credential phishing or credential stealing. Threat actors use this tactic to obtain sensitive credentials and gain access to a user’s digital identity, allowing them to traverse a network without raising red flags.

Threat actors may use phishing, keylogging, or brute force attacks to obtain these credentials. Threat actors have also been observed leveraging credential stuffing, a tactic in which attackers use previously compromised credentials to gain access to other accounts that use the same username and password.

READ MORE: 63% of known exploited vulnerabilities found on healthcare networks

“Credential harvesting is capable of disrupting normal operations, impeding the delivery of vital services and patient care. When systems are compromised, entities may experience downtime, inability to access critical patient data, and disruptions in communication,” HC3 added.

“These actions can lead to delays in appointments, procedures, and administration services. Additionally, these harvested credentials can be used to manipulate data in entity systems.”

Maintaining a solid patch management program, employee training and awareness, and email filtering and spam detection can reduce the risk of credential harvesting. What’s more, HC3 recommended using endpoint security solutions and monitoring and detection tools to detect suspicious login attempts and identify attacks in real-time.

Overall, both email bombing and credential harvesting are tactics that threat actors have used successfully to render services unusable. With a focus on employee education and technical safeguards, healthcare organizations can mitigate the risk of both types of attacks.