Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Feds Warn Health Sector of Top Russia-Backed APT Groups

Alert Comes as Other Ransomware Assaults, Data Leaks Plague Medical Providers
Feds Warn Health Sector of Top Russia-Backed APT Groups

Federal authorities are alerting healthcare sector entities of advanced persistent threats posed by Russian state-sponsored cyber and espionage groups, including some linked to attacks on pharmaceutical and related companies during the COVID-19 pandemic.

The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, in a threat brief issued Thursday spotlighted several cyber organizations connected to the Russian Intelligence Services that continue to pose threats to a long list of industries, including healthcare.

Meanwhile, healthcare sector entities in the U.S. - including large hospital systems and small medical practices - this week continued to battle a variety of other cybercrime gangs slinging ransomware assaults and leaking stolen data.

Top Russian Advanced Persistent Threats

HHS HC3 in its report identified four key Russian state-backed groups posing ongoing threats to the healthcare and other sectors. Those include:


Turla is also known as Venomous Bear, KRYPTON, Waterbug and Iron Hunter. Its primary targets include research organizations and entities in the pharmaceutical, academic, energy, government, military and telecommunications sectors, as well as embassies. Among the most notable attacks involving Turla was a 2018 incident involving the German government's computer network.


APT29 is also known as Cozy Bear, The Dukes, YTTRIUM and Iron Hemlock. Targeted industries include healthcare, pharmaceutical, academia, energy, financial, government, media and technology, as well as think tanks. Incidents tied to the group include attacks on COVID-19 vaccine developers in 2020 and least one U.S. hospital. The group was also behind the SolarWinds Orion attack in 2020.


APT28 is also known as Fancy Bear, Group 74, PawnStorm, Sednit, Snakemackerel, Sofacy, STRONTIUM, TG-4127, Tsar Team and Iron Twilight. Targeted industries include healthcare, aerospace, defense, energy, government, military and media. Its most notable attacks include the 2016 data theft from Hillary Clinton's presidential campaign and the Democratic National Committee. The group is also tied to a data theft and manipulation attack on the World Anti-Doping Agency in 2016.


Sandworm is also known as Voodoo Bear, CTG-7263, ELECTRUM, Hades/OlympicDestroyer, IRIDIUM, Qudedagh, Sandworm Team, Telebots and Iron Viking. The group has particularly focused on Ukrainian entities, and targeted industries include government and energy. But the impact of some past attacks directed at Ukrainian entities have been felt by entities in other regions and sectors, including healthcare, such as in the 2017 NotPetya ransomware attacks, which affected pharmaceutical giant Merck and medical transcription vendor Nuance Communications.

Ongoing Threats

The HHS HC3 report is a "high-level" overview of various Russian state actors and examples of previous campaigns going back to 2004, says Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.

"The health sector has quite a bit of institutional memory going back to the NotPetya attacks in 2017 that impacted pharmaceutical manufacturing and hospitals globally," he says.

"Since then, when we see rising tensions with Russia - like with Ukraine, for example - the NotPetya attacks set the baseline on the possible impacts we may see in healthcare from any direct cyberattack or collateral fallout."

"Every infosec professional knows, you can't forget about what happened, say 20 years ago, because it will come back to haunt you. Same with these threat actors," he says. "They still have their intelligence and military objectives, so healthcare organizations need to be prepared and implement appropriate infosec programs and safeguard their enterprise networks."

The most significant threat from state-sponsored Russian cyberespionage groups is to the pharmaceuticals sector rather than healthcare providers, says Paul Prudhomme, a former U.S. Department of Defense threat analyst who is head of threat intelligence advisory at security firm Rapid7.

"Like other state-sponsored groups in China, Iran, and North Korea in the past two years, state-sponsored Russian groups have targeted foreign pharmaceutical companies and other organizations with access to COVID-19 intellectual property, such as vaccine and treatment research," he says.

"COVID-19 intellectual property is a highly coveted prize for state-sponsored groups around the world, whose governments or their state-owned enterprises hope to use it to develop their own products."

Closer to Home

While the healthcare sector at large is being reminded of concerns involving Russian-backed APTs, healthcare entities across the U.S. - including small medical practices - continue to battle assaults by a variety of ransomware and other cybercrime gangs.

For instance, the ransomware group Vice Society this week claimed to have stolen - and allegedly leaked on its dark web site - data from Atlanta Perinatal Associates in Georgia, a healthcare practice specializing in high-risk pregnancies.

Allegedly leaked Atlanta Perinatal Associates data includes ultrasound reports containing patient’s' names, dates of birth, patient ID numbers, expected due dates of delivery, referring physicians, medical history details, sonographers, and ultrasound findings, according to blog site

Vice Society allegedly listed Atlanta Perinatal Associates on its data leak site this week.

When contacted by Information Security Media Group on Friday about the alleged incident, a manager at Atlanta Perinatal Associates denied that the practice had experienced a data breach and declined providing further comment on the Vice Society claims.

"Incidents such as this highlight the fact that we urgently need to find a solution to the ransomware problem," says Brett Callow, a threat analyst at security firm Emsisoft.

The threat actors behind these incidents "will attack any organization to make a buck, no matter the potential consequences," he says.

"Unfortunately, however, I don’t believe the ransomware problem can be solved quickly. Governments are certainly making progress, but we've still a very long way to go, and that means healthcare providers will continue to be bombarded by financially motivated cyberattacks."

Vice Society has also been linked to other ransomware assaults involving health data leaks in the U.S. and abroad. This includes attacks in May 2021 against New Zealand's Waikato District Health Board and in August 2021 against Indianapolis, Indiana-based Eskenazi Health, a public health provider.

Besides the alleged attack on Atlanta Perinatal Associates, several other U.S. healthcare entities have been faced with apparent ransomware assaults and data leaks recently.

That includes ransomware-as-a-service operator AvosLocker claiming to be behind an attack allegedly involving data theft from Texas-based CHRISTUS Health, which operates hundreds of healthcare facilities in the U.S., Mexico and South America.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.